Understanding Internal Control-Internal Audit


  • 8/4/2019 Understanding Internal Control-Internal Audit


    Understanding Internal Controls

    Internal Audit Division

    Edward A. Dion

    County Auditor's Office


    Why are we here?

    The County's emphasis on internal controls.

    Give you tools to prepare:

    System Implementation

    On-going Operations


    Training Objectives

    Convey that management is responsible for internal controls.

    Convey that all employees of the County are responsible for compliance with internal controls.

    Give you tools to establish, document, and maintain a system of internal controls.


    Why is this important?

    Reduces the likelihood of errors and irregularities resulting in:

    Efficient and effective departments

    Good custodianship of County Resources

    Compliance with laws and regulations


    What is internal control?

    Definition

    Ongoing process

    Effected by everyone

    Reasonable--not absolute--assurance

    Applies to:

    Operations objectives

    Financial reporting objectives

    Compliance objectives


    Internal Control is a Process

    The internal control process has five components:

    • Control environment

    • Risk assessment

    • Control activities

    • Information and communication

    • Monitoring

    All five must be present to be effective.


    Internal Control Process

    Control Environment - What is a control environment?

    It is the control consciousness of an organization.

    It is the extent to which management and employees are committed to doing what's right and doing it the right way.

    It encompasses technical competence and ethical commitment.

    It is an intangible factor that is essential to effective internal control.


    Control Environment - What is a good environment?

    Code of ethics; standards of conduct.

    Ethical behavior.

    Good hiring practices.

    Adequate training.

    Clear policies and procedures.

    Employee development.

    Assignment of authority and responsibility.


    Risk Assessment - Determine goals and objectives.

    Internal control is pointless without goals and objectives.

    Written goals and objectives focus efforts toward desired outcomes.

    Written goals and objectives provide a rationale for resource allocation.


    Risk Assessment - What objectives do we need?

    Operations objectives.

    Financial reporting objectives. (All transactions are recorded, all recorded transactions are real, properly valued, timely, properly classified, and correctly summarized and posted.)

    Compliance objectives.

    Related to Department/Agency and activity.


    Risk Assessment - Identify risks.

    A risk is anything that could jeopardize the achievement of an objective.

    Once identified, a risk analysis is performed where risks are ranked/prioritized in order to address significant risks.


    Risk Assessment - How do we identify risks?

    You know your risks.

    For each objective, ask yourself:

    What could go wrong?

    What assets do we need to protect?

    How could someone steal from us?

    What is our greatest legal exposure?

    Identify risks at the department level and at the activity (or process) level.


    Risk Assessment - What is risk analysis?

    Risk analysis is the process of determining which risks are significant.

    It involves ranking/prioritizing. For each identified risk, ask two questions:

    What is the likelihood of occurrence?

    What is the potential impact?

    A risk is significant if it has a reasonable likelihood of occurrence and a large potential impact.


    Control Activities - What control activities do we need?

    Enough to help ensure that you are managing your significant risks.

    Actions should be taken and control activities should be performed to mitigate significant risks to prudently acceptable levels.

    Control activities can be preventive and detective, and include approvals, reconciliations, reviewing reports, securing assets, segregating duties, and Information Technology controls.


    Control Activities - Preventive & Detective Controls

    Preventive Controls:

    They attempt to deter or prevent undesirable events from occurring.

    Examples: separation of duties and proper authorization.

    Detective Controls:

    They attempt to detect undesirable acts.

    Examples: reviews and reconciliations.


    Control Activities - What needs to be approved? (Preventive)

    It depends on the risk assessment.

    High risk activities should be approved by management.

    Generally, high dollar transactions should be approved by the Director of the department or agency.

    Approval means that the approver has reviewed the supporting documentation and is satisfied that the transaction is appropriate.


    Control Activities - What needs to be reconciled? (Detective)

    It depends on the risk assessment.

    Information about high risk activities should be reconciled to ensure its accuracy and completeness.

    Reconciliations compare different sets of data (check logs/deposit slips to financial reports).

    Generally, monthly financial reports from Auditor-Controller should be reconciled to departmental records.


    Control Activities - What reports should be reviewed? (Detective)

    It depends on the risk assessment.

    Information about high risk activities should be reviewed by management.

    Generally, the Director should review reports which compare budget to actual and prior year to current year amounts:

    To measure performance.

    To detect problems.

    Management's review should be documented.


    Control Activities (Preventive & Detective) - What assets need to be secured?

    It depends on the risk assessment.

    Liquid assets, assets with alternative uses, dangerous assets, vital documents, critical systems, and confidential information need to be secured.

    Access to these assets should be restricted.

    Perpetual records should be maintained; periodic physical counts should be performed--differences should be checked.


    Control Activities (Preventive & Detective) - What duties need to be segregated?

    It depends on the risk assessment.

    The approval, accounting/reconciling, and asset custody functions should be segregated.

    Generally, duties related to cash receipts and purchases are high risk and should be segregated.


    Control Activities - Information Systems - General Controls

    Apply to entire information systems and all applications which reside on the systems.

    Maintain the integrity & availability of networks, information processing functions, & associated application systems.


    Control Activities - General Controls (Preventive and Detective)

    General Controls Include:

    Access Security, Data & Program Security, Physical Security

    Software Development & Program Change Controls

    Data Center Operations

    Disaster Recovery


    Control Activities - Application Controls (Preventive and Detective)

    Application Controls:

    Specific to Computer Application Systems

    Prevent, Detect, and Correct Errors and Irregularities

    Programmed Procedures Within Application Software


    Control Activities - Application Controls (Preventive and Detective)

    Application Controls Include:

    Input Controls - Authorized & Validated Data, Errors Detected, Corrected

    Processing Controls - Ensure Data Not Lost, Mishandled

    Output Controls - Accurate, Complete, Properly Distributed Data

    Examples

    Edit Checks

    Record Counts

    Distribution Lists


    Control Activities - Balancing Risks and Controls

    Excessive Risks

    Loss of Assets

    Poor Business Decisions

    Noncompliance

    Increased Regulations

    Public Scandals

    Excessive Controls

    Increased Bureaucracy

    Reduced Productivity

    Increased Complexity

    Increased Cycle Time

    Increased No-Value Activity


    Information and Communication - Why information and communication?

    Employees need information to do their jobs; management needs information to effect control.

    Information about plans, risks, and performance.

    Information in a form and time frame that is useful.

    Information from internal and external sources.

    When completing a Business Controls Worksheet for a significant activity (or process), evaluate the quality of related information and communication systems.


    Monitoring - What is monitoring?

    Monitoring is the assessment of internal control performance over time to determine whether internal control is adequately designed, properly executed, and effective.

    Ongoing supervisory activities

    Periodic evaluations

    Self-assessment

    Peer review

    Internal audit


    Monitoring - When is internal control effective?

    All five internal control components are present and functioning as designed.

    The Commissioners Court and management have reasonable assurance that:

    They understand the extent to which operations objectives are being achieved.

    Published financial statements are being prepared reliably.

    Applicable laws and regulations are being complied with.