VGFOA Fall Conference October 23, 2014 John Montoro, Presenter - - PowerPoint PPT Presentation

VGFOA Fall Conference October 23, 2014 John Montoro, Presenter

 Brief overview of internal control components

under the new COSO framework

 Monitoring of Internal Controls

• What to do?
• By Whom?
• How?

Team Competition

Team Selection

Adam Gwen Shakira Blake Christina Pharrell

Team “BUZZER”

High FIVE! HOLLA back girl HIPS don’t lie TEXAS!

(with finger point)

JEANIE in a bottle I’m so HAPPY!

Look for…

TRUE OF FALSE

VGFOA Stands for: “Virginia Golfing Federation of America”

FALSE

 Safeguard your organization’s assets while in

your possession

 Efficiently manage and spend the funds

entrusted to you

 Accurately report how the money was spent  Obey all applicable laws and regulations while

doing so

1992 2006 2009 2013

Internal controls

Name one of the five components of internal controls

It makes perfect sense! CPA’s are so smart!

Set the tone – establish a culture of accountability Analyze your risks. Ask yourself: “What could go wrong? Establish control procedures to mitigate significant risks Communicate those procedures to your employees Check back from time to time to see if controls are working as designed

Internal Controls for Dummies

Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities

• 1. Demonstrates commitment to integrity and ethical values
• 2. Exercises oversight responsibility
• 3. Establishes structure, authority and responsibility
• 4. Demonstrates commitment to competence
• 5. Enforces accountability
• 6. Specifies suitable objectives
• 7. Identifies and analyzes risk
• 8. Assesses fraud risk
• 9. Identifies and analyzes significant change

10.Selects and develops control activities

• 11. Selects and develops general controls over technology

12.Deploys through policies and procedures 13.Uses relevant information 14.Communicates internally 15.Communicates externally 16.Conducts ongoing and/or separate evaluations 17.Evaluates and communicates deficiencies

1.

Demonstrate a commitment to integrity and ethical values

2.

Board that demonstrates independence and provides oversight over internal control

3.

Management establishes, with board oversight, structures, appropriate lines of authority and responsibility in the pursuit of objectives

4.

Organization demonstrates a commitment to attract, develop and retain competent individuals

5.

Employees are held accountable for their internal control responsibilities

Setting the tone

6.

Objectives are stated with sufficient clarity to enable the identification and assessment of risk relating to the objectives

7.

The organization identifies risks to the achievement of it’s objectives across the entity and considers how the risks will be managed

8.

Organization always considers the potential for fraud when assessing risk

9.

Identifies and assesses changes that could significantly impact internal controls

What could go wrong?

• 10. Control activities are developed that

contribute to the mitigation of risks to acceptable levels

• 11. Selects and develops general control

activities over technology

• 12. Control activities are deployed

through policies that establish what is expected and procedures that put policies into action

I want to prevent and detect errors

• 13. Relevant, quality information is

generated to support the functioning of internal control

• 14. Internally communicates

information on objectives and responsibilities for internal control

• 15. The organization communicates

with external parties regarding matters affecting the functioning

• f internal control

Employees are not mind- readers

• 16. Ongoing or separate evaluations are

conducted to ascertain whether the components of internal control are present and functioning

• 17. The organization evaluates and

communicates internal control deficiencies in a timely manner to those persons responsible for taking corrective action

Do we have that much in the bank?

Identifies and assesses changes that could significantly impact internal controls

Is a principle of which internal control component?

RISK ASSESSMENT

“Ongoing or separate evaluations are conducted to ascertain whether the components of internal control are present and functioning” Is a principle of which internal control component?

MONITORING

Select and develop general control activities over technology Is a principle of which internal control component?

Establish control procedures

TRUE OF FALSE

If you have implemented 4 out

• f the 5 components of

internal control, that’s a score

• f 80% and considered a

passing grade by the auditors

FALSE

 Effective internal control provides reasonable

assurance regarding the achievement of objectives and requires that:

• Each component and each relevant principle is

present and functioning

• The five components are operating together in an

integrated manner

 Each principle is suitable to all entities; all

principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component

 Components operate together when all

components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies

 A major deficiency represents an internal

control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives

 Users are encouraged to transition

applications and related documentation to the updated Framework as soon as feasible

 Updated Framework will supersede original

Framework at the end of the transition period (i.e., December 15, 2014)

 During the transition period, external

reporting should disclose whether the original

• r updated version of the Framework was

used

Demonstrates a commitment to integrity and ethical behavior? A) Risk assessment B) Monitoring C) Procedures D) None of the above

CONTROL ENVIRONMENT

Monitoring Internal Controls

TRUE OF FALSE

“The effectiveness of internal controls is the responsibility of internal audit”

FALSE

Monitoring Internal Controls

Periodically monitor what you are doing now – validate Identify a change in process or structure. Keep in mind that the change may be

• external. -

Initiate a change management process

Monitoring Internal Controls

 Who should perform monitoring?  What controls to consider?  What information should be evaluated?  What procedures to employ, by whom and

how often.

 How to assess and report results.

TRUE OF FALSE

The reliability of a monitoring procedure is dependent upon who performs it.

TRUE

 Self review  Peer review  Supervisory review  Impartial review

Increasing

• bjectivity

 Use your risk assessment to identify key

controls

• Formal comprehensive analysis
• Informal discussion (documented)

 Risk factors to consider

• Nature of operations
• Changes in operations
• Environmental factors
• Susceptibility to theft or fraud

 Area:

Revenue

 Objective:

Timely recorded and properly classified

 Risk:

Increased fraud risk if not timely; risk of not identifying regulations to follow (state vs federal)

 Priority:

High

TRUE OF FALSE

When evaluating controls, your goal is to obtain absolute assurance that the control is effective

FALSE

 Identify persuasive information – both

suitable and sufficient in the circumstances that provides evaluator reasonable, not absolute support for conclusion regarding the continuing effectiveness of internal controls in a particular risk area

TRUE OF FALSE

In order to be effective, a monitoring procedure should be conducted by someone

• utside of the department

being evaluated

FALSE

 Ongoing Monitoring: procedures include both

direct and indirect information

• Regular management activities
• Peer comparisons
• Reconciliations

 Separate evaluations

• Conducted periodically
• Not ingrained in routine operations

 Attributes of Ongoing Monitoring

• Integrates with operations
• Provides objective assessments
• Uses knowledgeable personnel
• Considers feedback
• Adjusts scope and frequency as needed

TRUE OF FALSE

Only report results of monitoring if a problem or potential weakness is identified

FALSE

 Need to prioritize results. Consider:

• Likelihood that the deficiency will affect the

achievement of an objective

• The effectiveness of compensating controls
• The aggregating effect of multiple deficiencies

Periodically monitor what you are doing now – validate Identify a change in process or structure. Keep in mind that the change may be

• external. -

Initiate a change management process

Monitoring Internal Controls

TRUE OF FALSE

A quote from Jenny Smith, Finance Director of Aloha County: “Internal controls in the Treasurer’s office are not my problem”

FALSE

 You have government wide responsibility for internal

controls

 Decentralized operations  You have limited authority and daily oversight of a

number of key accounting functions

 You rely on other departments for key information  Public oversight

How do you encourage departments/functions to be proactive and let you know of potential problems?

 What can management do?  What can internal audit do?

 Commonwealth of Virginia ARMICS program

• Specifically excluded internal audit shops from

participating

 Annual certification of the effectiveness of

internal controls in their department/agency

 Internal audit can use the results to help

tailor their audit program for the next year

A word of caution:

 Proper monitoring requires the assessment of

persuasive information and documentation

 With that in mind, what type of

documentation would you require for the annual certification of internal controls?

 Generally a key control  Susceptible to change due to turnover, vacant

positions, downsizing

 Before you can monitor, you need to formally identify

those controls.

 Encourage reporting  Annually request verification that controls are in

place- throughout the year.

 Timely reconciliations of balances to external

documentation, to subsidiary ledgers are a key control for all organizations

 Examples….  How do you know they are being done every

month?

 What are your key controls to ensure that

payments are not made to fictitious vendors?

 How can you monitor those controls to

ensure that they are functioned as designed?

 You have lunch with your banker. “We never

look at signatures anymore.”

 You initiate ACH payments or your bank now

• ffers on line bill pay.

Name one way you can encourage monitoring and reporting in departments outside of finance

John Montoro, CPA, CGMA RealTime Accounting Solutions 804.554.5793 jmontoro@rta-solutions.com