
Documenting Internal Controls: From Theory to Implementation

CACUBO Annual Meeting

October 7, 2007

Dennis K. Miller, Sr.

Agenda for Today

• Brief History

• Why So Important Today

• Define Internal Controls

• Internal Controls Evaluation: A Process

Brief History: Foreign Corrupt Practices Act

• In the mid-70’s, over 400 US companies were involved in bribery

• Congress’s response
  – Unlawful to bribe
  – Accounting provisions
    • Must keep good books
    • Must maintain an adequate system of internal controls

Brief History: Treadway Commission

• Treadway Commission or COSO

• Formed to deal with financial reporting fraud

• First Report in 1985

Brief History: FDICIA

• FDICIA – Federal Deposit Insurance Corporation Improvement Act

• Enacted by Congress in 1991

• Required “large” financial institutions to opine on systems of control

Brief History: Sarbanes-Oxley

• Sarbanes-Oxley Act of 2002

• Formalize and strengthen internal checks and balances within corporations

• Institute various new levels of control and sign-off designed to ensure that financial reporting exercises full disclosure

• Transact corporate governance with full transparency

Brief History: SAS 112

Establishes standards for communicating internal control issues relating to:
– integrity of financial reporting
– compliance with applicable laws and regulation

Brief History: SAS 112

• SAS 112 standards adopted by the federal agencies

• Government Audit Standards updated to incorporate SAS 112

– It is likely that universities—with a history of clean audits—will have reportable conditions when SAS 112 is implemented

Why Should We Care

• All of this history dealt with corporations

• It doesn’t apply to us

• It’s not a large leap from stockholder concerns to bondholder concerns

Why Should We Care

• Aren’t we dealing with public money and trust on a par with the largest SEC registrants?

• 150 people here on a Sunday afternoon?

• Trailing effect: what applies to business trickles down to us. Do it now, à la Drexel, or be forced to.

Why Should We Care

New York Attorney General Eliot Spitzer accepted Sarbanes Principles and proposed them as mandatory standards in NY

California Senate Bill 1262, “Sarbanes-Oxley for Non-Profits” signed by Gov Schwarzenegger 9/29/2004

Federal Government Hearings, “Charity Oversight and Reform.”

Why Should We Care

• Federal Managers Financial Integrity Act modified in 2006 to incorporate much of Sarbanes-Oxley.

• Massachusetts legislature is to vote later this year on the “Act to Promote Financial Integrity of Public Charities” similar to California’s

• And others in the works

Why Should We Care

• The NACUBO Advisory Report 2003-3 recommended that institutions start identifying and evaluating the adequacy of their controls over financial reporting
  – Institutions should consider certifications and sub-certifications

• Many institutions are implementing certifications and addressing their internal controls challenges

Define Internal Controls

Broadly defined as a process, effected by the curators/Regents/directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.

• Reliability of financial reporting.

• Compliance with applicable laws and regulations.

Define Internal Controls

• Management Driven

• Ethical environment of the organization drives level of internal control

• 1st thing to look for/develop is a Statement of Ethics or general statement of principle

• Provides the foundation for the entire process

• Almost a charter

Define Internal Controls

• Objectives Focused

  – Accounting controls
  – Operating controls
  – Legal-oriented controls
  – If you don’t know your objective, how can you possibly achieve it? “Don’t know where we’re going, but we’re making good time.”

Define Internal Controls

• Internal Controls are not:

  – Providers of absolute assurance

  – Aimed solely at fraud prevention

Control Environment

1. Integrity and ethical values

2. Commitment to Competence

3. Training and reinforcement on ethical values

4. HR and operating Policies and Procedures

Identify Risks and Activities Required for Mitigation

• First identify risks

• Then develop the objectives to mitigate those risks

• Objectives: goals to ensure
  – Authorization
  – Completeness
  – Accuracy
  – Timeliness
  – Safeguarding of assets

Control Activities

• What activities are required to ensure management’s objectives are met?

Monitoring Activities

• Provide assurance that the control activities are functioning

• Provide feedback into the management loop as to the status of operations

Translate Theory to Action

• Attestation Requirement Recommended by NACUBO in 2003.

• Attestation based on ? ? ?

• Audits will focus on tests of Management’s Key Controls
  – Identify your key controls
  – Ensure they are documented
  – Demonstrate what they are based upon

Internal Controls Evaluation: A Process

1. Identify major risk areas – macro level

2. What are the exposures within these areas?

3. What controls are in place to mitigate these risks?

4. Where and how is control execution documented?

5. Who is responsible for control execution?

6. Management tests the operation of controls

Step 1 – Risk Analysis: Macro Level

• Within your organization, what areas present the greatest risk

• Does not require Billy-Whiz-Bang tools

• Do it yourself?

• Should be systematic and documented

• Key to document the criteria

• End product: a prioritized list of areas that present the greatest risk

Step 1 – Risk Analysis

Risk Area: Payroll
Rating: High
Rationale for Rating:
1. Finance: Largest category of expense for the University.
2. Legal/Regulatory: Legal implications of not paying on time or accurately, or of paying improperly.
3. Audit Results: Good internal and external audits.
4. Environment: High degree of volatility; confidentiality of information and hacking.
5. Summary: Though audits indicate strong controls, the magnitude of this expense and the reputation exposure make the overall risk one of the highest.

Risk Area: Sponsored Programs
Rating: Moderate
Rationale for Rating:
1. Finance: Significant source of revenue for the University.
2. Legal/Regulatory: Complex legal environment with multiple agencies.
3. Audit Results: Internal and external audit ratings – excellent.
4. Environment: Strategic focus for the University; political sensitivity due to problems at State U.
5. Summary: Solid audits indicate controls and administration are strong.

Step 1 – Risk Analysis

National University Financial Risk Rating

Area / Function        Balance Sheet / P&L Impact   Volume   Past Audits   Staff Turnover   Risk Rating
Payroll                5                            5        3             0                13
Capital Assets         5                            1        0             0                6
T & E                  2                            2        5             1                10
Development            4                            3        3             2                12
State Appropriations   5                            1        1             1                8

The Risk Rating for each area is the sum of its four factor scores, which yields the prioritized list Step 1 calls for.

Step 2 – Identify Exposures

• Within our major areas, what is it we are concerned about?

Controls Documentation Worksheet

Worksheet columns:
– Explanation of the Exposure
– Controls in Place to Mitigate the Exposure, one row for each objective:
  Completeness:
  Authorization:
  Accuracy:
  Safeguarding of Assets:
  Timeliness:
  Segregation of Duties:
– Where is this control documented?
– Who is responsible for this?
– Describe the Managerial Controls

Step 2 – Identify Exposures: Payroll Example

• Payroll activity is unauthorized – to unauthorized people or unauthorized rate of pay, or . . .

• Pay delivered to the wrong person

• Rate of pay is incorrect

• Checks or currency is stolen

• Employee records are improperly disclosed

• Benefit plans are not approved or are not in compliance with regulations

Step 2 – Identify Exposures: Payroll Example

Explanation of the Exposure: Payments made to unauthorized persons

Controls in Place to Mitigate the Exposure (blank at this step):
  Completeness:
  Authorization:
  Accuracy:
  Safeguarding of Assets:
  Timeliness:
  Segregation of Duties:

Step 3 – Controls Requirement

• Identify how to mitigate risks – AKA controls.

• Controls provide reasonable assurance of:
  – Authorization
  – Accuracy
  – Completeness
  – Timeliness
  – Safeguarding of Assets

• Segregation of Duties

Step 3 – Controls Requirement

Explanation of the Exposure: Payments made to unauthorized persons

Controls in Place to Mitigate the Exposure:

Completeness / Segregation of Duties / Accuracy: A person with no data entry capability reviews the new employee report against the new employee forms, checking for accuracy of data entry, proper authorization of the form, existence of a form, and to ensure all forms have been entered.

Authorization: Personnel are not to process any changes to payroll data without a form signed by the department head.

Safeguarding of Assets: N/A

Timeliness: Ensures all forms are received by the 15th of the month. If not, follows up to ensure all are received.

Step 4 – Control Documentation

• How is control evidenced?
  – If it’s not documented, it doesn’t exist
  – The control procedure in policy
    • Policy is not in and of itself a control
  – Performance of the control
  – Who does it

Step 4 – Control Documentation

Explanation of the Exposure: Payments made to unauthorized persons

Controls in Place to Mitigate the Exposure:

Completeness / Segregation of Duties / Accuracy: A person with no data entry capability reviews the new employee report against the new employee forms, checking for accuracy of data entry, proper authorization of the form, existence of a form, and to ensure all forms have been entered.
  Where is this control documented? New employee report signed and dated by the person performing the review. Each entry is checked or errors noted. See Policy APM 20.05.
  Who is responsible for this? Administrative Associate in Payroll Department.

Authorization: Personnel are not to process any changes to payroll data without a form signed by the department head.
  Where is this control documented? Payroll policy number APM20.21.
  Who is responsible for this? Maintained on the University Intranet.

Safeguarding of Assets: N/A

Timeliness: Ensures all forms are received by the 15th of the month. If not, follows up to ensure all are received.
  Where is this control documented? Payroll policy number APM20.21.
  Who is responsible for this? Maintained by the Payroll Director on the University Intranet.

Step 6 – Managerial Controls

• Managerial Control:
  – What does management do to ensure the control actually functions and is effective?
  – Feedback up and down the chain of command

Step 6 – Managerial Controls

Explanation of the Exposure: Payments made to unauthorized persons

Controls in Place to Mitigate the Exposure:

Completeness / Segregation of Duties / Accuracy: A person with no data entry capability reviews the new employee report against the new employee forms, checking for accuracy of data entry, proper authorization of the form, existence of a form, and to ensure all forms have been entered.
  Where is this control documented? New employee form signed and dated by the person performing the review. Each entry is checked or errors noted. See policy APM 20.05.
  Who is responsible for this? Administrative Associate in Payroll Department.

Authorization: Personnel are not to process any changes to payroll data without a form signed by the department head.
  Where is this control documented? Payroll policy number APM20.21.
  Employees instructed in policy manual and department training of this prohibition.

Safeguarding of Assets: N/A

Timeliness: Ensures all forms are received by the 15th of the month. If not, follows up to ensure all are received.
  Where is this control documented? Payroll policy number APM20.21.
  Who is responsible for this? Maintained by the Payroll Director on the University Intranet.

Managerial Control: Before the payroll is processed, the signed and dated new employee reports, with the new employee forms attached, are forwarded to the Payroll Manager. The Payroll Manager ensures the reports are signed, spot checks some of the payroll forms, and initials the report as evidence of the review. Reports are filed in Central Payroll.

Controls Evaluation: End Product

• Identified risk areas in the University

• Identified significant exposures in those areas

• Documented the key controls to mitigate risks and exposures

• Created a tool to ensure policies are up to date, effective, and functioning

• Developed a basis for controls certification


Dennis K. Miller, Sr. CBA, CFSA

Manager Internal Controls – Financial Services

118 University Hall

Columbia, MO 65211-3020

[email protected]