Internal Controls, Risks and You March 2012 Created by: Dorraine Teitsch & Margie Harvey
What is Internal Control? Definition – It is a combination of activities, plans, attitudes, policies and efforts of CDTA employees working together to provide reasonable assurance that CDTA will achieve its objectives and mission.
Who has a role in Internal Control? Everyone! Everyone at CDTA has responsibility for ensuring the internal control system is effective. We do this by maintaining a positive work environment, fulfilling our duties and responsibilities, while striving to meet performance standards and following company policies and procedures.
Internal Control Objectives: There are four: • Reliable financial statements, • Operational efficiency and effectiveness, • Compliance with laws and regulations, • Safeguarding resources from abuse, fraud and waste.
OK – So let’s review – • What exactly are Internal Controls? • Internal controls consist of systematic measures (reviews, checks and balances, methods and procedures) that are designed to: • Protect assets • Conserve resources • Comply with laws and regulations • Help CDTA meet its goals and objectives • Mitigate risk • Protect information • Manage change as optimally as possible
FIVE ELEMENTS OF INTERNAL CONTROL: “The COSO Model” Monitoring Information & Communication Control Activities Risk Assessment Control Environment
Control Environment • It is the foundation for all other components! • It encompasses “tone at the top” and management’s style, philosophy and supportive attitude. • It influences all decisions and activities of an organization. • Key factors are organizational structure and accountability.
Control Environment Objectives: • The Control Environment sends the message that internal controls are an integral part of CDTA and apply to everyone. • It includes: • Integrity and ethical values, • Operating style and attitude, • Organizational structure and methods of assigning responsibility and authority, • Competence and reliability of people, • Influence of external entities.
Case Study #1 Biweekly, the Chief Executive Officer invites 8 to 10 employees from various departments to meet with him during lunch. The purpose of these meetings is to exchange thoughts and ideas about CDTA. During these meetings he discusses CDTA’s goals and asks for feedback. He also expresses that everyone is key to CDTA’s success. • Is this important? Yes. It encompasses “tone at the top” and management’s style, philosophy and supportive attitude. • Does this set the tone for the organization? Yes. The meetings address his operating style, attitude, philosophy, integrity, ethical values and organizational structure.
Risk Assessment • Risk Assessment is the second element of internal control. • It is the identification and analysis of relevant risks in relation to the achievement of an organization’s objectives for the purpose of determining how best to manage those risks. • It determines what can go wrong. • The risk assessment process is an ongoing one as internal and external threats constantly develop or change.
Risk Components: • Risks are events that threaten CDTA’s objectives and mission. • Risks change over time. • There are internal and external risks. • Not all risks are equal. Some risks are more likely to occur, while others may have a greater impact. • Risks impact strategic and compliance efforts, operations, finances. Examples: • Human error • Failing to meet established goals • Fraud • System breakdowns • Natural disasters
Risk Assessment • The purpose is to assess the likelihood and impact of the risk: • Likelihood - The probability that an unfavorable event will occur. • Impact - A measure of the magnitude of the effect on CDTA if the unfavorable event were to occur. Questions to keep in mind: • What can go wrong? • What obstacles could keep you from achieving your goal? • What’s the worst thing that could happen? • What’s the worst thing that has happened?
Case Study #2 A CDTA bus returns to the Albany garage with various defects during a snow storm. The defects include a small crack in the windshield and inoperable ADA announcements. The bus was evaluated and returned to tripper service. • Did the foreman assess the risk correctly? Yes. The small crack in the windshield did not obstruct the operator’s view and it was less than an inch in size. As the radio announcements were inoperable, the operator was able to call out the various stops along his trip for the passengers.
Fraud is a common risk! Causes of Fraud Poor internal controls create opportunity for fraud!
Case Study #3 An employee’s spouse lost his job. Several bills are delinquent and the monthly mortgage is due. The employee’s time is recorded as 18 hours of overtime, but she only worked 2 hours overtime. She notices that the incorrect time was submitted for her, but failed to alert her supervisor of the error. She needed the money and felt she had worked hard over the years and deserved it. • Is this fraud? Yes. All three elements of fraud exist: pressure, opportunity and rationalization.
Control Activities • As the third element of internal control, Control Activities are tools used to reduce and prevent risks that can hinder accomplishing CDTA’s objectives and mission. • They occur throughout CDTA at all levels and functions. • They are important to both automated and manual systems. Examples: • Authorized signatures required on checks • Computer passwords • Preventative maintenance schedules • Policy and procedure manuals • Signed Contracts • Segregation of duties
What’s Wrong With This Picture? A department supervisor submitted a travel voucher that included personal expenses incurred on a trip not covered under the CDTA’s travel policy amounting to $750. This supervisor also happens to be responsible for approving all of the department’s travel expenses, including his own. And the answer is... No employee should be permitted to approve their own expense reimbursements. In this case, the supervisor’s manager should have reviewed the expense reimbursement documents and approved the reimbursement before submission for payment. This is a weak control activity regarding authorization & approval.
Case Study #4 CDTA performed a benefits dependent audit for cost savings. The criteria for a dependent needed to be provided, which included a spouse, child, step-child, adopted child, and legal custody of a minor, as per the health insurance contracts held by CDTA with the various health care providers. The health care providers supplied a list to CDTA of each employee with covered dependents. The employee was then asked to provide proof of dependency (i.e., marriage certificate, family court documents, birth certificate, etc.). HR staff then reviewed the documents and verified dependent eligibility and notified the health care providers accordingly to adjust their records. CDTA saved over $100,000. • How many control activities can you identify? Establishing criteria for a dependent; the health insurance contracts; the list; providing employee proof of dependency; HR review & verification; notification of adjustments to the health care providers.
Monitoring • As the next element of internal control, Monitoring is the review of an organization’s activities to assess performance and to determine the effectiveness of controls. • It provides feedback to management and others by means of routine, on-going managerial and supervisory activities, as well as through the use of separate evaluations conducted by Internal Audit. • Examples: • Internal audits • Bank reconciliations • Driver Vehicle Inspection Reports (DVIR’s) • Preventative Maintenance Inspections (PMI’s)
Case Study #5 Every October CDTA must report to the federal government various performance measures that occurred during the previous fiscal year. Failure to do so impacts our external funding substantially. As part of the report, some of the performance measures include ridership per revenue hour, the mean distance between failures, passenger boardings, missed trips, on-time performance, fuel usage, accidents, operational expenses by mode (fixed or flexible), etc. Prior to the submission, this information is reviewed regularly by CDTA personnel and tied to various goals and objectives. Eventually our information is then reviewed and compared to other transit agencies. • Do these activities represent monitoring and if so, describe? Yes, the continual review and monitoring of information provides a wealth of knowledge internally and externally to ultimately meet CDTA’s goals and objectives.
Information & Communication • As the final element of internal control, Information & Communication exchanges information between and among people and organizations. • They fulfill many needs, including: • Conveying organizational goals, objectives, policies, procedures, performance targets, ethics, and expectations, • Conveying operational and financial information, • Coordinating activities, • Expressing the needs, goals, and accomplishments of employees, • Expressing the needs of CDTA’s customers and the public as a whole, • Demonstrating accountability, performance and reliability both internally and externally.
Communication and Technology • The paths of communication must be found throughout CDTA and must flow internally, upward, downward and across, as well as externally. • Technology allows for more effective communication. • Both are essential to the organization, should be tailored to the user, and must provide information that is: • Accurate • Complete • Timely • Useful
Case Study #6 An operator notices the check engine light come on during his run. The operator radios Central Communications to notify them of the light. Central Communications in turn contacts a foreman. They also instruct the driver to pull the bus over in a safe location and shut it down. The foreman dispatches a mechanic and tow truck to perform a road call. The mechanic assesses the situation and calls the foreman to let him know the bus will be towed. In the meantime, another bus has been dispatched so as not to interrupt service. • Does this display the exchange of communication through information and technology? Yes. The radio system provided an effective system of communication between transportation and maintenance, while the paths of communication flowed up and down demonstrating coordinating activities to meet the needs of CDTA and its customers.
Everyday Internal Controls • Think about your own personal internal controls and the things you do: • Lock your house and your vehicle • Keep your checkbook in a safe place • Set up a username and password for on-line banking • Review your credit card statements before paying them • Reconcile your bank statement • Maintain a budget for household expenses • Keep your ATM debit PIN separate from your card • Have your children ask for permission before they do certain things
What Happens When Controls Break Down? Well, let’s look at another example of a lack of controls…
Anything Wrong Here? • A department within CDTA is planning an official event. An employee of the department goes to the local grocery store to purchase some items necessary for the event and charges the items on the company credit card. The purchases included a 25-lb turkey for his family’s Thanksgiving dinner. At the end of the month he forwards the monthly charge statement to his supervisor and includes the charge card receipt showing only the total of the grocery store transaction amounting to $350 to his supervisor. His supervisor was very busy that day, so the purchase was approved without reviewing the supporting documentation.
Supervisory approval should not be given until all relevant backup documentation has been carefully reviewed and reconciled to applicable charges. Receipts should provide an itemized list of goods purchased. Let’s Talk Turkey… Adequate documentation supporting all reimbursements must be reviewed
NYS Internal Control Act • In 1987, the Legislature enacted the NYS Governmental Accountability, Audit and Internal Control Act which highlighted the need for management to promote good internal controls and accountability in government. This law was later updated and made the Internal Control Act effective January 1, 1999. • 6 areas of responsibility mandated are: • Establish & maintain guidelines for a system of internal controls. • Establish & maintain a system of internal controls and a program for internal control review. • Make available to each officer and employee a clear & concise statement of generally applicable management policies and standards with which the officer or employee shall be expected to comply. • Designate an internal control officer (ICO) who shall report to the CEO and who will implement and review internal control responsibilities. The ICO should be communicated to all employees. • Implement education & training efforts for officers and employees for adequate awareness and understanding. • Periodically assess the need to establish, maintain or modify an internal audit function.
Internal Control Officer Role • The ICO has the responsibility for coordinating, maintaining and reviewing internal control activities for CDTA. • The ICO is Margie Harvey. • The ICO position does not in any way diminish the responsibility of all managers to oversee internal controls in their operations. • The ICO is responsible for managing the annual “Internal Control Review and Certification” process and does so in conjunction with the Internal Audit Assistant (IAA).
Internal Audit Role • Internal Audit (IA) has the responsibility for evaluating the effectiveness of internal control through a review of systems and processes. • In order to identify potential audit areas, IA must review specific risk factors including operational deficiencies, internal control weaknesses, and liabilities to the organization. • IA must establish an audit plan that focuses on the highest areas of risk to increase audit efficiency and effectiveness. • The Internal Audit Assistant is Dorraine Teitsch.
Annual Internal Control Review & Risk Assessment Process • Managers are required to evaluate their departmental internal controls. This is done through a risk vulnerability and internal control review self-assessment. Each manager is required to certify that the information submitted is true and correct. • The “Internal Control Review and Certification Process” occurs annually at CDTA in March and is coordinated by the ICO and the IAA. • Before 2011, CDTA was required to certify its internal controls to the NYS Division of Budget (DOB); however, with the advent of the Authority Budget Office, CDTA is no longer required to certify this to DOB. However, in order to be in compliance with the Internal Control Act, CDTA is required to review its internal controls at least annually.
Next Steps... Internal Control Officer (ICO): • Reviews the certification forms for completeness; • Meets with managers as necessary. Internal Audit Assistant (IAA): • Reviews forms for areas of risk and control; • Meets with managers as necessary; • Summarizes the risk data for senior management; • Reviews forms to formulate annual Audit Plan.
Take a Quick Quiz Who is the Internal Control Officer? • Margie Harvey • Dorraine Teitsch • Carm Basile Who has a role in Internal Control? • Management only • Operators and maintenance personnel only • Everyone What are the 5 elements of Internal Control? • Integrity, Ethics, Fraud, Risk Assessment, Auditing • Control Environment, Risk Assessment, Control Activities, Monitoring, Information and Communication • Control Environment, Fraud, Control Activities, Monitoring, Information and Technology
Quiz continued What are risks? • Events that threaten CDTA’s mission and objectives • Fraud • Human Error • System breakdowns and natural disasters • All of the above What is the importance of internal control and risk assessment? • To operate effectively and efficiently • To provide reasonable assurance that CDTA is meeting its goals & objectives • To manage and mitigate risks • To protect resources from fraud, waste & abuse • All of the above Answers: a, c, b, e, e
Remember: You’re on a roll with Internal Control and Risk Assessment!