Internal Controls


INDIANA UNIVERSITY
Risks, Controls, & Ethics
Financial Administrator Development Series
Kuali Financial Systems – Financial Administrator Development Series – October 2006
Session Objectives
• Understand and apply INTERNAL
CONTROL concepts to accomplish your
organization’s objectives
• RISK Assessment and Management
• ETHICAL VALUES and CONDUCT
What are Internal Controls and why should I care?
Why should you care?
Internal Controls
minimize the RISKS to
your Organization!!!
RISKS your Organization faces
• Financial Reporting
• Compliance
• Operational
• Loss of Assets
Why should you care?
IT’S YOUR
JOB TO
CARE
Financial Institutional Policy I-1
Role of Fiscal Administrator, Account Manager,
and Account Supervisor.
• Account Supervisor has a leadership or
executive role.
• Account Manager has an operational
role.
• Fiscal Officer has an oversight role.
It’s your Job
Financial Institutional Policy I-1
“…trained and hired for the purpose of
providing fiscal, policy, and internal
control management of all funds...”
“…responsible for ensuring that processes
and related controls have been
established to achieve the mission and
objectives of their organization(s).”
What is Internal Control
Internal control is a PROCESS of specific policies
and procedures designed to provide reasonable
assurance that organization’s objectives will be met
– Provide reliable financial reporting
– Promote efficient and effective operations
– Helps ensure compliance with policy
– Protect University Assets
Control Environment
TONE AT THE TOP
– Integrity, ethical values, and behavior of
management
– Management’s control consciousness
– Management’s commitment to competence
It’s the way you do Business
– Organization structure
– Assignment of authority and responsibility
– Policies and practices
What do we mean by
“Tone at the Top”?
• Promote ethical values & conduct
• Walk the walk
• Lead by example
• Be approachable
• Compliance w/Policy
• Don’t circumvent rules
• Full disclosure
• Fix problems
• Equal treatment for equal offenses
• Reward things that are done right
• Hug your Auditor
Questions
• Which attributes of a Super Fiscal
Officer can be useful in exhibiting
a strong “Tone at the top”?
• When should you be
demonstrating a strong “Tone at
the top”?
What are Ethics?
Defining Ethics?
eth·ic Pronunciation: 'e-thik Function:
noun from Greek Éthos, Date: 14th
century
1 the discipline dealing with what is good
and bad and with moral duty and
obligation
2 a: a set of moral principles or values
b : the principles of conduct governing an
individual or a group <professional
Defining Ethics?
“Doing the right thing”
What’s the Right Thing?
“What are the Rules”
Ethical Rules?
• Is it legal and in compliance with IU
policy?
• Is it fair?
– Honest, truthful, responsible,
trustworthy, respect individual
• Would it pass the newspaper test
(or the Mom test)?
Why Ethics are important to your
Organization?
Responsibility
Regulatory requirements
Return on integrity (the other ROI)
Return on integrity (the other ROI)
Good Ethics = Good Business
– Better employee decision making
– Greater employee commitment to the
organization
– Reduced unethical or illegal behavior
– Better work environment
– Better reputation and image for IU
ETHICS
Closing Thoughts
Silence is NOT Golden
• Speak out!
• Be outraged!
• Silence implies your consent!!
Important to talk
• Transparency
• Get other perspectives/input
• Hopefully Consensus
Who you going to call?
• Supervisor
• Human Resources
• Purchasing
• Accounting
• University Legal Counsel
• Internal Audit
• Police
Causes of Ethical Failures
1. NO “Tone at the Top”
2. NO Consistency
3. Train Wrecks
4. Fear of Retaliation
5. No Reporting Mechanisms
6. No Education, Communication or Tools
QUESTION
What specifically are you
going to do to promote a
strong ethical
environment in your
organization?
Written goals and objectives?
• Internal control is pointless without goals
and objectives.
• Written goals and objectives focus efforts
toward desired outcomes.
• Written goals and objectives provide a
rationale for resource allocation.
• Written goals and objectives are evidence
of thoughtful management.
What objectives do we need?
• Mission statement.
• Operations objectives.
• Financial reporting objectives.
• Compliance objectives.
• Objectives for all significant activities.
What are risks?
• A risk is anything that could jeopardize the
achievement of your organization’s objective.
– Operate effectively and efficiently and achieve
our goals
– Provide reliable financial data
– Comply with applicable laws, policies, and
procedures
– Protect the university’s assets from loss
Risk Assessment is a process to
• Identify significant risks
• Assess risks
– What is the likelihood of occurrence?
– What is the potential impact?
• Manage these risks through
• Avoidance
• Acceptance and Sharing (Insurance)
• Mitigate with Controls
How do we identify risks?
• You know your risks.
• For each objective, ask yourself:
– What could go wrong?
– What assets do we need to protect?
– How could someone steal from us?
– What is our greatest legal exposure?
– What else?
Assess Risks
• Likelihood – probability of occurrence
• Impact – effect on IU/your organization
– Loss of resources
– Loss of public trust
– Violation of policies, laws, regulations
– Bad publicity
– Decreased enrollment
– What else?
Control Activities
• The policies and procedures that help
ensure that actions identified as necessary
to manage risks are carried out properly
and in a timely manner
– must be implemented thoughtfully, conscientiously,
and consistently
– unusual conditions identified must be investigated and
appropriate corrective action taken
– Should be proactive, value added, and cost effective
Control Activities
• Approvals, Authorizations, and
Verifications
– Having written policies and procedures and
limits to authority
• Reconciliations
– Explanations of the differences between
two different sets of data
Control Activities
• Reviews of Performance
– For programs, departments, and individual
employees
• Security of Assets
– Limiting access, keeping records, and making
periodic counts to compare to our records
Control Activities
• Segregation of Functions
– The approval, recording/reconciling, and
custody functions should be segregated
• Controls over Information Systems
– Application and development, controls within
applications, security of data and machines
What control activities do I need?
• Enough to help ensure that you are managing
your significant risks.
• Actions should be taken and control activities
should be performed to mitigate significant risks
to acceptable levels.
• An action to manage a risk can be anything.
What needs to be approved?
• Per policy, all financial transactions must
be approved by the dept Financial
Administrator.
– Financial Administrator can delegate
signature authority
• What to approve and what to delegate?
• It depends on the risk assessment.
• Generally, the higher the risk activities
the higher level of approval/authorization.
What needs to be reconciled?
• It depends on the risk assessment. Information
about high risk activities should be reconciled
to ensure its accuracy and completeness.
• Monthly operating reports must be reconciled to
departmental records.
• Payroll voucher reports should be reviewed and
compared to departmental records.
• What else?
What activities should be reviewed?
• It depends on the risk assessment
• Information about high risk activities must be
reviewed by management.
• Generally, the Chair/Director/PI should review
reports which compare budget to actual
– To measure performance.
– To detect problems.
• Performance reviews of staff
• Management’s review should be documented.
What assets need to be secured?
• It depends on the risk assessment
• Liquid assets, assets with alternative uses,
dangerous assets, vital documents, critical
systems, and confidential information need to
be secured.
• Access to these assets should be restricted.
• Perpetual records should be maintained;
periodic physical counts should be performed--
differences should be checked.
What duties need to be segregated?
• It depends on the risk assessment
• The approval, accounting/reconciling, and
asset custody functions should be
segregated.
• Generally, duties related to cash receipts,
payroll and purchases are high risk and
should be segregated.
How do we control our computers?
• It depends on the risk assessment
• If the information is critical or confidential, then both the
information and the computer need to be
controlled.
• Basic controls are
– Password protecting information.
– Backing-up information.
– Virus Scanning
– Practicing safe computing
– What else?
Information and Communication
• Communicate policies and procedures
– Supervisors and employees understand
objectives and job responsibilities
• Get the information you (and staff) need
• Do performance evaluations
• Measure customer satisfaction
• Open door policy
– Hear the good and the bad news
Monitor Performance
• Evaluating your Internal Controls to
determine
– Adequately designed
– Properly executed, and
– Effective
• How can we KNOW?
Monitor Performance
• Internal Controls are effective if you know:
– The extent to which your organization’s goals
and objectives are being achieved
– In compliance with relevant policies, etc.
– Financial records are reliable
– Assets are safeguarded
– Resources are used to advance organization’s
mission
Who is Responsible for Control?
• EVERYONE
• Management is responsible for establishing a
controlled environment.
• Faculty and staff are responsible for carrying
out internal controls by following policies and
procedures.
• Internal Audit, in an advisory/consultant role, is
responsible for evaluating whether appropriate
controls have been implemented and if they are
functioning as intended.
Internal Control
• Is a Process
• Designed to provide reasonable assurance
that organization’s objectives will be met
– Provides reliable financial reporting
– Promotes efficient and effective operations
– Helps ensure compliance with policy
– Protects university Assets
Why Internal Controls fail?
• Human Errors - Bad Judgment
• Management Override
• Collusion
• Cost versus Benefit
Internal Control components
Define Organization’s
Goals and Objectives?
[Flowchart: Organizational Objectives; Identify & Assess Risks; Identify Current Controls; Identify & Assess Residual Risks; Acceptable (No / Yes); Action; Document Risk Acceptance Decision]
Define goals and objectives in relation to Mission, Activities and processes, Financial reporting requirements, and Compliance issues
SMART Goals & Objectives
Specific
Measurable
Attainable
Realistic
Timeframe
Identify and assess potential
RISKs by asking
[Flowchart: risk assessment process, Organizational Objectives through Document Risk Acceptance Decision]
• What could go WRONG?
• What must go RIGHT?
• How likely is it that the risk will happen?
• What will be the impact if it happens?
What controls are in place
to achieve your objectives?
[Flowchart: risk assessment process, Organizational Objectives through Document Risk Acceptance Decision]
• Control Environment
– Tone at Top
– Competence
– Roles & Responsibilities
• Information & Communication
• Control Activities
What could still go wrong
given existing controls?
[Flowchart: risk assessment process, Organizational Objectives through Document Risk Acceptance Decision]
Look at your risks and your existing controls to identify any gaps.
Can you live with the
Residual Risk?
[Flowchart: risk assessment process, Organizational Objectives through Document Risk Acceptance Decision]
• Do your existing controls provide reasonable assurance that you will achieve your objectives?
• Some things you can’t control (changes in government regulations, weather)
• Risk acceptance decision will depend on the culture of the organization
Action Planning
[Flowchart: risk assessment process, Organizational Objectives through Document Risk Acceptance Decision]
If the level of uncontrolled risk is too high/unacceptable then action plans are developed to reduce the residual risk to an acceptable level.
QUIZ - Internal control is a
• PROCESS of specific policies and procedures
• Designed to provide reasonable assurance that
organization’s objectives will be met
– Provide reliable financial reporting
– Promote efficient and effective operations
– Helps ensure compliance with policy
– Protect university Assets
Who is Responsible for Control?
• In a word, everyone
• Management is responsible for establishing a
controlled environment.
• Faculty and staff are responsible for carrying
out internal controls by following policies and
procedures.
• Internal Audit, in an advisory/consultant role, is
responsible for evaluating whether appropriate
controls have been implemented and if they are
functioning as intended.
QUIZ
• Name four Control Activities:
1.
2.
3.
4.
QUIZ
The most important Internal Control
component is:
1. Risk assessment/management process
2. Hug your auditor
3. Positive “Tone at the Top”
4. Strong ethical climate
5. Control environment with answers 3 & 4
Quiz
Risk Assessment/Management is:
1. Planning a surprise birthday party
2. A department at IU
3. A process to assess risks and controls
as they impact on the achievement of a
business objective
QUIZ
Effective Internal Control Systems will:
1. Provide reasonable assurance that your
organization’s objectives will be met
2. Promote reliable financial reporting
3. Provide efficient and effective
operations
4. Help ensure compliance with policy
5. Protect university assets
6. All of the above
Quiz?
• Short Definition of Ethics?
• What are the Rules?
Case Study
• Identify 1-3 SMART OBJECTIVES
• Identify the 1-3 possible RISKs that
would prevent you from achieving your
objectives
• List the CONTROLS you would
implement to mitigate these risks