






















Risk and Internal Controls. Questions to ask yourself: • What can go wrong? • How could someone steal from us? • What policies are we most affected by?
Typology: Exams























Internal Controls?
Internal Control Framework
Central Financial Processes • Reviewed annually by external auditors
Internal Controls Myths and Facts
MYTHS:
• Internal control starts with a strong set of policies and procedures.
• Internal control: That’s why we have internal auditors!
• Internal control is a finance thing.
• Internal controls are essentially negative, like a list of “thou-shalt-nots.”
• Internal controls take time away from our core activities of research, instruction, and patient care.

FACTS:
• Internal control starts with a strong control environment.
• While internal auditors play a key role in the system of control, management is the primary owner of internal control.
• Internal control is integral to every aspect of business.
• Internal control makes the right things happen the first time.
• Internal controls should be built “into,” not “onto” business processes.

Source: Institute of Internal Auditors, 2003
Questions to ask yourself:
• What can go wrong?
• How could someone steal from us?
• What policies are we most affected by?
• What types of transactions in our area provide the greatest risk?
• How can someone bypass the internal controls?
• What potential risk areas could cause adverse publicity?
[Figure: risk response matrix. Axes: Likelihood of Occurrence, Impact. Responses shown: Accept Risk; Mitigate and Control Risk; Control Risk; Share Risk.]
Top Ten Areas of Decentralized Control/Compliance Attention
Where have there been recent unfortunate publicized events across the country?
1. Use of P-Cards for personal benefit
2. Undocumented/approved compensation and/or benefit arrangements
3. Imprudent travel and entertainment expenses
4. Inappropriate charging of restricted funds (e.g., gifts, grants, etc.)
5. Localized receipt of cash and off book bank accounts
6. Purchasing practices not appropriately followed
7. Untimely or cursory reviews of departmental expense activity
8. Undocumented and/or approved expense transfers
9. Inaccurate account coding of expense and revenue activity
10. International activities not in compliance with policies
matching PO before paying an invoice
statement
While Automated Controls are generally more effective, Preventive Controls are typically more efficient.
[Figure: control types plotted by Level of Reliability (Effective) against Level of Economic Value (Efficient). Labels: Automated Detective; Automated Preventive; Manual Detective; Manual Preventive.]
Controls, particularly those related to information processing, support the following objectives or assertions:
• Completeness: All transactions are processed (once and only once)
• Accuracy: All transactions are processed correctly
• Validity: All transactions are authorized or approved by appropriate person
• Restrictiveness: Access to certain functions is restricted to appropriate persons
CAVR and the Gross Pay Register
• Completeness: All employees that should be in a unit, are in the unit
• Accuracy: The pay for a new hire starting in the middle of a month is correct
• Validity: Additional pay was approved by appropriate person
• Restrictiveness: Person processing changes in pay is not reconciling GPR
[Figure: control types. Labels: Manual Controls; Preventive; Detective; Preventive; Detective.]
The Five Components of a Strong Internal Control Framework

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

Control Environment
• Sets tone of organization, influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

All five components must be in place for internal control to be effective.
| Component | General Description | Examples of UM Activity |
| --- | --- | --- |
| Control Environment | Sets tone of organization | Standard Practice Guides; Statement on Stewardship; Finance, Audit and Investment Committee |
| Risk Assessment | Identification and analysis of relevant risks | Internal Audit Risk Assessment; Risk Management, Compliance Offices |
| Control Activities | Policies and procedures that govern day-to-day activity | P-Card Approvals, SOA reconciliations, separation of duties, written procedures, access controls |
| Information and Communication | Flow of timely, accessible and pertinent information | Foundations of Supervision, metric reporting, management reviews, websites, annual performance reviews |
| Monitoring | Assessment of controls | Internal Audit, annual gap analysis, M-Reports, Oversight reports |
Internal Control Framework