
Internal Control, Risk Assessment & Performance Auditing

(Thoughts from SAS’s 109 & 115)

Presented by:

Billy Morehead, Ph.D., CPA, CGFM, CPM

AGA Past National President and

Chair, Division of Accountancy, CIS & Finance

Delta State University, Cleveland, Mississippi

Definition of Internal Control

Internal control is a process – effected by those charged with governance, management, and other personnel – designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to:

– Reliability of financial reporting
– Effectiveness and efficiency of operations, and
– Compliance with applicable laws and regulations

Source: AICPA SAS 115

2

Definition of Risk Assessment

Risk analysis involves a careful, rational process of estimating the significance of a risk, assessing the likelihood of its occurrence, and considering what actions and controls are necessary to manage it.

Risk analysis involves estimating the cost to the agency if an unexpected risk actually occurs.

3

Definition of Performance Audit

“Performance Audit is a valuable management tool carefully structured around tough, nationally recognized auditing principles that evaluate whether tax dollars are being spent in an effective, efficient and economic manner.”

(Heartland Institute)

4

Those Charged With Governance

Defined as: “the person(s) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting and disclosure process.”

In most entities, governance is a collective responsibility.

5

Internal Control Is Effected by Those Charged with Governance –

an Entity’s Board of Directors, Management, & Other Personnel.

The Establishment of Internal Control Is

MANAGEMENT’S Responsibility.

6

Internal Control Consists of 5 Interrelated Components:

Control environment (values, ethics, integrity)
Risk assessment (inherent and direct)
Control activities (policies and procedures)
Information and communication (systems and financial statements, etc.)
Monitoring (management, internal auditors, audit committees, etc.)

7

COSO Cube (figure: axes labelled Components, Objectives, and Entity)

8

There Is a Direct Relationship Between:

OBJECTIVES (What an Entity Strives to Achieve) and

COMPONENTS (Organizational Climate & Structure Needed to Achieve the Objectives)

BOTH are related to the entire entity & all business units & functions

9

COSO Pyramid

10

Internal Control, No Matter How Well Designed and Operated,

Can Only Provide REASONABLE Assurance

to Management and the Board of Directors Regarding Achievement of an Entity’s

Control Objectives.

11

Control Environment

The control environment sets the tone of an organization influencing the control consciousness of its people.

It is the foundation for effective internal control, providing discipline and structure.

12

Control Environment Factors

Communication & enforcement of integrity & ethical values
Commitment to competence
Participation of those charged with governance
Management’s philosophy & operating style
Organizational structure
Assignment of authority & responsibility
Human resource policies and practices
Entity’s risk assessment process

13

Communication & Enforcement of Integrity & Ethical Values

Codes of conduct (behavioral statements)

Policies and procedures regarding:
Acceptable business practices
Conflicts of interest
Expected standards of ethical and moral behavior
How communicated & reinforced

14

Communication & Enforcement of Integrity & Ethical Values

Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors

Pressures to meet unrealistic performance targets

15

Commitment to Competence

Hiring practices (check references)
Formal job descriptions defining tasks that comprise particular jobs
Analyses of the knowledge and skills necessary to perform jobs adequately

16

Participation of Those Charged with Governance

Independence from management
Experience & stature of its members
Extent of its involvement and scrutiny of activities
Appropriateness of its actions
Information it receives

17

Participation of Those Charged with Governance

Degree to which difficult questions are raised and pursued with management
Interaction with internal and external auditors
Oversight of the design & effective operation of whistle-blower procedures
Oversight of the process for reviewing the effectiveness of the entity’s internal control

18

Management’s Philosophy and Operating Style

Management philosophy is the set of shared beliefs and attitudes characterizing how the agency handles everything it does, from developing and implementing strategy to day-to-day activities. This philosophy reflects the agency’s values, influencing its culture and operating style, and affects how well fiscal programs can implement, maintain, and enforce control.

19

Management’s Philosophy and Operating Style

Management philosophy appears in policy statements, oral and written communications, and decision-making. Management reinforces the philosophy more with everyday actions than with its words.

20

Management’s Philosophy and Operating Style

Approach to taking and monitoring business risks
Attitudes and actions toward financial reporting (conservative or aggressive application of GAAP, conscientiousness and conservatism when developing accounting estimates)
Attitude toward information processing and accounting functions and personnel

21

Organizational Structure

Appropriate framework for necessary planning, execution, control, and review of entity wide objectives

Adequately defined key areas of authority and responsibility; and, appropriate lines of reporting

Appropriate organization structure depends upon size, complexity, and nature of activities

22

Assignment of Authority and Responsibility

How responsibility is assigned
How authority is delegated
Appropriate business practices
Knowledge and experience of key personnel
Appropriate resources provided for carrying out duties
Policies and communications so all personnel understand the entity’s objectives, know their roles, and know how they will be held accountable

23

Human Resource P&Ps

Relate to recruitment, orientation, training, evaluation, counseling, promoting, compensating, and remedial actions

Adequate background checks (educational background, prior work experience, past accomplishments, evidence of integrity & ethical behavior)

Adequate retention and promotion criteria (continued education; performance appraisals; code of conduct guidelines)

24

Figures (©2008 by the Association of Certified Fraud Examiners, Inc.): Fraud Perpetrator’s Criminal History; Fraud Perpetrator’s Employment History

25

Risk Assessment

Inherent -- By the Very Nature of the Business Entity

Direct -- As a Result of Action Taken by Management or Employees

26

Risk Circumstances

Changes in operating environment
New personnel
New / revamped information systems
Rapid growth of entity
New technology
New business models, products, activities
Corporate restructuring
New or expanded foreign operations
New accounting pronouncements

27

External Influences Contributing to Risk:

Economic Conditions
Social Conditions
Political Conditions
External Regulation
Natural Events
Supply Sources
Technological Changes

Source: AICPA SAS 109

28

Internal Influences Contributing to Risk:

Changes in personnel duties
Availability of funds for new initiatives or continuation of key programs
Employee relations
Information systems
Data processing
Cash management activities
Asset protection and preservation

Source: AICPA SAS 109

29

Managing Risk...

Can you identify internal and external risks?
Which risks are significant?
Do you have a thorough risk analysis process?
Can you adequately anticipate the risk associated with change (self-imposed or as a result of external infliction)?

30

Information Systems

Consists of:
– Infrastructure (physical and hardware)
– Software
– People
– Procedures (manual & IT)
– Data
– Adequate Backup Systems

31

Information Systems

Relevant to financial reporting objectives, consists of procedures and records established to:
– Initiate
– Authorize
– Record
– Process
– Report
– Maintain accountability
– Provide security

32

Information Systems

Encompasses methods and records that:

– Identify and record all valid transactions
– Describe transactions in sufficient detail & on a timely basis
– Measure the value of transactions
– Determine proper accounting time period
– Properly present transactions & related disclosures in the financial statements

33

Control Activities...

…Are the Policies and Procedures That Help Ensure Management Directives Are Carried Out and Necessary Actions Are Taken to Address Risks that Threaten the Achievement of the Entity’s Objectives.

34

Relevant Control Activities...

Provide for Performance Reviews

Provide for Information Processing (accuracy, completeness, & authorization – application controls & general controls)

Provide Physical Controls (physical security of Assets, Documents, & Records; reconciliations & inventory counts)

Adequate Segregation of Duties

35

Monitoring Activities...

Ongoing -- performance evaluation
Corroboration of information -- bank reconciliations, etc.
Comparison of physical assets to book assets -- inventories
Internal and external audits -- effectiveness
Codes of ethics certification
Training and education

36

Monitoring...

If No One Ever Looks at or Reviews the Internal Control Environment -- What Good Is It Doing?

37

Benefits of Internal Control...

A Well-designed & Well-functioning Internal Control System Can Help an Entity Achieve Its Performance and Profitability Targets

38

It Can Help Prevent Loss of Resources, Help Ensure Reliable Financial Reporting, and Help Ensure That the Entity Complies With Laws and Regulations

39

In Other Words, Internal Control Systems

Can Help an Entity Get to Where

It Wants to Go and Avoid Pitfalls and Surprises Along the Way

40

Increasing Interest in Performance

Performance Measurement

+ Reporting Results

+ Accountability over Resources

= Performance Management

Government Performance Auditing (Ives & Hancox)

Increasing Interest in Performance

Agency Managers must actively:

Develop & Implement appropriate, cost-effective IC for results-oriented management
Periodically assess the adequacy of those controls
Identify needed improvement, and
Take corresponding corrective action

Government Performance Auditing (Ives & Hancox)

Six Stages for “Managing to Achieve Results”

1. Strategic Planning (setting goals & objectives)
2. Program Planning (establishing measurable objectives)
3. Setting Priorities & Allocating Resources
4. Actively Planning (establishing strategies & operational processes)
5. Managing Operations (controlling & measuring performance)
6. Assessing Results & Adjusting Strategies (where warranted)

Government Performance Auditing (Ives & Hancox)

Performance Audits May be Broad or Narrow in Scope & Cover:

Whether an entity is acquiring, protecting & using its resources in the most productive manner to achieve program objectives

The extent to which legislative, regulatory, or organizational goals & objectives are being achieved

Whether a program produced intended results or produced effects that were not intended by the program’s objectives

Whether the entity is following sound procurement practices

The validity & reliability of performance measures

Government Performance Auditing (Ives & Hancox)

When Evaluating Economy & Efficiency of Operations – Ascertain:

Whether resources are properly deployed

Whether there are idle resources or overstaffed functions

Whether resources are acquired at a reasonable price

Government Performance Auditing (Ives & Hancox)

Types of Subjects Covered in Performance Audits

Progress made in achieving goals of a specific program
Assessment of the hiring, training & supervision of staff of a program
State oversight & local government compliance with regulation of a program
Assessment of a program intended to increase/decrease an aspect of a program
Assessment of the efficiency & effectiveness of a program
Assessment of program service delivery & financial management

Government Performance Auditing (Ives & Hancox)

Limitations of Internal Control

Not a cure-all
Cannot ensure entity’s success or survival
Cannot ensure entity will achieve operation, financial reporting, and compliance objectives
Effectiveness limited by human judgment and hasty decision making

47

System can break down due to misunderstandings, mistakes in judgment, or errors committed due to carelessness, distraction, or fatigue
Only as effective as the people who are responsible for its functioning
Collusion can result in control failure
Limited resources (cost/benefit):
  excessive control is costly & counterproductive
  too little control presents undue risk to entity

48

Everyone in an Organization Has Some Responsibility for Internal Control;

However, MANAGEMENT Is Responsible!

49

Deficiency in Internal Control

Statement of Auditing Standard (SAS) 115 entitled “Communicating Internal Control Related Matters Identified in an Audit” defines deficiency in internal control, significant deficiency, and material weakness and provides guidance for auditors on evaluating the severity of the deficiencies in internal control.

50

Deficiency in Internal Control

Determination as to whether a deficiency is significant or material is based upon whether a reasonable person would derive the same conclusion as the auditor or whether prudent officials having knowledge of the same facts and circumstances would agree with the auditor’s classification of the deficiency.

51

Deficiency in Internal Control

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.

52

Deficiency in Internal Control

Significant deficiency is defined as a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

53

Deficiency in Internal Control

A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

54

Deficiency in Internal Control

One situation when a deficiency in internal control should be regarded as at least a significant deficiency and a strong indicator of a material weakness – ineffective oversight of the entity’s financial reporting and internal control by senior management and those charged with governance.

55

Indicators – Material Weakness

Identification of fraud, whether or not material, on the part of senior management.

Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud.

Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control.

Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance.

56

Deficiencies in Design Controls

Inadequate design of controls over the preparation of the financial statements being audited.

Inadequate design of controls over a significant account or process.

Inadequate documentation of the components of internal control.

Insufficient control consciousness within the organization; for example, the tone at the top and the control environment.

57

Deficiencies in Design Controls

Absent or inadequate segregation of duties within a significant account or process

Absent or inadequate controls over the safeguarding of assets

Inadequate design of IT general and application controls that prevent the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.

58

Deficiencies in Design Controls

Employees or management who lack the qualifications and training to fulfill their assigned functions.

Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity’s internal control over time.

The absence of an internal process to report deficiencies in internal control to management on a timely basis.

59

SAS 109

– Describes the procedures to be used to gather information and gain an understanding of the entity and its environment, which include:
• Inquiries
• Analytical procedures
• Observation and Inspection

60

• SAS 109 requires a brainstorming session, which may be conducted concurrently with the SAS 99 session

61

SAS 109 directly links the understanding of the entity and its internal control with the assessment of risk and the design of further audit procedures

– The understanding of the entity and its environment, including its internal control, provides audit evidence necessary to support the auditor’s assessment of risk

62

Under the previous standard, the primary purpose of gaining an understanding of internal control was just to plan the audit.

63

SAS 109 requires auditors to evaluate the design of controls and determine whether they have been implemented. Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing or detecting and correcting material misstatements.

Thus, the understanding of internal control provides audit evidence that ultimately supports the auditor’s opinion on the financial statements.

It is anticipated that this phase of the audit will require more work than simply gaining an understanding of internal control.

64

The determination of significant risks, which arise on most audits, is a matter for the auditor’s professional judgment. In exercising this judgment, the auditor should consider inherent risk to determine whether:

─ the nature of the risk,
─ the likely magnitude of the potential misstatement, including the possibility the risk may give rise to multiple misstatements, and
─ the likelihood of the risk occurring

are such that they require special audit consideration.

(SAS 109, ¶ 111)

65

Whether the risk is a risk of fraud.

Whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention.

The complexity of transactions.

Whether the risk involves significant transactions with related parties.

The degree of subjectivity in the measurement of financial information related to the risks, especially those involving a wide range of measurement uncertainty.

Whether the risk involves significant nonroutine transactions which are outside the normal course of business for the entity, or otherwise appear to be unusual.

(SAS 109, ¶111)

66

SAS 109 – Appendices…(Excellent Resources)

Appendix A – Understanding the Entity and Its Environment

Appendix B – Internal Control Components

Appendix C – Conditions and Events That May Indicate Risks of Material Misstatement

67

Exhibit 4: Management’s Commitment to Professional and Technical Competence

Columns: This Control Implemented and Operating Effectively | Agree/Disagree | Comments

1. Job descriptions (and other documents that define key position duties/requirements) are current, accurate, and understood.
   Rating: 3 - Somewhat agree
   Comments: We are in the process of updating our job descriptions. We recently purchased a software program that will assist in making sure that adequate ADA language is included, etc.

2. There is a mechanism in place to keep the job descriptions current, accurate, and understood.
   Rating: 4 - Agree
   Comments: We need to do a better job to ensure that our job descriptions are kept current. The Executive Director has appointed the Communications Officer to lead the effort to bring the job descriptions up-to-date.

3. Job knowledge/skill requirements realistically match the organization and position’s needs.
   Rating: 5 - Strongly agree

4. Management has the specialized knowledge, experience, and training required to perform their duties and does not rely extensively on technical specialists or outside consultants.
   Rating: 4 - Agree
   Comments: We do hire several outside consultants throughout each fiscal year to help in the technology area. We have only 3 employees in this area and they are responsible for keeping all divisions and locations' networks up and running.

5. Employees are properly trained and are capable of performing all jobs within your division.
   Rating: 4 - Agree
   Comments: We are working to strengthen training on new computers and computer applications.

6. Employees are committed to excellence in performing their jobs.
   Rating: 5 - Strongly agree
   Comments: Employees at the agency are very professional and are committed to excellence.

7. Individual performance targets focus on both the long- and short-term and address a broad spectrum of criteria (e.g., quality, productivity, leadership, teamwork, and self-development).
   Rating: 5 - Strongly agree
   Comments: Each division is responsible for providing the executive director with 4 or more goals above and beyond normal job duties that they will strive to achieve during the upcoming fiscal year. These goals may be either short or long-term.

Conclusions Reached and Actions Needed:

Our management has a high commitment to professional and technical competence. However, we need to do a better job in keeping our job descriptions current. XYZ, DEF, and ABC on 5/12/09 and 5/28/2009.

68

Exhibit 7: Risk Assessment

Columns: This Control Implemented and Operating Effectively | Agree/Disagree | Comments

1. Formal or informal mechanisms exist to inform management of events that are considered risks; i.e., events that may adversely affect the achievement of agency-wide or division objectives.
   Rating: 5 - Strongly agree
   Comments: We have 7 divisions within the Agency and each division head is a member of the Senior Staff, which meets weekly to discuss any issues of concern, and the 6 division heads can and do speak to the Executive Director any time they need to do so.

2. Management assesses for inherent risk, each event or combination of events that represents a risk, considering both likelihood and impact, and then develops a risk response.
   Rating: 5 - Strongly agree
   Comments: See comments to question #1. For example, we just had a staff meeting where our employee in charge of safety and risk informed the group of precautions and actions to take in the event of a swine flu outbreak.

3. Once a risk response is developed for each risk, management considers residual risk.
   Rating: 5 - Strongly agree
   Comments: See comments to question #1.

4. Management uses an appropriate blend of quantitative or qualitative techniques across the various divisions/functions such that sufficient consistency exists to assess risks agency-wide.
   Rating: 5 - Strongly agree
   Comments: We certainly analyze risks quantitatively and qualitatively. For example, we use both in considering new effects of the current recession, increased special revenues, reduced state tax collections and potential budget cuts.

5. The process used to analyze risks is clearly understood and includes estimating the significance of risks and assessing the likelihood of their occurring.
   Rating: 5 - Strongly agree
   Comments: See comments to question #1. This agency has an excellent staff that is qualified and able to assess the significance and likelihood of risks.

Conclusions Reached and Actions Needed:

Our Senior Staff meets weekly, which puts them in a good position to assess risks and to be responsive to any known risks.

EDF, DFG 5/13/2009

69

Exhibit 5: Assignment of Authority and Responsibility

Columns: This Control Implemented and Operating Effectively | Agree/Disagree | Comments

1. Management designates who is responsible for committing to financial or contractual obligations through a formal delegation of authority.
   Rating: 5 - Strongly agree
   Comments: Management assigns signature authority to appropriate personnel to designate personnel authorized to commit to financial or contractual obligations.

2. Specific limits are established for certain types of transactions and delegations are clearly communicated and understood by employees.
   Rating: 4 - Agree
   Comments: Management personnel with signature authority are aware of any specific limits for certain types of transactions, if applicable.

3. Job descriptions for personnel include specific references to control related responsibilities.
   Rating: 4 - Agree
   Comments: Job Content Questionnaires (JCQ) are completed for each employee. The JCQ includes specific references of job related responsibilities including control related responsibilities, if applicable.

4. Management accepts responsibility for information generated and on reported results.
   Rating: 5 - Strongly agree
   Comments: Management accepts the responsibility for the information generated and works constantly to improve the accuracy and effectiveness of the information. Management also reviews and documents their approval by signing required reports.

5. Managers at all levels within your agency are appropriately empowered to correct problems and implement improvements.
   Rating: 5 - Strongly agree
   Comments: Managers are expected to correct problems and implement improvements if needed. Depending on the materiality of the problem, senior management encourages they be informed of the problem and corrective action.

6. The current level of delegation of duties balances empowerment and “getting the job done” with management involvement and authority levels.
   Rating: 5 - Strongly agree
   Comments: Employees have the empowerment to "get the job done". Management is available for training and assistance. Management will normally approve or review the "job".

70

Exhibit 7: Risk Assessment

Columns: This Control Implemented and Operating Effectively | Agree/Disagree | Comments

1. Formal or informal mechanisms exist to inform management of events that are considered risks; i.e., events that may adversely affect the achievement of agency-wide or division objectives.
   Rating: 5 - Strongly agree
   Comments: Mechanisms are in place. Please refer to the conclusions section below for more detail.

2. Management assesses for inherent risk, each event or combination of events that represents a risk, considering both likelihood and impact, and then develops a risk response.
   Rating: 4 - Agree
   Comments: Once a risk is identified, management considers the likelihood of the risk occurring and the potential impact it will have on the agency's financials and the achievement of the agency's objectives.

3. Once a risk response is developed for each risk, management considers residual risk.
   Rating: 4 - Agree
   Comments: Once a control activity is created for an identified risk, management considers the remaining risk.

4. Management uses an appropriate blend of quantitative or qualitative techniques across the various divisions/functions such that sufficient consistency exists to assess risks agency-wide.
   Rating: 4 - Agree
   Comments: Quantitative and qualitative techniques are used by management to assess risk.

5. The process used to analyze risks is clearly understood and includes estimating the significance of risks and assessing the likelihood of their occurring.
   Rating: 4 - Agree
   Comments: Both the agency-wide risk assessment and divisional assessments include determining the risks, the likelihood of their occurrence, and the potential impact of those risks on the agency.

Conclusions Reached and Actions Needed:

Risks are assessed at the agency-wide level and divisional level. The agency-wide assessment is included in the agency's Strategic Plan (http://www.agencyname.ms.gov/Documents/agency5YearStrategicPlan.pdf). The agency has procedures in place for assessing risk at divisional levels. We will enhance and expand our risk assessment process in conjunction with enhancing our internal control plan.

71

Exhibit 8: Risk Response

Columns: This Control Implemented and Operating Effectively | Agree/Disagree | Comments

1. The process used to analyze risks is clearly understood and includes determining steps needed to mitigate risks.
   Rating: 3 - Somewhat agree

2. In determining risk response, management considers the effects of potential responses on risk likelihood and impact because a response may affect the likelihood and impact differently.
   Rating: 4 - Agree

3. Management considers the relative costs and benefits of alternative risk response options.
   Rating: 4 - Agree

4. When considering cost-benefit relationships, management looks at risks as interrelated and pools the agency’s risk reduction and risk sharing responses.
   Rating: 4 - Agree

5. The agency’s risk response considerations are not limited solely to reducing identified risks, but also include consideration of new opportunities.
   Rating: 3 - Somewhat agree

6. Once management has selected a response, management determines whether an implementation plan is needed.
   Rating: 3 - Somewhat agree

7. If an implementation plan is needed, management establishes the necessary control activities to ensure the risk response is carried out.
   Rating: 4 - Agree

8. The agency evaluates risk from an agency-wide perspective.
   Rating: 3 - Somewhat agree
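The deck defines risk analysis (slide 3) as estimating the significance of a risk, assessing its likelihood, deciding what controls are necessary, and estimating the cost to the agency if the risk occurs; Exhibit 8 then asks whether management weighs how each response changes likelihood and impact, compares the costs and benefits of alternative responses, and considers the residual risk. The following is an added worked example, not part of the original slides or of any agency's own tooling: a small risk register in Python that scores each candidate response by expected loss avoided minus its cost, keeps "accept the risk" as a candidate so that a control is chosen only when it pays for itself, and reports the residual risk that remains. Every risk, response and figure in it is constructed for illustration.

```python
"""Cost/benefit selection of risk responses over a small risk register.

Added example, not part of the original slides or of any named product.
It applies the deck's risk-analysis steps (estimate the significance of a
risk, i.e. its cost to the agency if it occurs, assess its likelihood, and
decide what controls are necessary) and the Exhibit 8 questions: how a
response changes likelihood and impact, the relative cost and benefit of
alternative responses, and the residual risk that remains.  Every risk,
response and number below is constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # estimated annual probability of occurrence (0..1)
    impact: float      # estimated cost to the agency if the risk occurs

    def expected_loss(self) -> float:
        """Inherent expected annual loss: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Response:
    """A candidate control or other response and its estimated effect."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # multiplier on likelihood (1.0 = unchanged)
    impact_factor: float = 1.0      # multiplier on impact (1.0 = unchanged)

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains after this response is applied (Exhibit 8, item 3)."""
        return Risk(risk.name,
                    risk.likelihood * self.likelihood_factor,
                    risk.impact * self.impact_factor)

    def net_benefit(self, risk: Risk) -> float:
        """Expected loss avoided, less what the response costs each year."""
        return risk.expected_loss() - self.residual(risk).expected_loss() - self.annual_cost


# Accepting the risk is always on the table; it costs nothing and changes nothing.
ACCEPT = Response("accept (no new control)", annual_cost=0.0)


def choose_response(risk: Risk, options: list[Response]) -> Response:
    """Pick the option with the greatest net benefit.  Because 'accept' is a
    candidate, a control is selected only when it avoids more loss than it
    costs, which is the deck's cost/benefit caveat: excessive control is
    costly and counterproductive, too little leaves undue risk."""
    return max([ACCEPT, *options], key=lambda r: r.net_benefit(risk))


def build_plan(register: list[tuple[Risk, list[Response]]]) -> list[dict]:
    """One row per risk: inherent loss, chosen response, residual loss, net benefit."""
    plan = []
    for risk, options in register:
        best = choose_response(risk, options)
        plan.append({
            "risk": risk.name,
            "inherent_loss": round(risk.expected_loss(), 2),
            "response": best.name,
            "residual_loss": round(best.residual(risk).expected_loss(), 2),
            "net_benefit": round(best.net_benefit(risk), 2),
        })
    return plan


# Constructed sample register (hypothetical agency, illustrative figures).
SAMPLE_REGISTER: list[tuple[Risk, list[Response]]] = [
    (Risk("unauthorized payment (payments entered and approved by one person)",
          likelihood=0.10, impact=250_000.0),
     [Response("dual approval for payments above a threshold",
               annual_cost=8_000.0, likelihood_factor=0.2),
      Response("monthly supervisory review of payment reconciliations",
               annual_cost=3_000.0, impact_factor=0.5)]),
    (Risk("minor cash-drawer shortage", likelihood=0.50, impact=400.0),
     [Response("daily cash count by a second employee",
               annual_cost=2_500.0, likelihood_factor=0.1)]),
]


if __name__ == "__main__":
    for row in build_plan(SAMPLE_REGISTER):
        print(row)
```

Run as a script it prints one row per risk. With the constructed figures, dual approval is chosen for the payment risk because it avoids more expected loss than it costs, while the cash-drawer risk is accepted: the only proposed control costs far more per year than the loss it would prevent, which is exactly the "too much control is costly and counterproductive" limitation the deck lists.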

72

Exhibit 22: Monitoring Questionnaire

Columns: This Control Implemented and Operating Effectively | Agree/Disagree | Comments

1. Management has established performance measures for processes and receives periodic reports of results against those measures.

2. Personnel responsible for reports are required to “sign off” on their accuracy and integrity and are held accountable if errors are discovered.

3. In the event of known control breakdowns or deficiencies, controls that should have prevented or detected problems are reassessed and modified as appropriate.

4. Controls most critical to mitigating high priority risks in your function are evaluated with appropriate frequency.

5. Evaluations of the entire internal control system are performed when there are major strategy changes, major acquisitions or dispositions, or operations and methods of processing financial information are changed.

6. An appropriate level of documentation is developed to facilitate the understanding of how your internal control system works.

7. Employees are provided with sufficient control and compliance training sessions and feedback opportunities.

73

The Hot Ten!

10. Weak Internal Controls

9. Lack of or Poor Assessment of IC by Management

8. Personal Pressures

7. Environmental Changes

6. Audit Deficiencies

5. Inadequate, Limited, or Reduced Training Resources

4. Related Party Transactions

3. Management’s Override of Internal Controls

2. Negative Work Environment – Poor Tone at the Top

1. Blind Trust

74

Questions?

Contact Information

William A. (Billy) Morehead, Ph.D., CGFM, CPA, CPM

Delta State University

DSU Box 3222

1003 West Sunflower Road

Cleveland, MS 38733

Phone: 662-846-4180

Fax: 662-846-4429

Email: [email protected]