Upload
nelson-jackson
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
Office of Internal Audits© 2009
Building a Strong Internal Control
Environment
Presented by:Leigh BaxterLeigh Goller
Office Of Internal Audits
Research Academy Credit
© 2009
Office Of Internal Audits
Acknowledgments
Some content shared with permission from our friends and colleagues at:
Duke PRMOHarvardCornell
RIT
© 2009
Office Of Internal Audits
Warm up exercise
Can Internal Controls Mitigate/Manage Risk?
http://www.dailymotion.com/video/xahspa_risk-mitigation-for-beginners_fun
© 2009
Office Of Internal Audits© 2009
Course Objectives
To enable and empower you to:
Define and evaluate your internal control environment
Discuss & apply internal control activities & responsibilities
Leverage internal control understanding for effective decision making
Office Of Internal Audits
Today is not about:
Professional ethics Conflicts of interest Enterprise risk management (ERM) Sarbanes-Oxley Audit-proofing your business unit
© 2009
Office Of Internal Audits
What is stewardship?
Stewards carefully and responsibly manage all things entrusted to their care
We are responsible for ensuring: Duke business is executed in good faith transactions actually occurred Duke complies with laws, regulations and policies
© 2009
Office Of Internal Audits
Pop Quiz!True or False?
Internal controls are:A. Based on trustB. Effective by pure luckC. Validated by customer feedbackD. Tested by auditorsE. Not my responsibility
© 2009
Office Of Internal Audits
A simple equation
Control Activities
=Risk Management
Many Controls = Good Controls
© 2009
Office Of Internal Audits
What is risk?
The possibility a negative event will occur The possibility a positive event may not occur A calculated chance
Risk can be: External (economy, weather, laws) Internal (systems, personnel, initiatives) Controllable (mitigated) Uncontrollable (inherent)
© 2009
Office Of Internal Audits
What is control?
A process to regulate Exercising influence Authority or ability to manage or direct An act to examine or verify Reducing or preventing the spread of…
© 2009
Office Of Internal Audits
Internal Control Types
Operational Promotes operational effectiveness and efficiency as
well as adherence to policies and procedures.
Financial Designed to safeguard assets and ensure completeness,
accuracy and reliability of financial records.
Compliance Ensures compliance with applicable laws and
regulations.
© 2009
Office Of Internal Audits
Missing or ineffective controls
Operational Risks Poor decision making Asset theft or loss Effort duplication
Financial Risks Misleading or inaccurate financial information False reporting to constituents Ineffective cost recovery
Compliance Risks Fines or penalties Sponsor funding and program renewal Health & safety
© 2009
Office Of Internal Audits
Fact or fiction?
© 2009
Myth Fact
Internal controls are a bunch of red tape
Internal controls should support,not inhibit, business processes
Controls are one-size fits all Controls may vary with the type of transaction, business activity or staffing level
Internal controls will prevent fraud
Internal controls can deter and/or detect fraud. Only good behavior prevents fraud
Policies and procedures promote strong internal controls
A strong control environment promotes strong internal controls
Auditors own internal control effectiveness
Management owns internal control effectiveness
Office Of Internal Audits
More fact or fiction?
© 2009
Myth Fact
Internal control is a finance thing– we do what GAP tells us to do –
Internal controls are integral toall aspects of the business control activities should be designed to meet specific business needs
Internal controls prohibit certain activities
Internal controls enable the rights things to happen the first time and every time
Internal controls are just extra work for me – I know how to do my job without them
Internal controls promote accountability and ensure consistent performance
Internal controls only protect Duke assets
Internal controls protect Dukeand its employees
Office Of Internal Audits
Case Study I
Planning a Vacation
To: Egypt or South Africa When: in 6 months (Summer) How Long: for 2 weeks Who: You and at least one other person
Note: All travelers have valid passports
© 2009
Office Of Internal Audits
Did you consider?
What is a successful outcome (good trip)? What is the most critical planning activity? How many variables you want to control? Who owns what part of the vacation planning? What required double-checking? What might happen while you are on vacation?
Will you miss a flight? Will you lose anything important? Will you get sick?
© 2009
Office Of Internal Audits
Careful Design
With a carefully designed internal control environment, your department can:
Operate more efficiently and effectively
Provide a level of assurance that the processes, services and products for which you are responsible are adequately protected
© 2009
Office Of Internal Audits
Health check
Does your control environment promote: Attention and direction from management? Competence in all employees? Ethical and quality operations? Communicating “tone at the top”? Appropriate assignment of responsibility and authority? Development of people and skills? Consistent practices? Timely execution of required processes and transactions? Asking questions? Asking tough questions?
© 2009
Office Of Internal Audits
Manager Responsibility
Managers are responsible for ensuring that internal controls are established and functioning to achieve the mission and objective of your department
© 2009
Office Of Internal Audits
Control Categories
Authorization Reconciliation Segregation of Duties System Configuration Documentation and Record
Retention Monitoring Operations Key Performance Indicator Exception/ Edit Report Data Interfaces System Access
© 2009
Office Of Internal Audits
Authorization
Transaction Approval Considers the nature and significance of the
transaction Segregates duties Complies with DU and DUHS policy
Access Provisions Safeguards assets and records Segregates duties
© 2009
Office Of Internal Audits
Reconciliation
A check to determine if two items are consistent Invoices reconciled to account detail
A process to identify inaccurate or missing transactions
© 2009
Office Of Internal Audits
Segregation of Duties
No individual is responsible for more than one of the following transaction components: Authorization Custody Record-keeping
© 2009
Office Of Internal Audits
System Configuration
Controls include “switches” that can be set by turning them on or off to secure data against inappropriate processing, based on the policies and procedures Systems can be configured to require
passwords of minimum characters and symbols.
© 2009
Office Of Internal Audits
Documentation & Record Retention
Provide reasonable assurance that assets are controlled and transactions are correctly recorded, for example, retention of: Financial Assistance Application for Charity
Care patients Explanation of Benefit forms for a third party
payment
© 2007
Office Of Internal Audits
Monitoring Operations
Verification that controls are operating properly
Review of activity of a person different than the preparer analyzing and performing oversight of activities performed Periodic analytical review of average charge
per patient to revenue reported for the period.
© 2009
Office Of Internal Audits
Key Performance Indicator
Financial and Non-Financial quantitative measurements that are collected by the entity and used by management to evaluate the extent of progress toward meeting defined objectives Productivity reporting for individual
departments
© 2009
Office Of Internal Audits
Exception / Edit Report
Report generated to monitor something and followed-up on through to resolution Exceptions – report detailing violation of set
standard Edits – report detailing changes to master file
© 2009
Office Of Internal Audits
Data Interfaces
The transfer of specifically defined information (data) between two computer systems, using either manual or automated means to ensure accuracy, completeness and integrity of the data The University identity management system
provides a feed to the Health System Enterprise Active Directory.
© 2009
Office Of Internal Audits
System Access
The ability that individual users or groups have within a computer information system processing environment determined and defined by authorized
configuration Established based on unique position number
(SAP) or individual employee identification (NetID)
© 2009
Office Of Internal Audits
Information & Communication
Processes and systems to provide timely and appropriate information for people to carry out their responsibilities
Quality information is: Content appropriate Timely and current Accurate Accessible Communicated appropriately
© 2009
Office Of Internal Audits
Control Limitations
Internal controls provide only reasonable assurance that operational, financial reporting and compliance objectives are met. These assurances are not absolute.
Limitations inherent in all internal control systems include: Collusion: Two or more individuals acting together may alter
financial information in a manner that results in control failure. Return on investment: If the cost of control outweighs the
benefit of implementing the control, it will not be adopted. Judgment: Humans are fallible and sometimes make errors in
judgment because of pressures. Breakdowns: Personnel may misunderstand instructions or
simply make mistakes.
© 2009
Office Of Internal Audits
Biggest threats to the Internal Control Structure
© 2009
Threat Vulnerability
Management Override -A well designed control system, if set aside at management’s discretion, can be equivalent to no control in terms of risk.
Access to Assets The best way to safeguard assets is to control access to them.
Substance over Form -Controls may appear to be well designed and still lacksubstance.
Conflicts of Interest When employee loyalty is divided there is a distinct risk that the employee will choose a course of action detrimental to the
organization.
Failure to Anticipate Certain Risks
Management may fail to anticipate certain risks, andthus fail to design and implement appropriate controls.
Collusion Two or more employees may agree to circumvent internal controls.
Office Of Internal Audits
Case Study II
Planning a Vacation
To: Egypt or South Africa When: in 6 days How Long: for 1 week Who: You and at least one other person
Note: All travelers have valid passports
© 2009
Office Of Internal Audits
What did you change?
How did you reprioritize activities? What control activities changed? How did time constraints affect you? Did you delegate differently? Are you worried about success?
© 2009
Office Of Internal Audits
Building a Strong Internal Control Environment
Questions?
© 2009