
Building a Strong Internal Control Environment

Building a Strong Internal Control Environment. Presented by: Leigh Baxter Leigh Goller. Research Academy Credit. Acknowledgments. Some content shared with permission from our friends and colleagues at: Duke PRMO Harvard Cornell RIT. Warm up exercise.


Presentation Transcript


  1. Building a Strong Internal Control Environment Presented by: Leigh Baxter Leigh Goller Office of Internal Audits

  2. Research Academy Credit

  3. Acknowledgments Some content shared with permission from our friends and colleagues at: Duke PRMO Harvard Cornell RIT

  4. Warm up exercise Can Internal Controls Mitigate/Manage Risk? http://www.dailymotion.com/video/xahspa_risk-mitigation-for-beginners_fun

  5. Course Objectives To enable and empower you to: • Define and evaluate your internal control environment • Discuss & apply internal control activities & responsibilities • Leverage internal control understanding for effective decision making

  6. Today is not about: • Professional ethics • Conflicts of interest • Enterprise risk management (ERM) • Sarbanes-Oxley • Audit-proofing your business unit

  7. What is stewardship? Stewards carefully and responsibly manage all things entrusted to their care We are responsible for ensuring: • Duke business is executed in good faith • transactions actually occurred • Duke complies with laws, regulations and policies

  8. Pop Quiz! True or False? Internal controls are: • Based on trust • Effective by pure luck • Validated by customer feedback • Tested by auditors • Not my responsibility

  9. A simple equation Control Activities = Risk Management Many Controls = Good Controls

  10. What is risk? • The possibility a negative event will occur • The possibility a positive event may not occur • A calculated chance Risk can be: • External (economy, weather, laws) • Internal (systems, personnel, initiatives) • Controllable (mitigated) • Uncontrollable (inherent)

  11. What is control? • A process to regulate • Exercising influence • Authority or ability to manage or direct • An act to examine or verify • Reducing or preventing the spread of…

  12. Internal Control Types
      • Operational: Promotes operational effectiveness and efficiency as well as adherence to policies and procedures.
      • Financial: Designed to safeguard assets and ensure completeness, accuracy and reliability of financial records.
      • Compliance: Ensures compliance with applicable laws and regulations.

  13. Missing or ineffective controls
      • Operational Risks: Poor decision making; Asset theft or loss; Effort duplication
      • Financial Risks: Misleading or inaccurate financial information; False reporting to constituents; Ineffective cost recovery
      • Compliance Risks: Fines or penalties; Sponsor funding and program renewal; Health & safety

  14. Fact or fiction?
      • Myth: Internal controls are a bunch of red tape. Fact: Internal controls should support, not inhibit, business processes.
      • Myth: Controls are one-size-fits-all. Fact: Controls may vary with the type of transaction, business activity or staffing level.
      • Myth: Internal controls will prevent fraud. Fact: Internal controls can deter and/or detect fraud. Only good behavior prevents fraud.
      • Myth: Policies and procedures promote strong internal controls. Fact: A strong control environment promotes strong internal controls.
      • Myth: Auditors own internal control effectiveness. Fact: Management owns internal control effectiveness.

  15. More fact or fiction?
      • Myth: Internal control is a finance thing – we do what GAP tells us to do. Fact: Internal controls are integral to all aspects of the business – control activities should be designed to meet specific business needs.
      • Myth: Internal controls prohibit certain activities. Fact: Internal controls enable the right things to happen the first time and every time.
      • Myth: Internal controls are just extra work for me – I know how to do my job without them. Fact: Internal controls promote accountability and ensure consistent performance.
      • Myth: Internal controls only protect Duke assets. Fact: Internal controls protect Duke and its employees.

  16. Case Study I • Planning a Vacation • To: Egypt or South Africa • When: in 6 months (Summer) • How Long: for 2 weeks • Who: You and at least one other person Note: All travelers have valid passports

  17. Did you consider? • What is a successful outcome (good trip)? • What is the most critical planning activity? • How many variables you want to control? • Who owns what part of the vacation planning? • What required double-checking? • What might happen while you are on vacation? • Will you miss a flight? • Will you lose anything important? • Will you get sick?

  18. Careful Design With a carefully designed internal control environment, your department can: • Operate more efficiently and effectively • Provide a level of assurance that the processes, services and products for which you are responsible are adequately protected

  19. Health check Does your control environment promote: • Attention and direction from management? • Competence in all employees? • Ethical and quality operations? • Communicating “tone at the top”? • Appropriate assignment of responsibility and authority? • Development of people and skills? • Consistent practices? • Timely execution of required processes and transactions? • Asking questions? • Asking tough questions?

  20. Manager Responsibility Managers are responsible for ensuring that internal controls are established and functioning to achieve the mission and objective of your department

  21. Control Categories • Authorization • Reconciliation • Segregation of Duties • System Configuration • Documentation and Record Retention • Monitoring Operations • Key Performance Indicator • Exception/ Edit Report • Data Interfaces • System Access

  22. Authorization
      • Transaction Approval: Considers the nature and significance of the transaction; Segregates duties; Complies with DU and DUHS policy
      • Access Provisions: Safeguards assets and records; Segregates duties

  23. Reconciliation • A check to determine if two items are consistent • Invoices reconciled to account detail • A process to identify inaccurate or missing transactions

  24. Segregation of Duties • No individual is responsible for more than one of the following transaction components: • Authorization • Custody • Record-keeping

  25. System Configuration • Controls include “switches” that can be set by turning them on or off to secure data against inappropriate processing, based on the policies and procedures • Systems can be configured to require passwords of minimum characters and symbols.

  26. Documentation & Record Retention • Provide reasonable assurance that assets are controlled and transactions are correctly recorded, for example, retention of: • Financial Assistance Application for Charity Care patients • Explanation of Benefit forms for a third party payment

  27. Monitoring Operations • Verification that controls are operating properly • Review of activity of a person different than the preparer analyzing and performing oversight of activities performed • Periodic analytical review of average charge per patient to revenue reported for the period.

  28. Key Performance Indicator • Financial and Non-Financial quantitative measurements that are collected by the entity and used by management to evaluate the extent of progress toward meeting defined objectives • Productivity reporting for individual departments

  29. Exception / Edit Report • Report generated to monitor something and followed-up on through to resolution • Exceptions – report detailing violation of set standard • Edits – report detailing changes to master file

  30. Data Interfaces • The transfer of specifically defined information (data) between two computer systems, using either manual or automated means to ensure accuracy, completeness and integrity of the data • The University identity management system provides a feed to the Health System Enterprise Active Directory.

  31. System Access • The ability that individual users or groups have within a computer information system processing environment • determined and defined by authorized configuration • Established based on unique position number (SAP) or individual employee identification (NetID)

  32. Information & Communication • Processes and systems to provide timely and appropriate information for people to carry out their responsibilities • Quality information is: • Content appropriate • Timely and current • Accurate • Accessible • Communicated appropriately

  33. Control Limitations
      • Internal controls provide only reasonable assurance that operational, financial reporting and compliance objectives are met. These assurances are not absolute.
      • Limitations inherent in all internal control systems include:
      • Collusion: Two or more individuals acting together may alter financial information in a manner that results in control failure.
      • Return on investment: If the cost of control outweighs the benefit of implementing the control, it will not be adopted.
      • Judgment: Humans are fallible and sometimes make errors in judgment because of pressures.
      • Breakdowns: Personnel may misunderstand instructions or simply make mistakes.

  34. Biggest threats to the Internal Control Structure (Threat: Vulnerability)
      • Management Override: A well-designed control system, if set aside at management’s discretion, can be equivalent to no control in terms of risk.
      • Access to Assets: The best way to safeguard assets is to control access to them.
      • Substance over Form: Controls may appear to be well-designed and still lack substance.
      • Conflicts of Interest: When employee loyalty is divided there is a distinct risk that the employee will choose a course of action detrimental to the organization.
      • Failure to Anticipate Certain Risks: Management may fail to anticipate certain risks, and thus fail to design and implement appropriate controls.
      • Collusion: Two or more employees may agree to circumvent internal controls.

  35. Case Study II • Planning a Vacation • To: Egypt or South Africa • When: in 6 days • How Long: for 1 week • Who: You and at least one other person Note: All travelers have valid passports

  36. What did you change? • How did you reprioritize activities? • What control activities changed? • How did time constraints affect you? • Did you delegate differently? • Are you worried about success?

  37. Building a Strong Internal Control Environment Questions?
