Documenting Internal Controls: From Theory to Implementation
CACUBO Annual Meeting
October 7, 2007
Dennis K. Miller, Sr.
Agenda for Today
• Brief History
• Why So Important Today
• Define Internal Controls
• Internal Controls Evaluation: A Process
Brief History: Foreign Corrupt Practices Act
• In the mid-1970s, over 400 US companies were found to be involved in bribery
• Congress’s response
– Made bribery unlawful
– Accounting provisions
• Must keep accurate books and records
• Must maintain an adequate system of internal controls
Brief History: Treadway Commission
• Treadway Commission (sponsored by COSO)
• Formed to deal with financial reporting fraud
• Formed in 1985; first report issued in 1987
Brief History: FDICIA
• FDICIA – Federal Deposit Insurance Corporation Improvement Act
• Enacted by Congress in 1991
• Required “large” financial institutions to opine on their systems of internal control
Brief History: Sarbanes-Oxley
• Sarbanes-Oxley Act of 2002
• Formalized and strengthened internal checks and balances within corporations
• Instituted new levels of control and sign-off designed to ensure full disclosure in financial reporting
• Requires corporate governance to be conducted with full transparency
Brief History: SAS 112
Establishes standards for communicating internal control issues relating to:
– Integrity of financial reporting
– Compliance with applicable laws and regulations
Brief History: SAS 112
• SAS 112 standards adopted by federal agencies
• Government Auditing Standards updated to incorporate SAS 112
– It is likely that universities, including those with a history of clean audits, will have reportable conditions when SAS 112 is implemented
Why Should We Care
• All of this history dealt with corporations
• “It doesn’t apply to us”
• But it’s not a large leap from stockholder concerns to bondholder concerns
Why Should We Care
• Aren’t we dealing with public money and trust on a par with the largest SEC registrants?
• 150 people here on a Sunday afternoon?
• Trailing effect: what applies to business trickles down to us. Do it now, à la Drexel, or be forced to.
Why Should We Care
• New York Attorney General Eliot Spitzer accepted the Sarbanes-Oxley principles and proposed them as mandatory standards in New York
• California Senate Bill 1262, “Sarbanes-Oxley for Non-Profits”, signed by Gov. Schwarzenegger 9/29/2004
• Federal Government hearings on “Charity Oversight and Reform”
Why Should We Care
• Federal Managers’ Financial Integrity Act requirements modified in 2006 to incorporate much of Sarbanes-Oxley
• Massachusetts legislature is to vote later this year on the “Act to Promote Financial Integrity of Public Charities”, similar to California’s
• And others in the works
Why Should We Care
• The NACUBO Advisory Report 2003-3 recommended that institutions start identifying and evaluating the adequacy of their controls over financial reporting
– Institutions should consider certifications and sub-certifications
• Many institutions are implementing certifications and addressing their internal controls challenges
Define Internal Controls
Broadly defined as a process, effected by the curators/regents/directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Define Internal Controls
• Management driven
• The ethical environment of the organization drives the level of internal control
• The first thing to look for, or to develop, is a Statement of Ethics or a general statement of principles
• It provides the foundation for the entire process
• Almost a charter
Define Internal Controls
• Objectives focused
– Accounting controls
– Operating controls
– Legal-oriented controls
– If you don’t know your objective, how can you possibly achieve it? “Don’t know where we’re going, but we’re making good time.”
Define Internal Controls
• Internal controls are not:
– Providers of absolute assurance
– Solely about fraud prevention (fraud prevention is not the sole objective)
Control Environment
1. Integrity and ethical values
2. Commitment to competence
3. Training and reinforcement on ethical values
4. HR and operating policies and procedures
Identify Risks and Activities Required for Mitigation
• First identify risks
• Then develop the objectives to mitigate those risks
• Objectives are goals to ensure:
– Authorization
– Completeness
– Accuracy
– Timeliness
– Safeguarding of assets
Control Activities
• What activities are required to ensure management’s objectives are met?
Monitoring Activities
• Provide assurance that the control activities are functioning
• Provide feedback into the management loop on the status of operations
Translate Theory to Action
• Attestation requirement recommended by NACUBO in 2003
• Attestation based on what?
• Audits will focus on tests of management’s key controls
– Identify your key controls
– Ensure they are documented
– Demonstrate what they are based upon
Internal Controls Evaluation: A Process
1. Identify major risk areas (macro level)
2. What are the exposures within these areas?
3. What controls are in place to mitigate these risks?
4. Where and how is control execution documented?
5. Who is responsible for control execution?
6. Management tests the operation of the controls
Step 1 – Risk Analysis: Macro Level
• Within your organization, what areas present the greatest risk?
• Does not require whiz-bang tools
• Can be done yourself
• Should be systematic and documented
• Key: document the criteria
• End product: a prioritized list of the areas that present the greatest risk
Step 1 – Risk Analysis: Risk Area, Rating, and Rationale for Rating

Risk Area: Payroll
Rating: High
Rationale:
1. Finance: Largest category of expense for the University
2. Legal/Regulatory: Legal implications of not paying on time, paying inaccurately, or paying improperly
3. Audit results: Good internal and external audits
4. Environment: High degree of volatility; confidentiality of information and hacking exposure
5. Summary: Though audits indicate strong controls, the magnitude of this expense and the reputational exposure make the overall risk one of the highest

Risk Area: Sponsored Programs
Rating: Moderate
Rationale:
1. Finance: Significant source of revenue for the University
2. Legal/Regulatory: Complex legal environment with multiple agencies
3. Audit results: Internal and external audit ratings are excellent
4. Environment: Strategic focus for the University; political sensitivity due to problems at State U
5. Summary: Solid audits indicate controls and administration are strong
Step 1 – Risk Analysis

National University Financial Risk Rating

Area / Function        Balance Sheet / P&L Impact   Volume   Past Audits   Staff Turnover   Risk Rating
Payroll                5                            5        3             0                13
Capital Assets         5                            1        0             0                6
T & E                  2                            2        5             1                10
Development            4                            3        3             2                12
State Appropriations   5                            1        1             1                8
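The table above is an unweighted sum of four factor scores. The following is an added example (not code from the presentation or its author) of how the Step 1 slides’ advice, a systematic and documented rating with a prioritized list as the end product, can be written down so the criteria travel with the scores. The factor names and scores come from the National University table; the criteria descriptions, the 0–5 scale, the direction of the "past audits" factor and the validation rules are assumptions made for illustration.

```python
"""Risk-area scoring of the kind the Step 1 slides describe: documented
criteria, a fixed scale, and a prioritized list as the end product.
Added example, not from the presentation. The factor names and the scores
below come from the National University table; the criteria descriptions,
the 0-5 scale and the validation rules are assumptions for illustration."""

from __future__ import annotations

from dataclasses import dataclass

# Documented criteria (assumed wording). Every factor is scored 0 (lowest
# risk) to 5 (highest risk); for "past_audits" a higher score is assumed to
# mean that prior audit findings raise the risk.
CRITERIA: dict[str, str] = {
    "balance_sheet_pl_impact": "Dollar magnitude of the area on the balance sheet and P&L",
    "volume": "Transaction volume and number of people who can initiate transactions",
    "past_audits": "Findings in prior internal and external audits",
    "staff_turnover": "Turnover among the staff who operate the controls",
}
SCALE = range(0, 6)  # 0..5 inclusive


class ScoringError(ValueError):
    """A score that cannot be traced back to the documented criteria."""


def validate(scores: dict[str, int]) -> None:
    """Reject undocumented factors, missing factors and out-of-scale values."""
    missing = set(CRITERIA) - set(scores)
    extra = set(scores) - set(CRITERIA)
    if missing or extra:
        raise ScoringError(
            f"factors must match CRITERIA: missing={sorted(missing)}, extra={sorted(extra)}"
        )
    for factor, value in scores.items():
        if not isinstance(value, int) or value not in SCALE:
            raise ScoringError(f"{factor}={value!r} is outside the documented 0-5 scale")


def is_valid(scores: dict[str, int]) -> bool:
    """True if the scores pass validation, for callers that prefer no exception."""
    try:
        validate(scores)
    except ScoringError:
        return False
    return True


@dataclass
class RiskArea:
    name: str
    scores: dict[str, int]

    def rating(self) -> int:
        """Unweighted sum of the factor scores, as in the slide's table."""
        validate(self.scores)
        return sum(self.scores[factor] for factor in CRITERIA)


def prioritize(areas: list[RiskArea]) -> list[tuple[str, int]]:
    """Prioritized list, highest rating first. Ties are broken by name so the
    ordering is reproducible when the evaluation is repeated next cycle."""
    return sorted(((a.name, a.rating()) for a in areas), key=lambda t: (-t[1], t[0]))


# Constructed sample input: the scores from the slide's table.
NATIONAL_UNIVERSITY = [
    RiskArea("Payroll", {"balance_sheet_pl_impact": 5, "volume": 5, "past_audits": 3, "staff_turnover": 0}),
    RiskArea("Capital Assets", {"balance_sheet_pl_impact": 5, "volume": 1, "past_audits": 0, "staff_turnover": 0}),
    RiskArea("T & E", {"balance_sheet_pl_impact": 2, "volume": 2, "past_audits": 5, "staff_turnover": 1}),
    RiskArea("Development", {"balance_sheet_pl_impact": 4, "volume": 3, "past_audits": 3, "staff_turnover": 2}),
    RiskArea("State Appropriations", {"balance_sheet_pl_impact": 5, "volume": 1, "past_audits": 1, "staff_turnover": 1}),
]

if __name__ == "__main__":
    for name, rating in prioritize(NATIONAL_UNIVERSITY):
        print(f"{name:<22}{rating:>3}")
```

Run stand-alone it prints Payroll 13, Development 12, T & E 10, State Appropriations 8, Capital Assets 6, the order the slide’s table implies. The validation step is the part worth keeping: a rating that uses a factor nobody documented, or a score off the agreed scale, is exactly the kind of undocumented judgement an auditor will ask about.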
Step 2 – Identify Exposures
• Within our major areas, what is it we are concerned about?
Controls Documentation Worksheet

Explanation of the Exposure:

Controls in Place to Mitigate the Exposure (for each control, also record: Where is this control documented? Who is responsible for this?):
– Completeness:
– Authorization:
– Accuracy:
– Safeguarding of Assets:
– Timeliness:
– Segregation of Duties:

Describe the Managerial Controls:
Step 2 – Identify Exposures: Payroll Example
• Payroll activity is unauthorized: payments to unauthorized people, at an unauthorized rate of pay, or . . .
• Pay delivered to the wrong person
• Rate of pay is incorrect
• Checks or currency are stolen
• Employee records are improperly disclosed
• Benefit plans are not approved or are not in compliance with regulations
Step 2 – Identify Exposures: Payroll Example (worksheet)

Explanation of the Exposure: Payments made to unauthorized persons

Controls in Place to Mitigate the Exposure:
– Completeness:
– Authorization:
– Accuracy:
– Safeguarding of Assets:
– Timeliness:
– Segregation of Duties:
Step 3 – Controls Requirement
• Identify how to mitigate the risks, i.e. the controls
• Controls provide reasonable assurance of:
– Authorization
– Accuracy
– Completeness
– Timeliness
– Safeguarding of assets
– Segregation of duties
Step 3 – Controls Requirement: Payroll Example (worksheet)

Explanation of the Exposure: Payments made to unauthorized persons

Controls in Place to Mitigate the Exposure:
– Completeness / Accuracy / Segregation of Duties: A person with no data entry capability reviews the new employee report against the new employee forms, checking for accuracy of data entry, proper authorization of the form, existence of a form for every entry, and that all forms have been entered.
– Authorization: Personnel are not to process any changes to payroll data without a form signed by the department head.
– Safeguarding of Assets: N/A
– Timeliness: Ensure all forms are received by the 15th of the month; if not, follow up to ensure all are received.
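The review control in the worksheet is a reconciliation between two sources (the system’s new employee report and the signed forms) performed by someone who cannot have produced either. As an added example, not code from the presentation or the University, here is that control written out so that each exception is tagged with the objective it fails: authorization (entry with no form, or an unsigned form), accuracy (keyed data differs from the form), completeness (form never entered) and timeliness (form received after the cutoff). The segregation-of-duties requirement becomes a precondition: the reviewer is refused if they hold data entry capability. The record layouts, the `pclerk`/`reviewer` role names, the 15 October cutoff and the sample forms and report lines are all constructed for illustration.

```python
"""The Step 3 review control expressed as a reconciliation check with a
segregation-of-duties precondition. Added example, not from the
presentation. The record layouts, the role names, the cutoff date and the
sample forms and report entries below are constructed for illustration."""

from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Form:
    """Signed new employee form from the hiring department (assumed layout)."""
    employee_id: str
    name: str
    rate: float
    signed_by_department_head: bool
    received_on: date


@dataclass(frozen=True)
class Entry:
    """One line of the payroll system's new employee report (assumed layout)."""
    employee_id: str
    name: str
    rate: float
    entered_by: str


@dataclass(frozen=True)
class Finding:
    employee_id: str
    objective: str  # Authorization, Accuracy, Completeness or Timeliness
    detail: str


def can_review(reviewer: str, data_entry_users: frozenset[str]) -> bool:
    """Segregation of duties: the reviewer must have no data entry capability."""
    return reviewer not in data_entry_users


def review(forms: list[Form], entries: list[Entry], reviewer: str,
           data_entry_users: frozenset[str], cutoff: date) -> list[Finding]:
    """Compare the report against the forms and return one finding per
    exception, each tagged with the control objective it fails."""
    if not can_review(reviewer, data_entry_users):
        raise PermissionError(f"{reviewer} has data entry capability and may not perform the review")

    by_form = {f.employee_id: f for f in forms}
    by_entry = {e.employee_id: e for e in entries}
    findings: list[Finding] = []

    for eid, entry in by_entry.items():
        form = by_form.get(eid)
        # Authorization: every report entry needs a form signed by the department head.
        if form is None:
            findings.append(Finding(eid, "Authorization", "entry on report has no new employee form"))
            continue
        if not form.signed_by_department_head:
            findings.append(Finding(eid, "Authorization", "form not signed by department head"))
        # Accuracy: what was keyed must match the form.
        if (entry.name, entry.rate) != (form.name, form.rate):
            findings.append(Finding(eid, "Accuracy",
                                    f"report has {entry.name!r} at {entry.rate}; form says {form.name!r} at {form.rate}"))

    # Completeness: every form must have been entered.
    for eid in sorted(by_form.keys() - by_entry.keys()):
        findings.append(Finding(eid, "Completeness", "signed form was never entered"))

    # Timeliness: forms are due by the cutoff (the 15th of the month in the slide).
    for eid, form in by_form.items():
        if form.received_on > cutoff:
            findings.append(Finding(eid, "Timeliness", f"form received {form.received_on}, after cutoff {cutoff}"))

    return sorted(findings, key=lambda f: (f.employee_id, f.objective))


# Constructed sample data for one payroll cycle.
FORMS = [
    Form("E1", "Alice Adams", 20.00, True, date(2007, 10, 3)),
    Form("E2", "Bob Brown", 18.50, True, date(2007, 10, 10)),
    Form("E3", "Carol Clark", 22.00, True, date(2007, 10, 12)),
    Form("E4", "Dan Davis", 30.00, False, date(2007, 10, 17)),  # unsigned and late
]
ENTRIES = [
    Entry("E1", "Alice Adams", 20.00, "pclerk"),
    Entry("E2", "Bob Brown", 18.05, "pclerk"),   # keying error in the rate
    Entry("E4", "Dan Davis", 30.00, "pclerk"),   # entered although the form was unsigned
    Entry("E5", "Eve Evans", 25.00, "pclerk"),   # no form at all
]
DATA_ENTRY_USERS = frozenset({"pclerk"})
CUTOFF = date(2007, 10, 15)

if __name__ == "__main__":
    for finding in review(FORMS, ENTRIES, "reviewer", DATA_ENTRY_USERS, CUTOFF):
        print(f"{finding.employee_id} {finding.objective:<14} {finding.detail}")
```

Run as is, the review reports E2 (accuracy), E3 (completeness), E4 (authorization and timeliness) and E5 (authorization); calling it with `reviewer="pclerk"` is refused before any comparison happens. Note that the code only produces the exception list; the worksheet’s evidence that the control ran (the report signed and dated by the reviewer) is still a separate artifact that has to be kept.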
Step 4 – Control Documentation
• How is the control evidenced?
– If it’s not documented, it doesn’t exist
– The control procedure is in policy
• A policy is not, in and of itself, a control
– Performance of the control
– Who does it
Step 4 – Control Documentation: Payroll Example (worksheet)

Explanation of the Exposure: Payments made to unauthorized persons

Controls in Place to Mitigate the Exposure:
– Completeness / Accuracy / Segregation of Duties: A person with no data entry capability reviews the new employee report against the new employee forms, checking for accuracy of data entry, proper authorization of the form, existence of a form for every entry, and that all forms have been entered.
  Where is this control documented? New employee report signed and dated by the person performing the review; each entry is checked or errors noted. See Policy APM 20.05.
  Who is responsible for this? Administrative Associate in the Payroll Department.
– Authorization: Personnel are not to process any changes to payroll data without a form signed by the department head.
  Where is this control documented? Payroll policy number APM 20.21, maintained on the University intranet.
– Safeguarding of Assets: N/A
– Timeliness: Ensure all forms are received by the 15th of the month; if not, follow up to ensure all are received.
  Where is this control documented? / Who is responsible for this? Payroll policy number APM 20.21, maintained by the Payroll Director on the University intranet.
Step 6 – Managerial Controls
• Managerial control:
– What does management do to ensure the control actually functions and is effective?
– Feedback up and down the chain of command
Step 6 – Managerial Controls: Payroll Example (worksheet)

Explanation of the Exposure: Payments made to unauthorized persons

Controls in Place to Mitigate the Exposure:
– Completeness / Accuracy / Segregation of Duties: A person with no data entry capability reviews the new employee report against the new employee forms, checking for accuracy of data entry, proper authorization of the form, existence of a form for every entry, and that all forms have been entered.
  Where is this control documented? New employee report signed and dated by the person performing the review; each entry is checked or errors noted. See Policy APM 20.05.
  Who is responsible for this? Administrative Associate in the Payroll Department.
  Managerial control: Before the payroll is processed, the signed and dated new employee reports, with the new employee forms attached, are forwarded to the Payroll Manager. The Payroll Manager ensures the reports are signed, spot-checks some of the payroll forms, and initials the report as evidence of the review. Reports are filed in Central Payroll.
– Authorization: Personnel are not to process any changes to payroll data without a form signed by the department head.
  Where is this control documented? Payroll policy number APM 20.21.
  Managerial control: Employees are instructed in this prohibition through the policy manual and department training.
– Safeguarding of Assets: N/A
– Timeliness: Ensure all forms are received by the 15th of the month; if not, follow up to ensure all are received.
  Where is this control documented? / Who is responsible for this? Payroll policy number APM 20.21, maintained by the Payroll Director on the University intranet.
Controls Evaluation: End Product
• Identified the risk areas in the University
• Identified the significant exposures in those areas
• Documented the key controls that mitigate those risks and exposures
• Created a tool to ensure policies are up to date, effective, and functioning
• Developed the basis for a controls certification
Dennis K. Miller, Sr. CBA, CFSA
Manager Internal Controls – Financial Services
118 University Hall
Columbia, MO 65211-3020