Office of the Controller and Internal Controls
Sandra Featherson
Associate Director of Controls
Office of the Controller
February 2010
Abbreviated Organization Chart
Henry T. Yang, Chancellor
Jim Corkill, Controller, Accounting Services and Controls
Craig Whitebirch, Director, Audit and Advisory Services
Sheryl Vacca, Senior Vice President/Chief Compliance and Audit Officer, UCOP
Anne Broome, Vice President, Financial Management, UCOP
Ron Cortez, Associate Vice Chancellor, Administrative Services
Vacant, Vice Chancellor, Administrative Services
Vacant, University Auditor
Distinct and Complementary Roles
Office of the Controller
• Provide leadership in a campus-wide effort to ensure effective controls and accountability practices.
• Assist management in assessing their control environment and the effectiveness and efficiency of operations.
• Ensure that campus financial policies and procedures are clear, adequate, and current.
• Evaluate systems and participate in system development to ensure proper controls are implemented and compliance with policy.
Audit and Advisory Services
• Independent evaluation of systems of accountability and control.
• Investigate reported cases of alleged improper financial activities.
• Serve as the liaison between the University community and external audit agencies.
UCSB Control Initiative
• Business Officer Institute (BOI)
• Campus Financial Mgmt. Training & Manual
• Departmental Control Self-Assessments
• Campus Wide Process Risk Assessment
• Departmental Process Risk Assessment
• Control Advisory Committee (CAC)
• Financial Risk Assessment
• BOI Feedback
• Common Audit Findings
Assessments
• Departmental Control Self Assessments
• Departmental Process Risk Assessment
• Campus Wide Process Risk Assessment
Office of the Controller
http://controller.ucsb.edu
Jim Corkill, Controller
Director of Accounting Services and Controls
[email protected]@accounting.ucsb.edu
Sandra Featherson, Associate Director of Controls, x7667
[email protected]@accounting.ucsb.edu
Neil Clark, Administrative Analyst, x8593
[email protected]@accounting.ucsb.edu
Tonika Jones, Administrative Assistant
[email protected]@accounting.ucsb.edu
Internal Controls
What are Internal Controls?
• Definition
• COSO Model
• Examples
Why are They Important?
Who is Responsible for Internal Controls?
Internal Control - A definition
Internal Control is a process, effected by a college or university’s governing board, administration, faculty and staff, designed to provide reasonable assurance regarding achievement of objectives in the following areas:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Internal Control Concepts & Applications, 1992, Committee of Sponsoring Organizations of the Treadway Commission
COSO Internal Control Model
COSO stands for Committee of Sponsoring Organizations.
Committee was formed to develop a common definition of internal controls and provide guidance on judging its effectiveness.
COSO is referred to as an Internal Control Model or framework.
Officially adopted by the University of California
A tool for departments to use in evaluating their internal controls.
There are five components of internal control in the COSO Model:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
Control Environment
• The “tone at the top” set by people in positions of authority
• Based on attitudes and habits of those in authority
• An element in establishing the organizational culture
Control Environment Factors:
• Integrity and Ethical Values
• Commitment to Competence
• Management’s Philosophy and Operating Style
• Assignment of Authority and Responsibility
Risk Assessment
Risk - Anything that gets in the way of meeting your goal/objective
Risk Assessment - The identification and analysis of relevant risks associated with achieving business goals/objectives
Why is a risk assessment important?
Risks impact an organization’s ability to meet its objectives such as:
• Positive Public Image
• Providing Excellent Customer Service
• Reducing Overdrafts
Control Activities
• Policies and procedures that help ensure management directives are carried out and necessary actions are taken to address risks
Control Activities - Specific Examples
• Segregation of Duties
• Transaction Reviews
• Reconciliations
• Financial Performance Reviews
• Systems Controls
• Physical Controls
Case Study
Information and Communication
The information system must provide data that is:
• Relative to established objectives
• Accurate and in sufficient detail
• Understandable and in a usable form
This information must be provided to the right people in time to allow appropriate action
Communication
• Up and down the organization
• Across organizational lines
Communication Examples
• Employee duties and control responsibilities should be clearly communicated
• Ability to report suspected problems, without fear of repercussions
Monitoring
A process that assesses the quality of an internal control system’s performance over time
Monitoring Activity Examples
Management
• Review of actual expenditures vs. budgeted
• Comparison of various reports with physical assets
Separate evaluations
• Assessment of internal controls by Audit and Advisory Services
• External auditors’ reviews
Internal Controls
Why are They Important?
Who is Responsible for Internal Controls?
Internal Controls and SAS 112
SAS 112: Statement of Accounting Standards
Auditors will be reviewing not only the transactions and ensuring the numbers are correct, but also the controls in place to ensure those numbers are correct.
Controls must be documented – or they are not considered controls.
Questions??