Introduction to Internal Control Activities
Everyone has a role to play with internal control activities! We all have a responsibility.
ABOR policy
ABOR policy “Internal Control Responsibilities” /chap6/6-711.pdf
ABOR policy “Internal Control Responsibilities” implementation guidelines guidelines-protocols/6-711-Guidelines.pdf
Who is responsible?
President
Chief Financial or Business Officer
Provosts, Vice Presidents, Deans and Other Management Positions
Chief Audit Executive
All Employees
–“All employees are responsible for complying with university and board internal control policies.”
ABOR “Internal Control Responsibilities” Implementation guidelines
Who is responsible?
“Adherence to the system of internal control shall be promoted by university management and those in positions of authority who have the responsibility for:
–Setting expectations for individual accountability for internal control responsibilities, which includes ensuring adequate separation of duties;…
Who is responsible?
–…Ensuring employees receive training related to the internal control responsibilities of their positions; and
–Ensuring these expectations are documented, discussed, monitored regularly, included in annual performance evaluations, and as appropriate, considered in decisions regarding job retention, promotion, and salary adjustment.”
»ABOR “Internal Control Responsibilities” Implementation guidelines
How can you meet these expectations?
This training helps you to understand…
–What are internal control activities?
–What are the different types?
–What are you already doing that is a control activity?
How can you meet these expectations?
Performance appraisals
–“Carries out internal control activities” added to Personal Accountability for Own Work, Words and Actions
–“Ensures internal control activities are established and clearly communicates expectations about compliance” added to Supervisory section
What are internal control activities?
“…the policies and procedures established and executed to help ensure the action necessary to address risks and assure that the board’s and university’s objectives are effectively carried out.”
»ABOR “Internal Control Responsibilities” Implementation guidelines
Types of internal control activities
Control conscious environment
Separation (or segregation) of duties
Authorization and approvals
Safeguarding records and assets
Monitoring and review
Control conscious environment
“The core of any university is its people and the internal control environment tone set by senior management. The people and the control environment are the engine that drives the organization. Their attributes (integrity, ethical values, and competence) and the environment in which they operate set the tone for the organization and determine the sincerity with which the institution embraces the control environment.”
»ABOR “Internal Control Responsibilities” Implementation guidelines
Control conscious environment
Examples of activities that contribute to a control conscious environment in your personal life:
–Aligning access to TV shows and websites with your family’s values
–Establishing expectations with children
Control conscious environment
Examples of control activities that contribute to a control conscious environment at NAU:
–“I have read and understand the Employee/Faculty handbook.”
–“I have disclosed any and all ownership interest in companies that I am doing business with or proposing to do business with the university and have made my supervisor aware.”
–“All of my dealings with my supervisor, other employees, vendors, contractors, and all other parties are based on full honesty and fairness.”
Control conscious environment
Examples of questions to ask yourself to understand if you are (or should be) performing control activities that contribute to a control conscious environment:
–“Am I familiar with departmental and university policies and procedures that apply to my position?”
–“Do I understand my job responsibilities, the limits to my authority, my performance standards and expectations, and reporting relationships?”
–“Do I ask myself these questions before making an ethical decision: Is it legal? Is it fair? How will it make me feel about myself?”
Control conscious environment
What functions do you perform in your position that support a control conscious environment?
Separation of duties
Why separate duties?
–Reduce the risk of error
–Reduce the risk of inappropriate action
What to separate?
–Recording a transaction
–Authorizing a transaction
–Custody or handling of the related asset
“Two sets of eyes”
Separation of duties
Examples of separation of duties in your personal life:
–A manager must turn a register key when making a return at a store
–The doctor writes the prescription but it is dispensed at the pharmacy
Separation of duties
Examples of separation of duties at NAU:
–“Transactions are touched by more than one person.”
The supervisor has custody of the master keys. I sign the key out by recording it in a log with my name, date, etc. The supervisor also initials the log. The key is ‘checked in’ in a similar manner.
Cash is received by one person, deposited by another, and recorded in PeopleSoft by a third.
Separation of duties
Examples of questions to ask yourself to understand if you are (or should be) performing the separation of duties internal control activity:
–“Are there at least two sets of eyes on every transaction?”
–“If I make an error in my work, will someone downstream of me detect it?”
–“Do I have security access in the information system that will allow me to perform all parts of a transaction without requiring the approval of someone else?”
Separation of duties
What functions do you perform that support separation of duties?
Authorization and approval
What is authorization?
–Define activities an employee can perform
–Define transaction parameters
–Define transactions that require approval
What is approval?
–Verification and validation
–Review of supporting documentation
–Evidence of approval
Authorization and approval
Examples of authorization and approval in your personal life:
–A signature on a check provides authorization for funds to be withdrawn from a checking account
–A listing of who is allowed to check out DVDs on your account
–A signed permission slip for a child’s field trip
Authorization and approval
Examples of authorization and approval at NAU:
–“I question what I sign and review the supporting documentation to be sure that the transaction is valid, in line with university and departmental policy and is properly supported by documentation.”
–“I do not share my password with other people.”
Authorization and approval
Examples of questions to ask yourself to understand if you are (or should be) performing authorization and approval internal control activities:
–“Am I clear on the limits to my authority?”
–“Do I refuse to approve a request if it is not properly supported with documentation?”
–“Do I have appropriate access to information systems to allow me to only authorize transactions for my area of responsibility?”
Authorization and approval
What activities do you perform that are authorization or approval functions?
Safeguarding records and assets
How are records and assets safeguarded?
–Access is physically restricted
–Assets are periodically counted and compared to records
–Protect against unauthorized acquisition, use or disposition
Safeguarding records and assets
Examples of safeguarding records and assets in your personal life:
–Locking the house when you leave
–Keeping copies of tax documents, the deed to the house, your social security card in a secure location
–Keeping breakable items out of the reach of small children
Safeguarding records and assets
Examples of safeguarding records and assets at NAU:
–“I lock the door when I leave at night.”
–“Fire extinguishers are checked regularly and are in working order.”
–“I perform a physical inventory of my department’s assets and compare it to the records kept by Property Administration. Differences are investigated and resolved.”
Safeguarding records and assets
Examples of questions to ask yourself to understand if you are (or should be) safeguarding records and assets:
–“Do I lock my computer when I get up from my desk?”
–“Are cash and checks kept locked at all times?”
–“Are all records containing confidential or sensitive information kept in a locking file?”
Safeguarding records and assets
What activities do you perform that safeguard records and assets?
Reconciliation and review
What is review and reconciliation?
–Review and compare information about current performance to benchmarks to measure the extent to which objectives are being achieved
–Identify reasons for unexpected results
–Reconcile accounts by comparing different sets of data to one another
–Document review by signature and date
–Take corrective action when necessary
Reconciliation and review
Examples of monitoring and review activities in your personal life:
–Reconciling your check register to your bank statement
–Reviewing credit card statements for erroneous charges
–Looking at a child’s report card and signing it
Reconciliation and review
Examples of monitoring and review internal control activities at NAU:
–“I reconcile my deposit form to the receipts returned to me by the Bursar’s Office.”
–“I review long distance telephone usage for my department on a regular basis.”
–“I complete controls self assessments on an annual basis.”
Reconciliation and review
Examples of questions to ask yourself to understand if you are (or should be) performing reconciliation and review internal control activities:
–“Do I review Business Objects reports and compare my department’s actual financial situation to budget? Do I investigate and resolve unusual items?”
–“Do I initial and date reports that I have reviewed as evidence that the review was conducted?”
Reconciliation and review
What monitoring and review internal control activities do you perform?
Who relies on NAU’s internal controls?
Students, parents, alumni, donors, research sponsors
Financial institutions, rating agencies
Faculty and staff
The state of Arizona
ABOR
Threats to an internal control structure
Management override
Inappropriate access to assets
Substance over form
Conflicts of interest
Failure to anticipate risks
Collusion
Consequences of internal control failures
Decreased enrollment
Reputational damage
Fines
Loss of donor confidence and investment
Loss of research dollars
Inability to secure financing for new initiatives
Media publicity
Additional ABOR scrutiny
Endangerment of students, faculty, staff and the campus
Summary
Everyone has a responsibility for internal control activities.
Control activities are found in all parts of life – and in every NAU position.
Failure of internal control activities can be very detrimental to faculty and staff, the department and to the university.
Summary
Want to know more about internal controls? See something that concerns you? Please contact us!
–Wendy Swartz, Asst. Comptroller – Financial Controls