Controls 101 v6

  • 8/8/2019 Controls 101 v6

    FM Controls 101

    Internal Controls: What are they and why should I care?

    Donald Harvey, CPA, CIA

    Course Objective

    1. Understand what internal control is and define the various types of internal controls.

    2. Understand the approach you should use to identify controls within your work stream.

    What is Internal Control?

    Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives:

    Effectiveness and efficiency of operations

    Reliability of financial reporting

    Compliance with applicable laws and regulations

    Reasonable Assurance: includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis.

    11/1/2010

    Internal Control Key Concepts

    Internal control is a process. It's a means to an end, not an end in itself.

    Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of the organization.

    Management, not auditors, must establish and maintain the entity's controls.

    No system can be regarded as completely effective.

    Should be applied to both manual and computerized systems.

    Elements of Internal Controls

    Internal control consists of five interrelated components:

    1. Control Environment

    2. Risk Assessment

    3. Control Activities

    4. Information and Communication

    5. Monitoring

    Elements of Internal Controls

    1. Control Environment: The control environment establishes the overall tone for the organization and is the foundation for all other components of internal control.

    There are seven sub-components of the control environment:

    Integrity and ethical values

    Commitment to competence and development of people

    Management's philosophy and operating style

    Organizational structure

    Assignment of authority and responsibility

    Human resources policies and procedures

    Participation by those charged with governance (i.e. board of directors, audit committee)

    Elements of Internal Controls (cont.)

    2. Risk Assessment: For an entity to exercise effective control, it must establish objectives and understand the risks it faces in achieving those objectives.

    The process of identifying and analyzing risks is an ongoing iterative process. The sub-components for the risk assessment include:

    Entity-wide objectives: Does the entity have approved entity-wide objectives that are aligned with the strategic plan?

    Activity-level objectives: Are activity-level objectives consistent with entity-wide objectives and are they relevant?

    Risk Analysis: Are there mechanisms to identify risks, from both internal and external sources, that could prevent the entity from achieving its objectives? Is the process thorough and relevant?

    Mechanisms for change: Are there adequate mechanisms to identify change for routine events and for events that may have a pervasive impact on the entity?

    Elements of Internal Controls (cont.)

    3. Control Activities: Control activities are the controls implemented to prevent or detect errors or fraud that could result in material misstatement in financial statements. Control activities occur throughout the organization, at all levels, and in all functions.

    Physical Safeguards and Security: Access to physical assets and information systems is controlled and properly restricted to authorized personnel.

    Error Handling: Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.

    Segregation of Duties: Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.

    Authorization & Approvals: All transactions are pre-approved by responsible personnel.

    Completeness: All valid transactions are included in the accounting

    Accuracy: All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner.

    Validity: All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.

    Elements of Internal Controls (cont.)

    4. Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.

    Types of information to consider when evaluating the information and communication component of a company's internal control:

    Accounting Systems

    Policy Manuals (including financial reporting manuals)

    Management's Reports

    Accounting Policy Updates

    Technical Updates

    Training

    Newsletters

    Staff Meetings

    Elements of Internal Controls (cont.)

    5. Monitoring: Effective monitoring is a process that assesses the quality of the system's performance over time. It includes the regular management activities as well as separate evaluations by central units, Internal Audit, or other independent parties.

    Examples of monitoring controls:

    Management Reviews

    Internal Audits

    Audit Committee Activities

    Disclosure Committee Activities

    Self-Assessment Review

    Types of Internal Controls

    There are two primary types of internal controls:

    Preventive Controls: designed to keep errors or irregularities from occurring in the first place

    Detective Controls: designed to detect errors or irregularities that may have occurred

    How Do I Use This?

    When documenting sub-processes, make sure that both preventive and detective controls are in place for each of the seven control activities.

    Control Activities

    1. Authorization & Approvals

    2. Completeness

    3. Accuracy

    4. Validity

    5. Physical Safeguards and Security

    6. Error Handling

    7. Segregation of Duties

    Control Types

    1. Preventive Controls

    2. Detective Controls

    Workstream Approach - What Can Go Wrong

    Use the What Can Go Wrong Approach to identify and document the controls related to your workstream.

    Proposed Workstream Approach:

    1. Identify and document controls related to the A-133 Audit Findings for your workstream (first priority)

    2. Identify and document other primary controls for your workstream by using the control activities (second priority)

    Process: Payroll
    What Can Go Wrong: What ensures that timecards correctly summarize time worked?
    Control Activity: Completeness
    Controls (P-Preventive; D-Detective):
    - Time reports are reviewed & approved before payment (P)

    Process: Payroll
    What Can Go Wrong: What ensures that payments are not made for time not worked?
    Control Activity: Validity
    Controls (P-Preventive; D-Detective):
    - Access to data/transaction files is appropriately restricted (P)
    - System will not generate paychecks for terminated employees (P)
    - Time reports are reviewed & approved before payment (P)
    - Costs by department are compared to budget (D)

    Process: Expenditures
    What Can Go Wrong: What ensures that expenditures are real?
    Control Activity: Validity
    Controls (P-Preventive; D-Detective):
    - Approval is required for changes to vendor master files (P)
    - Disbursements greater than specified dollar amounts require additional approval (P)
    - System matches purchase order, receiving report, and invoice prior to payment (P)

    Who is accountable for assurance that appropriate internal controls are in place?

    Management!!!!

    Who is responsible for the performance of internal control activities?

    Everyone!!!!

    Questions!