Presented to Managers
INTERNAL CONTROLS are the integration of the activities, plans, attitudes, policies and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission. Simply put -
Internal Controls are actions taken to make sure the right things happen and the wrong things don’t.
Promote efficient and effective operations and produce quality products and services
Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud
Ensure adherence to laws, regulations, contracts and management directives
Develop and maintain reliable data, and accurately present the data in timely reports
Compliance with laws and policies
Accomplishment of mission
Relevant and reliable data
Economical and efficient use of resources
Safeguard assets
Monitoring: Assess internal control performance
Control Activities: Tools that help prevent or reduce risk
Risk Assessment: Identification and analysis of relevant risks to achievement of objectives
Control Environment: Sets the tone for the organization; the foundation for all other components of internal control
Communication, Information
Everyone in an organization has responsibility for internal control. Senior Management sets the “tone at the top” that affects integrity, ethics and other factors of a positive control environment.
Setting the proper control environment is crucial to the effective implementation of all the other elements of internal control. Staff will take their cue from the attitude and example displayed by management.
RISKS are events that threaten the accomplishment of objectives. They ultimately impact an organization’s ability to accomplish its mission. Risks are the things that can go wrong, and the things that need to happen, that affect efforts to succeed.
Risks can be categorized as follows: Strategic, Financial, Legal/Compliance, Operational.
Strategic Risks are those which affect an institution’s ability to achieve its goals. Financial Risks are those which may result in a loss of assets. Legal or Compliance Risks are those that may result in non-compliance with either external laws and regulations or internal policies and procedures. Operational Risks are those which affect the day-to-day processes.
Address the risks identified from the vulnerability assessment:
Risk assumption – impact and likelihood low (do not establish control activities)
Risk control – take action to lower the probability or eliminate the risk (establish control activities)
Risk avoidance – abandon plan; risks uncontrollable and unacceptable (do not carry out the function)
[Figure: impact versus likelihood matrix, each axis running from low to high, with four quadrants (I to IV) labelled Area of Least Concern, Area of Minimal Concern, Area of Moderate Concern and Area of Most Concern.]
Evaluate each risk in terms of its impact and likelihood.
Likelihood is the probability that an unfavorable event would occur if there were no control activities in place.
Impact is the effect on an organization if the unfavorable event were to occur. The effect is the ultimate harm that may be done or the opportunity that may be lost.
It is also critical to determine the cause for each risk in order to design control activities that will effectively limit the risk.
Goals
Isolate Risk Areas
Assess Impact And Probability
Design Risk Strategy
Implement Controls
Review Continually
Source: “Internal Control A Manager’s Guide” by K.H. Spencer Pickett
Standards for Internal Control in New York State Government, Office of the State Comptroller.
Control Environment – Tone at the Top, New York State Internal Control Association