INTERNAL CONTROLS
2/2/2012 – Mt. Laurel2/7/2012 – Rockaway
2/9/2012 – Robbinsville
Internal Control Guide
• State of New Jersey• Office of the State Comptroller• A. Matthew Boxer, State Comptroller
• November 2011• Report of Fraud Toll Free Hotline 1-866-OSC-TIPS
• Link• http://www.nj.gov/comptroller/doc/internal_control_guide_nov_2011.pdf
Management of Organization
Four Basic Functions
– Planning– Organizing– Leading– Controlling
Effective Management
Allows Managers to:
– Delegate responsibilities to staff
– Have comfort that expectations will be realized
What is Internal Control
COSO (Committee of Sponsoring Organizations)
A process…designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations– Reliability of financial and management data– Compliance with applicable laws and regulations
– Safeguard resources against loss
Internal Control System
• Integral part of managing any organization
• To meet goals and objectives system includes:– Plans– Methods– Procedures
• First line of Defense in safeguarding assets
• Preventing and detecting errors and fraud
IMPORTANCE
• Keeps organization on course• Protects organization by catching small mistakes
• Protects organization by mitigating opportunities for innocent mistakes or internal fraud
• Impacts organization’s people, processes, and physical structure
Fundamental Concepts
• Internal Controls will change with organizational changes
• Degree of control employed is a business judgment
• Cost should not exceed benefit derived
Fundamental Concepts
• Considerations of Weaknesses– Increase supervision– Institute additional or compensating controls– Accept the risk inherent with the control weakness
Fundamental Concepts
• Organizational Self Regulation– Affects every aspect including staff, processes and operations
– Integrated into day-to-day operations and responsibilities
– Incorporates the qualities of good management– Depends upon people– Must make sense within each unique environment
LIMITATIONS• Human errors and poor judgments• Controls can be circumvented by collusion
• Management can intentionally override controls
• Excess costs can prevent management from implementing ideal controls
• More controls are not always better• Balance between risk and controls
– Proactive– Value-added– Cost effective– Decrease exposure
Design Considerations
– Organizational size– Organizational structure– Nature of business operations– Diversity and complexity of operations
– Method of transmitting, processing, maintaining and accessing information
– Applicable legal and regulatory requirements
ONE SIZE DOES NOT FIT ALL!
FRAMEWORK COMPOENENTS
• Control Environment• Risk Assessment• Control Activities• Information &
Communication• Monitoring
Control Environment• Integrity and Ethical Values• Commitment to Competence• Organizational Structure• Organizational Structure• Delegation of Authority and Responsibility
• Relationship with Oversight Agencies• Human Resources Policies and procedures
Risk Assessment• Risk Identification
– Change in operating cycle– New employees– New or enhanced technology systems– New programs– New and revised laws and regulations
• Questions to Ask– What could go wrong– What is worst case scenario– What would cause us to fail– What areas are we most vulnerable– What assets do we need to safeguard
Risk Assessment• Methods
– Periodic management conferences– Executive round tables– Forecasting– Strategic planning– Consideration of findings from audits– Other assessments
• Risk Management– Accept the risk and not institute further controls– Share the risk– Reduce the risk by instituting controls– Avoid the risk by avoiding the function
Control Activities – Specific Policies and Procedures
• Security Assets• Segregation of Duties• Authorization of Activities• Approval, Verification and Reconciliation
• Adequate Documentation• Information Processing• Independent Performance Review
Security Assets
• Unique user IDs and passwords• Physical security of tangible and intangible assets
• Backup for computer records and programs – secure offsite facility
• Disaster recovery plans• Performing periodic unannounced verifications
Segregation of Duties
• Prevent one person from performing incompatible duties
• Require responsibility for operations be separate from related record-keeping
• Ensure three functions of authorizing, recording, and maintaining assets are separate
Authorization of Activities
• Define parameters– Execution of transactions– Requirement of signature– Appropriate monetary thresholds– Documentation requirements adhered to
Approval, Verification and Reconciliation
• Identify activities or transactions that require supervisory approval
• Require supervisory approval to ensure transaction has been validated and conforms
• Prior to transaction review all supporting documentation
Adequate Documentation
• Concise and clear• Implementation of storage and retention policies
• Documents periodically verified to ensure accountability and compliance
Information Processing
• Access within the computing environment controlled by unique user passwords
• Change passwords on a periodic basis
• Restrict Access
Independent Performance Review
• Periodic reconciliations performed• Comparison of different sets of data to identify differences
• Implement necessary corrective actions
• Management review of reports, statements, reconciliations
• Comparison of information about current performance
INFORMATION COMMUNICATION
RelevantReliableTimely
Information and Communication
• Written policies and procedures• Mission statements, goals and objectives• Organization charts• Job descriptions and performance evaluations
• Training materials• Period reports measuring progress towards goals
• Internal/external audit report• Financial reports
Types of Communication
• Performance and management systems• Information systems• Policy and procedure manuals• Management directives• Memos and e-mails• Internet and intranet• Speeches and briefings
Characteristics of Effective Communication
• Relevant information on operational performance
• Current, accurate, complete and timely
• Shared with appropriate staff at right time
• Management receptive to employee recommendations
• Appropriate channels
MONITORING
Assessment of Internal Control performance over time- Self Assessments- Peer Reviews
- Internal Audits
Monitoring should focus on:
• Control Activities• Mission• Control Environment• Communication• Risk and Opportunities
Fraud Awareness
Common Anti-fraud measuresThree elements Present when
Fraud OccursTypes of Fraud
Examples
Common Anti-Fraud Measures
• External Audits• Internal Audits• Fraud Training• Surprise Audits• Establishment of hotline
Three Elements Present
• Opportunity– Caused by ability to circumvent internal controls or internal control weaknesses
• Motive– Pressure or perceived pressure – financial– Greed– Revenge– Thrill Seeking
• Rationalization– Excuse or perceived validation for action
Types of Fraud
• Management Fraud– Top management’s manipulation of financial statements
• Employee Fraud– Embezzlement of assets
• Vendor– Overcharging for goods– Shipping inferior goods– Not shipping goods but billed and payment received
Examples of Fraud
• Theft or misappropriation of assets• Fictitious revenues or
disbursements• Check tampering• Fictitious refunds• Fictitious vendor or employee
payments• False statements• False Overtime• Forgery or alteration of documents• Invoice Kickbacks• Bid Rigging
• Unauthorized use of records• Falsification of Reports• Conflicts of interest• Inaccurate employment records• Authorizing or receiving
compensation for hours not worked
• Incurring obligation in excess of appropriate authority
• Willful violation of laws, regulations, policies or contractual obligations
Indicators of Fraud
• Unsupported or unauthorized transactions
• Missing or altered documents• Inconsistent, vague, or
implausible responses• Denial of access to records• Unusual delays in providing
requested information• Numerous complaints• Significant transactions involving
related-parties• Inadequate or absent internal
controls
• Analytical anomalies• Unexplained inventory shortages• Purchases in excess of needs• Excessive voided transactions• Cash shortages
• A CRITICAL COMPONENT IS PROPER EDUCATION OF EMPLOYEES CONCERING FRAUD AWARENESS
• THE PERCEPTION OF THE POSSIBILITY OF DETECTION IS THE BIGGEST DETERENT
Top Related