540 likes | 1.01k Views
The Importance of Internal Controls. LGC Resource April 2014. WHAT ARE INTERNAL CONTROLS?. Processes effected by an entity’s management and other personnel designed to provide assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
E N D
The Importance of Internal Controls LGC Resource April 2014
WHAT ARE INTERNAL CONTROLS? Processes effected by an entity’s management and other personnel designed to provide assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
COSO (Committee of Sponsoring Organizations) of the Treadway Commission
ControlEnvironment • The control environment is the core of any system of internal control. • It sets the tone for the entire organization. • Factors include: • ethical values • competence of employees at all levels • managements’ operating style and attitude toward controls
Risk Assessment • Risks are INTERNAL and EXTERNAL events that threaten the accomplishment of objectives. • Process of identifying, evaluating, and deciding how to manage these events….. What is the likelihood of the event occurring? What would be the impact if it were to occur? How do we reduce the risk? • Consideration of Fraud
Control Activities • Control Activities consist of the specific policies and procedures put in place to mitigate the risk of error, noncompliance, and fraud. (physical inventory count, segregation of duties, authorization of activities, proper backup procedures)
Communication & Information • Adequate information must be captured, identified, and communicated on a timely basis. • Just a reminder……. ACTIONS SPEAK LOUDER THAN WORDS
Monitoring • Monitoring occurs in the course of everyday operations, it includes regular management & supervisory activities and other actions personnel take in performing their duties.
Simple Definition • Internal controls are common sense procedures that address: • What could go wrong? • What steps should be taken to prevent those events from happening?
Personal Internal Control System • Locking your car when you leave it in the parking lot • Comparing your receipts to your credit card statement • Keeping your banking PIN confidential
Why are Internal Controls Important? • They can catch small mistakes before they become big problems. • They protect employees by removing opportunities for innocent mistakes or intentional fraud.
Why are Internal Controls Important? • Protect the strong from temptation • Protect the weak from opportunity • Protect the innocent from false accusation From Once upon Internal Control by James Ulvog, CPA
FRAUD TRIANGLE Opportunity Pressure Rationalization
FRAUD $208,830 $202,345 $177,630
FRAUD • Frauds discovered in the recent years. • Committed by one person • Trusted employee • Internal controls were either nonexistent or not monitored
Effective IS Controls • Proper back-up procedures • Section 10-7-121, TCA, requires that records maintained electronically be copied to a storage media daily. Storage media more than one week old shall be stored at a location other than at the building where the original is maintained
Effective IS Controls (cont.) • Proper back-up procedures • Daily backups should be stored in a secure location within the office. • Weekly backups should be rotated to a secure, fireproof off-site location. • A backup log documenting the location of all backups should be maintained. • Backups should be tested.
Effective IS Controls (cont.) • Password Maintenance • All users should have a unique login and password. Shared logins should not be used. • Passwords should remain confidential. • Passwords should be changed every 90 days. • Passwords of former employees should be immediately disabled.
Effective IS Controls (cont.) • Disaster Recovery Planning • Specific steps to follow to restore system • Emergency phone numbers of personnel and vendors • Backup storage location • Manual procedures to follow until the system is restored
Effective IS Controls (cont.) • Virus/Spyware Prevention • Virus detection software should be used. • Virus definitions should be kept current. • All files, e-mail attachments, etc. should be scanned.
Effective IS Controls (cont.) • Policies and procedures manual • Operating system and application security • Start-up/shut down procedures • Back-up procedures • Hardware software maintenance procedures • Daily, monthly, and year-end procedures • Output distribution list • Hardware disposal policy • Virus prevention policy
Effective IS Controls (cont.) • Loading Operating System Updates • Restricting Physical Access to System • Proper Application Controls • Adequate audit trail exists. • Audit logs are maintained and reviewed.
Audit Logs and Other Reports • TnCIS • Delete Log Report • Out-of Court Payments Report • Trustee • Audit Changes By Date Report • Unprorated Receipts Report • Maximum Posting Date Report • Fund Offices • Payroll Check Change Report • Maximum Posting Date Report
Reasons why controls don’t always work: • Inadequate knowledge of policies or governing regulations. “I didn’t know that!” • Form over substance “You mean I’m supposed to do something besides initial/sign it?” • Inadequate segregation of duties “We trust ‘A’ who does all of these things”
The “Trusted Employee” Per the ACFE’s 2012 Report to the Nations: • 87% of the fraudsters studied had never been charged or convicted of a fraud related offense • 84% had never been punished or terminated by an employer for fraud-related conduct
What is Segregation of Duties? In general, the main incompatible duties to be segregated are: • Custody of Assets • Authorization or approval of related transactions affecting those assets • Recording or reporting of related transactions
What is Segregation of Duties? • No employee should be in a position to both commit fraud or error and conceal it in their normal course of duties. • At least two sets of eyes are required for any transaction • Example: Movie Theater
What if it’s not possible to properly segregate duties? Use Compensating Controls • Supervisory or other oversight procedures designed to reduce the risk of errors or fraud not being detected
Compensating Controls by James Climer @ Climercomics.com
Effective Controls- Cash Receipts and Deposits • Separate cash drawers • Prenumbered cash receipts- 9-2-103, TCA • Stamp checks “for deposit only” as soon as they are received • Drawer checkout procedures • Deposit timely- 3 day deposit law • Deposit Receipts Intact
Effective Controls- Cash Receipts and Deposits (cont.) • Deposit slips should be itemized • Sign- “You must receive an official receipt or your transaction is not complete • Segregate Duties- Employees responsible for receipting should NOT also be responsible for posting receipts to the accounting records.
Effective Controls- Disbursements • Disbursements by official prenumbered checks • Review documentation • Do not sign blank checks • Segregate duties between writing checks, signing, distribution, and posting to the accounting records
Effective Controls- Bank Reconciliations • One employee should be responsible for opening the bank statement, reviewing it, and initialing. • A separate employee should reconcile the bank statement monthly • Bank reconciliations should be reviewed by an employee not responsible for reconciling the statement.
Effective Controls- Procurement • Establish clear lines of authority for approving purchases before they occur • Purchase orders • Verify availability of appropriations before purchases are approved • Payments for purchases should only be made after documentation that the goods or services were received • Segregate duties between approval, payment and updating the accounting records
Effective controls- Journal Entries (JE’s) • Use a standard journal entry form • Supervisory review and approval of all journal entries • Segregate duties between preparation of the JE, Approval of the JE, and posting to the records • Supervisory review that all JE’s were properly posted to the records
More information? • Comptroller’s website has internal control checklists specifically designed for offices such as • Trustee • General Sessions and Circuit Court Clerk • Clerk and Master • Etc. www.comptroller.tn.gov
Penny AustinPenny.Austin@cot.tn.govAmy SosvilleAmy.Sosville@cot.tn.gov