This session at the 2017 SDASBO Spring Conference will discuss the importance of internal control in government management, the COSO framework, and the Green Book. It will explore the various components of internal control and how they contribute to an organization's success and fraud prevention.
2017 SDASBO Spring Conference-- Internal Control Rod Fortin—Director of Local Gov’t Assistance Department of Legislative Audit 300 S. Sycamore Avenue, Suite 102 Sioux Falls, SD 57110-1323 ph. (605) 367-5810 rod.fortin@state.sd.us http://legislativeaudit.sd.gov/home.htm
Agenda • Thank you and welcome to 2017 SDASBO Spring Conference (where everybody counts). • Please check your email for PowerPoint • Importance of Internal Control • COSO Framework • Green Book • Three page Internal Control Narrative
Internal Control • Why are Business Managers always so calm, composed and methodical?
Internal Control • Does anyone really get it? • The more you try to control someone, the more they tend to rebel and resent being controlled. • Is there too much of an emphasis on the wrong control component under the premise that control activities (policies, procedures, documentation) are the most critical elements of an organization’s success and in preventing fraud? • Is there too little focus on the control environment? • Is there too much emphasis on the wrong objective? • Controlling time vs. controlling productivity, • Controlling the paperwork vs. verifying the underlying transactions.
Internal Control • Why Is it Important? • Citizens are demanding the very highest level of accountability from government officials for their stewardship of public resources. • Not acceptable to consign the whole issue of internal controls to internal and external auditors. • Objectives can only be achieved within the framework of a sound and comprehensive system of internal controls.
Internal Control-Objectives • Management’s three basic objectives: • Operations: • Operate effectively and efficiently. • Safeguard against potential loss. • Reporting: • Accounting of resources entrusted to them. • Preparation of reliable financial reports. • Compliance: • External constraints (laws, regs, contracts). • Internal constraints (policies).
Internal Control-Definition • Accountants’ Definition of Internal Control • A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. • How do you know that the organization is operating effectively and efficiently in achieving its objectives? • How do you know the financial statements are fairly presented? • How do you know that the organization is complying with applicable laws, regulations, and policies?
Internal Control-Definition • Key aspects of definition • A process—Internal control is active and ongoing; something management does rather than has done. • Involves personnel—Internal control cannot be reduced to policies and procedures. People are an integral part. • Strives for reasonable assurance—Internal control is subject to inherent limitations. Costs vs. benefits must be considered.
Internal Control-Definition • Key aspects of definition (continued) • Relates to achievement of objectives—Internal control cannot be reduced to a standardized set of policies and procedures, but must be derived from management objectives. • Recap—The structure that management puts into place to provide reasonable assurance that it will achieve its basic objectives.
Internal Control-Responsibilities • Management: Primarily responsible for IC. • Principal beneficiary of internal control • No one else can effectively implement and maintain IC. • Internal Auditors: Assist management in meeting its IC responsibility. • Governing Board: Ultimately responsible for IC • Oversees management’s performance • Audit Committee: Assists the governing board in its IC responsibility.
Internal Control-Responsibilities • Independent Auditor: Relies upon internal control (to some degree) to support an opinion on the fair presentation of the financial statements and compliance with state and federal laws and regulations. • Neither responsible for nor a part of internal control.
Internal Control- Limitations • Judgment—IC involves significant human judgment, which is never perfect. • External Events—Achievement can be affected by factors outside management’s control. • Breakdowns—Possibility of human error can be minimized, but never eliminated entirely. • Management Override—management could take advantage of position to override procedures. • Collusion—Employees work together to circumvent control procedures.
Internal Control • Costs vs. Anticipated Benefits • Entity must accept a certain level of risk • Level depends on an entity’s specific circumstances • Risk Appetite—the level of risk determined to be acceptable from a broad-based, strategic vantage point • Risk Tolerance—the more narrowly focused tactical application of this same concept to the achievement of specific objectives. Monitoring done at this level.
Internal Control-COSO Framework • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control—Integrated Framework (COSO Framework) • Released May, 2013 • COSO Cube: • Three Objectives • Five Components • Entity’s Organization represented by 3rd dimension.
Internal Control-COSO Framework • Established common IC definitions and IC components • Established direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives).
Internal Control-COSO Framework • Retains the components and adds principles and points of focus • Sets out 17 principles • Fundamental concepts associated with the components • Each principle is supported by related points of focus. • Represent characteristics associated with the principles.
Internal Control-COSO Framework • Control Environment—standards, processes, and structures that provide the basis for carrying out IC. • Commitment to integrity and ethical values “tone at the top” • Independent oversight- governing body oversees management’s IC • Assignment of authority and responsibility- clear structures and lines. • Competent staff- committed to attracting, developing, and retaining competent staff. Prepared orderly succession
Internal Control-COSO Framework • Enforces Accountability- holds individuals accountable, avoids excessive pressure. • RED FLAGS-control environment: • The agency or program has recently undergone major changes. New responsibilities, reorganization, cuts in funding, expansion of programs, changes in management. • Employees are generally disgruntled. • Top Management is unaware of actions taken at the lower level of the organization. • The organization structure is inefficient or dysfunctional.
Internal Control-COSO Framework • Risk Assessment—process of identifying and assessing risks to achievement of objectives. • Specification of objectives—objectives clearly defined to permit ID of related risks. • Identification of risks—management IDs risks, estimates significance, and determines how to respond (accept, avoid, reduce or share). • Alertness to potential fraud- organization specifically considers the possibility of fraud.
Internal Control-COSO Framework • Identification and assessment of changes- id’s and considers the potential risk from changes in: • External Environment • Internal Operations • Personnel Changes • RED FLAGS-risk assessment: • The agency or program does not have well-defined objectives • The agency or program does not have adequate performance measures. • The agency or program does not have an adequate strategic plan
Internal Control-COSO Framework • Control Activities—policies and procedures that help ensure that management’s directives to mitigate risk to the achievement of objectives are carried out. • Selection and development of control activities • Tied to risk assessments • Tailored to entity’s circumstances • Address completeness, accuracy, and validity • Use of different types of control activity (authorization and approvals, verifications, physical controls, controls over standing data, reconciliations, supervisory controls) • Application at different levels • Appropriate segregation of incompatible duties
Internal Control-COSO Framework • General controls over technology- controls over technology infrastructure, security-management controls, and controls over the process to acquire, develop, and maintain technology • Policies and procedures—control activities are implemented through policies (“what is expected”) and procedures (“specific actions”).
Internal Control-COSO Framework • RED FLAGS-control activities • Agency or program is understaffed and /or workload has drastically increased, and staff is having difficulties handling operational workload. • There have been previous issues with fraud, waste, or abuse. • Employees are unaware of policies and procedures, but do things the way “they have always been done.” • Key documentation is often lacking or does not exist.
Internal Control-COSO Framework • Information and communication—information is only of value if it is communicated to those who need it. • Relevant, quality information- timely, current, accurate, complete, accessible, projected, and verifiable information to decision makers • Internal communication- within the entity includes confidential information. • External communication- external parties (including governing body) and includes confidential or sensitive information.
Internal Control-COSO Framework • RED FLAGS-information and communication • Information was not readily available. When management needs info, there is a mad scramble to assemble the info, or the process is handled through ad hoc mechanisms. • Staff is frustrated by requests for info because it is time consuming and difficult to provide the info. • Management does not have reasonable assurance that the information it is using is accurate
Internal Control-COSO Framework • Monitoring—determine if each of the components of the comprehensive framework of IC continues to be present and functioning in accordance with all the principles relevant to that component. • Conduct ongoing and/or separate evaluations • Evaluate and communicate deficiencies—management subsequently tracks whether corrective action takes place on a timely basis.
Internal Control-COSO Framework • RED FLAGS-monitoring • Previous audit findings are not being resolved adequately or timely. • Significant problems exist in controls and management was not aware of those problems until a big problem occurred; or until another outside party brought it to their attention (e.g., a recipient of funding or an external audit).
Green Book • US Government Accountability Office (GAO) Revised Green Book: Standards for Internal Control in the Federal Government. • GAO released 9/10/14 • http://www.gao.gov/assets/670/665712.pdf
Green Book-Overview • Reflects federal internal control standards required per Federal Managers’ Financial Integrity Act (FMFIA). • Green Book may be adopted by state and local governments as a framework for an internal control system. • Retained 5 COSO components and adapted COSO Framework’s language to make it appropriate for a federal government standard.
Green Book-Overview • Adapted the concepts for a government environment. Uses government terms. • Explains fundamental concepts of IC • Addresses how components, principles, and attributes (vs. points of focus) relate to an entity’s objectives • Discusses management evaluation of IC.
Green Book-Overview • Components, principles, and attributes are required for an effective internal control system. • Entity should implement relevant principles and attributes • If a principle or attribute is not relevant, document the rationale of how, in the absence of that principle or attribute, the associated component could be designed, implemented, and operated effectively.
Green Book-Standards • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring • Discuss requirements of each component • Explains principles and attributes for each component • Application material for each attribute
Green Book—Definition of IC • Internal Control is an integral part of the organization’s management that provides reasonable assurance that the agency’s objectives are being met in the following categories: • Effectiveness and efficiency • Reliability of financial reporting • Compliance with laws and regulations • Safeguarding of assets
Green Book—Definition of IC • Internal control serves as the first line of defense in safeguarding assets (including public funds) and preventing and detecting errors and fraud. • Internal control helps managers achieve program results through effective stewardship of public resources.
Green Book- Responsibility • Management is responsible for internal control: • Designing • Implementing, • Reviewing, and • Improving
Internal Control • See attached three page Internal Control Narrative for additional information.