Slide 1: Internal Control
Sherif Shahin

Slide 2: Internal Control

Slide 3: Internal Control
Internal Control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
1. Effectiveness and Efficiency of Operations
Processes are doing what they are intended to do (i.e., achieving their objectives), and doing so in an efficient manner, i.e., making good use of available resources.
2. Compliance with Laws and Regulations
Actions are consistent with all applicable laws and regulations.
3. Reliability of Financial Reporting
Accuracy and reliability of Financial Statements.

Slide 4: Types of Internal Controls
Controls can be either preventive or detective
Built into the process or system to avoid or minimize risk. Helps make processes more efficient and can reduce cost of corrective actions.
Provides a process assessment to identify potential issues for further review

Slide 5: Preventative Controls:
“Prevent undesirable events from occurring”
Knowledge that someone is reviewing your work
Segregation of duties
Levels of authorization
Business rule set-up in automated systems

Slide 6: Detective Controls:
“Detect and correct undesirable events after they occur.”
Reviews done on a regular basis

Slide 7: Controls can be either Automated or Manual
Automated Controls – Incorporated into application logic.
Example: System automatically searches for a matching PO before paying an invoice
Manual Controls – Performed by individuals outside of the system or application
Example: Supervisor’s signature

Slide 8: Who is accountable for assurance that appropriate internal controls are in place?
Management!!!!

Slide 9: Internal Controls can fail because:
Employees can make mistakes or exercise poor judgment
There can be collusion – where two or more individuals work together to steal
Management may inappropriately override established policies or procedures.

Slide 10: Who’s responsible for the performance of internal control activities?
Everyone!!!!!!

Slide 11: Risk

Slide 12: Risk
What are risks?
A risk is anything that could jeopardize:
Achieving our goals
Operating effectively and efficiently
Providing reliable financial data
Protecting the assets from loss
Complying with applicable laws, policies, and procedures

Slide 13: Risk
What could go wrong in our unit?
System/application goes down
Key employee calls in sick
Fraud

Slide 14: Risk Assessment – What is it?
It’s a process to:
Identify significant risks
What is the likelihood of occurrence?
What is the potential impact?
Manage these risks through:
Acceptance and sharing (insurance)
Mitigate with internal controls

Slide 15: What happens when internal controls are not in place or break down?

Slide 16: Misstatement of financials is an untrue declaration of financial data
Fraud is generally defined in the law as an intentional misrepresentation of material existing fact made by one person to another

Slide 17: Providing reliable Financial data
The American Institute of Certified Public Accountants' Statement on Auditing Standards No. 31: Evidential Matter provides a logical framework for designing audit procedures. The framework is built around five financial statement assertions. The first three assertions--existence, completeness, and valuation--address whether accounts contain valid entries that are recorded accurately. The last two assertions--rights and obligations, and presentation and disclosure--focus on whether the entity's legal rights and obligations are presented properly and described adequately in the financial statements.

Slide 18: What are the assertions?
CE-VOP

Slide 19:
Completeness: all transactions are recorded completely
Existence: all recorded transactions exist
Valuation: all transactions are reflected at their value
Ownership: all transactions are owned by the company
Presentation: all transactions are disclosed correctly

Slide 20: What is Fraud?
Fraud: Typically requires 3 key elements:
Did something bad/wrong “misrepresentation of facts”
Resulted in unauthorized personal gain

Slide 21: Red Flags for Fraud
No vacation
One employee “does it all”
Documentation is not original
“Rush” requests

Slide 22: Who Commits Fraud?
Those having:
Pressure - Usually caused by financial need or desire
Ability to rationalize – Make excuses and do not think of crime as stealing
Opportunity – Typically arises from weak controls or too much independence/control given to someone

Slide 23: How Does Fraud Occur?
Billing – Employee submits invoice for payment to bogus vendor or for personal expenses
Non-cash – Employee steals office supplies, stamps, business services, identity of students/staff, etc.
Expense reimbursement – Employee files expense report claiming personal travel, nonexistent meals, etc.
Skimming – Employee accepts payment from customer but does not record
Payroll – Employee takes unreported annual/sick leave, claims overtime for hours not worked, adds ghost employee to payroll

Slide 24: Sarbanes Oxley Act

Slide 25: What do these dates have in common?
December 2, 2001 Enron declares
July 19, 2002 MCI Worldcom declares
August 31, 2002 Arthur Andersen agrees to stop auditing public companies

Slide 26: How Did Congress Respond?

Slide 27:
Senator Paul Sarbanes
Paul Spyros Sarbanes (born February 3, 1933), Democrat, represented the state of Maryland in the United States Senate for thirty years
Michael G. Oxley
Michael Garver Oxley (born February 11, 1944), Republican, represented the 4th congressional district of Ohio in the U.S. House of Representatives.

Slide 28: Sarbanes-Oxley Act
Key Background/Facts:
Issued by U.S. Securities and Exchange Committee (SEC) in 2002 in response to corporate and accounting scandals involving well known US companies (e.g., Enron).
Intended to restore public trust and confidence in corporate business practices, reporting and disclosures
Applies to US publicly traded companies registered with the SEC; not applicable to institutions of higher education or other not-for-profit institutions

Slide 29: Sarbanes-Oxley Act
Extremely comprehensive piece of legislation that contains 11 sections:
Public Company Accounting Oversight Board
External Auditor Independence
Enhanced Financial Disclosures
Analyst Conflict of Interest
Commission Resources and Authority
Studies and Reports
Corporate and Criminal Fraud Authority
White-Collar Crime Penalty Enhancements
Corporate Tax Returns
Corporate Fraud and Accountability

Slide 30: Sarbanes-Oxley Act
Corporate Responsibility – Section #302
Requires the CEO and CFO to certify with annual report that:
1- They have reviewed the report
2- There are no untrue statements of material fact or omission
3- The financial statements present the financial condition of operations
4- They are responsible for:
A) Establishing and maintaining internal controls
B) Ensuring that material information is known to officers
C) Evaluating controls and presenting their conclusions
5- They have disclosed to the auditors and audit committee all significant deficiencies and material weaknesses in controls that could adversely affect the financial data
6- They have indicated if there were significant changes in internal controls that could significantly affect internal controls
Are the Numbers Right?

Slide 31: Sarbanes-Oxley Act
Enhanced Financial Disclosures – Section #404
Each annual report shall contain an internal control report which:
States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
Contains an assessment, as of the end of the fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial reporting.
The public accounting firm shall attest to and report on the internal control assessment made by management.
Is the Process to Derive the Numbers Right?