Internal Controls What are they and why should I care - PowerPoint PPT Presentation


Slides: 75
Provided by: john166
Internal Controls: What are they and why should I care?
  • Richard See, CIA
  • Internal Audit Manager

Course objectives
  • Understand what internal control is and define
    the various types of internal controls.
  • Gain an understanding of the control
  • Understand the types of controls you should have
    in your work environment.
  • Analyze case studies to understand the
    correlation between fraud and internal controls
    and what can happen when controls fail.
  • Where to go for help.

What is Internal Control?
  • Internal control is a process, effected by an
    entity's board of directors (regents), management
    and other personnel, designed to provide
    reasonable assurance regarding the achievement of
    the following objectives:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Internal Control Key Concepts
  • Internal control is a process. It's a means to
    an end, not an end in itself.
  • Internal control is effected by people. It's
    not merely policy manuals and forms, but people
    at every level of the organization.
  • Internal control can be expected to provide only
    reasonable assurance, not absolute assurance,
    to an entity's management and board.
  • Internal control is geared to the achievement of
    the entity's objectives.

Internal Control Key Concepts (cont.)
  • Management, not auditors, must establish and
    maintain the entity's controls
  • No system can be regarded as completely effective
  • Should be applied to both manual and computerized
  • Are implemented to protect the employee

Internal Controls can fail because
  • Employees can make mistakes or exercise poor
  • There can be collusion where two or more
    individuals work together to steal
  • Management may inappropriately override
    established policies or procedures.

Implementing Internal Controls
  • The cost of a control vs. the benefit derived
    is always a balancing act. It's all part of the
    risk assessment. Remember though, not all
    controls will cost more money.

Risk Assessment: What is it?
  • It's a process to:
  • Identify significant risks
  • Assess risks
  • What is the likelihood of occurrence?
  • What is the potential impact?
  • Manage these risks through
  • Avoidance
  • Acceptance and sharing (insurance)
  • Mitigate with internal controls

What are risks?
  • A risk is anything that could jeopardize the
    achievement of your organization's objective to:
  • Achieve your goals
  • Operate effectively and efficiently
  • Protect the University's assets from loss
  • Provide reliable financial data
  • Comply with applicable laws, policies, and

Identifying your risks
  • Questions to ask yourself
  • What can go wrong?
  • How could someone steal from us?
  • What laws or regulations would be violated?
  • What policies most affect us?
  • What types of transactions/activities in our area
    expose us to the greatest risk?
  • How can someone bypass the internal controls?
  • What potential risks could cause adverse

What are control activities?
  • Control activities are the policies and
    procedures that help ensure that actions
    identified as necessary to manage risks are
    carried out properly and in a timely manner.
  • Policies should be implemented thoughtfully,
    conscientiously, and consistently.
  • Procedures are not useful without a focus on

Key Control Activities
Control Environment
  • Ethical tone at the top communicated in words
    and deeds.
  • Ethics program, including meaningful code of
  • Active, independent, well-informed Board of
    Directors (Regents)
  • Organization structure appropriate to entity's
    activities and which promotes the flow of
  • Clear definition of responsibilities and

Control Environment (cont.)
  • Analysis of knowledge and skills needed to
    perform each job; formal or informal job
  • Qualified and well-trained personnel
  • Frequent interaction between senior and operating
  • Appropriate policies and procedures for hiring,
    training, promoting and compensating employees.
  • Background checks for new hires, especially those
    in sensitive positions.

What do we mean by "Tone at the Top"?
  • It's Management's behavior, control consciousness
    and commitment to competence by:
  • Promoting integrity, ethical values and conduct
  • Walking the walk
  • Leading by example
  • Being approachable
  • Complying w/Policy
  • Not circumventing policies and procedures
  • Providing full disclosure
  • Fixing problems
  • Implementing equal treatment for equal offenses
  • Rewarding things that are done right

Control Environment at the University of Iowa
  • Recent additions and changes
  • Implementation of a Code of Business and
    Fiduciary Conduct which includes a specific
    section for senior management (Copy included in
    your packet)
  • Composition of a Resource Handbook for Business
    and Fiduciary Conduct
  • (Copy included in your packet)
  • http//
  • This Business Process Series Training Opportunity

Control Environment at the University of Iowa
  • Implementation of a confidential reporting
    mechanism for questionable financial behavior
  • EthicsPoint is an independent third party
    contracted to receive reports of questionable
    financial activity
  • Reports can be made by telephone or through the
  • Reports can be made anonymously
  • All reports are forwarded to Internal Audit for
    triage and follow up.

Control Environment at the University of Iowa
  • The reporter is assigned an ID and password to
    sign into the system to track progress and answer
  • Links are at the bottom of President's Welcome
    page and on the Internal Audit home page.
  • http//
  • http//

Segregation of Duties
  • Functions are divided so that no one person has
    control over all parts of a transaction. This
    reduces the risk of error or inappropriate
  • Normally, the responsibilities of the following
    should be separated
  • Initiating, approving, recording transactions
  • Handling the related assets
  • Reconciling balances
  • Reviewing reports
  • Example: Let's review the cash handling policy in
    your packet

Authorizations/Approvals/Verification
  • Limit authorization authority
  • Delegation of Signature Authority form is
    included in your packet
  • Rubber Stamping
  • Responsibility of an Approver information is
    included in your packet
  • Secure access to passwords, electronic signatures
    or other signatory devices
  • Develop written procedures outlining delegation

Authorizations/Approvals/Verification (Cont.)
  • Verify
  • Against an internal or external document
  • Invoice
  • Picture ID
  • With other parties (NIH, SSA, Higher Ed
  • NEVER, NEVER, NEVER sign a blank form!!!
  • NEVER, NEVER, NEVER give your password to

Security of Assets
  • Periodic asset counts
  • Periodic comparisons
  • Investigation of discrepancies
  • Regular data file backups
  • Secure document retention (both hard copy
  • Physical safeguards against theft and fire

Security of Assets (Cont.)
  • Even though this is a financially oriented
    presentation, please remember as you do your risk
    assessments, not all assets are financially
  • Children in PICU/NICU
  • Academic Research Data
  • Human and Animal Research Subjects

Monitoring
  • Ongoing monitoring activities are Management's
  • Compares information about current performance
  • Budgets
  • Prior periods
  • Other benchmarks (i.e. other peer universities)
  • Measures against achievement of goals and
  • Identifies unexpected results or conditions which
    require follow-up.

Monitoring (cont.)
  • The entire process must be constantly monitored,
    and changes made as conditions warrant.
  • Separate evaluations are conducted by Internal

Who is accountable for assurance that appropriate
internal controls are in place?
  • Management!!!!

Who's responsible for the performance of internal
control activities?
  • Everyone!!!!!!

Types of Internal Controls
  • Directive Controls: encourage good behavior,
    "it's the right thing to do"
  • Incentive plans
  • Recognition awards
  • Training
  • Policies and Procedures
  • Promotions

Types of Internal Controls
  • Preventative Controls: prevent undesirable
    events from occurring
  • Knowledge that someone is reviewing your work
  • Segregation of duties
  • Limited access
  • Levels of authorization
  • Security badges
  • Business rule set-up in automated systems

Types of Internal Controls
  • Detective Controls: detect and correct
    undesirable events after they occur.
  • Reconciliations
  • Auditing
  • Confirmations
  • Exception reports
  • Reviews done on a regular basis

Types of Internal Controls
  • Mitigating Controls: mitigate for the lack of an
    expected control.
  • Cash handling: lack of adequate staff for proper
    segregation of duties; sharing with another area
  • Software security/access: regular monitoring of
    access for certain employees when software
    security is not adequate because of functional

IT Access Limitation Controls
  • To create a record
  • To change a record
  • To approve a transaction
  • By allowing read-only
  • By requiring passwords
  • Requiring time out limits
  • By installing firewalls

Control Tools (Partial Listing)
  • Formal Compliance programs
  • Checklists
  • Inspections
  • Exception reports (i.e. Performance appraisals
    not completed, excessive overtime, duplicate
    payments etc.)
  • Forms control (pre-numbered documents, filing by
    and verifying integrity of numerical sequence)
  • Performance standards
  • Physical safeguards (safes, locks, access cards,
    dual control over sensitive assets, cameras,
    alarms, guards, ID badges etc.)
  • Simulated disaster recovery drills

Which of the following are examples of an
internal control?
  • Managers being scrupulous in completing their own
    expense reports
  • Managers telling employees to be scrupulous in
    completing their expense reports
  • Standard price lists, with sales people allowed a
    maximum of 10 variance for negotiation
  • Segregation of duties
  • Passwords
  • Bonus plans
  • Reconciliations
  • Staff Meetings
  • Training on a new system
  • Training in group dynamics
  • Directions on how to complete expense reports
  • Requiring original receipts for expense reports

  • What happens when internal controls are not in
    place or break down?

Fraud Fast Facts
  • Annual estimated fraud losses 660 billion
  • Most fraudsters are first-time offenders
  • Amount of loss is directly related to fraudster's
    position in the organization
  • Most frauds are detected by tips
  • Deterrence is key
  • Source: ACFE's 2004 Report to the Nation on
    Occupational Fraud and Abuse

Fraud Triangle
  • Undisclosed Financial Problems

Red Flags for Fraud
  • No vacation
  • Voluntary overtime
  • Unexplained variances
  • Complaints
  • No reconciliation
  • One employee does it all
  • Documentation is not original
  • Rush requests

Detection of Fraud
  • 40 Tips
  • 24 Internal Audit
  • 21 By accident
  • 18 Internal controls
  • 11 External audit
  • 1 Other
  • Source: ACFE's 2004 Report to the Nation on
    Occupational Fraud and Abuse

If you suspect fraud.
  • Do Not confront the person
  • Do Not talk about it with co-workers
  • Do Not try to verify fraud has taken place or
    catch them on your own.
  • DO call Internal Audit, University Counsel, or
    University Police
  • Experts in objective verification of the facts
  • Work closely with University Counsel and
    Safety/Security to document the issues with
    possibility of testifying in court.

Facts of the case
  • Opened unauthorized checking account to maintain
    coffee funds.
  • Unauthorized account used to deposit
    subscriptions, travel reimbursements, copy
    reimbursements, etc
  • Approx. 7,000 of University funds diverted from
    unauthorized account to personal account
  • Procurement card in her name used to purchase
    furniture that never showed up in the department

Facts of the case continued..
  • Procurement card reconciliation with furniture
    purchase was approved by supervisor
  • Procurement card reconciliations were always late
  • Forged signatures of different staff members on
    University vouchers.
  • Discovered by call from Credit Union asking about
    University checks being deposited into personal

What controls failed
  • Violated various policies including
  • checking account creation
  • cash handling
  • expense reimbursement processing
  • No segregation of duties
  • No account reconciliations
  • No monitoring by management
  • Department allowed the creation of a checking

Facts of the case
  • Manager of vending services pled guilty for
    stealing over 12,000 in cash from token operated
    vending machine operation.
  • Students would pay cash for tokens but not all
    the cash was deposited and token inventories were
    not reconciled.
  • Discovered when another person who counted the
    money noticed missing bags of money from one day
    to the next.

What controls failed..
  • No proper segregation of duties
  • No account reconciliations
  • No inventory reconciliations
  • Cash not safeguarded

Facts of the case
  • Misrepresented her credentials
  • Resume noted a Bachelor's, two Master's, and a
    Ph.D. when in fact she had not earned any degree.
  • Added her name on a scholarly article when she
    was not an author
  • Received funds from the NIH to pay for a
    post-doctoral program even though she had not
    earned a doctorate

Facts of the case (cont.)
  • Filed fraudulent travel reimbursements
  • Claimed up to 880 mi. per day to visit research
    subjects when she didn't visit them at all.
  • Many weeks she filed for trips taken 7 days in a
  • Filed for trips taken when she also filed
    vacation or sick leave time
  • Filed for expenses taken for a trip on
    Thanksgiving Day which was in the middle of a
    string of 10 straight days of trips
  • Total reimbursement over an 18 month period
    totaled 53,000 and 215,000 miles

Facts of the case continued..
  • University had to reimburse NIH for several
    thousand dollars for the grant she was involved
  • Detected when other employees became suspicious
    about her credentials

What controls failed..
  • No monitoring by management
  • Inadequate approval and verification
  • Inadequate control environment

Facts/Allegations in the case
  • Ames contractor alleged to have overbilled Iowa
    State University in excess of 400,000 over a
    three year period.
  • Contractor won a three year contract through
    competitive bid to perform all general repairs on
    campus that were estimated to be under 25,000.
  • It appears that on several days employees were
    charged for a full day on multiple projects.

Facts/Allegations in the case
  • Contractor had many jobs in progress at the same
    time. Usually each job had a different ISU
    project manager so job invoices were reviewed by
    different managers.
  • Projects were small and with other larger
    projects requiring most of their time, project
    managers rarely visited the job site.
  • Contractor always presented an estimate before a
    job and the department was asked by the project
    manager whether they had money in their budget.

Facts/Allegations in the case
  • The contractor's defense appears to be that he
    always came in under budget.
  • Discovered when a new, inexperienced ISU project
    manager had a question about an invoice and when
    compared with another invoice, realized the same
    employee showed up on both invoices as working a
    full day on each job.

What controls failed..
  • Improper monitoring by project managers
  • Little on-site monitoring
  • Cursory review of estimates
  • Invoices not properly verified

Other instances of control failures
  • University Parking
  • Attendants using free parking passes for their
    own use.
  • University Student Health
  • Clerk allegedly crediting her own account
  • ISU Parking
  • Attendants not ringing up all transactions
  • Hiley B. Smith
  • Manipulated invoices and voids to subvert
    payments from customers

Internal Control Quiz
  • Which of the following is NOT a true statement?
  • Putting controls in place will always cost more
  • Controls help to ensure compliance with policies
  • Controls will help the organization achieve its
  • Controls will help protect the organization's

  • The most important component of internal control
  • Segregation of duties
  • Following policies
  • The integrity, ethical values, and competence of
    an organization's employees
  • Theft prevention

  • Who has the primary responsibility for internal
    controls in your college/department?
  • The college dean/department chair
  • The college/department fiscal officer
  • The Internal Audit Department
  • The Controller

  • Segregating duties is most important because
  • An employee should not be put in a position where
    they are able to steal and conceal
  • Having too many duties overburdens an employee
  • The auditors may write you up if you don't do it
  • All of the above

  • Which is NOT an example of an internal control?
  • Maintain adequate records
  • Combine recordkeeping and custody of assets
  • Apply IT controls to your work environment
  • Make deposits daily or per policy

  • Which of the following is true regarding internal
  • Are only needed to keep dishonest people from
  • Are not needed in a small office where everyone
    knows each other
  • Are not needed if the staff is honest
  • Are always necessary regardless of the staff

  • The fiscal officer of the School of DeArts wants
    to make sure the controls that were implemented
    are still effective. The fiscal officer should
  • Ask all of the other school fiscal officers if
    they have had any money stolen
  • Change the locks on the doors
  • Spot-check transactions, records, and
    reconciliations to ensure they meet your
  • Ask for an Internal Audit of the school's
    internal controls

  • The fiscal officer for the School of
    LearningStuff is trying to decide the best way to
    process payroll for their ten non-exempt (hourly)
    lab techs who work for the school's only
    researcher. Which of the following ideas would
    have adequate controls?
  • Each employee would fill out their time card,
    compute total regular and overtime hours, then
    give it to the school secretary for input into
    the system.
  • Each employee would fill out their time card,
    then give it to the school secretary who would
    calculate hours and input it into the system.
  • The school secretary would keep track of lab tech
    hours, compute total hours and input them into
    the system.
  • All of the above contain adequate controls.
  • None of the above contain adequate controls.

  • One critical element in the internal controls of
    any department or college is
  • Background checks for all employees
  • Level of education of staff
  • Integrity and ethics of the chair or dean
  • The number of policies and procedures

  • No matter how well designed and executed,
    internal controls can fail because
  • Employees can make mistakes or exercise poor
  • There can be collusion where two or more
    individuals work together to steal
  • Management may override established policies or
  • All of the above

  • You have accepted a position whose duties include
    the role of fiscal officer for several
    departments in your school. One of your first
    decisions is to delegate your signature authority
    and the review of the payroll reports for fiscal
    transactions to an approver for one of the
    departments. Of the list of potential
    candidates, who should you NOT choose to be an
  • The account manager for the department
  • Administrative support staff who have no payroll
    processing duties
  • Administrative support staff who are payroll
  • Administrative support staff who have no payroll
    processing duties but who are outside of the
  • You would not choose a, c, or d from the above

What can Internal Audit do for you?
  • Give you free expert advice
  • Benchmark with your peers
  • Assist with specific issues within the area
  • Provide training on internal controls
  • Provide a confidential sounding board for your
    ideas or concerns
  • Help identify risks in your areas.

Thank you for your time today. Questions?
  • University Internal Audit
  • W512 Seashore Hall
  • E613 General Hospital
  • http//