Internal Control Workshop

Nov 20, 2013

Kenneth Wilson, Associate Comptroller

Deb Martin, Internal Auditor

Agenda


Quiz on what you know

Movie on applying internal control concepts in
higher education

Review answers to quiz

Presentation reviewing concepts, objectives,
and risk assessment

Case studies

Wrap-up


Internal Control Quiz

Internal Control Concepts & Objectives



Why have Internal Controls?

Promote operational efficiency and
effectiveness

Provide reliable financial information

Safeguard assets and records

Encourage adherence to prescribed
policies

Comply with regulatory agencies

Basic Concepts of Internal Controls

Management, not auditors, must establish
and maintain the entity’s controls

Internal controls structure should provide
reasonable assurance that financial reports
are correctly stated

No system can be regarded as completely
effective

Should be applied to manual and
computerized systems

Detailed Internal Control Objectives

Recorded transactions are valid

Transactions are properly authorized

Existing transactions are recorded

Transactions are properly valued

Transactions are properly classified

Detailed Internal Control Objectives

Transactions are recorded at the proper time

Transactions are properly included in
subsidiary records and are correctly
summarized

Ensure compliance with policy

Safeguard Assets



What are Control Activities?


Control activities are the policies and
procedures that help ensure that actions
identified as necessary to manage risks
are carried out properly and in a timely
manner.

Policies should be implemented thoughtfully,
conscientiously, and consistently

Mechanical procedures are not useful without
focus on policies

Control Activities Include:

Approvals

Authorizations

Verifications

Reconciliations

Reviews of Performance

Security of Assets

Segregation of Duties

Controls over Information Systems

Approval, Authorization, & Verification

Management authorizes activities and
transactions within limited parameters.


Management specifies when prior supervisory
approval is needed.


A supervisor’s approval implies that he/she
verified conformance with policies and
procedures.

Reconciliations


Relate different sets of data to one
another.


Identify and investigate differences.


Take corrective action when necessary.

Reviews of Performance

Management compares information about current performance:

To budgets

Prior periods, competitors

Other benchmarks

Measures against achievement of goals and objectives.

Identify unexpected results or conditions which require follow-up.


Security of Assets

Access to assets such as equipment,
inventories, and cash is restricted.


Periodically assets are counted and
compared to control records.

Segregation of Duties


Duties are segregated to reduce the risk of
error or inappropriate action.

Normally the responsibilities of the following
should be separated:

Initiating, approving, & recording transactions

Handling the related assets

Reconciling balances

Reviewing reports

One person cannot steal and conceal.

Controls over Information Systems

General controls include data center, system
software acquisition & maintenance, security
access, and system development &
maintenance.


General controls support the functioning of
application controls.


Application controls are programmed steps
designed to control application processing.


Risk Assessment: Creating the Right Balance and Understanding the Limitations of Internal Controls

Risk Assessment is a process to


Identify significant risks


Assess risks


What is the likelihood of occurrence?


What is the potential impact?


Manage these risks through:


Avoidance


Acceptance and Sharing (Insurance)


Mitigate with Controls

What are risks?


A risk is anything that could jeopardize the
achievement of your organization’s objective.


Achieve our goals


Operate effectively and efficiently


Protect the university’s assets from loss


Provide reliable financial data


Comply with applicable laws, policies, and
procedures

Risks

Questions to ask yourself:



What can go wrong?


How could someone steal from us?


What policies are we most affected by?


What types of transactions in our area
provide the greatest risk?


How can someone bypass the internal
controls?


What potential risk areas could cause
adverse publicity?

Limitations on Internal Controls



Employees can make mistakes or exercise
poor judgment



There can be collusion - where two or more individuals work together to steal



Management may inappropriately override
established policies or procedures

Questions?


OFFICE OF THE EXECUTIVE VICE PRESIDENT FOR BUSINESS AND FINANCE, TREASURER

To: Faculty, Staff, and Students

Fr: A. V. Diaz
Executive Vice President for Business and Finance, Treasurer

Re: Fraud Reporting Program

Best practices provide for a fraud reporting program as an important part of a healthy business environment. Purdue University has in place controls to provide reasonable assurance that fraudulent, illegal, or dishonest activity on the part of University employees, officers, or business contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists within the University, as it does in any organization. Therefore, consistent with best business practices, Purdue University has implemented a fraud reporting program to ensure that the University provides a mechanism for reporting improper or inappropriate acts.

This is an important program, and I encourage you to use it when appropriate and to communicate the existence of this program to your colleagues in the University community. Please help us make the program a success by using it for its intended purpose, reporting suspected improper or illegal acts affecting Purdue University that you have witnessed or of which you might have knowledge. Personal complaints regarding harassment or issues other than fraud should be filed according to existing University policies.

The Internal Audit Office is responsible for the administration of the Purdue University fraud reporting program. For additional information on the program, please visit www.purdue.edu/fraud. A Disclosure Form for Anonymous Reporting is available at the Web site. If you have specific questions about the program, please contact Peggy Fish, Director of Audits, at (765) 494-7588 or plfish@purdue.edu. To anonymously report suspected fraud or other wrongdoings, call (765) 494-6999, toll-free (866) 818-2620, or mail information to Purdue University, Internal Audit Office, Freehafer Hall of Administrative Services, 401 S. Grant Street, West Lafayette, IN 47907-2024.

Thank you for your assistance and commitment to this effort.

c: President France A. Córdova

Hovde Hall, Room 230 • 610 Purdue Mall • West Lafayette, IN 47907-2040 Phone (765) 494-9705 • Fax (765) 494-9062


Reportable Activities Include


Theft


Embezzlement


Improper reporting of time


Questionable payments


Misuse or questionable use of cash/p-cards


Diversion of or lack of timely deposit of revenues


Credit card fraud


Inappropriate communication of confidential
information


Any other illegal or questionable acts




Fraud Reporting Program

Not Intended for:

Monitoring personnel issues: address through departmental management or Human Resources

Issues related to:

affirmative action

equal access

equal employment

educational opportunity

Direct to the Office of the Vice President for Ethics and Compliance or to the Office of Institutional Equity

Mechanisms to Report Suspicious Acts


Fraud Reporting Hotline


a) is anonymous


b) has no caller ID


c) has no call back option


Anonymous Form


a) available through Internal Audit’s homepage


Call Internal Audit Direct




Internal Control Case Studies

New Business Manager


2 employees


Payroll Clerk, 20 yrs. exp., does own payroll/HR
processing, does all follow-up review, knows new system,
everyone is happy with her, wants to be left alone,
schedules vacation around payroll, will call you when she
needs you


Accounting Clerk, 18 months exp. at PU, prior exp., no
training except invoice vouchers, does work by category
once a month (Cash receipts, funds transfers, billings,
Budget Adjustments, Error Corrections.) Purchasing done
as needed. Works well with giving academic
administrators what they need.


BA has senior role with Dean, does not look at monthly
statements since staff is so competent and has delegated
all signature authority without further review.

Procurement Cards



One clerk for procurement card transactions - extensive
use of the card occurs. People love its ease.

Only has one card so does not need a check-out process.

Distribution document is quickly reviewed and approved.
Does account allocation but never changes object code.

Users have 90 days to turn in receipts - meets
requirement to turn in reconciliation within 90 days.

Validates amount of receipt matches the reconciliation.

Missing receipts are not pursued - she finds that the BM
accepts certain explanations for missing receipts and she
always uses these standard reasons.

The clerk is newly graduated from high school and is
up-to-date on desktop computer skills. Saves the
department from having to train her. They are very
happy.

Travel


PI has federal grant that requires a lot of travel.


Car travel primarily to 3 locations.


PI is account manager and has chosen who the delegate will be - a clerk reporting to them.

Business Manager delegated signature authority, but delegate
insists on signing Bus Manager's name - BM agreed to this.

PI/delegate make travel arrangements and process all
transactions.

Delegate knows of instance where PI was in town during “travel”

BM just found out exception to policy routinely filed - no receipts
for travel since PI stays with colleagues.

Cuts down on grants travel costs - everyone is happy.

It bothers BM, but you are reviewing monthly statements and feel
as good as you can about it.

Asset Control


Inventory of capital assets is hard to make a priority.


New capitalization limit is wonderful, assets went from
500 to 150.


Inventories have never really been completed in past.


Lot of movement in departmental equipment - a lot of
take home.

Student hourly is performing inventory with scanning
equipment.

125 of 150 items found - BM is very happy with this #
but is being asked to resolve the remaining 25,


Not really BM problem since she is new since last
inventory 2 years ago.


Will be hard to resolve since equipment taken home is
not recorded and equipment has been disposed of.


Property Accounting is requiring police reports on
unresolved items.


Receipting of Revenue


½ day workshop developed for 300 people, at $50 per person.


Chair has decided to deposit the revenue in a restricted fund to
maintain control.


Documentation for registration states that fee is a donation - although
the donation is required for registration.


Department secretary is in charge of process and will receive and
process all registrations and payments.


Chair is not interested in details, only wants final list.


Cash and checks coming via mail and hand delivered.


Registration information is entered into a database and registration
forms are then destroyed because of lack of storage space.


Receipts are not being issued because mailed-in registrations would
be too much trouble and expense.


Secretary accumulated all receipts before processing CRV.


Business Manager found out about this when transaction showed up
on the monthly operating statements.



Internal Controls



Thank you for your time and participation


If questions please contact Ken Wilson at 47366 or kjwilson1@purdue.edu
or Deb Martin martindd@purdue.edu