Presentation Transcript

Internal Controls Training : 

Internal Controls Training R·I·T


Steven Morse, CPA, Executive Director
- Session Objectives
- IACA’s Mission, Who We Are, Internal Auditing at RIT

Patrick Didas, CPA, CFE, Associate Director
- Session Content


Objectives

What you should know after this class:
- five types of business risk
- examples of internal controls and their components
- who relies on RIT’s internal controls
- who is responsible for RIT’s internal controls maintenance and oversight

IACA’s Mission: 

Institute Audit, Compliance & Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the University community. We focus on preserving the resources of the University for use by our students as they prepare for successful careers in a global society.


IACA Reporting Structure Staffing

Internal Auditing at RIT: 

- Annual Risk Assessment
  - Performed by IACA
  - Academic and non-academic areas
  - Coordinated with external auditors
- Creation of Annual Audit Plan
  - Audit Engagements (primarily operational)
  - Business Process Reviews
  - Questionnaire Reviews
  - Continuous Auditing (fraud)
  - Management Advisement Requests
- Annual Audit Plan is approved by Audit Committee of the RIT Board of Trustees


RIT Ethics Hotline

The EthicsPoint system is anonymous and accessible via phone by calling (866) 294-9358 or (866) 294-9572 TTY or online at

More Ethics Hotline information is available at

The Audit Process at RIT: 

Planning: Planning is done prior to the start of every engagement to assess specific risks of the business unit or business process to be audited and to establish the preliminary scope and work plan.

Fieldwork: During fieldwork, the auditors will review and evaluate the internal controls in place. This will be accomplished through reviews of process documentation, interviews, transaction testing, account analysis, data analysis, and other means as appropriate.

The Audit Process at RIT : 

Reporting: At the conclusion of fieldwork, we will issue an audit report consisting of two sections:
- The Executive Summary provides the auditors’ overall assessment of the internal control environment and comments on issues and trends noted during the review.
- The Detailed Audit Issues section presents the individual audit issues that are included in the report. It also includes the related risks, management action plans and discussion items.

Monitoring of Corrective Action: IACA actively monitors the implementation of management action plans throughout the year.

IACA Quality Control Program : 

Yes, the auditors get audited!
- Annual internal assessment.
- Periodic self assessment with independent validation.
- Client satisfaction survey.
- Annual audit process review meeting with prior year’s clients.

Bldg 13

What is any organization concerned with?: 

Risks

What is Risk?: 

Anything that could negatively impact the Institute’s (Department’s) ability to meet its business objectives.

Types of Risk : 

- Strategic – risk that would prevent an area from accomplishing its objectives (meeting its mission).
- Financial – risk that could result in a negative financial impact to the Institute (waste or loss of assets).
- Regulatory (Compliance) – risk that could expose the Institute to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.
- Reputational – risk that could expose the Institute to negative publicity.
- Operational – risk that could prevent the department from operating in the most effective and efficient manner or be disruptive to other Institute operations.

What Does an Organization Do To Mitigate Those Risks? : 

Implement Internal Controls

What are Internal Controls?: 

Internal control is a process, effected by people, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations

Internal Control Types: 

Operational – promotes operational effectiveness and efficiency as well as adherence to policies and procedures.

Examples:
- Employee Performance Evaluations
- Project Goals/Milestones, Key Performance Indicators, Publishing Policies and Guidelines
- Physical Asset Controls
- System Access Controls – Exception Reports
- Management Oversight – 3rd Party Verification
- Job Rotation, Cross Training

Internal Control Types: 

Financial – designed to safeguard assets and ensure completeness, accuracy and reliability of financial records.

Examples:
- Ledger Account Reconciliations
- Budget to Actual Reviews
- Oracle Reports
- Fixed Asset Inventory List
- Authorizations and Approvals
- Segregation of Duties
- Trend Analysis

Internal Control Types: 

Compliance – ensures compliance with applicable laws and regulations.

Examples:
- Public Safety Crime Reports
- Human Subjects Research Review
- Research Sponsor Agreements and regular review of adherence
- Material Safety Data Sheets


Components of Internal Control

The COSO Model:
- Control Environment
- Risk Assessment
- Control Activities
- Monitoring
- Information & Communication

Source: The Committee of Sponsoring Organizations of the Treadway Commission

Control Activity Descriptors:

- Soft Controls – ethics and competency – “Tone at the Top”
- Hard Controls – segregation of duties (assignment of authority & responsibility), limiting access to cash
- Preventive Controls – controls to prevent an undesirable situation, for example: Policies & Procedures, Authorization and Approvals
- Detective Controls – controls to detect when an undesirable condition occurs (after the fact), for example: reconciliation of ledger account activity


Controls Are Everybody’s Business

Myth: Internal control starts with a strong set of policies and procedures.
Fact: Internal control starts with a strong control environment.

Myth: Internal control – that’s why we have internal auditors.
Fact: Management is the owner of internal control.

Myth: Internal control is a finance thing. We do what the controller’s office tells us to do.
Fact: Internal control is integral to every aspect of the business.

Myth: Internal controls are essentially negative, like a list of “thou shalt nots.”
Fact: Internal control makes the right things happen the first time, and every time.


Controls Are Everybody’s Business (continued)

Myth: Internal controls are a necessary evil. They take time away from our core activities – making products, making sales, and serving customers.
Fact: Internal controls should be built into, not onto, business processes.

Myth: With downsizing and empowerment, we have to give up a certain amount of control.
Fact: With downsizing and empowerment, we need different forms of control.

Myth: If controls are strong enough, we can be sure there will be no fraud, and financial statements will be accurate.
Fact: Internal controls provide reasonable, but not absolute, assurance that the organization’s objectives will be achieved.

Biggest threats to the Internal Control Structure: 


5 minute break: 


Who Relies On RIT Having a Good System Of Internal Controls?: 

- Students, Parents, Alumni, Donors, Research Sponsors – Is their money being converted into the best value and used in accordance with their intentions?
- Financial Institutions, Rating Agencies – RIT’s ability to meet its debt payments.
- Middle States – Is RIT managing resources to best ensure student interests are served?
- Government – Is RIT providing a value to the community, and in compliance with laws and regulations?
- Faculty and Staff – Do we work in a well controlled environment?
- RIT’s Officers and Board – Are they confident that all of the above is happening?

Who is responsible for Internal Controls oversight?: 

YOU – all employees are risk managers.

Check IACA’s web site (forms link) to test your area of responsibility.

Your Role: 

- Follow RIT policies and procedures – they were designed with Internal Controls in mind.
- Identify areas in your department’s operations where controls could be strengthened and develop controls to address the weakness.
- Be a good steward of RIT’s assets.
- Use common sense.

RIT Senior Management’s Role: 

To enhance the control environment, the Institute is responsible for:
- Setting standards/policies
- Defining expectations
- Providing training
- Stating its mission, vision, and core values
- Supporting the design of systems to include built-in detective controls as well as data security controls
- Planning, organizing, directing, controlling

Scheme : 

Sunday, January 21, 2007

BOWLING GREEN, Ohio — A former Bowling Green State University employee is accused of ordering $400,000 in computers and electronics with school money and selling them, the school said today.

Michael McHugh, 44, of Bowling Green, has pleaded not guilty to theft and two counts of theft in office. He has been jailed since Dec. 1 on $100,000 bond.

The alleged theft went unnoticed for years in the university's $400 million budget because the items were bought slowly starting in 2001, spokeswoman Kim McBroom said. The purchases from Apple Computers, Office Depot and other retailers ramped up in 2003 and caught attention last year.

The activity fits the profile of a typical embezzler, McBroom said. "As they start to gain confidence they get to a point where they get greedy or careless," she said. "When that happens it gets easier to track them."

The university fired the 11-year employee Nov. 2, a few weeks after the purchasing department flagged some unusual orders, spokeswoman Teri Sharp said. McHugh acknowledged to school officials that he ordered the items and sold many on eBay, McBroom said.

Bowling Green has since made changes in its purchasing policies, she said, such as having only one person review all orders from a single department and requiring approval for orders over a certain dollar amount or for certain items such as computers.

College president ordered to repay funds : 

Estrella (es-TRAY'-uh) Mountain Community College President Homero Lopez has been ordered to repay $7,500 for European and Asian vacations that were billed as educational projects.

The Arizona Republic reports Lopez has taken a tour of Italy, a train trip through French mountains and an ocean cruise from Bangkok to Beijing.

Maricopa Community Colleges District Chancellor Rufus Glasper told Lopez last month that the international trips didn't meet the college standards for travel and asked for the money back. Glasper called for the restitution after Lopez's trips surfaced during an audit of international travel at all ten community colleges.

The audit was prompted by an Arizona Republic investigation in October that revealed 87 administrators, faculty and staffers at Mesa Community College spent over $300,000 on trips to China and Europe over five years.

Local Investigation D & C 6-6-02 : 

The woman accused of embezzling $72,000 from a local women's health program could face additional charges.

State Police are continuing to sift through financial records of the Women's Health Partnership, where 40-year-old Bonnie Lewis of Rochester had served as director for the past decade. Lewis was arrested Tuesday and charged with second-degree grand larceny. State Police allege she misappropriated funds from July 1, 1999, through Dec. 15, 2001. Records prior to 1999 are still being reviewed. Additional charges could be filed depending on what is discovered, said State Police Lt. Mark Lincoln.

Lewis pleaded not guilty to the charges at a city court hearing Wednesday. She was released and declined comment through her attorney, Ian Mackler.

According to court documents, the program made 11 payments totaling nearly $49,000 to Craig Jackson for services he did not perform. Jackson was married to Lewis' sister, the documents state. The payments were made for a list of services that include computer services, leadership training, patient transportation, catering, cookbooks and plastic breast display models. The payments also included vouchers for patient services that would have required Jackson to be a medical doctor, a radiologist and an anesthesiologist, according to the documents. Program officers, in depositions included in the documents, said Jackson is not an approved vendor for the organization.

Local Investigation (cont’d) : 

State Police said only that the investigation remains open. "All I can say is that the money was channeled to places it shouldn't have been," Lincoln said.

Lewis, in the court documents, is further accused of using the program's Wegmans/Chase Pitkin credit card for personal purchases. The card was used to buy items such as dog food and baby formula, as well as $6,875 in gift certificates.

The Women's Health Partnership is run jointly by the University of Rochester Medical Center and the Monroe County Health Department. It started in 1993 and, through a network of physicians, provides free mammograms and pelvic exams to women who can't afford them. Funded through state grants and private donations, it serves about 2,500 women annually. The office is at 111 Westfall Road in Rochester and has a small staff of two to three people, said Teri D'Agostino, spokeswoman for the UR Medical Center.

Doctors who work through the Women's Health Partnership were stunned by Lewis' arrest. "I just hope all the good work that goes on through this program is not overshadowed by the problems of this one person (Lewis)," said Dr. Wende Logan-Young, director of the Elizabeth Wende Breast Clinic in Brighton, who stressed that medical service has not been disrupted because of the larceny allegations.

At Wednesday's court hearing, Assistant District Attorney Jennifer A. Whitman said Lewis was released after her arrest because she has no previous criminal record. "This is a serious matter, and we are taking it very seriously," Whitman said.

Financial discrepancies at the health partnership were discovered earlier this year when UR officials conducted a routine audit, said State Police. Lewis was placed on administrative leave March 27 and then fired May 7, D'Agostino said.


Video: Internal Controls for Colleges and Universities

What is Fraud?: 

- Fraud definition
  - Intentional misrepresentation
  - Victim suffers monetary or property loss
- Cost of fraud to U.S. organizations
  - Over $650 billion annually
  - 5% of annual revenues of any given entity

Source: Association of Certified Fraud Examiners 2006 Report to the Nation

Who Typically Commits Fraud and Why?: 

The Fraud Triangle

Fraud in the Workplace: 

By attending this seminar you will learn:
- why you should be concerned about fraud
- who typically commits fraud, and why
- common fraud myths
- methods typically used by individuals committing fraud
- how you can reduce the risk of fraud in your area of responsibility
- the fraud investigation process
- the legal process of a typical fraud case
- how to report suspected fraudulent activity
- about real fraud cases investigated by the instructor
- what to look for to detect potential fraud

Who should attend? Anyone interested in learning how to help protect their area of responsibility from potential fraudulent activity.

Date: December 13, 2007
Time: 9:00 am - 11 a.m.
Location: CIMS 2140


Case Study 1 - Missing Camera

Joe, the hard working staff assistant, is asked to process a requisition to purchase a new $5,000 camera to be used by a Research Associate (RA) who is working on a federal grant. Later, when Joe conducts the annual physical inventory for the department, as requested by the Property Control Office, he is not able to locate the camera in the department. Joe learns the RA was given permission by the grant administrator to take the camera home so that he could take photos at his sister’s wedding (that was 2 months ago). When Joe talks to the department chair about it, he is told not to worry – since the camera wasn’t purchased with university funds (i.e., the grant paid for it), it would be ok to check it off on the inventory report even though it had been removed from the premises.


Case Study 2 - The New TV

Jill, a senior staff assistant, is the department’s procurement card holder. Her manager Anna, the department’s budget authority, travels extensively so Jill occasionally uses a signature stamp to approve her procurement card statements. Jill went shopping for a new TV one weekend. While checking out, Jill mistakenly used her company’s procurement card. On Monday she received an email from Paymentnet confirming the purchase when she realized her mistake. Jill decided to wait until Anna returned from out of town to ask her advice. Jill was certain Anna would understand and help her straighten things out. The statement arrived a week later and Jill had Jack, the office assistant, approve the statement since Anna wasn’t due back for another two weeks. Upon Anna’s return, Jill had not saved enough money to repay the company for the TV. Since Anna had not seen the statement and it had already been processed by Accounting, Jill decided not to bring it up. She had been an exceptional employee for years and had seen many of her coworkers receive bonuses. She decided it was her turn. This would be her bonus. She had earned it.

To Summarize – What Can You Do: 

- Set the right tone – your behavior influences others.
- Be aware of your organization’s objectives and risks.
- Adhere to policies and procedures.
- Call IACA or the Controller’s Office with internal control questions.
- Report violations.


Questions?
