Internal Audit Best Practices Workshop, 12th November 2013. Presented by: Kellie Hart, CPA, CA, CIA, Manager, Internal Audit; Michael Brown, CIA, Senior Internal Auditor
Overview • Introduction to Internal Audit • Internal Control 101 • Hot Topics • Fraud 101
Internal Audit’s Mandate Internal Audit “provides independent, objective assurance and consulting services designed to add value and improve the organization’s operations...[and] effectiveness of governance, risk management and control processes.” (Source: Institute of Internal Auditors)
What is an Internal Auditor? Our Role: • Monitor/Audit Queen’s • Make recommendations • Drive continuous improvement and VALUE!
What we do • Governance, Risk, and Compliance • Operational • Financial • Forensic (fraud related investigations/ reviews) • IT Systems
How We Select University Audits • Internal Audit Plan: • Risk-based approach • Professional judgment • Best use of our time • Various types of audits • Approved by the University’s Audit and Risk Committee of the Board of Trustees
Agenda • Definition • Internal Control at Home and Work • Risk • Roles and Responsibilities • SOAPSPAM - Applying the Theory
Definition of Internal Control “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.”
Simple Definition • Internal control - trying to make the things we want to happen, happen … • And the things we don’t want to happen, not happen.
Internal Control at Home • Lock your home and vehicle. • Turn off the stove / iron • Keep your ATM/debit card pin number separate from your card • Review bills and credit card statements before paying them
Internal Control at Home, Cont’d • Reconcile your bank statement • Don’t leave blank cheques or cash just lying around • Expect your children to ask permission before they can do certain things
Internal Control at Work • Computer passwords are periodically changed and aren’t written down • PCard transactions are checked against source documents. • Financial transactions are checked. • Authorizations required for certain activities.
What is ‘Risk’? The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of consequence and likelihood.
What is ‘Risk’? Success is the reward for taking risks (“I miss 100% of the shots I don’t take”)
Risk External Risk Drivers • Economic changes • Changing student & community needs • New/changed legislation & regulations • Technological developments • Natural catastrophes • Competitive conditions
Risk Internal Risk Drivers • New Personnel / High Turnover of Staff • Low Morale • New policy / internal control system • New or Revamped Information Systems • Complexity of Activities • Dispersion of Operations • Changes in Management
Risk Example • Example: Risk of not sleeping through the night… • External Factors • Internal Factors • Consequence • Likelihood • Internal Controls…?
Risk Tolerate Treat Transfer Terminate
Risk Management Internal controls are one way to manage risk… But… ‘risk vs. reward’ • Are there any risks that have no / few controls? • Are there risks that may have too many controls? • Are there controls that do not mitigate any risks? • What are the COSTS of control – is it worth it?
QUIZ: 1 Internal Controls exist solely for the detection of fraud a. True b. False
Who Is Responsible? • Board of Trustees • Principal • Management • Frontline Personnel • University policies assign responsibility for the internal control system to all University employees.
Internal Controls & Internal Audit • Internal auditors are not responsible for establishing or maintaining controls • Instead we are responsible for: • Examining the adequacy and effectiveness of the University’s internal controls, • Making recommendations where control improvements are needed • Contributing to the effectiveness of the control environment
QUIZ: 2 Internal control can do which of the following? I. Ensure organizational success II. Ensure organizational survival III. Ensure the reliability of financial reporting IV. Ensure absolute compliance with laws and regulations • I, II, and III only • II, III, and IV only • All of the above • None of the above
Controls 101 – ‘SOAPSPAM’ • S - Segregation of Duties • O - Organisational • A - Authorisation • P - Physical • S - Supervision • P - Personnel • A - Arithmetic/Accounting • M - Managerial
SOAPSPAM – PCard Example • S - Segregate payment and review and approval of reconciliation • O - Review and understand PCard Policy • A - Ensure that transactions, claims and statements are authorised • P - Keep the card secure when not in use. Do you know where it is right now?
SOAPSPAM – PCard Example • S - Review and supervision • P - Training and support • A - Arithmetic - Reconcile PCard statement to backup in accordance with timetable • M - Know who is accountable, reporting lines
PCard – What can go wrong? PCard fraud, misuse found at Florida universities • A Florida International University professor used a school credit card to buy at least $5,000 worth of personal items, including an MP3 player, a wireless reading device and a membership with United Airlines' Red Carpet club. • An administrative assistant in University of Florida's oral history program submitted receipts for books for a “WWII project.” But the books weren't about a world war. They were from Weight Watchers.
WARNING SIGNS • ‘I didn’t know that!’ - Inadequate knowledge of policies or governing regulations • ‘We trust ‘A’ who does all those things.’ - Inadequate segregation of duties • ‘We share a password, it’s easier.’ - Inappropriate access to assets • ‘You mean I’m supposed to do something besides initial/sign it?’ - Form over Substance • ‘I know that’s the policy, but we do it this way.’ / ‘Just get it done; I don’t care how!’ - Control override • Be alert to these responses – they usually INDICATE poor controls OR ineffective practices…
Myths and Facts FACT A lack of formal policies does NOT preclude good business practices MYTH If a policy doesn’t exist, we don’t have to do it
Myths and Facts MYTH If controls are strong enough, we can be sure that errors, fraud and irregularities will always be detected FACT Internal controls are our best defence against errors… but DO NOT guarantee this
Myths and Facts MYTH Internal controls are just about finance and accounting FACT Internal controls are integral to every aspect of university systems and processes
Myths and Facts MYTH Internal controls are negative. They take time away from our core responsibilities FACT Internal controls are designed to IMPROVE processes and make them more efficient!
Final Thoughts… • Internal control is a process; it is a means to an end, not an end itself. • Everyone has a role in regard to internal controls • Controls are there for you! • Avoid mistakes and re-work • Protect yourself • Save time • Avoid uncomfortable questions • Provide a framework • Clarity and confidence
HOT TOPICS • Procurement / BPS • Hospitality Policy • Travel and Related Expenses Policy • Procurement Policy • Procurement Card Policy • PeopleSoft HR • Revenue
BPS In 2011 the Ontario government established new directives for open, fair and transparent financial practices at all Broader Public Sector (BPS) organizations, including Queen’s. All BPS organizations must comply. …the whole policy is not just a Queen’s thing, it’s the law!
BPS Cont’d… Hospitality Policy Highlights: • Pre-approval requirements have been instituted for expenses incurred for internal meetings • Alcohol purchases for employee/student only meals or events must be pre-approved in writing by the Dean, Vice-Principal or Principal • Personal University Club memberships will not be reimbursed
BPS Cont’d… Travel Meal Highlights: • Meal per diems are no longer allowable for travel claims • Itemized receipts are required for meals, as they are for all expenses (Even Hotel Meals!) • Maximum daily meal reimbursement = $71.80
BPS Cont’d… Procurement Policy Highlights: • Three quotes must be obtained and submitted with a PeopleSoft Purchase Requisition for: • all consulting services of any value • goods and services over $10k • Purchase orders are required for purchasing goods and services over $5,000; and, • Hospitality expenses cannot be included in or paid under a consulting contract
Procurement Card Policy • The Procurement Card can be used for the purchase of goods and services up to a transaction limit of $5,000. • Monthly credit limit standard is $20,000
Travel and Related Expenses – Best Practices • Meal / Meeting Claims: • Need to indicate who is/isn’t an employee/student (important indicator of pre-approval requirement) • Always attach pre-approval (when required) • List the business purpose of the meeting / event
Travel and Related Expense and Hospitality Policies - Best Practices • Always explain variances between total claims and total receipts • Submit proof of payment (itemized receipts, boarding passes) • Use the right form (i.e. Travel Claim on a Cheque Requisition Form) • Submit claims with a signature in ‘Approved by’ or ‘Manager’ section (e.g. ‘visitor’ claims) • Check tax calculation
Procurement Card Policy – Best Practices • Ensure procurement card activity statements are signed by the cardholder and one-over approver • Don’t split transactions • Remind yourself of policy and only purchase allowable items (i.e., not computers and hotels)
Travel and Related Expenses Policy- FAQ Q: I lost the receipt for my lunch. How can I claim this as an expense? A: If original receipts are lost, destroyed, or stolen, a written explanation of the circumstances must be provided by the claimant and approved by the approver before the claim will be processed.
Travel and Related Expenses Policy - FAQ Q: The Approver is responsible to ensure expenses are in accordance with applicable granting agency guidelines or with the terms of the specific award. How can an approver be expected to have sufficient knowledge of the terms of every grant? A: If the Approver is not familiar with specific terms of an award funding travel, he or she should ask appropriate questions to assure themselves that the individual submitting the claim has complied with the applicable requirements.
Travel and Related Expenses Policy - FAQ Q: I want to keep my original receipts, can I just send in photocopies with my claim? A: No. Credit card receipts/statements and photocopies are not eligible as proof of expense. If you require your original receipts back please indicate this and they will be stamped (“spoiled”), dated, and initialed and sent back to you after your claim has been reviewed.