Upload
surendrachoudhary
View
238
Download
2
Embed Size (px)
Citation preview
8/4/2019 Understanding Internal Control-Internal Audit
1/28
Understanding InternalControls
Internal Audit DivisionEdward A. Dion
County Auditor's Office
8/4/2019 Understanding Internal Control-Internal Audit
2/28
Why are we here? The Countys emphasis on internal
controls.
Give you tools to prepare:
System Implementation
On-going Operations
8/4/2019 Understanding Internal Control-Internal Audit
3/28
T
raining Objectives Convey that management is
responsible for internal controls.
Convey that all employees of theCounty are responsible for compliance
with internal controls.
Give you tools to establish, document,
and maintain a system of internal
controls.
8/4/2019 Understanding Internal Control-Internal Audit
4/28
Why is this important?Reduces the likelihood of errors and
irregularities resulting in:
Efficient and effective departments Good custodianship of County
Resources
Compliance with laws and regulations
8/4/2019 Understanding Internal Control-Internal Audit
5/28
What is internal control? Definition
Ongoing process
Effected by everyone
Reasonable--not absolute--assurance
Applies to:
Operations objectives Financial reporting objectives
Compliance objectives
8/4/2019 Understanding Internal Control-Internal Audit
6/28
Internal Control is a Process The internal control process has five
components :
y Control environment
y Risk assessment
y Control activities
y Information and communication
y Monitoring
All five must be present to be effective.
8/4/2019 Understanding Internal Control-Internal Audit
7/28
Internal Control Process
Control Environment What is a control
environment?
It is the control consciousness of an
organization.
It is the extent to which management and
employees are committed to doing whats
right and doing it the right way.
It encompasses technical competence andethical commitment.
It is an intangible factor that is essential to
effective internal control.
8/4/2019 Understanding Internal Control-Internal Audit
8/28
Control Environment-What
is a good environment? Code of ethics; standards of conduct.
Ethical behavior.
Good hiring practices.
Adequate training.
Clear policies and procedures.
Employee development.
Assignment of authority and
responsibility.
8/4/2019 Understanding Internal Control-Internal Audit
9/28
Risk Assessment Determine
goals and objectives.
Internal control is pointless without
goals and objectives. Written goals and objectives focus
efforts toward desired outcomes.
Written goals and objectives provide a
rationale for resource allocation.
8/4/2019 Understanding Internal Control-Internal Audit
10/28
Risk Assessment - What
objectives do we need? Operations objectives.
Financial reporting objectives. (All
transactions are recorded, all recordedtransactions are real, properly valued,
timely, properly classified, and
correctly summarized and posted.)
Compliance objectives.
Related to Department/Agency and
activity.
8/4/2019 Understanding Internal Control-Internal Audit
11/28
Risk AssessmentIdentify risks.
A risk is anything that could
jeopardize the achievement of an
objective. Once identified, a risk analysis is
performed where risks are
ranked/prioritized in order to address
significant risks.
8/4/2019 Understanding Internal Control-Internal Audit
12/28
Risk Assessment - How do
we identify risks? You know your risks.
For each objective, ask yourself:
What could go wrong?
What assets do we need to protect?
How could someone steal from us?
What is our greatest legal exposure? Identify risks at the department level
and at the activity (or process) level.
8/4/2019 Understanding Internal Control-Internal Audit
13/28
Risk Assessment-What is
risk analysis? Risk analysis is the process of
determining which risks are
significant.
It involves ranking/prioritizing. For
each identified risk, ask two questions:
What is the likelihood of occurrence?
What is the potential impact? A risk is significant if it has a
reasonable likelihood of occurrence
and a large potential impact.
8/4/2019 Understanding Internal Control-Internal Audit
14/28
Control Activities-Whatcontrol activities do we need?
Enough to help ensure that you are
managing your significant risks.
Actions should be taken and control
activities should be performed tomitigate significant risks to prudently
acceptable levels.
Control activities can be preventive and
detective, and include approvals,reconciliations, reviewing reports,
securing assets, segregating duties, and
Information Technology controls.
8/4/2019 Understanding Internal Control-Internal Audit
15/28
Control Activities - Preventive
& Detective Controls Preventive Controls:
They attempt to deter or prevent
undesirableevents from occurring. Examples:
separation
of duties and proper authorization.
Detective Controls:
They attempt to detect undesirable
acts.
Examples: reviews and reconciliations.
8/4/2019 Understanding Internal Control-Internal Audit
16/28
Control Activities-What needsto be approved? (Preventive)
It depends on the risk assessment.
High risk activities should be approved
by management.
Generally,high dollar transactions should
be approved by the Director of the
department or agency.
Approval means that the approverhasreviewed the supporting documentation
and is satisfied that the transaction is
appropriate.
8/4/2019 Understanding Internal Control-Internal Audit
17/28
Control Activities What needsto be reconciled? (Detective)
It depends on the risk assessment.
Information about high risk activities
should be reconciled to ensure its
accuracy and completeness.
Reconciliations compare different sets
of data (check logs/deposit slips to
financial reports).
Generally, monthly financial reports
from Auditor-Controller should be
reconciled to departmental records.
8/4/2019 Understanding Internal Control-Internal Audit
18/28
Control Activities-Whatreports should be
reviewed?(Detective) It depends on the risk assessment.
Information about high risk activities
should be reviewed by management.
Generally, the Director should review
reports which compare budget to actual
and prior year to current year amounts
To measure performance.
To detect problems.
Managements review should be
documented.
8/4/2019 Understanding Internal Control-Internal Audit
19/28
Control Activities (Preventive& Detective) - What assets need
to be secured? It depends on the risk assessment.
Liquid assets, assets with alternative uses,
dangerous assets, vital documents, critical
systems, and confidential information need to
be secured.
Access to these assets should be restricted. Perpetual records should be maintained;
periodic physical counts should be
performed--differences should be checked.
8/4/2019 Understanding Internal Control-Internal Audit
20/28
Control Activities (Preventive& Detective) - What duties need
to be segregated?
It depends on the risk assessment.
The approval, accounting/reconciling,and asset custody functions should be
segregated.
Generally, duties related to cash
receipts and purchases are high risk
and should be segregated.
8/4/2019 Understanding Internal Control-Internal Audit
21/28
Control Activities InformationSystems -
General Controls
Apply to entire information systems
and all applications which reside on
the systems.
Maintain the integrity & availability of
networks, information processing
functions, & associated applicationsystems.
8/4/2019 Understanding Internal Control-Internal Audit
22/28
Control ActivitiesGeneral Controls (Preventive
and Detective)
General Controls Include:
Access Security, Data & ProgramSecurity, Physical Security
Software Development & Program
Change Controls
Data Center Operations
DisasterRecovery
8/4/2019 Understanding Internal Control-Internal Audit
23/28
Control Activities -
Application Controls(Preventive and Detective)
Application Controls:
Specific to Computer ApplicationSystems
Prevent, Detect, and Correct Errors
and Irregularities
Programmed Procedures Within
Application Software
8/4/2019 Understanding Internal Control-Internal Audit
24/28
Control ActivitiesApplication Controls
(Preventive and Detective) Application Controls Include:
Input Controls-Authorized & Validated Data , Errors
Detected, CorrectedProcessing Controls-Ensure Data Not Lost, Mishandled
Output Controls-Accurate, Complete, Properly
Distributed Data
Examples
Edit Checks
Record Counts
Distribution Lists
8/4/2019 Understanding Internal Control-Internal Audit
25/28
Control ActivitiesBalancing Risks and Controls
ExcessiveRisks
Loss of Assets
Poor Business Decisions
Noncompliance Increased Regulations
Public Scandals
Excessive Controls
Increased Bureaucracy
Reduced Productivity
Increase Complexity
Increased Cycle Time
Increased No-Value Activity
8/4/2019 Understanding Internal Control-Internal Audit
26/28
Information and Communication -
Why information andcommunication?
Employees need information to do their jobs;
management needs information to effect control. Information about plans, risks, and performance.
Information in a form and time frame that is useful.
Information from internal and external sources.
When completing a Business Controls Worksheetfor a significant activity (or process), evaluate the
quality of related information and communication
systems.
8/4/2019 Understanding Internal Control-Internal Audit
27/28
Monitoring-What is
monitoring? Monitoring is the assessment of internal
control performance over time to
determine whether internal control isadequately designed, properly executed,
and effective.
Ongoing supervisory activities
Periodic evaluations
Self-assessment
Peer review
Internal audit
8/4/2019 Understanding Internal Control-Internal Audit
28/28
Monitoring - When is internal
control effective? All five internal control components are present
and functioning as designed.
The Commissioners Court and management
have reasonable assurance that:
They understand the extent to which operations
objectives are being achieved.
Published financial statements are being
prepared reliably.
Applicable laws and regulations are being
complied with.