INtERNAl CoNtRols TRAiNiNG, Exams of Credit and Risk Management

Risk and Internal Controls. Questions to ask yourself: • What can go wrong? • How could someone steal from us? • What policies are we most affected by?

Typology: Exams

2022/2023

Uploaded on 05/11/2023

marylen
marylen 🇺🇸

4.6

(26)

250 documents

1 / 30

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Internal Controls
Training
1
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e

Partial preview of the text

Download INtERNAl CoNtRols TRAiNiNG and more Exams Credit and Risk Management in PDF only on Docsity!

Internal Controls

Training

Internal Controls

  • Fraud• Separation of

duties

What do you think of when someone mentions• SOA Reconciliation

Internal Controls?

  • University Audits• P-Cards• Article on front

page of Ann ArborNews

Internal Control Framework

Central Financial Processes • Reviewed annually by external auditors

  • Reviewed periodically by internal audit Unit Financial Functions • Highly decentralized process with individual control processes• Relies heavily on institutional knowledge and often undocumented processes• Oversight may rely on faculty and other non-financial leadership Optimized Control Environment • Ongoing integrated process to connect central process owners with Units

Internal Controls Myths and Facts

MYTHS:Internal control starts with a strong set ofpolicies and procedures.Internal control: That’s why we haveinternal auditors!Internal control is a finance thing.Internal controls are essentiallynegative, like a list of “thou-shalt-nots.”Internal controls take time away fromour core activities of research,instruction, and patient care.

FACTS:Internal control starts with a strong controlenvironment.While internal auditors play a key role in thesystem of control, management is theprimary owner of internal control.Internal control is integral to every aspectof business.Internal control makes the right thingshappen the first time.Internal controls should be built “into,” not“onto” business processes.Source: Institute of Internal Auditors, 2003

Risk and Internal Controls

Questions to ask yourself:•^

What can go wrong?

-^

How could someone steal from us?

-^

What policies are we most affected by?

-^

What types of transactions in our area providethe greatest risk?

-^

How can someone bypass the internal controls?

-^

What potential risk areas could cause adversepublicity?

Likelihood ofOccurrence

Impact

AcceptRisk

Mitigate

and ControlRisk

ControlRisk

ShareRisk

Assessing Risk

Top Ten Areas of DecentralizedControl/Compliance Attention

Where have there been recent unfortunate publicized events across thecountry? 1.

Use of P-Cards for personal benefit

Undocumented/approved compensation and/or benefit arrangements

Imprudent travel and entertainment expenses

Inappropriate charging of restricted funds (e.g., gifts, grants, etc.)

Localized receipt of cash and off book bank accounts

Purchasing practices not appropriately followed

Untimely or cursory reviews of departmental expense activity

Undocumented and/or approved expense transfers

Inaccurate account coding of expense and revenue activity

International activities not in compliance with policies

  • List developed by John Mattie, PwC U.S. Education & Nonprofit Practice Leader – presented at UM Internal Controls Forum inMarch 2013

Types of Internal Controls

Controls can be either automated or manual•^

Automated Controls

  • Incorporated into

application logic / algorithms– Example: System automatically searches for a

matching PO before paying an invoice

-^

Manual Controls

  • Performed by individuals

outside of the system or application– Example: Supervisor’s signature on P-Card

statement

Types of Internal Controls

Level ofReliability(Effective)

Level of Economic Value (Efficient)

While Automated Controls are generally more effective,Preventive Controls are typically more efficient

Automated Detective

Automated PREVENTIVE

ManualDetective

Manual PREVENTIVE

Types of Internal Controls

Controls - particularly related to information processing -

support the following objectives or assertions: Completeness

-^

All transactions are processed (onceand only once)

Accuracy

-^

All transactions are processedcorrectly

Validity

-^

All transactions are authorized orapproved by appropriate person

-^

Access to certain functions is restrictedto appropriate persons

Restrictiveness

CAVR and the Gross Pay Register

Completeness

•^

All employees that should be in aunit, are in the unit

-^

The pay for a new hire starting inthe middle of a month is correct

-^

Additional pay was approved byappropriate personPerson processing changes in payis not reconciling GPR

AccuracyValidityRestrictiveness •

Types of Internal Controls AutomatedControls

ManualControls

Preventive

Detective

Preventive

Detective

CompletenessAccuracyValidityRestrictiveness

The Five Components of a Strong

Internal Control Framework

Control Activities

^ Policies/procedures that ensuremanagement directives arecarried out. ^ Range of activities includingapprovals, authorizations,verifications, recommendations,performance reviews, assetsecurity and segregation ofduties.

Monitoring

^ Assessment of a control system’sperformance over time. ^ Combination of ongoing andseparate evaluation. ^ Management and supervisoryactivities. ^ Internal audit activities.

Control Environment ^ Sets tone of organization-influencing control consciousnessof its people. ^ Factors include integrity, ethicalvalues, competence, authority,responsibility. ^ Foundation for all othercomponents of control.

Information and Communication ^ Pertinent information identified,captured and communicated in atimely manner. ^ Access to internal and externallygenerated information. ^ Flow of information that allows forsuccessful control actions frominstructions on responsibilities tosummary of findings formanagement action.

Risk Assessment

^ Risk assessment is theidentification and analysis ofrelevant risks to achieving theentity’s objectives-forming thebasis for determining controlactivities.

All five components must be in place for internal control to be effective.

Component

General Description

Examples of UM Activity

ControlEnvironment

Sets tone of organization

Standard Practice GuidesStatement on StewardshipFinance, Audit and Investment Committee

Risk Assessment

Identification and analysisof relevant risks

Internal Audit Risk AssessmentRisk Management, Compliance Offices

Control Activities

Policies and proceduresthat govern day-to-dayactivity

P-Card Approvals, SOA reconciliations, separationof duties, written procedures, access controls

Information andCommunication

Flow of timely, accessibleand pertinent information

Foundations of Supervision, metric reporting,management reviews, websites, annualperformance reviews

Monitoring

Assessment of controls

Internal Audit, annual gap analysis, M-Reports, Oversight reports

Internal

Control Framework