TRANSCRIPT
Internal Controls, Risks and You
March 2011
Created by: Margie Harvey & Dorraine Teitsch
What is Internal Control?
Definition – It is the integration of activities, plans, attitudes, policies and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission.
Who has a role in Internal Control?
Everyone!
[Figure: the organization, made up of its employees, activities, plans, policies, efforts, attitudes and processes]
Everyone at CDTA has responsibility for ensuring the internal control system is effective.
Internal Control Objectives
There are four:
1. Reliable financial statements
2. Operational efficiency and effectiveness
3. Compliance with laws and regulations
4. Safeguarding resources from abuse, fraud and waste
Two Broad Control Types
Operating Controls: Promote effectiveness, efficiency, and compliance
• Examples: Policies, regulations, and procedures to enforce compliance with laws and CDTA goals
Safeguarding Controls: Designed to detect and prevent fraud, waste and abuse of resources
• Examples: Payment documentation and approvals, separation of duties, physical inventory counts – comparing SPEAR data to actual parts on shelves
Five Elements of Internal Control
The Committee of Sponsoring Organizations (COSO) produced the Internal Control – Integrated Framework, known as the COSO report.
This report has directly influenced corporate governance, government accountability, and internal auditing.
It set forth 5 interrelated components:
1. Control Environment
2. Risk Assessment
3. Communication and Information Systems
4. Control Activities
5. Monitoring
Internal Control Pyramid
Control Environment
It is the attitude toward internal control established and maintained by management and employees.
It is the foundation for all other components!
It encompasses “tone at the top” and management’s style, philosophy and supportive attitude.
It influences all decisions and activities of an organization.
Key factors are organizational structure and accountability.
Control Environment Objectives
The Control Environment sends the message that internal controls are an integral part of the organization and apply to everyone.
It includes:
• Integrity and ethical values
• Operating style and attitude
• Organizational structure and methods of assigning responsibility and authority
• Competence and reliability of people
• Influence of external entities
Management’s Responsibilities
Management’s responsibilities regarding the control environment include:
• Practicing ethics & integrity
• Committing to excellence
• Fostering positive employee morale
• Having a supportive attitude
• Setting the tone
• Providing direction and vision
• Hiring and keeping competent staff
What are Risks?
Risks are events that threaten the accomplishment of the organization’s objectives and mission.
Risks can be industry specific or enterprise-wide.
There are internal and external risks. Examples:
• Human error
• Failing to meet established goals
• Fraud
• System breakdowns
• Natural disasters
Risks
Risks vary and impact:
• Strategic efforts and corporate governance
• Operations
• Finance
• Reporting
• Compliance
They change over time. Not all risks are equal – some are more likely to occur than others, while some have greater impact than others.
It is important to identify the probability of the event happening and its significance.
Too much trust and a lack of segregation of duties influence risk.
Fraud
Fraud is a common risk that should not be ignored. By definition, fraud is an intentional misrepresentation of a material existing fact made by one person to another with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage.
It may be made by omission or purposeful failure to state material facts, where the nondisclosure makes other statements misleading.
It must relate to an existing fact (not a promise) and must be made knowingly and intentionally (not by mistake)!
Causes of Fraud
Poor internal controls create opportunity for fraud!
Risk Assessment
Risk Assessment is the second element of internal control.
Risk Assessment is the identification and analysis of relevant risks in relation to the achievement of an organization’s objectives for the purpose of determining how best to manage those risks.
It determines what can go wrong.
The risk assessment process is an ongoing one, as internal and external threats constantly develop or change.
Risk Assessment
The purpose is to assess the likelihood and impact of the risk:
• Likelihood – The probability that an unfavorable event would occur.
• Impact – A measure of the magnitude of the effect on CDTA if the unfavorable event were to occur.
Questions to keep in mind:
o What can go wrong?
o What obstacles could keep you from achieving your goal?
o What’s the worst thing that could happen?
o What’s the worst thing that has happened?
5 Types of Risk
Strategic: Risks that prevent CDTA from achieving its overall mission and vision.
Operational: Risks that prevent a department or function from operating in the most effective and efficient manner, which disrupts other operations.
Financial: Risks that have significant financial impact on CDTA and may negatively impact.
Reporting: Risks that arise from failure to document and report data timely and accurately.
Compliance: Risks that may expose CDTA to fines and penalties from a regulatory agency for non-compliance with laws and regulations.
Managing Risks
Management needs to think continuously about:
• How to manage risk day-to-day
• How to prevent risk
• How to manage risk during change
Management needs to determine the level of risk that is acceptable or not acceptable.
Management needs to either accept the risk or establish control activities to prevent or mitigate the risk.
Accepting Risk
Management may accept the risk if it is not very significant.
Management may choose to accept the risk if the cost associated with implementing control activities is greater than the cost of the event, should it occur.
Preventing or Reducing Risk
Sometimes management cannot accept the risk; therefore management must establish controls that work to prevent the risk from occurring or at least reduce the risk to an acceptable level.
Management must identify the most effective and efficient control activities for handling the risk by:
• Evaluating the cause of the risk
• Identifying the cost of the control vs. the cost of the event happening (cost-benefit analysis)
• Prioritizing the risk
Control Activities
As the third element of internal control, Control Activities are tools used to reduce and prevent risks that can impede accomplishment of the organization’s objectives and mission.
They occur throughout CDTA at all levels and functions.
They are important to both automated and manual systems. Examples:
• Authorized signatures required on checks
• Computer passwords
• Preventative maintenance schedules
• Policy and procedure manuals
• Segregation of duties
Cost vs. Benefit
The cost of the control activities should not be greater than the cost of the potential loss!
A cost-benefit analysis is done in which positive factors are identified, quantified and added, and negative factors are identified, quantified and subtracted, to determine the net result; the net result then determines whether the control is acceptable.
Monitoring
As the next element of internal control, monitoring is the review of an organization’s activities to assess performance and to determine the effectiveness of controls.
It provides feedback to management and others by means of routine, on-going managerial and supervisory activities, as well as through the use of separate evaluations conducted by Internal Audit.
Examples:
• Internal audits
• Bank reconciliations
• Driver Vehicle Inspection Reports (DVIRs)
• Preventative Maintenance Inspections (PMIs)
Information & Communication
As the final element of internal control, Information & Communication exchanges information between and among people and organizations.
They fulfill many needs, including:
• Conveying organizational goals, objectives, policies, procedures, performance targets, ethics, and expectations
• Conveying operational and financial information
• Coordinating activities
• Expressing the needs, goals, and accomplishments of employees
• Expressing the needs of CDTA’s customers and the public as a whole
• Demonstrating accountability, performance and reliability both internally and externally
The paths of communication must be found throughout CDTA and must flow internally, upward, downward and across, as well as externally.
Communication and Information Systems
Communication is the exchange of useful information to support decisions and coordinate activities.
Information systems allow for more effective communication in order to carry out responsibilities.
Both are essential to the organization, should be tailored to the user, and must provide information that is:
• Accurate
• Complete
• Timely
• Useful
Everyday Internal Controls
Think about your own internal controls and the things you do:
• Lock your house and your vehicle
• Keep your checkbook in a safe place
• Set up a username and password for on-line banking
• Review your credit card statements before paying them
• Reconcile your bank statement
• Maintain a budget for household expenses
• Keep your ATM debit PIN separate from your card
• Have your children ask for permission before they do certain things
CDTA Internal Control Examples
• CDTA offices are locked when not occupied
• Computer passwords are periodically changed
• Check purchase card charges against source documents
• Check management reports against source documents
• Compare actual cash received in Treasury to GFI fare box reports
• Reconcile bank statements
• Perform preventative maintenance on buses and fare boxes
• Perform pre-trip inspection of buses
• Ask for certain permissions and authorizations
Importance of Internal Control & Risk Assessment Process
In order to succeed, we must:
• Manage our operations effectively and efficiently
• Provide reasonable assurance we are meeting our goals and objectives
• Manage and mitigate risks
• Protect resources from fraud, waste and abuse
• Be accountable to employees, customers, stakeholders, vendors, and the public
• Adhere to the Internal Control Act
NYS Internal Control Act
In 1987, the Legislature enacted the NYS Governmental Accountability, Audit and Internal Control Act, which highlighted the need for management to promote good internal controls and accountability in government. This law was later updated and made the Internal Control Act effective January 1, 1999.
The 6 areas of responsibility mandated are:
1. Establish & maintain guidelines for a system of internal controls
2. Establish & maintain a system of internal controls and a program of internal control review
3. Make available to each officer and employee a clear & concise statement of generally applicable management policies and standards with which the officer or employee shall be expected to comply
4. Designate an internal control officer (ICO) who shall report to the CEO and who will implement and review internal control responsibilities. The identity of the ICO should be communicated to all employees.
5. Implement education & training efforts for officers and employees to ensure adequate awareness and understanding
6. Periodically assess the need to establish, maintain or modify an internal audit function
Internal Control Officer Role
The ICO has the responsibility for coordinating, maintaining and reviewing internal control activities for CDTA.
The current ICO is Margie Harvey. The ICO position does not in any way diminish the responsibility of all managers to oversee internal controls in their operations.
The ICO is responsible for managing the annual “Internal Control Review and Certification” process and does so in conjunction with the Internal Audit Assistant (IAA).
Internal Audit Role
Internal Audit (IA) has the responsibility for evaluating the effectiveness of internal control through a review of systems and processes.
Further, in order to identify potential audit areas, IA must review specific risk factors including operational deficiencies, internal control weaknesses, and liabilities to the organization.
IA must establish an audit plan that focuses on the highest areas of risk to increase audit efficiency and effectiveness.
Annual Internal Control Review & Risk Assessment Process
Managers are required to evaluate the internal controls for their department. This is done through a risk vulnerability and internal control review self-assessment by management for their respective departments and functions. Each manager is required to certify that the information submitted is true and correct.
The “Internal Control Review and Certification Process” occurs annually at CDTA in March and is coordinated by the ICO and the Internal Audit Assistant.
Before 2011, CDTA was required to certify its internal controls to the NYS Division of Budget (DOB). With the advent of the Authority Budget Office, CDTA is no longer required to certify its internal controls to DOB. However, in order to be in compliance with the Internal Control Act, CDTA is required to review its internal controls at least annually.
Management’s Role
• Complete an Internal Control Self-Assessment Survey
• Define key departmental functions and the risks associated with them
• Rate the likelihood and impact that risks will occur
• Determine whether there are effective internal controls in place to carry out goals and objectives and to mitigate any risks
Where do we go from here?
Directors and Department Heads are responsible for periodically assessing internal controls.
Self-assessment of each department’s internal controls and risks is key to carrying out departmental goals and objectives, as well as to adhering to CDTA’s fundamental mission.
How is this accomplished?
Step 1: Complete the Internal Control Self-Assessment Survey
Internal Control Self-Assessment Survey
CDTA Internal Control Self-Assessment
Department: _____________________________________
Department Head/Director/Manager: __________________________
Control Environment
General Questions (answer each: Always / Sometimes / Never):
• Does your department have a clearly defined, documented and communicated mission?
• Is your department's organizational structure documented and well structured with effective delegation of authority and responsibility?
• Are policies and procedures reasonable and consistent?
• Are policies and procedures documented?
• Does your Department place sufficient emphasis on the importance of integrity, ethical conduct, fairness and honesty when dealing with employees, vendors, and other organizations?
• Are your managers, supervisors and employees committed to doing a good job with high ethical standards and integrity?
• Does your department have a supportive attitude toward internal controls?
• Do your employees understand their responsibilities and limits to their authorities?
• Do your managers, supervisors and employees have the qualifications, knowledge and skills to perform their jobs adequately?
• Do you have open and effective communication channels within your department?
• Do open and effective communication channels exist within the organization as a whole?
• Are managers, supervisors and employees informed of the organization's goals, policies, objectives, job duties and ethical values?
Step 2: Define key functions of your department and the risks associated with them. Determine the risks in terms of strategic (executive management only), operational, financial, reporting and compliance risks.
Step 3: Rate the likelihood and impact of the risk in the event that it will occur.
Instructions:
(Step #1) List a minimum of five (5) high risk functions of your department that you have examined this past year & the associated risks. Rate the impact that each function has to CDTA. Rate the likelihood that the associated risk will occur. Then, total your impact rate plus your likelihood rate to get your risk factor.
(Step #2) Using the "ICR: Existing Controls, Weaknesses, Corrective Actions" page, identify the existing internal controls for those functions, weaknesses associated with those functions, and your planned corrective action.
Internal Controls Review: Function & Risk Assessment
Form columns: Departmental Function | Strategic Risks | Associated Risk: High/Medium/Low | Impact | Likelihood | Operational Risks | Associated Risk: High/Medium/Low | Impact
Certification: I have reviewed the functions and risks for the department to help assess and manage risk. I understand that this self-assessment is subject to audit and verification.
Signature: __________________ Date: __________
Internal Controls Review Form
Step 4: Determine whether you have effective internal controls in place to mitigate those risks, identify whether they are effective and whether they can be improved or changed, and note the corrective action either implemented or to be implemented.
Internal Controls Review: Existing Controls, Weaknesses, Corrective Actions
Department: __________________ Date: __________
Form columns: Existing Internal Controls | Effectiveness (Y or N) | Weaknesses | Corrective Actions
Next Steps:
Internal Control Officer (ICO):
• Reviews the forms for completeness
• Meets with managers as necessary
Internal Audit Assistant (IAA):
• Reviews forms for areas of risk and control
• Meets with managers as necessary
• Summarizes the risk data for senior management
• Reviews forms to formulate the annual Audit Plan
Case Study
Case of the transmission purchase
Jill, a senior staff assistant, has a company procurement card. Her manager, Anna, is out of town on company business and will not be in the office for 3 weeks. On Wednesday, Jill’s car wouldn’t start. She desperately needed a transmission, which her mechanic replaced. When paying for the repairs to her vehicle, which totaled $2,898.93, she accidentally used the company procurement card to pay for the repairs. On Thursday, Jill received a notice from American Express confirming the purchase, at which point she realized her mistake.
The statement arrived a week later and Jill, failing to disclose her personal purchase, asked Jack, the department head, to approve the statement in Anna’s absence. By the time Anna returned, Jill had been unable to save enough money to repay the company for the car repairs. Since Anna had not seen the statement and it had already been approved and processed for payment by Finance, Jill decided not to bring it up. She had been an exceptional employee for 15 years and had seen many of her co-workers receive bonuses. She decided it was her turn. This would be her bonus, she rationalized. She had earned it!
Case Study: Questions
Take a moment to answer these questions before going to the next slide.
• What internal controls were sidestepped by Jill?
• Did Jill commit fraud?
• Which internal control element does fraud come under?
Case Study: Control Concerns
Internal controls that could have mitigated fraud were sidestepped, including:
• Jill did not comply with procedure when she used the company procurement card for personal use. (This is a weakness in the control activity.)
• Integrity and ethical values were set aside when Jill did not disclose her fraud. She knowingly omitted a material fact, that one of the purchases was for personal use, and rationalized that she deserved it, in addition to the pressure of being short of funds. (This is a high risk area, in addition to a weakness in communication and information.)
• The department head failed to review the credit card statement and compare it to source documentation. Had he reviewed the original receipt, he should have seen Jill’s signature. (This is a weakness in both the control environment and monitoring.)
While fraud is evaluated under the element of risk assessment, this case study showed weaknesses in each of the elements of internal control.
Take a Quick Quiz
Who is the Internal Control Officer?
a) Margie Harvey
b) Dorraine Teitsch
c) Carm Basile
Who has a role in Internal Control?
a) Management only
b) Operators and maintenance personnel only
c) Everyone
What are the 5 elements of Internal Control?
a) Integrity, Ethics, Fraud, Risk Assessment, Auditing
b) Control Environment, Risk Assessment, Control Activities, Monitoring, Information and Communication
c) Control Environment, Fraud, Control Activities, Monitoring, Information and Technology
Quiz continued
What are risks?
a) Events that threaten CDTA’s mission and objectives
b) Fraud
c) Human Error
d) System breakdowns and natural disasters
e) All of the above
What is the importance of internal control and risk assessment?
a) To operate effectively and efficiently
b) To provide reasonable assurance that CDTA is meeting its goals & objectives
c) To manage and mitigate risks
d) To protect resources from fraud, waste & abuse
e) All of the above
Answers: a, c, b, e, e
Remember: You’re on the roll with Internal Control and Risk Assessment!