Small Government Internal Controls

Small Government Internal Controls. Presented by Donna Collins Milestone Professional Services. Why are Internal Controls So Important?. Accountability Citizens Approved budget has been followed Spending and letting of contracts has been legal Appropriate safeguards taken against fraud

Presentation Transcript


  1. Small Government Internal Controls Presented by Donna Collins Milestone Professional Services

  2. Why are Internal Controls So Important? • Accountability • Citizens • Approved budget has been followed • Spending and letting of contracts has been legal • Appropriate safeguards taken against fraud • Grantors • Funds have been used for the purpose given • Compliance requirements have been met • Management • Data is reliable for decision making

  3. Why are Internal Controls So Important? • Accurate reporting • Internal • Budgeting and planning purposes • Cash flow management • External • Creditors (Bankers, bondholders, etc.) • Grantors • Financial statement users • State and other governments • Companies moving to our City

  4. Why are Internal Controls So Important? • Efficient use of resources • Eliminating redundancy in our process to allow for a streamlined workforce • Protecting against loss due to fraud and misappropriation • Communicating clearly internally and externally so that operations flow smoothly • Providing for the ability to recognize excellence within our government

  5. Internal Control - Definition • Internal Control is a process, effected by management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with laws and regulations

  6. Internal Control - Definition • Internal control consists of five interrelated components that affect each of the three categories

  7. Internal Control - Components • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring

  8. Internal Control - Components • Internal control components interact with operations, financial reporting and compliance

  9. Control Environment • Sets the tone for the government • Influences control consciousness • Foundation for all other control components • Includes: integrity, ethical values, competency, management’s philosophy, and the way authority and responsibility are assigned

  10. Practical Application - Control Environment • Establish current policies with regard to ethical behavior (Code of Conduct), Conflict of Interest, Nepotism • Enforce appropriate discipline for failure to comply with these policies • Ensure personal adherence to strong moral code • Reward competency

  11. Practical Application - Control Environment • Place high degree of importance on maintaining strong internal control • Provide for a “whistle blower” policy that allows employees and others to report fraud or false statements by the management team

  12. Impact of the Control Environment • Don’t underestimate the importance of this part of the control system. All the great control activities in the world will not be effective if employees know that management is not concerned with strong internal control, lacks integrity or does not value their employees.

  13. Control Environment Pitfalls • Ignoring the tone that management sets or thinking that the control environment is not important. • Inconsistency in treatment of lapses in ethical conduct. • Allowing employees to feel devalued.

  14. Risk Assessment • Risks result from both external and internal sources • These change over time based on economic, regulatory, and operating conditions • Risk Assessment must link identified policy objectives to specific risk factors

  15. Risk Assessment • Example: a policy of receiving the highest rate of return on investments must be linked to interest rate risk

  16. Risk Assessment • Example: a policy of allowing payment from vendor statements rather than original invoices only must be linked to the risk of duplicate payments

  17. Risk Assessment • Example: a policy of decentralized cash receipts must be linked to the risk of untimely deposit and recording to the general ledger.

  18. Risk Assessment • Risk Assessment must also link identified control objectives to specific risk factors • All transactions are properly authorized • Transactions are recorded in the correct period for the correct amount • All revenues are received and recorded timely • Assets are not stolen or lost

  19. Risk Assessment • Risk factors are created by: • The nature of particular accounts or transactions • Turnover in key employee positions • Changes in the financial markets • The expertise of the personnel handling transactions • Ineffective or poorly designed control activities

  20. Practical Application - Risk Assessment • Be realistic about the true risk with regard to a particular account or cycle of transactions • Consider all types of applicable risk: inherent, control risk, fraud risk, credit risk, etc. • Make sure to address IT risk • Identify “What could go wrong?”

  21. What could go wrong? Example: Cash Disbursements • Payments could be made to fictitious vendors • Disbursements could be made for the wrong amount • Duplicate payments could be made on an invoice • Disbursements could be recorded in the wrong period

  22. What could go wrong? Example: Investments • Excessive transaction fees could be charged to the government. • Investments held by the government could be stolen (Certificates of Deposit). • Investments outside the government’s risk tolerance could be purchased and result in loss of principal.

  23. What could go wrong? Example: Cash Receipts • Funds received could be credited to the wrong customer account • Cash could be stolen by an employee • Amounts received could be recorded net rather than gross • Amounts receivable may never be collected due to failure to follow up on past due amounts

  24. How to perform an effective risk assessment • Use “What could go wrong” scenarios to identify areas of potential risk. • Rank the likelihood and impact of each of these risk factors. • Identify controls that mitigate risk for the highest ranked risk factors.

  25. Risk Matrix – Cash Receipts

  26. Practical Application - Risk Assessments • Risk Assessments can be documented via narrative, checklist or matrix • Tools available include: • COSO documents available via AICPA • PPC checklists or other auditor utilized templates • Local government websites (perform Google search for “government internal control”)

  27. Practical Application - Risk Assessments • Remember that use of a third party does not eliminate management’s responsibility for assessing risks. • Structure of agreement is important • Obtain SAS 70 • Reconcile reports to general ledger (as applicable)

  28. Practical Application - Risk Assessments • Remember that IT controls can affect risk for all cycles of transactions. Well designed internal controls can be made ineffective by poor controls over IT. • System log-in should mirror job responsibilities • Passwords • Remove temporary access granted once no longer appropriate

  29. Risk Assessment Pitfalls • Trying to identify a control for every risk factor. • Ignoring the possibility of existing compensating controls. • Not performing a risk assessment annually or at least when key factors have changed (regulatory, employee turnover, etc.) • Ignoring IT controls.

  30. Control Activities • The policies and procedures that ensure management’s directives are followed • These occur at all levels throughout the organization • Include: approvals, authorizations, verifications, reconciliations, security of assets, segregation of duties and review of operating performance

  31. Practical Application - Control Activities • Address control objectives: existence or occurrence, completeness, valuation or allocation, rights and obligations, accuracy or classification, cutoff and presentation and disclosure • Tie control activities to risks previously identified and address “What could go wrong” scenarios • Balance cost and benefit

  32. Practical Application - Control Activities • Identify control objectives and the risks of what could happen • For each risk factor identified, evaluate the potential impact and probability of occurrence • Design control activities to address high impact, high probability concerns • Evaluate annually

  33. Risk Matrix • Cash Receipt Example

  34. Risk Matrix • Cash Disbursements Example

  35. Practical Application - Control Activities • It is not necessary to address every risk factor with a specific control activity – focus on key areas • Utilize compensating controls where “textbook approach” is not practical • Evaluate the benefit of existing monitoring controls

  36. Risk Matrix • Cash Disbursements Example

  37. Key Control Activities • Address unusual transactions or variance from expected benchmarks in timely fashion • Reconcile accounts per general ledger to subsidiary ledgers or statements from trustee/custodian (as applicable) • Separate initiation and authorization from recording of transactions

  38. Key Control Activities • Provide for oversight by interested party such as Investment Committee (include trustee activities), Audit Committee or Citizens’ Group • Utilize disclosure checklist to ensure presentation and disclosure requirements are met

  39. Control Activities Pitfalls • Remember that for small governments key objectives must be identified • Reducing the risk of theft or fraud • Providing for accountability • Ensuring compliance with regulations • Focus on true effectiveness – not just cookie cutter approaches • Ensure benefit justifies the cost

  40. Information and Communication • Includes both internal and external interaction • Requires pertinent information to be identified, captured and communicated in a form and timeframe for employees to carry out their responsibilities • Reports must contain relevant operational, financial and compliance information

  41. Practical Application - Information and Communication • System generated reports must include relevant information • Statements from outside third parties (broker/dealers, bank statements, grantor agency) must be channeled to correct personnel and provided timely

  42. Information and Communication Example: Investments • Communication with Investment Committee or other oversight body should include: • Types of investments held • Average rate of return for period and YTD compared with benchmarks • Average maturity of portfolio • Compliance with investment policy provisions

  43. Information and Communication Example: Investments • Communication with Investment Committee or other oversight body should also include: • Changes in investment strategy (if any) • Interest rate environment changes • Discussion of any unusual transaction or particularly risky investment

  44. Information and Communication Example: Cash Disbursements • Communication with Departments • Budget to Actual Report by budgeted line • Request to explain certain variances • Detail of Capital Assets added to subledger • Communication with Council • Budget to Actual Comparison by Department • Explanations for variances over a certain threshold

  45. Information and Communication Example: Cash Receipts • Daily Cash reports should show revenue by major categories such that reconciliation to the general ledger is facilitated. The date of receipt and date of deposit should be included along with the general ledger and bank account information.

  46. Information and Communication Pitfalls • Generating reports that provide inaccurate, untimely or unnecessary information • Providing inappropriate information outside the organization (SS #, employee evaluations) • Failure to verify accuracy of externally provided reports

  47. Monitoring • Assessing the quality of the internal control system and making modifications as needed • This process is ongoing through the normal course of operations and at separate specific evaluations of a particular process

  48. Monitoring • COSO Framework states that “Monitoring ensures that internal control continues to operate effectively.” • The COSO Framework recognizes that risks change over time and that management needs to “determine whether the internal control system continues to be relevant and able to address new risks.”

  49. Monitoring • The original COSO report on internal controls was issued in 1992. • In 2009, COSO issued “Guidance on Monitoring Internal Control Systems” • Emphasized importance of monitoring controls as part of even small government environments.

  50. Monitoring • Monitoring is both an on-going process and can be annual in nature (testing of key controls) • Process can be done annually by the Internal Audit Department (as applicable) or as an Internal Review by Finance personnel.
