1. Internal Controls University Of Miami
Controller’s Office
2. Internal Control Objectives
Safeguard assets
From theft, embezzlement & kickbacks
Reliable and accurate financial and operating reports
Preventing material errors & omissions
Compliance with policies, plans, procedures, laws and regulations
Promote operational efficiency
Minimize misuse and waste
3. What Is Internal Control?
A process of managing risks that could impact the organization’s achievement of goals and objectives.
Internal control is anything that you do to safeguard the University’s assets or to make more efficient or effective use of these assets. Internal controls help your department achieve its objectives.
Textbook definition:
Internal control comprises the plan of organization and all the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal controls extends beyond those matters which relate directly to the functions of the accounting and financial departments.
4. What Types of Controls Are There?
Preventative
Stop undesirable outcomes before they happen
Processing vouchers only after signatures have been obtained from appropriate personnel
Detective
Identify undesirable outcomes after they happen
Reviewing department Pcard charges for personal charges
Corrective
Ensure that remedial action is taken to reverse undesirable outcome
Employee reimbursement of personal charges plus disciplinary action
Preventative controls are designed to discourage errors or irregularities from occurring.
Detective controls are designed to find errors or irregularities after they have occurred – reviewing departmental phone bills for personal calls.
5. Examples of Internal Controls
Reviewing monthly department financial reports.
Depositing cash receipts daily.
Segregating job responsibilities.
Keeping computer passwords secret.
Verifying the accuracy of another staff member’s work.
Locking the desk/office, especially in public areas.
Review R90s. On occasion Internal Audit will go to a department and ask for their R90s, and they are still in the envelopes.
6. Why Are Internal Controls Important?
Because adequate internal controls protect against the following:
Waste of University assets
Inaccurate or incomplete information
Misuse of University assets
Embezzlement and theft
7. Key Areas
There are 5 key areas to internal control as shown in the slide.
1. Control environment
2. Control activities
3. Risk Assessment
4. Monitoring
5. Information & Communication
8. Key Area 1 – Control Environment
The integrity, ethical values, & competence of management & employees
Employee training programs that provide information about the institution processes and raise expectations about performance
The process for delegating authority and responsibility
Control environment deals with the atmosphere found in the organization.
How strongly do top and middle management believe in integrity, honesty and ethical values?
What is management’s philosophy and operating style? Are the ethical values expected to be followed communicated or left to every staff member’s interpretation? Do we make our staff aware that there are rules that have to be followed in performing their jobs? Is this clearly communicated or is it taken for granted because we “trust” our staff?
I will leave it up to each of you to question yourself as to the last time you communicated with your staff regarding these issues.
Therefore, communicate & train on what is expected.
And question where you have delegated authority. Is that person fully aware of the responsibilities that delegation brings? Make it clear.
9. Key Area 2 - Risk
3. Risk
Exposure arises:
from internal sources such as employees
external sources such as vendors, consultants, computer hackers
10. Key Area 2 – Risk (Cont’d)
11. Key Area 2 – Risk (Cont’d)
12. Key Area 2 – Risk (Cont’d)
13. What’s at Risk?
Anything of value:
Identity (personal information)
Grades
Test Banks
Clinical Drugs
Cash
Inventory
Art Objects
14. Key Area 3 – Control Activities
Control activities
Approvals
Authorizations
Verifications
Reconciliation
Reviews (of operating performance)
Security (of assets)
Segregation of duties
15. Key Area 4 - Monitoring
Managers at all levels:
Are responsible for internal controls
Should monitor & report to Sr. Management &/or Internal Audit &/or Controller:
Operational problems
Deviations from established standards
Concerns about policy violations or illegal acts
16. Key Area 5 - Communication
Communicate with your staff
Stress the importance of internal control activities,
Make sure that personnel you supervise understand their role in the control structure
Include in job descriptions
Communicate your expectations
Assess effectiveness in annual evaluations
17. Internal Control by Functional Area
Cash receipts, revenue, petty cash
Procurement & disbursements
Payroll & personnel
Cost monitoring
Capital equipment and physical safety/security
Information systems
Sponsored programs
Tax matters
18. Cash Receipts, Revenue and Petty Cash
Segregation of duties is a must
Safeguard cash & checks
Deposit promptly
Have procedures for cash receipt processing, ensure that all employees are trained
Be familiar with the department’s nature & source of revenues – if it falls below expectations - investigate, analyze, compare data
Petty cash/Imprest fund – reconcile often
Segregation of duties – are the following responsibilities distributed among personnel so one person is not responsible for all aspects: opening mail, endorsing checks, preparing deposits and reconciling to budget statements?
Safeguarding of cash/receipts – are checks endorsed immediately upon receipt? Are receipts kept in a secure location until deposited? Is access to credit card terminals and cash registers restricted to authorized personnel?
Cash Receipt Processing – are deposits made daily and/or in compliance with Bursar guidelines? Are daily cash register readings recorded on the daily cash reports and reconciled to daily deposits?
Gift receipts – are receipts properly classified as gifts and gift transmittals prepared timely?
Employee reimbursements – are receipts properly classified as employee reimbursements and processed timely?
Nature and source of revenues – are revenue sources properly classified?
Petty cash – is access to the petty cash fund restricted to the petty cash custodian? Are petty cash disbursements made upon presentation of approved petty cash payout forms with supporting documentation?
19. Procurement and Disbursements
Segregation of duties is a must
Proper processing of disbursements
Maintain approval levels
Review employee reimbursements
Must follow university policy
Must include documentation
Segregation of duties – are the following responsibilities distributed among personnel so no one individual performs all aspects: requisitioning of goods or services, approving expenditures, receiving goods or services and reconciling disbursements to budget statements?
Proper processing of disbursements – are blank purchase requisition (PR) forms kept secure? Are records of numeric sequences kept for blank PR forms, so that missing forms will be detected? Are disbursements appropriate to University purpose? Is sales tax deducted before disbursements are made? Are payments made to independent contractors/consultants supported by a Consultant Services Form?
Approval Levels – are approval levels proper according to existing structure?
Travel and entertainment – indicate purpose of trip, dates traveling and names of attendees; provide corroborating support such as conference brochures; submit charges timely subsequent to the trip. Policies and procedures adhered to.
20. Payroll and Personnel
Must have segregation of duties
Time records, Overtime
Supervisor’s review prevents problems
Review labor distribution reports
Monitor time off
Become familiar with Human Resources policies & procedures
Segregation of duties – are payroll processing and reconciliation duties distributed among employees so that no single individual has control over all aspects of processing, custody of payroll checks, and reconciliation of the payroll expense distribution report to the budget statements? Does the supervisor maintain possession of time records after supervisory approval but before submission to Payroll for processing?
Overtime (OT) should be controlled by a) requiring supervisory permission prior to it happening; b) approving time sheets; c) reviewing labor distribution after the fact.
Monitoring Time Off – are records maintained to monitor and verify exempt vacation, sick, and personal days taken and available? Do supervisors review these records annually before a report is sent to Human Resources for annual vacation and sick time accrual?
HR Procedures – are performance evaluations documented in writing and discussed with the employee?
21. Cost Monitoring
Segregation of duties
Custodian, transaction preparer, approver & reconciler should be different individuals
Review and reconciliation of budget statements
Comparisons of budget to actual data should be performed on a monthly basis
Variances should have valid explanations
Validity of transactions
Without segregation of duties, theft and embezzlement are easier to perpetrate. Allowing staff to be tempted by an easy way to commit fraud should be avoided. Remember, it is easier to prevent problems than to face them after they occur. Recent problem discovered by Internal Audit in a routine departmental review: a staff member in a Medical department was able to set up patient appointments, requested payment from patients for coinsurance and certain procedures, issued receipts from a receipt book purchased in an office supply store, pocketed the money and reflected the appointment as cancelled in the billing system. Action: termination and a civil suit to recover the funds. $ lost
Monthly reconciliations allow the person with the responsibility to ensure that transactions are posted properly, that there is data supporting the transactions and that errors, if they occur, are corrected promptly. Recent example: a staff member obtains the supervisor’s signature on a time sheet. The time sheet is returned to the staff member to be sent to Payroll. Before submission, the staff member adds overtime hours never worked. Action: termination, civil action to recover funds. # lost. Could have been prevented by supervisor review of labor distribution.
Variances should be understood and have explanations. For instance, a revenue producing unit that is expected to have $500,00 in revenues based on prior year actual and current year projections has only $300,000. Ask yourself why. Is it that volume has decreased? Can that be substantiated by data? Has a deposit been posted to the wrong account? If there are no clear answers to the decrease, it can be an indication that some cash receipts are being diverted. Recent example: a department in CG, revenue typically at $600,000 per annum. It started decreasing three years ago. Volume, however, was increasing and therefore revenue should have gone up as well. In fact no one asked themselves why revenue went down. Once discovered in a routine audit, discovery of $400,000 worth of funds taken. Action: termination and civil action against the employee.
Expenses can also be inflated. Recent example: an inventory of supplies was purchased for a Medical department. The staff member in charge of purchasing was in collusion with the salesman. Once the supplies were received by the University, the staff member took them and gave them back to the salesman, who resold the supplies. Because this worked the first time, the staff member and the salesman increased the purchases and therefore the expenses charged to the University. No explanations were requested for the increases in expenses; IA found the problem in a routine review. $ lost. Employee terminated and arrested.
22. Capital Equipment & Physical Safety/Security
Disposed equipment reporting
Property records (financials, insurance)
Existence of capital equipment
UM tag
Safeguarding of capital equipment
Physical security
When University equipment is disposed of without completing proper documentation, the University records are not updated and the equipment is left as part of the University’s assets. This leads to incorrect external and internal financial reporting. In addition, records for insurance are not correct. A disposal or transfer of equipment form can be obtained by calling Property Accounting at 284-4658 or at http://www.miami.edu/controller/forms
The Property Accounting Department, a unit of the Controller’s Office, is responsible for identifying new equipment, placing a UM tag on the equipment, maintaining records on the equipment inventory, and performing a physical inventory count every two to three years.
23. Information Systems
Computing, networking policies & procedures
Protecting passwords
Safeguarding networks
Ensuring that terminated employees no longer have access to central and non-central systems
Never give your password(s) to anyone. By so doing, you are giving an unauthorized person access to the systems and screens to which you have access. The University keeps a record of who logs into a particular system. It also keeps an audit trail of who performed transactions. If the staff member uses your access to do a fraudulent transaction, all systems will point to you, not to the person who actually did it. Why risk this? If a staff member needs access to screens, every University system has forms that, once duly completed and approved by a supervisor, allow access to systems. Take the safe and proper route and follow University policy: do not give your password to anyone!
Networks are subject to outside hackers. Ensure that there is communication with IT (Gables & RSMAS) and Network Services (Medical School): build firewalls, require password protection, perform backups on a regular basis and decrease the possibility of having data destroyed.
When an employee terminates or transfers to a different department, access to central computer systems is terminated. If the employee is transferring to a different department, access to systems must be requested through completion of access forms. However, non-central systems do not have access to this information. Human Resources produces a monthly list of terminated employees and sends it to departments that have non-central computer systems. It is up to the terminating employee’s supervisor to ensure that his/her access is removed from any non-central computer system.
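Added example (not part of the original presentation or any University system): one way a department could reconcile the monthly HR list against the accounts of a non-central system, flagging accounts that are still enabled or were used after the separation date. The CSV layouts, column names and all records are assumptions constructed for illustration.

```python
"""Reconcile an HR termination/transfer list against a non-central system's accounts.

Added example: the CSV layouts and column names are assumptions, and every
record below is constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed sample: monthly HR list of separations (assumed columns).
HR_LIST_CSV = """employee_id,name,action,effective_date
E1001,Ana Ruiz,TERMINATED,2024-03-04
E1002,Ben Ortiz,TRANSFERRED,2024-03-11
E1003,Cy Lane,TERMINATED,2024-03-18
E1004,Di Moss,TERMINATED,2024-03-25
"""

# Constructed sample: account export from a departmental (non-central) system.
ACCOUNTS_CSV = """username,employee_id,enabled,last_login
aruiz,E1001,true,2024-03-09
bortiz,E1002,true,2024-03-08
clane,E1003,false,2024-03-15
clane-admin,E1003,true,
dmoss,E1004,false,2024-03-27
ekim,E2001,true,2024-03-28
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, accounts_csv):
    """Return findings for accounts that outlived their owner's separation.

    A finding is raised when an account owned by a listed employee is still
    enabled (transfers included, since access must be re-requested), or when
    it was used after the effective date, even if it has since been disabled.
    """
    separations = {}
    for row in _rows(hr_csv):
        separations[row["employee_id"].strip().upper()] = (
            row["action"].strip().upper(),
            date.fromisoformat(row["effective_date"].strip()),
        )

    findings = []
    for acct in _rows(accounts_csv):
        emp_id = acct["employee_id"].strip().upper()
        if emp_id not in separations:
            continue  # owner is not on this month's list
        action, effective = separations[emp_id]
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = acct["last_login"].strip()
        used_after = bool(last_login) and date.fromisoformat(last_login) > effective

        issues = []
        if enabled:
            issues.append("STILL_ENABLED")
        if used_after:
            issues.append("USED_AFTER_SEPARATION")
        if issues:
            findings.append({
                "username": acct["username"],
                "employee_id": emp_id,
                "action": action,
                "effective_date": effective.isoformat(),
                "issues": issues,
            })
    # Accounts used after separation sort first: they need review, not just cleanup.
    findings.sort(key=lambda f: ("USED_AFTER_SEPARATION" not in f["issues"], f["username"]))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_LIST_CSV, ACCOUNTS_CSV):
        print(f"{f['username']:<12} {f['employee_id']} {f['action']:<11} "
              f"effective {f['effective_date']}  {', '.join(f['issues'])}")
```

Matching on employee ID rather than username catches secondary accounts such as the constructed `clane-admin`, which a name-based check of the primary login would miss.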
24. Sponsored Programs
Government rules and regulations, agency specific guidelines & restrictions & UM policies and procedures require that expenditures:
Be reasonable, allowable & allocable
Have proper documentation & approvals
Include effort tracking and certification
Adhere to University Sponsored policies at: http://www.miami.edu/controller/ (follow the link to the policies on the left)
Sponsored programs reflect dollars awarded to the University to conduct investigations, to perform tasks, to train new researchers, etc. The awards are based on proposals submitted by a faculty member. The government, in awarding dollars for a project, requires that rules and regulations be followed. This training session is not meant to cover all rules and regs that Sponsored has. There is a separate training session that covers those. However, we want to bring to your attention that this area requires expertise and that training should be sought to familiarize yourselves with the rules, regs and policies that govern it. The Office of Inspector General (OIG) audits universities when fraud or misconduct in science is suspected.
These audits have, in other universities, placed holds on grant processes, barred universities from doing clinical trials, fined universities found to have broken the regulations in the millions, and required that an integrity compliance program be put in place with heavy government oversight. This can all be avoided here. Spend time in training. Learn what is expected and required regarding government rules and regs and UM policies and procedures.
25. Tax Matters
Sales tax reporting
Sales of books, rental of facilities
Unrelated business income tax (UBIT)
Alumni, sales of products, advertising, revenues from net proceeds rather than gross proceeds
Employee versus independent contractor
Control: work hours, job duties, how work will be performed, place where work will be done = usually employee
http://www6.miami.edu/controller/Taxes.doc
26. Internal Control – Who Is Responsible?
Now that we have defined it, who is responsible for internal control? The players are the Board, Upper management, Operating management and the Internal Audit Dept.
27. Internal Controls
Board oversees internal control system
Upper management sets the tone, plans, organizes & directs the internal control system
The Board sets the mandate and oversees the internal control system. They do this by receiving reports from external auditors, from Internal Audit and from management.
Upper management sets the tone, plans, organizes and directs the system of internal control. This is accomplished by making sure there are policies and procedures in place, by appointing an officer of the University as the chief controls officer (Controller) with authority to establish & maintain adequate internal controls regardless of where the organizational responsibility for implementation and/or operation of controls lies.
Operating management at all levels must implement plans to adhere to policies and procedures, to ensure that risk is minimized and that activities are controlled (we will discuss in the next few slides).
Internal Audit examines, evaluates and reports on the internal control system of departments. IA gives a semiannual verbal and written report to the Audit Subcommittee of the Board on all areas reviewed, listing findings, recommendations and corrective action taken by departments.
28. Internal Control Responsibility
Senior administration is responsible for assuring that appropriate internal controls are developed and in place in all financial and administrative operations of the university, however…
Every staff member is responsible for assuring that established internal controls are followed and applied.
29. IC Tolerance Policy at UM
ZERO TOLERANCE
IC violators
WILL BE PROSECUTED
AND Restitution Will Be Sought in the Courts
30. Internal Controls
31. Internal Controls Is Everyone's Business
Internal Audit Dept.
305-284-2605
Controller
305-284-4877
Compliance Hot Lines
Medicare & Medicaid Billing
305-243-HELP or 877-415 HELP
Research Integrity Concerns
VP for Research 305-243-6415
Or University toll free compliance hotline
1-866-YOURCALL