1
School Board Audit Committee Training Module 3 Evaluation of Internal Controls
2
Session Objectives
After completing this session you will:
- Understand the Audit Committee’s responsibilities related to internal controls
- Understand internal controls and why they are important
- Distinguish between preventative and detective controls
- Appreciate the competing demands of process efficiency and effectiveness
- Understand how internal controls moderate inherent risk, reducing the likelihood and/or significance of a risk (resulting in residual risk)
- Be familiar with the COSO Framework
  - Control Environment
  - Risk Assessment
  - Internal Controls
  - Information & Communication
  - Monitoring
3
Audit Committee Duties related to Internal Controls [ON Regulation 361/10 9(2)]
To review the overall effectiveness of internal controls. To review the scope of the internal and external auditor’s reviews of internal controls, as well as the findings, recommendations and management’s responses. To discuss with School Board officials the significant financial risks and the measures the officials have taken to monitor and manage these risks.
4
A definition of the internal control process
It is a “process effected by an entity’s board of directors/trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of business objectives”
- Operations: Effective and efficient use of resources
- Compliance: Compliance with law and regulations
- Financial: Preparation of reliable financial statements
Internal controls are needed to help achieve key business objectives
5
Internal control objectives
The objectives of an internal control system are as follows:
- Enforce organizational policies and rules
- Promote the effectiveness and efficiency of operations and optimize the use of resources
- Increase the reliability of financial/management/ministry reporting
- Ensure compliance with applicable laws and regulations
Why do we need them?
6
“The system of Internal Control is dependent on people”
Whereas manuals and forms are tools used by people, it is people that make or break the internal control system. Without proper control education and motivation, people cannot and will not make the internal control system work. Individuals will support the internal control system when they understand the system’s benefits to their personal interests and then to the organization. Without such an understanding, employees are apathetic at best and, at worst, will fight the system. A control must have Substance over Form, and NOT Form over Substance.
Example: Directors are required to review and approve invoices prior to payment. However, if the director approves a stack of invoices at the end of a week in a five-minute period, you must question whether the control is operating effectively.
7
“Internal controls can be expected to provide only reasonable assurance, not absolute assurance”
Internal controls should not be expected to guarantee that risks are mitigated or that undesirable conditions are prevented. Internal controls do not prevent failures caused by poor management judgment, or changing economic conditions. Management should not expect that all potential losses can be avoided. On the other hand, no entity should fail to install proper controls. A system of internal controls will provide the discipline and structure to provide the checks and balances to reduce risk exposure and enhance achievement of organizational (process) objectives. Example: Only overtime that has been approved can be paid by payroll. However, there is a possibility that employees may claim overtime to which they are not entitled, which could be potentially approved and paid.
8
“Effectiveness is doing the things that achieve results, and efficiency is doing these things the right way”
An organization must operate both effectively and efficiently, otherwise it risks failure. When an organization is effective, it is serving its stakeholders well. In the context of a school board, this includes serving students, parents, teachers, and the community at large. When an organization is efficient, it is wisely using the resources entrusted to it and achieving the best outcomes possible.
9
Types of internal controls
Preventative controls: Preventive controls are designed to prevent an error or misappropriation from occurring. They are considered to be before-the-fact controls that will prevent an undesirable outcome from occurring.
Detective controls: Detective controls are designed to detect errors after they have occurred and spur a prompt investigation. They are considered after-the-fact controls as they will not identify an undesirable outcome until after it has occurred. However, effective detective controls will help identify issues in a timely manner and may reduce severity of losses.
10
Discussion – Control type exercise
Preventative or Detective?
- An accounting department receives a listing of aged accounts receivable that details the amount and number of days the account has been past due.
- School board facilities may be rented for community use, after school hours. The custodian of the school whose facilities were rented performs a site inspection after community use and reports any damages he/she finds.
- Beth works in the accounting department and can process payments for employee expense reports that have been approved in the system. However, Beth does not have the ability to approve expense reports.
- Purchase Orders are required in order to allow the School Board to purchase goods or services. Buyers cannot obtain a purchase order from procurement unless 3 quotes are submitted.
11
Other types of internal controls
Compensating controls: At times what appears to be a weakness in control may not be a problem. The weakness is offset by compensating controls found elsewhere in the control structure. These controls are intended to compensate for system shortcomings and are a back-up approach to limiting risk exposure.
Directive controls: Organizations use directive controls to guide management behavior and decisions, as well as to direct organization policy and activities.
Monitoring controls: Monitoring controls (usually a management control) monitor the effectiveness of an entity’s internal controls and help in identifying problems in a proactive, rather than reactive, manner.
12
Discussion – Control exercise
Within your groups, perform the following:
- Consider various business cycles in your School Board (i.e. payroll, expenditures/payments/revenues). What do you think some of the key controls are in this business cycle?
- How would you classify these controls (preventative, detective, compensating, directive or monitoring)?
- As an audit committee member, what are some examples of due diligence activities you could perform relating to the oversight of internal controls?
13
Internal controls can aid in the reduction of the likelihood and significance of risk
A quick refresher…
Inherent risk is the assessed level of risk before considering controls.
Residual risk is the assessed level of risk once internal controls are assessed.
Quiz audience: what are the two levels that risk can be assessed at?
[Diagram labels: Process, Inherent risk, Internal controls, Residual risk; axes: Significance of risk, Likelihood of occurrence]
14
How can internal controls add value to the organization?
Internal controls help provide reasonable assurance that the organization:
- Adheres to laws, regulations, and provincial directives
- Promotes orderly, economical, efficient, and effective operations that achieve planned outcomes
- Safeguards resources against fraud, waste, abuse, and mismanagement
- Develops and maintains reliable financial and management information and fairly discloses that data through timely reporting
- Demonstrates appropriate care of taxpayer funds
Internal controls DO NOT provide absolute assurance over the appropriateness, efficiency and effectiveness of business processes as there is a risk of:
- Bad judgment
- Error / mistake
- Collusion
- Cost / benefit constraints
15
COSO framework
- Information and communication: The process which ensures that relevant information is identified and communicated in a timely manner
- Monitoring: The process to determine whether internal control is adequately designed, executed, effective and adaptive
- Control activities: The policies and procedures that help ensure that actions identified to manage risk are executed and timely
- Risk assessment: The evaluation of internal and external factors that impact an organization’s performance
- Control environment: The control conscience of an organization. The “tone at the top”
16
Control environment
The control environment is the foundation for the internal control system. Without the control environment, the other components will collapse like a house built without a foundation.
A number of elements influence the control environment:
- Governance model
- Organizational structure
- Management’s philosophy and operating style
- Assignment of authority and responsibility
- Integrity and ethical values
- Human Resource policies and practices
- Commitment to competence
People are the critical aspect of the internal control system.
[Diagram: COSO framework components (Monitoring, Control activities, Control environment, Communication, Information, Risk assessment)]
17
Risk assessment
As discussed in Module 2, risk assessment is identifying and analyzing the events and conditions (risks) that may prevent the achievement of the entity's objectives. Every entity faces both internal and external risks from a variety of sources. Through proper assessment, the entity can determine how to reduce or eliminate the impact of those risks.
[Diagram: COSO framework components (Monitoring, Control activities, Control environment, Communication, Information, Risk assessment)]
18
Control activities
Control activities provide the means to prevent the occurrence of identified risks, or if they cannot be prevented, to detect them as early as possible. Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks are effectively carried out. Includes both manual and automated controls, internal and external.
[Diagram: COSO framework components (Monitoring, Control activities, Control environment, Communication, Information, Risk assessment)]
19
Information and communication
Relevant information needed to conduct, manage and control operations is captured and communicated throughout the organization. Information systems produce reports containing operational, financial and compliance related information that make it possible to run and control the organization. Relevant information must be identified, captured and communicated in a form and timeframe that enables people both inside the organization and external stakeholders to carry out their responsibilities.
[Diagram: COSO framework components (Monitoring, Control activities, Control environment, Communication, Information, Risk assessment)]

Factors to Consider:

How is information obtained and provided to management?
- Are there systems to capture relevant external information?
- Is internal information regarding financial results generated by the entity’s financial information systems, and is that information reported regularly?
- Are entity-wide operating results (as compared to budget) prepared bi-weekly or monthly?
- Is information that managers need to make decisions about the company’s objectives available?
- Are entity-wide reports regarding profit margins on products and services prepared for the management committee?
- Is there an adequate IT system?

Is information going to the right people at the right time?
- Do managers receive analytical information so they can identify what action is needed?
- Do financial controllers meet periodically with line management to discuss operational results?
- Is information provided in sufficient detail, varying by the different levels of management?
- Do financial controllers get an appropriate amount of detailed information when reviewing financial results?
- Is information summarized appropriately?
- Is information provided timely to allow for effective monitoring?
- Are there established and agreed upon deadlines for period-end reporting? Do those deadlines allow for a review by the CFO and CEO?
- Is the information provided relevant and accurate?

Is there a process for identifying and responding to the changing I&C needs?
- Is there a mechanism for identifying emerging information needs?
- Does the entity have an existing committee to address information needs arising from new accounting standards? Does the entity’s existing committee have representatives from the different departments or divisions affected by the new accounting standards?
- Are information needs developed by executives with sufficiently broad responsibilities?
- Has a long-range information technology plan been developed and linked to the entity’s strategic initiatives? Does that plan include the preparation of high-quality financial reporting for external use?
- Does the long-range plan include consideration of the accounting department’s needs and the requirements of financial reporting?
- Does management devote substantial time to the consideration of information systems needs for the accounting and controlling function?
- Are the entity-level resources devoted to information systems for financial reporting proportionate to resources devoted to other areas of the organization?

How effective is the communication of what employees must do, as related to internal control?
- Does the company use training, meetings, or on-the-job supervision to effect communication?
- Are new employees in the corporate accounting department required to attend training on their role in the internal control structure and how it affects others?
- Do employees know the objectives of the company, as related to financial reporting, and how their activities affect those objectives?
- Does the CFO or person in a similar position meet with corporate controllers, at least annually, to discuss their role in meeting the company’s objectives related to financial reporting?
- Do employees know how their activities interact with the duties of other employees?
- Do those responsible for financial reporting at the entity-level meet annually to discuss the company’s objectives and each person’s role in meeting those objectives?

What channels are available for whistle blowing, and how does management react as it relates to financial reporting?
- Is there a way to communicate upstream, anonymously if so desired, other than through a direct supervisor?
- Does the audit committee have established procedures, as required by Section 301 of the Sarbanes-Oxley Act?
- Have the channels established by management or the audit committee been used in the past?
- What is the implication if the company states no problems have been reported?
- What if management reports that problems have not resulted in disciplinary actions?
- What are some of the financial reporting examples of suspected improprieties that were communicated to the audit committee?
- What type of feedback is provided to employees that report suspected problems?
- For those employees that initiated suspected improprieties regarding financial reporting to the audit committee, what is their current employment relationship with the company?
- Are there realistic mechanisms in place for employees to provide recommendations?
- Does management responsible for corporate accounting and control provide incentives (cash or otherwise) for employees to provide insights that improve their ability to achieve financial reporting objectives?
- How many incentives have been provided in the past twelve months?

How does management communicate across and outside the company?
- Is there communication throughout the organization about the company’s entity-wide objectives regarding financial reporting?
- Does the CFO meet regularly with divisional management to communicate expectations regarding financial reporting objectives for the company as a whole?
20
Monitoring
Internal control systems need to be monitored. Monitoring is a process that assesses the quality of the internal control system's performance over time. The purpose of the monitoring activity is to assure the ongoing quality of the internal control system. This function monitors the internal control system. Monitoring is the capstone component covering all the other components.
[Diagram: COSO framework components (Monitoring, Control activities, Control environment, Communication, Information, Risk assessment)]
21
Monitoring Activities
Ongoing monitoring activities are built into the normal recurring activities of the entity. Examples are as follows:
- Regular managerial activities (e.g. variance analysis)
- Code of conduct compliance statements
- Internal feedback (e.g., internal audit reports)
- External feedback (e.g. Ministry communications/questions)
- Training seminars and planning sessions