1050 N. Lindbergh Blvd. | St. Louis, MO 63132 | 314.983.1200 1551 Wall St., Ste. 280 | St. Charles, MO 63303 | 636.255.3000 2220 S. State Route 157, Ste. 300 | Glen Carbon, IL 62034 | 618.654.3100
888.279.2792 | www.bswllc.com
GFOA - Missouri
Preparing An Internal Control Manual
May 3, 2012
© 2012 Brown Smith Wallace All Rights Reserved
Ron Steinkamp, CPA, CIA, CFE 314.983.1238 [email protected]
© 2011 Brown Smith Wallace All Rights Reserved
Facilities
Cell phones
Presentation materials
Participation
Questions
Who has an IC manual?
If you do, why do you?
If you don’t, why not?
What are the benefits?
What would you like to learn from this presentation?
Agenda
GFOA best practice
COSO internal control framework
Importance of having an internal control manual
Developing an internal control manual
Components of an internal control manual
Examples
Guidance/resources
Questions
GFOA Best Practice
Documentation of Accounting Policies and Procedures
Every government should document
Appropriate level of management should promulgate
Review and update no less than once every three years
Update changes as they occur
Assign employee duty of overseeing the process
Cont.
Documentation should:
Be readily available to all employees who need it
Delineate the authority and responsibility of all employees, especially the authority to authorize transactions and for the safekeeping of assets and records
Include which employees are to perform which procedures
Be described as actually performed
Explain the design and purpose of control-related procedures to increase employee understanding and support for controls
Cont.
Enhancing Management Involvement with IC
Financial managers obtain the information and training needed to take responsibility for internal control
Obtain a sound understanding of the essential components of a comprehensive framework of internal control as set forth by the Council of Sponsoring Organizations (COSO)
Employees responsible for internal control receive the information and training needed to fulfill their responsibilities
Cont.
Document internal control procedures
Procedures include practical means for employees to report management override of controls
Periodically evaluate relevant internal control procedures to ensure they are:
Adequately designed
Have been implemented
Function as designed
COSO INTERNAL CONTROL FRAMEWORK
What is COSO?
Issued the Internal Control Integrated Framework in 1992
Established a common definition of internal control
Provided a standard (criteria) to assess the effectiveness of internal controls
The standard for internal control recognized by the U.S. accounting profession
Internal Control Definition
Process
Effected by people
Provide reasonable assurance regarding the achievement of objectives related to:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
COSO Control Categories
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
Cont.
Control Environment
Sets the tone of an organization
Provides discipline and structure
Factors include:
Integrity and ethical values
Commitment to competence
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Cont.
Risk Assessment
Identify risks, including fraud risks, that could impede the achievement of objectives
Analyze risks
Formulate a risk management approach
Cont.
Control Activities
The policies and procedures that help mitigate risks
Common control categories include:
Tracking achievements to plans
Monitoring performance measures and indicators
Physically securing and safeguarding vulnerable assets
Ensuring accuracy and completeness of information processing systems
Segregating key duties and responsibilities to reduce the risk of error or fraud
Ensuring transactions are authorized, properly classified, and promptly recorded
Cont.
Limiting access to resources and records and establishing accountability for their custody
Documenting all transactions
Ensuring transactions are conducted in accordance with applicable laws and regulations
Cont.
Information and Communication
Management should receive information in a timely manner and in a format that allows proper execution of internal controls and operational responsibilities
Communication should be useful, reliable and continuous
Cont.
Monitoring
Assess the quality of performance of internal controls over time
Includes:
Ongoing monitoring – regular management and supervisory activities
Separate evaluations – internal and external audits
Mechanism to ensure prompt resolution of audit findings and recommendations
Management is responsive to recommendations aimed at strengthening controls
Why Have an Internal Control Manual
Accountability
Government officials are entrusted by the public to:
Operate in an efficient and effective manner
Properly handle and safeguard funds
Comply with laws and regulations
Achieve results for which they were authorized/funded
Must be accountable to the public
A good, up-to-date IC Manual that is properly implemented and followed provides reasonable assurance that risks are properly identified, managed, monitored and reported on through control activities.
Cont.
Sound Management Practice
Maintain control
Describe the method and systems of management
Comply with regulations
Educate employees
Provide for continuity
Preparation for audit
Developing an Internal Control Manual
Approach
[Diagram: Plan, Review, Evaluate, Design, Document, Educate]
Cont.
Plan
Select the team and leader
Establish objectives
Determine format and contents of the IC manual
Determine processes to document
Establish a time line
Assign team responsibilities
Schedule team check points
Cont.
Review
Review current policies and procedures
Walk through “as is” process with process owner
Document “as is” process
Validate “as is” process documentation with process owner
Make changes as appropriate
Cont.
Evaluate
Identify existing internal controls in “as is” process
Determine adequacy and effectiveness of existing internal controls
Identify control gaps – missing controls
Discuss with process owner and seek input on design of controls
Cont.
Design
Design process with adequate and effective controls
Walk through re-design process with process owner
Make changes as necessary
Cont.
Document
Document process and related controls
Compile IC Manual with all processes
Cont.
Educate
Train & roll-out to all affected employees
Part of new hire orientation
Refresher training
Cont.
Tips
Start with a flexible table of contents
Keep it simple, short and uncomplicated
Determine consistent format and layout
Date each policy and procedure included in the manual
Include page numbers
Components of an Internal Control Manual
Internal Control Manual
• Introduction
• Fraud
• Risk assessment
• Information & communication
• Internal control basics
• Control environment
• Control activities
• Monitoring
Cont.
Introduction
Purpose
Scope
Authority
How to use the manual
Definitions
Cont.
Internal Control Basics
Define internal control
Control framework
Importance of controls
Management’s responsibility for internal controls
Cont.
Fraud
Definition
Characteristics
Reporting responsibility
How to report
Cont.
Control Environment
Definition
Responsibility
Expectations related to:
Integrity and ethical values
Commitment to competence
Management philosophy and operating style
Cont.
Organizational structure
Assignment of authority and responsibility
Human resource policies and procedures
Cont.
Risk Assessment
Definition
Responsibility
Expectations related to:
Establishment of objectives
Risk identification
Risk analysis
Managing risk during change
Cont.
Control Activities
Definition
Responsibility
Control types:
Approvals, authorizations and verifications
Reconciliations
Performance reviews
Cont.
Security of assets
Segregation of duties
IT – general controls
IT – application controls
Identify procedures and controls within critical cycles/processes such as:
Revenue
Procurement
Disbursement
Payroll
Cont.
Treasury
Financial reporting
Fixed assets
Regulatory
Information systems
Cont.
Information & Communication
Definition
Responsibility
Expectations related to:
Information
Communications
Cont.
Monitoring
Definition
Responsibility
Expectations related to:
Ongoing monitoring
Evaluations
Audit resolution
Example Internal Control Manuals
Example IC Manuals
• IC Policy Manual – North Carolina
• IAC Manual – Ohio Counties
• Atlantic Beach NC Internal Control Policy
• Fin Mgmt Controls Manual - Example
• Understanding Internal Control
• Internal Control Manual
Guidance/Resources
COSO – www.coso.org
GAO – www.gao.gov
www.gao.gov/products/AIMD-00-21.3.1
www.gao.gov/products/GAO-01-1008G
GFOA – www.gfoa.org
IIA – www.theiia.org
Questions