Developing An Internal Control Plan For Your LEA SASBO Conference April 29, 2008 Presenters: Kathy H. Isenhour, CPA Associate Superintendent Hickory Public Schools Hickory, NC Lynne E. Hensley, Retired CFO and Consultant Burnsville, NC
In-ter-nal Con-trol Internal- Of or on the inside: having to do with or belonging to the inner nature of a thing Control- To exercise authority over, direct
Internal Control Defined The plan of organization and all of the co-ordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. SAP No. 33
Internal Control Pronouncements SAS No. 1 (SAS 104-Amendment to SAS 1) Accounting controls: Safeguarding of assets, reliability of financial records Managerial controls: Promote operational efficiency, encourage adherence to prescribed managerial
Changes to Scope of Audit as a result of SAS 112-Communicating Internal Control Matters Identified in an Audit Expands the quality and depth of the auditor’s required understanding of the entity and its environment including internal control Requires the auditor to assess the risks of material misstatements at the financial statements Emphasizes importance of the entity’s risk assessment process
Overall Changes to Audit Process in relation to Internal Control Matters Auditor must evaluate identified control deficiencies Auditor required to communicate in writing significant deficiencies and material weaknesses to management and Board of Education. SAS takes away the option to communicate orally matters related to deficiencies and weaknesses.
Auditor to Evaluate Design of Internal Controls Auditor will specifically review : Points where transactions are Initiated Processed Recorded Reported and will assess risk that errors may not be prevented and detected
Examples of Deficiencies: Inadequate design of internal control over the preparation of the financial statements being audited Employees or management who lack qualifications & training to fulfill their assigned functions (unfamiliar with GAAP) Inadequate documentation of the components of internal control Inadequate design of monitoring controls Inadequate design and control of information technology Q & A survey no longer adequate
Components of An Internal Control Plan When developing and writing an internal control plan, the plan should address the following: Control the environment Define the risks Control activities to minimize risk Inform and communicate procedures and policies Monitor activities
Control Environment Controlling the environment is greatly influenced by the extent to which individuals recognize they will be held accountable Accountable is the “operative word” ACCOUNTABLE “ IS THE OPERATIVE WORD”
Control Activities Who is responsible? The Board of Education, Superintendent and Chief Finance Officer are ultimately responsible for identifying the financial and compliance risks and for designing, implementing and monitoring the internal control system for the Local Education Agency.
Tips to enhance a department’s control environment Administrative Procedures Employee Handbook stating policies and procedures Finance Department Standards of Conduct Clearly defined job descriptions Adequate training Appropriate disciplinary action when an employee does not comply
Risk Assessment Identify the risks by determining: What could go wrong Where there are vulnerabilities How theft and fraud could take place What assets need to be protected Expect Auditor to ask these questions
Some Examples of High Risk Transactions Petty Cash ( if high volumes are processed) Cash Receipts Travel Expenditures Equipment Purchases Payment to Non-Vendors Supplies for Maintenance and Bus Garage
Characteristics of Fraud Generally there are three requirements for fraud to occur: motivation – need for money opportunity- weakness in internal controls personal characteristics-willingness to commit the crime It is difficult to have an effect on an individual’s motivation for fraud, but having an effective internal control plan can remove opportunities to commit fraud.
Control Activities General Controls include: Access Security including data and program security Physical Security Software and program change controls Disaster Recovery
Software Application Controls Input controls -authorized users -error listings -limit checks written; dollar amounts -self-checking digits for duplicates Processing controls -control totals -audit trails Output controls -listing of master file changes -distribution of registers -review of output
Examples of Control Activities Approvals, Authorizations, and Verifications ( Preventive) Reconciliations –Bank Statements, External Reports (Detective) Access to Equipment, Inventories, cash is limited and periodically counted and compared to previous inventory (Preventive and Detective) Segregation of Duties (Preventive)
Segregation of Duties No one person should Initiate the transaction Approve the transaction Record the transaction Reconcile balances Handle assets Review reports Even in the smallest LEAs –at least Two Sets of EYES
Balancing Risk and Control Internal controls should be proactive, value added, cost-effective and address the exposure to risk. The cost of a control should not exceed the benefit to be derived from it.
Information and Communciation Information and communication are essential to effecting control. Reliable and relevant information from both internal and external sources must be identified, processed and communicated to people in a timeframe that is useful.
Communication Communication can be formal or informal Communication as simple as staff meetings can provide input and feedback relative to the LEAs operations, financial reporting and compliance reporting. Employees often provide some of the most critical information needed to identify risks and opportunities for wrong doing.
Monitoring Monitoring is the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities such as: Annual evaluation of personnel Conduct periodic internal audits Review applicable laws and regulations to ensure compliance
Effectiveness of Internal Control Plan Internal control is effective and adequately designed if all internal control components are properly executed and functioning as planned: Control of the environment Assessment of the Risks Control the Activities Information and Communication Monitoring
What is the Price for NOT Having Good Internal Controls? Loss of public trust Loss of future grants School system’s reputation Violation of laws
Elements To Use in Internal Control Exercise Bank Statement Reconciliation Vending Machine Change Payroll Master File Maintenance Facsimile Signature (Rubber Stamp) Travel Reimbursement Claim Plumbing Contractor Cafeteria Daily Cash Collection Superintendent’s Sister-in-Law Individual School Fund Raising Receipts Parts for School Bus Garage
Sample Internal Control Plan Control Activities for Budget Hickory Public Schools Control Activities for Budget The Board of Education adopts an annual budget for all funds in accordance with state statutes. Budget amendments over $10,000 are required to be approved by the Board of Education. Accounting principals used in the budget preparation are the same as those used in preparing the financial statements.
Sample Internal Control Plan Control Activities for Cash Receipts Hickory Public Schools Control Activities for Cash Mail is opened and a list of daily receipts is prepared by the receptionist. Checks are forwarded to accounts receivable to process daily deposits. Deposits are made daily when cash/checks exceed $50. Cash receipts are promptly and accurately recorded as to the account, amount and date. Petty Cash is permissible not to exceed $25 at reception area for change when citizens request transcripts. Reconciliation is done monthly to reconcile cash collected to receipts.
? ? ? ? ? ? ? Questions isenhourka@hickoryschools.net ? ? ? ? ? ? ? isenhourka@hickoryschools.net lehensley@yanceync.net