© 2009 Office of Internal Audits Building a Strong Internal Control Environment Presented by: Leigh Baxter Leigh Goller


Research Academy Credit


Acknowledgments

Some content shared with permission from our friends and colleagues at:

- Duke PRMO
- Harvard
- Cornell
- RIT


Warm up exercise

Can Internal Controls Mitigate/Manage Risk?

http://www.dailymotion.com/video/xahspa_risk-mitigation-for-beginners_fun


Course Objectives

To enable and empower you to:

Define and evaluate your internal control environment

Discuss & apply internal control activities & responsibilities

Leverage internal control understanding for effective decision making


Today is not about:

- Professional ethics
- Conflicts of interest
- Enterprise risk management (ERM)
- Sarbanes-Oxley
- Audit-proofing your business unit


What is stewardship?

Stewards carefully and responsibly manage all things entrusted to their care

We are responsible for ensuring:

- Duke business is executed in good faith
- Transactions actually occurred
- Duke complies with laws, regulations and policies


Pop Quiz! True or False?

Internal controls are:

A. Based on trust
B. Effective by pure luck
C. Validated by customer feedback
D. Tested by auditors
E. Not my responsibility


A simple equation

Control Activities = Risk Management

Many Controls = Good Controls


What is risk?

- The possibility a negative event will occur
- The possibility a positive event may not occur
- A calculated chance

Risk can be:

- External (economy, weather, laws)
- Internal (systems, personnel, initiatives)
- Controllable (mitigated)
- Uncontrollable (inherent)


What is control?

- A process to regulate
- Exercising influence
- Authority or ability to manage or direct
- An act to examine or verify
- Reducing or preventing the spread of…


Internal Control Types

- Operational: Promotes operational effectiveness and efficiency as well as adherence to policies and procedures.
- Financial: Designed to safeguard assets and ensure completeness, accuracy and reliability of financial records.
- Compliance: Ensures compliance with applicable laws and regulations.


Missing or ineffective controls

Operational Risks

- Poor decision making
- Asset theft or loss
- Effort duplication

Financial Risks

- Misleading or inaccurate financial information
- False reporting to constituents
- Ineffective cost recovery

Compliance Risks

- Fines or penalties
- Sponsor funding and program renewal
- Health & safety


Fact or fiction?

| Myth | Fact |
| --- | --- |
| Internal controls are a bunch of red tape | Internal controls should support, not inhibit, business processes |
| Controls are one-size fits all | Controls may vary with the type of transaction, business activity or staffing level |
| Internal controls will prevent fraud | Internal controls can deter and/or detect fraud. Only good behavior prevents fraud |
| Policies and procedures promote strong internal controls | A strong control environment promotes strong internal controls |
| Auditors own internal control effectiveness | Management owns internal control effectiveness |


More fact or fiction?

| Myth | Fact |
| --- | --- |
| Internal control is a finance thing – we do what GAP tells us to do | Internal controls are integral to all aspects of the business; control activities should be designed to meet specific business needs |
| Internal controls prohibit certain activities | Internal controls enable the right things to happen the first time and every time |
| Internal controls are just extra work for me – I know how to do my job without them | Internal controls promote accountability and ensure consistent performance |
| Internal controls only protect Duke assets | Internal controls protect Duke and its employees |


Case Study I

Planning a Vacation

- To: Egypt or South Africa
- When: in 6 months (Summer)
- How Long: for 2 weeks
- Who: You and at least one other person

Note: All travelers have valid passports


Did you consider?

- What is a successful outcome (good trip)?
- What is the most critical planning activity?
- How many variables do you want to control?
- Who owns what part of the vacation planning?
- What required double-checking?
- What might happen while you are on vacation?
  - Will you miss a flight?
  - Will you lose anything important?
  - Will you get sick?


Careful Design

With a carefully designed internal control environment, your department can:

Operate more efficiently and effectively

Provide a level of assurance that the processes, services and products for which you are responsible are adequately protected


Health check

Does your control environment promote:

- Attention and direction from management?
- Competence in all employees?
- Ethical and quality operations?
- Communicating “tone at the top”?
- Appropriate assignment of responsibility and authority?
- Development of people and skills?
- Consistent practices?
- Timely execution of required processes and transactions?
- Asking questions?
- Asking tough questions?


Manager Responsibility

Managers are responsible for ensuring that internal controls are established and functioning to achieve the mission and objective of your department


Control Categories

- Authorization
- Reconciliation
- Segregation of Duties
- System Configuration
- Documentation and Record Retention
- Monitoring Operations
- Key Performance Indicator
- Exception / Edit Report
- Data Interfaces
- System Access


Authorization

Transaction Approval

- Considers the nature and significance of the transaction
- Segregates duties
- Complies with DU and DUHS policy

Access Provisions

- Safeguards assets and records
- Segregates duties


Reconciliation

- A check to determine if two items are consistent
  - Invoices reconciled to account detail
- A process to identify inaccurate or missing transactions


Segregation of Duties

No individual is responsible for more than one of the following transaction components:

- Authorization
- Custody
- Record-keeping


System Configuration

Controls include “switches” that can be set by turning them on or off to secure data against inappropriate processing, based on the policies and procedures

- Systems can be configured to require passwords of minimum characters and symbols.


Documentation & Record Retention

Provide reasonable assurance that assets are controlled and transactions are correctly recorded, for example, retention of:

- Financial Assistance Application for Charity Care patients
- Explanation of Benefit forms for a third party payment


Monitoring Operations

Verification that controls are operating properly

Review of activity by a person different than the preparer, analyzing and performing oversight of activities performed

- Periodic analytical review of average charge per patient to revenue reported for the period.


Key Performance Indicator

Financial and Non-Financial quantitative measurements that are collected by the entity and used by management to evaluate the extent of progress toward meeting defined objectives

- Productivity reporting for individual departments


Exception / Edit Report

Report generated to monitor something and followed up on through to resolution

- Exceptions – report detailing violation of set standard
- Edits – report detailing changes to master file


Data Interfaces

The transfer of specifically defined information (data) between two computer systems, using either manual or automated means to ensure accuracy, completeness and integrity of the data

- The University identity management system provides a feed to the Health System Enterprise Active Directory.


System Access

The ability that individual users or groups have within a computer information system processing environment, determined and defined by authorized configuration

- Established based on unique position number (SAP) or individual employee identification (NetID)


Information & Communication

Processes and systems to provide timely and appropriate information for people to carry out their responsibilities

Quality information is:

- Content appropriate
- Timely and current
- Accurate
- Accessible
- Communicated appropriately


Control Limitations

Internal controls provide only reasonable assurance that operational, financial reporting and compliance objectives are met. These assurances are not absolute.

Limitations inherent in all internal control systems include:

- Collusion: Two or more individuals acting together may alter financial information in a manner that results in control failure.
- Return on investment: If the cost of control outweighs the benefit of implementing the control, it will not be adopted.
- Judgment: Humans are fallible and sometimes make errors in judgment because of pressures.
- Breakdowns: Personnel may misunderstand instructions or simply make mistakes.


Biggest threats to the Internal Control Structure

| Threat | Vulnerability |
| --- | --- |
| Management Override | A well designed control system, if set aside at management’s discretion, can be equivalent to no control in terms of risk. |
| Access to Assets | The best way to safeguard assets is to control access to them. |
| Substance over Form | Controls may appear to be well designed and still lack substance. |
| Conflicts of Interest | When employee loyalty is divided there is a distinct risk that the employee will choose a course of action detrimental to the organization. |
| Failure to Anticipate Certain Risks | Management may fail to anticipate certain risks, and thus fail to design and implement appropriate controls. |
| Collusion | Two or more employees may agree to circumvent internal controls. |


Case Study II

Planning a Vacation

- To: Egypt or South Africa
- When: in 6 days
- How Long: for 1 week
- Who: You and at least one other person

Note: All travelers have valid passports


What did you change?

- How did you reprioritize activities?
- What control activities changed?
- How did time constraints affect you?
- Did you delegate differently?
- Are you worried about success?


Building a Strong Internal Control Environment

Questions?
