Internal controls
Risk management service
Learning goals
• Defining Internal Control & Understanding the Internal Control Framework
• GAO’s Standards for Internal Control in the Federal Government
• OMB Uniform Grant Guidance—requirements for internal controls
• ED’s A123 Internal Control Review Process
• Internal Controls and YOU
• Implementing Strong Internal Controls in Your Agency
• Consequences of Not having Strong Internal Controls-Avoiding the Pitfalls
• Case Study
• Case Study Discussion & Analysis
• Conclusion/Wrap Up
• Questions
Defining internal control
• Internal Control: a process effected by an entity’s oversight body, management and/or
other personnel that provides reasonable assurance that the objectives of an entity will
be achieved. These objectives and related risks can be classified into one or more
categories:
• 1. Operations: effectiveness and efficiency of operations and safeguarding of assets
necessary to carry out operations.
• 2. Reporting: reliable reporting for both internal and external use; this includes
financial and non-financial reporting.
• 3. Compliance: compliance with applicable laws and regulations.
• What is an Internal Control System: a continuous built in component of operations,
effected by people, that provides reasonable assurance, not absolute assurance that an
entity’s objectives will be achieved.
• How does all of this come together—the five components of Internal Control, as
established by the General Accountability Office (GAO).
GAO’s Standards for Internal Controls
• Recently revised: GAO revised their standards--aka the Green Book--in
2014, which then became effective in 2016.
• Standards to guide agency’s operations: GAO established these
standards so that government agencies know what internal control is
(and isn’t), how it should work effectively within agencies, how entities
should use the Green Book and identification of the five key components
of internal control. (The revised version highlights 17 principles within
these 5 components.)
• Resource not just for federal entities: The Green Book may also be used
and adopted by state & local government agencies, as well as nonprofits.
Management can determine how to appropriately apply the
elements within the Green Book to their particular agencies’ needs.
Five Components of Internal Control
Control Environment
Control environment: this is the foundation of any internal control system.
5 principles
1. Management demonstrates commitment to integrity and ethical values.
2. Management/oversight body oversees the entity’s internal control system.
3. Management establishes an organizational structure, assigns responsibilities and
delegates authority to achieve the agency’s mission and objectives.
4. Management demonstrates a commitment to recruit, train and retain competent
people.
5. Management evaluates performance and holds individuals accountable for their
internal control responsibilities.
Management establishes the control environment and this is the system under which
employees will operate.
Control Environment (cont.)
The Control Environment should ensure controls are in
place, covering areas such as:
• Hiring Practices
• Training Programs
• Whistleblower Policies
• Code of Ethics
• Clear lines of responsibility and authority
• Grants/program administration
• Fiscal management and operations
Monitor & Update the
Control Environment
Control Environment (cont.)
The Control Environment should be documented. Types of
documentation that can be used are:
• Process narratives
• Organizational Charts
• Flowcharts
• Questionnaires
• Memorandums
• Checklists
• Etc.
Risk assessment
Risk Assessment: identifying and assessing the potential risks facing the agency, and
developing the appropriate risk mitigation tools and strategies to minimize risk
occurrences.
4 Principles
1. Management defines agency objectives so that risks can be identified and risk
tolerance (or risk appetite) levels can be established.
2. Management identifies, analyzes and responds to risks related to the agency
achieving its mission and objectives.
3. Management considers the risk for potential fraud.
4. Management identifies, analyzes and responds to significant changes that could
impact the internal control system.
At all levels, management establishes the organizational priorities for how it handles
its risk assessment process.
Risk assessment (Cont.)
Risk Assessment Categories to help identify and assess risks:
Strategic Risk—political risk, talent and succession planning risk, risk from
dependence on other organizations
Financial Risk—risk of audit findings and other things that would undermine reporting
integrity
Compliance Risk—fraud, theft, embezzlement and/or noncompliance with regulations
and requirements
Operational Risk—risk that Programs may fail to meet their objectives, mishandle
federal grant funds, natural disasters, lack of accessible technology, etc.
Risk assessment is critical especially when agencies are facing constrained resources
because it allows for targeted and strategic use of available resources.
Risk assessment (Cont.)
Risk Assessment vs. Risk Management
Risk Assessment is an element of internal control within the risk management process
that allows management to identify and assess key risks to achieving its objectives;
this assessment forms the basis upon which control activities are determined.
Risk Management is a process applied in a strategic manner across the entity, that is
designed to identify and manage risks to stay within a risk appetite or risk tolerance
level, to provide reasonable assurance about achieving entity goals and objectives.
Risk assessment (Cont.)
Once an objective is established, apply these risk assessment factors:
Materiality of the amount of funds/dollars in question
Complexity or difficulty of the process
History of accounting or procedural (operational) adjustments
Propensity for change or deviations in the process or controls
This helps to assess the risk, the risk likelihood and potential impact.
Risk assessment (cont.)
Internal Risks
• Use of qualitative/quantitative methods
• Change in management
• Weak or unresponsive tone set by leadership
• Human capital—quality and/or quantity of personnel
• Rapid growth or reduction
• Change in processes
External Risks
• Technological advances
• Impact of program changes
• Changing legislature
• Decentralized organization operations
• Natural disasters
• Changing client or constituent needs or expectations
Risk assessment (cont.)
Risk Strategies
Control activities
Control Activities: actions management establishes through policies and procedures
to achieve objectives and respond to risks in the internal control system, which
includes the agency’s information system.
3 Principles
1. Management designs control activities to achieve objectives and respond to risks.
2. Management designs the entity’s information system and related control
activities to respond to risks.
3. Management implements control activities through written policies.
Control Activities should be established by management.
Control activities (cont.)
Control Activities are the heart of the internal control
system.
Understanding the Types of internal control activities
• Preventive—these controls help management to avoid problems
before they occur. Prevent the occurrence of negative events.
• Detective—these controls help to uncover issues after they’ve
occurred. Identify the occurrence of a negative event.
• Corrective—these controls detect if risk is present, and then elicit a
response and/or corrective action.
Control Activities (cont.)
Examples of Control Activities
• Approvals and authorizations (Preventive)
• Reconciliations (Detective)
• Independent Reviews (Detective)
• Segregation of Duties (Preventive)
• Training (Preventive)
• Corrective Action Plan (Corrective)
• Monitoring (Corrective)
• Update/Implement SOPs (Corrective and/or Preventive)
• Asset Security (Preventive)
Control Activities (cont.)
Manual vs. automated controls
Manual controls require action(s) to be taken by an employee;
automated controls are built into the network infrastructure and
software applications. Automated controls are always preferable.
Manual controls:
• Obtain supervisor’s approval for Overtime
• Reconciliation of bank accounts
Automated controls:
• Password protections
• Data entry validation checks
Control activities (cont.)
Compensating Control
• If a weakness or limitation exists within the control environment, a compensating
control may be implemented to help mitigate risk.
• Compensating controls can be preventive or detective.
• Potential compensating controls could be: automation of certain transaction data
and management review.
• Compensating controls are put in place when management knows the
recommended control activity is not possible with existing resources.
• Segregation of duties is a very important compensating control activity.
• Creates checks and balances within critical functions
• One person is not responsible for initiation and approval
• Fraud and error are major risks in payroll management
• Always establish segregation of duties in financial and operational functions
Information and communication
Information and Communication: high quality information that management and
personnel communicate and use to support the internal control system.
3 Principles
1. Management should use quality information to achieve the agency’s goals and
objectives.
2. Management should internally communicate the necessary quality information to
achieve the entity’s objectives.
3. Management should externally communicate the necessary information to
achieve the agency’s mission and objectives.
Management establishes expectations regarding what a quality information and
communication system should look like, and staff follows suit.
Information and communication (Cont.)
Information employees and stakeholders need to know.
• Agency initiatives
• Goals
• Challenges
• Opportunities
• Feedback
• Questions
• Policies and Procedures
• Standards
• Expectations
• Incentives/Rewards
• Consequences for non compliance
Communication strategies have evolved in the era of social media. Agencies utilize email, text messages,
Twitter, Facebook, LinkedIn, apps, mail, phone, etc. to communicate internally and externally.
Monitoring
Monitoring: activities management establishes to assess the quality of performance
over time and to promptly resolve management reviews or audit findings. This
helps to determine if controls are working as they should.
2 Principles
1. Management establishes and operates monitoring activities to assess the
internal control system and evaluate results.
2. Management remediates identified internal control deficiencies in a timely
manner.
Management makes monitoring a priority and uses the results of monitoring to
improve and strengthen internal controls and agency operations.
Monitoring (cont.)
Monitoring activities help to determine whether internal controls are present and
functioning as intended.
Types of Evaluations
• Ongoing Evaluations
• Built into business practices
• Provide timely information
• Frequently conducted
• Separate Evaluations
• Conducted periodically
• Variation in scope and frequency
Evaluations can sometimes reveal deficiencies or findings. These need to be
addressed and rectified in a timely manner.
Monitoring (cont.)
Monitoring/Validating Controls
Deficiency in Design
• A critical control is not properly designed and does not meet the control objective,
or is simply ineffective.
Deficiency in Operations
• A critical control is designed properly but does not perform in the intended
manner and is unable to address the identified risks.
Monitor frequently for effectiveness
• Review supporting documentation
• Review reconciliations
• Review policies and procedures and observe demonstrations to ensure
procedures are being followed properly
Monitoring (cont.)
The Importance of supporting documentation
Documentation should always be maintained to determine SOPs and protocols are
being followed and authorized activities have occurred.
Documentation must contain adequate information that:
• Identifies who performed the work and when
• Indicates the nature, timing, extent and results of the procedures performed
• Enables understanding of the evidence obtained
• Supports the conclusions, activities and/or purchases that are made
OMB Uniform Grant guidance
Part 200—Uniform Administrative Requirements, Cost Principles and Audit
Requirements for Federal Awards, §200.303 “Internal Controls”
Non Federal Entities must execute the following (5) five actions:
• (a) establish and maintain effective internal control over the Federal award that
provides reasonable assurance that the non-Federal entity is managing the
Federal award in compliance with Federal statutes, regulations, and the terms
and conditions of the award. See the Green Book and Internal Control Integrated
Framework by COSO (Committee of Sponsoring Organizations of the Treadway
Commission).
• (b) Comply with Federal statutes, regulations, and the terms and conditions of
Federal awards.
• (c) Evaluate and monitor the non Federal entity’s compliance with statute,
regulations and terms and conditions of Federal awards.
OMB Uniform Grant guidance (cont.)
Part 200—Uniform Administrative Requirements, Cost Principles and Audit
Requirements for Federal Awards, §200.303 “Internal Controls”
Five actions cont.
• (d) Take prompt action when instances of non compliance are identified including
non compliance identified in audit findings.
• (e) Take reasonable measures to safeguard protected personally identifiable
information (PII).
TAKEAWAYS:
1. Establish and implement an internal control system that complies with laws and requirements.
2. Evaluate and monitor compliance with laws and requirements.
3. Identify and communicate findings/deficiencies with key stakeholders.
4. Develop and implement a corrective action plan when deficiencies occur. Ensure CAP completion.
5. Implement procedures to protect important information.
6. Look for ways to constantly improve internal control system.
ED’s A-123 internal control review process
• Internal Control Review Shift: in 2008, A-123 internal control reviews at ED shifted
from financial compliance audits to include the evaluation of the internal
operations of ED grant-making offices.
• Federal Managers Integrity Act (FMFIA): agencies must establish internal control
and financial systems that provide reasonable assurance that the three objectives
of internal control are achieved (effectiveness and efficiency, compliance and
reliable financial reporting). FMFIA requires reporting of programs, financial
reporting and financial management systems.
• OMB Circular A-123 “Management’s Responsibility for Internal Controls:”
promulgates the FMFIA requirement and defines management’s responsibility for
implementing internal control within their agencies.
• Every year ED conducts A-123 internal control reviews. Operational
(programmatic/grants management) challenges are usually noted; controls and
corrective actions are implemented to address concerns.
• Training: employees take a mandatory annual Internal Control training to fortify
knowledge and understanding of requirements.
Your agency’s internal control review process
• Every unit within your organization should have an established and transparent internal
control system, codified by SOPs. This includes: property & procurement, budget,
payroll, accounting office, human resources, federal grants office, etc.
• Establish a system that allows for clear understanding of the entire process from start
to finish.
• Get staff invested and educated about what the internal control system looks like within
your agency.
Internal controls and you
• Understand what internal control is and is not. There are requirements, but make
sure your work is aligned with those requirements and not adding additional
stress, burden or undue complexity.
• Management establishes the internal control system. Employees must know and
understand the internal control system, what their responsibilities are and how
their actions contribute to and affect the overall system and their discrete duties.
• Standardize your process. Follow procedures and document operational activities.
• Personal Ownership: Take responsibility for your role and communicate any
challenges or concerns to management.
• Group Effort: Everyone is responsible for implementing strong internal controls in
their every day work environment.
• Value: Create meaning and purpose in work, so that executing the process is
ingrained in staff culture and is not viewed as burdensome or time consuming.
Internal controls and you (cont.)
Basic concepts to make Internal Controls work for you!
• Establish responsibility—know who is supposed to be doing what. Key tasks need to
be assigned to specific individual(s) and communicated across the agency.
• Segregate Duties—maintain proper custody of assets, record transactions, authorize
transactions and reconcile transactions. Create a checks and balance system to
avoid theft, fraud or improprieties.
• Restrict Access—do not allow just anyone to have access to critical or sensitive
information. Access should be given only to those who need to complete assigned
duties.
• Document Procedures and Transactions—supporting documentation is critical to
every business practice and operational function. Always retain documentation
(electronic and manual).
• Independently Verify—corroborate information.
Implementing strong internal controls within your
agency
An Internal Control System is a Critical Component of Effective Grants Management
1. Any organization that is awarded federal grant funds must build a system of
internal controls to effectively manage the grant funds it receives.
2. A weak internal control system can lead to mismanagement of federal grant
funds.
3. Severe mismanagement can lead to serious problems, such as: special
conditions, restrictions on grants including: route payments/disbursements, high
risk designation, federal intervention (including monitoring and/or Technical
Assistance), etc.
4. Consider developing an Internal Audit division within your agency. If your agency
already has one, make sure it’s built up and operating with fidelity.
Implementing strong internal controls within your
agency (cont.)
Build competence, understanding and sustainability.
• Build capacity; have the right people at the table and invest in training and professional development.
• Implement: don’t be afraid to try new things, experiment and determine what works best for your agency, and continuously review the processes implemented.
Avoiding the pitfalls
What happens when things go wrong and the internal control system fails?
1. Audit findings
2. Financial misstatements
3. Business or government losses
4. Federal Intervention
5. Criminal Investigations
6. Loss of public trust
7. Fraud or collusion
8. Program sustainability compromised
9. Reputational harm
10. Loss of funds
Conclusion

More Related Content

PPSX
Internal controls
PPTX
Final presentation internal controls
PPTX
INTERNAL CONTROL-PPT.pptx
PPTX
Information system control and audit
PPT
Internal Controls Topic 2.ppt
PDF
Emerging Contractors Mitigating Control Risk
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
Internal controls
Final presentation internal controls
INTERNAL CONTROL-PPT.pptx
Information system control and audit
Internal Controls Topic 2.ppt
Emerging Contractors Mitigating Control Risk
FIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.ppt

Similar to internal-controls akuntansi sistem informasi(1).ppt (20)

PPT
Finance Internal_Controls presentation ppt
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
PPTX
2010 training English.for Agribusiness and value pptx
PPT
Financial Management for Business Associations
PPTX
topic 3 internal controls..audit.pptx
PDF
Internal control system
PDF
Internal control system
PPT
Assessing risks and internal controls training
PPTX
Appreciation of Internal Controls
PPTX
Chapter 4 - Risk and Internal Control.ppt
PPTX
3. financial controllership
PPT
DECEMBER INTERNAL CONTROL FOR EFFICIENT AND EFFECTIVE SERVICE DELIVERY-1.ppt
PPTX
The Importance of Internal Controls in Fraud Prevention
 
PPTX
Chapter 2 internal control
PPTX
Significance of Internal Controls
PDF
Internal Control
PPTX
Week 4_Lecture_Internal Control_Student.pptx
PPT
Internal financial control - how ready are you - Webinar
PDF
Internal control
Finance Internal_Controls presentation ppt
FIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.ppt
2010 training English.for Agribusiness and value pptx
Financial Management for Business Associations
topic 3 internal controls..audit.pptx
Internal control system
Internal control system
Assessing risks and internal controls training
Appreciation of Internal Controls
Chapter 4 - Risk and Internal Control.ppt
3. financial controllership
DECEMBER INTERNAL CONTROL FOR EFFICIENT AND EFFECTIVE SERVICE DELIVERY-1.ppt
The Importance of Internal Controls in Fraud Prevention
 
Chapter 2 internal control
Significance of Internal Controls
Internal Control
Week 4_Lecture_Internal Control_Student.pptx
Internal financial control - how ready are you - Webinar
Internal control
Ad

Recently uploaded (20)

PDF
WRN_Investor_Presentation_August 2025.pdf
PDF
DOC-20250806-WA0002._20250806_112011_0000.pdf
PDF
Chapter 5_Foreign Exchange Market in .pdf
PPTX
Probability Distribution, binomial distribution, poisson distribution
PDF
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
DOCX
unit 1 COST ACCOUNTING AND COST SHEET
PDF
Training And Development of Employee .pdf
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
PDF
Nidhal Samdaie CV - International Business Consultant
PDF
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
PDF
A Brief Introduction About Julia Allison
PPTX
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
PPT
Data mining for business intelligence ch04 sharda
PPTX
HR Introduction Slide (1).pptx on hr intro
PDF
Outsourced Audit & Assurance in USA Why Globus Finanza is Your Trusted Choice
PDF
Unit 1 Cost Accounting - Cost sheet
PDF
How to Get Funding for Your Trucking Business
PDF
IFRS Notes in your pocket for study all the time
PPTX
New Microsoft PowerPoint Presentation - Copy.pptx
WRN_Investor_Presentation_August 2025.pdf
DOC-20250806-WA0002._20250806_112011_0000.pdf
Chapter 5_Foreign Exchange Market in .pdf
Probability Distribution, binomial distribution, poisson distribution
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
unit 1 COST ACCOUNTING AND COST SHEET
Training And Development of Employee .pdf
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
Nidhal Samdaie CV - International Business Consultant
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
A Brief Introduction About Julia Allison
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
Data mining for business intelligence ch04 sharda
HR Introduction Slide (1).pptx on hr intro
Outsourced Audit & Assurance in USA Why Globus Finanza is Your Trusted Choice
Unit 1 Cost Accounting - Cost sheet
How to Get Funding for Your Trucking Business
IFRS Notes in your pocket for study all the time
New Microsoft PowerPoint Presentation - Copy.pptx
Ad

internal-controls akuntansi sistem informasi(1).ppt

  • 2. Learning goals • Defining Internal Control & Understanding the Internal Control Framework • GAO’s Standards for Internal Control in the Federal Government • OMB Uniform Grant Guidance—requirements for internal controls • ED’s A123 Internal Control Review Process • Internal Controls and YOU • Implementing Strong Internal Controls in Your Agency • Consequences of Not having Strong Internal Controls-Avoiding the Pitfalls • Case Study • Case Study Discussion & Analysis • Conclusion/Wrap Up • Questions
  • 3. Defining internal control • Internal Control: a process effected by an entity’s oversight body, management and/or other personnel that provides reasonable assurance that the objectives of an entity will be achieved. These objectives and related risks can be classified into one or more categories: • 1. Operations: effectiveness and efficiency of operations and safeguarding of assets necessary to carry out operations. • 2. Reporting: reliable reporting for both internal and external use; this includes financial and non-financial reporting. • 3. Compliance: compliance with applicable laws and regulations. • What is an Internal Control System: a continuous built in component of operations, effected by people, that provides reasonable assurance, not absolute assurance that an entity’s objectives will be achieved. • How does all of this come together—the five components of Internal Control, as established by the General Accountability Office (GAO).
  • 4. GAO’s Standards for Internal Controls • Recently revised: GAO revised their standards--aka the Green Book--in 2014, which then became effective in 2016. • Standards to guide agency’s operations: GAO established these standards so that government agencies know what internal control is (and isn’t), how it should work effectively within agencies, how entities should use the Green Book and identification of the five key components of internal control. (The revised version highlights 17 principles within these 5 components.) • Resource not just for federal entities: The Green Book may also be used and adopted by state & local government agencies, as well as non profits. Management can determine how to appropriately apply the elements of within the Green Book to their particular agencies’ needs.
  • 5. Five Components of Internal Control
  • 6. Control Environment Control environment: this is the foundation of any internal control system. 5 principles 1. Management demonstrates commitment to integrity and ethical values. 2. Management/oversight body oversees the entity’s internal control system. 3. Management establishes an organizational structure, assigns responsibilities and delegates authority to achieve the agency’s mission and objectives. 4. Management demonstrates a commitment to recruit, train and retain competent people. 5. Management evaluates performance and holds individuals accountable for their internal control responsibilities. Management establishes the control environment and this is the system under which employees will operate.
  • 7. Control Environment (cont.) The Control Environment should ensure controls are in place, covering areas such as: • Hiring Practices • Training Programs • Whistleblower Policies • Code of Ethics • Clear lines of responsibility and authority • Grants/program administration • Fiscal management and operations Monitor & Update the Control Environment
  • 8. Control Environment (cont.) The Control Environment should be documented. Types of documentation that can be used are: • Process narratives • Organizational Charts • Flowcharts • Questionnaires • Memorandums • Checklists • Etc.
  • 9. Risk assessment Risk Assessment: identifying and assessing the potential risks facing the agency, and developing the appropriate risk mitigation tools and strategies to minimize risk occurrences. 4 Principles 1. Management defines agency objectives so that risks can be identified and risk tolerance (or risk appetite) levels can be established. 2. Management identifies, analyzes and responds to risks related to the agency achieving its mission and objectives. 3. Management considers the risk for potential fraud. 4. Management identifies, analyzes and responds to significant changes that could impact the internal control system. At all levels, management establishes the organizational priorities for how it handles its risk assessment process.
  • 10. Risk assessment (Cont.) Risk Assessment Categories to help identify and assess risks: Strategic Risk—political risk, talent and succession planning risk, risk from dependence on other organizations Financial Risk—risk of audit findings and other things that would undermine reporting integrity Compliance Risk—fraud, theft, embezzlement and/or noncompliance with regulations and requirements Operational Risk—risk that Programs may fail to meet their objectives, mishandle federal grant funds, natural disasters, lack of accessible technology, etc. Risk assessment is critical especially when agencies are facing constrained resources because it allows for targeted and strategic use of available resources.
  • 11. Risk assessment (Cont.) Risk Assessment vs. Risk Management Risk Assessment is an element of internal control within the risk management process that allows management to identify and assess key risks to achieving its objectives; this assessment forms the basis upon which control activities are determined. Risk Management is a process applied in a strategic manner across the entity, that is designed to identify and manage risks to stay within a risk appetite or risk tolerance level, to provide reasonable assurance about achieving entity goals and objectives.
  • 12. Risk assessment (Cont.) Once objective is established, apply these risk assessment factors Materiality of the amount of funds/dollars in question Complexity or difficulty of the process History of accounting or procedural (operational) adjustments Propensity for change or deviations in the process or controls This helps to assess the risk, the risk likelihood and potential impact.
  • 13. Internal Risks • Use of qualitative/quantitative methods • Change in management • Weak or unresponsive tone set by leadership • Human capital—quality and/or quantity of personnel • Rapid growth or reduction • Change in processes External Risks • Technological advances • Impact of program changes • Changing legislature • Decentralized organization operations • Natural disasters • Changing client or constituent needs or expectations Risk assessment (cont.)
  • 15. Control activities Control Activities: actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the agency’s information system. 3 Principles 1. Management designs control activities to achieve objectives and respond to risks. 2. Management designs the entity’s information system and related control activities to respond to risks. 3. Management implements control activities through written policies. Control Activities should be established by management.
  • 16. Control activities (cont.) Control Activities are the heart of the internal control system. Understanding the Types of internal control activities • Preventive—these controls help management to avoid problems before they occur. Prevent the occurrence of negative events. • Detective—these controls help to uncover issues after they’ve occurred. Identify the occurrence of a negative event. • Corrective—these controls detect if risk is present, and then elicits a response and/or corrective action.
  • 17. Control Activities (cont.) Examples of Control Activities • Approvals and authorizations (Preventive) • Reconciliations (Detective) • Independent Reviews (Detective) • Segregation of Duties (Preventive) • Training (Preventive) • Corrective Action Plan (Corrective) • Monitoring (Corrective) • Update/Implement SOPs (Corrective and/or Preventive) • Asset Security (Preventive)
  • 18. Control Activities (cont.) Manual vs. automated controls Manual controls require action(s) to be taken by an employee; automated controls are built into the network infrastructure and software applications. Automated controls are always preferable. Manual controls: •Obtain supervisor’s approval for Overtime •Reconciliation of bank accounts Automated controls: •Password protections •Data entry validation checks
  • 19. Control activities (cont.) Compensating Control • If a weakness or limitation exists within the control environment, a compensating control may be implemented to help mitigate risk. • Compensating controls can be preventive or detective. • Potential compensating controls could be: automation of certain transaction data and management review. • Compensating controls are put in place when management knows the recommended control activity is not possible with existing resources. • Segregation of duties is a very important compensating control activity. • Creates checks and balances within critical functions • One person is not responsible for initiation and approval • Fraud and error are major risks in payroll management • Always establish segregation of duties in financial and operational functions
  • 20. Information and communication Information and Communication: high quality information that management and personnel communicate and use to support the internal control system. 3 Principles 1. Management should use quality information to achieve the agency’s goals and objectives. 2. Management should internally communicate the necessary quality information to achieve the entity’s objectives. 3. Management should externally communicate the necessary information to achieve the agency’s mission and objectives. Management establishes expectations regarding what a quality information and communication system should look like, and staff follows suit.
  • 21. Information and communication (Cont.) Information employees and stakeholders need to know. • Agency initiatives • Goals • Challenges • Opportunities • Feedback • Questions • Policies and Procedures • Standards • Expectations • Incentives/Rewards • Consequences for non compliance Communication strategies have evolved in the era of social media. Agencies utilize email, text messages, Twitter, Facebook, LinkedIn, apps, mail, phone, etc. to communicate internally and externally.
  • 22. monitoring Monitoring: activities management establishes to assess the quality of performance over time and to promptly resolve management reviews or audit findings. This helps to determine if controls are working as they should. 2 Principles 1. Management establishes and operates monitoring activities to assess the internal control system and evaluate results. 2. Management remediates identified internal control deficiencies in a timely manner. Management makes monitoring a priority and uses the results of monitoring to improve and strengthen internal controls and agency operations.
  • 23. Monitoring (cont.) Monitoring activities help to determine whether internal controls are present and functioning as intended. Types of Evaluations • Ongoing Evaluations • Built into business practices • Provide timely information • Frequently conducted • Separate Evaluations • Conducted periodically • Variation in scope and frequency Evaluations can sometimes reveal deficiencies or findings. These need to be addressed and rectified in a timely manner.
  • 24. Monitoring (cont.) Monitoring/Validating Controls Deficiency in Design • A critical control is not properly designed and does not meet the control objective, or is simply ineffective. Deficiency in Operations • A critical control is designed properly but does not perform in the intended manner and is unable to address the identified risks. Monitor frequently for effectiveness • Review supporting documentation • Review reconciliations • Review policies and procedures and observe demonstrations to ensure procedures are being followed properly
  • 25. Monitoring (cont.) The Importance of supporting documentation Documentation should always be maintained to determine SOPs and protocols are being followed and authorized activities have occurred. Documentation must contain adequate information that: • Identifies who performed the work and when • Indicates the nature, timing, extent and results of the procedures performed • Enables understanding of the evidence obtained • Supports the conclusions, activities and/or purchases that are made
  • 26. OMB Uniform Grant guidance Part 200—Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards, §200.303 “Internal Controls” Non Federal Entities must execute the following (5) five actions: • (a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the award. See the Green Book and Internal Control Integrated Framework by COSO (Committee of Sponsoring Organizations of the Treadway Commission). • (b) Comply with Federal statutes, regulations, and the terms and conditions of Federal awards. • (c) Evaluate and monitor the non Federal entity’s compliance with statute, regulations and terms and conditions of Federal awards.
  • 27. OMB Uniform Grant guidance (cont.) Part 200—Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards, §200.303 “Internal Controls” Five actions cont. • (d) Take prompt action when instances of non compliance are identified including non compliance identified in audit findings. • (e) Take reasonable measures to safeguard protected personally identifiable information (PII). TAKEAWAYS: 1. Establish and implement an internal control system that complies with laws and requirements. 2. Evaluate and monitor compliance with laws and requirements. 3. Identify and communicate findings/deficiencies with key stakeholders. 4. Develop and implement a corrective action plan when deficiencies occur. Ensure CAP completion. 5. Implement procedures to protect important information. 6. Look for ways to constantly improve internal control system.
  • 28. Ed’s A-123 Internal control review process • Internal Control Review Shift: in 2008, A-123 internal control reviews at ED shifted from financial compliance audits to include the evaluation of the internal operations of ED grant-making offices. • Federal Managers Integrity Act (FMFIA): agencies must establish internal control and financial systems that provide reasonable assurance that the three objectives of internal control are achieved (effectiveness and efficiency, compliance and reliable financial reporting). FMFIA requires reporting of programs, financial reporting and financial management systems. • OMB Circular A-123 “Management’s Responsibility for Internal Controls:” promulgates the FMFIA requirement and defines management’s responsibility for implementing internal control within their agencies. • Every year ED conducts A-123 internal control reviews. Operational (programmatic/grants management) challenges are usually noted; controls and corrective actions are implemented to address concerns. • Training: employees take a mandatory annual Internal Control training to fortify knowledge and understanding of requirements.
  • 29. Your agency’s internal control review process • Every unit within your organization should have an established and transparent internal control system, codified by SOPs. This includes: property & procurement, budget, payroll, accounting office, human resources, federal grants office, etc. • Establish a system that allows for clear understanding of the entire process from start to finish. • Get staff invested and educated about what the internal control system looks like within your agency.
  • 30. Internal controls and you • Understand what internal control is and is not. There are requirements, but make sure your work is aligned with those requirements and not adding additional stress, burden or undue complexity. • Management establishes the internal control system. Employees must know and understand the internal control system, what their responsibilities are and how their actions contribute to and affect the overall system and their discrete duties. • Standardize your process. Follow procedures and document operational activities. • Personal Ownership: Take responsibility for your role and communicate any challenges or concerns to management. • Group Effort: Everyone is responsible for implementing strong internal controls in their everyday work environment. • Value: Create meaning and purpose in work, so that executing the process is ingrained in staff culture and is not viewed as burdensome or time consuming.
  • 31. Internal controls and you (cont.) Basic concepts to make Internal Controls work for you! • Establish responsibility—know who is supposed to be doing what. Key tasks need to be assigned to specific individual(s) and communicated across the agency. • Segregate Duties—maintain proper custody of assets, record transactions, authorize transactions and reconcile transactions. Create a checks and balance system to avoid theft, fraud or improprieties. • Restrict Access—do not allow just anyone to have access to critical or sensitive information. Access should be given only to those who need to complete assigned duties. • Document Procedures and Transactions—supporting documentation is critical to every business practice and operational function. Always retain documentation (electronic and manual). • Independently Verify—corroborate information.
  • 32. Implementing strong internal controls within your agency An Internal Control System is a Critical Component of Effective Grants Management 1. Any organization that is awarded federal grant funds must build a system of internal controls to effectively manage the grant funds it receives. 2. A weak internal control system can lead to mismanagement of federal grant funds. 3. Severe mismanagement can lead to serious problems, such as: special conditions, restrictions on grants including: route payments/disbursements, high risk designation, federal intervention (including monitoring and/or Technical Assistance), etc. 4. Consider developing an Internal Audit division within your agency. If your agency already has one, make sure it’s built up and operating with fidelity.
  • 33. Implementing strong internal controls within your agency (cont.) Build competence, understanding and sustainability. Build capacity; have the right people at the table and invest in training and professional development. Implement: don’t be afraid to try new things, experiment and determine what works best for your agency, and continuously review the processes implemented.
  • 34. Avoiding the pitfalls What happens when things go wrong and the internal control system fails? 1. Audit findings 2. Financial misstatements 3. Business or government losses 4. Federal Intervention 5. Criminal Investigations 6. Loss of public trust 7. Fraud or collusion 8. Program sustainability compromised 9. Reputational harm 10. Loss of funds

Editor's Notes

  • #3: What are internal Controls? Before we define it, we first need to think about what we are trying to control. In order for there to be a control, we must be trying to control something, i.e., a risk to an identified objective. So, we need to start with our objectives; what are we trying to achieve in our organization and the departments we work in? Once we establish those objectives, we can identify what risks might exist to achieving our objectives and from there, we can determine what controls we might be able to put in place to control those risks. Remember, without a risk, there is no need for an internal control.
  • #5: Internal Controls are: Continuous, since they are not just one single event but built directly into operations, and they are dynamic to accommodate an ever-changing environment; Effected by people; in other words, internal controls aren’t going to happen by themselves. If we’re introducing the risk to the process, then we also have to introduce and implement the control; Able to provide reasonable assurance, not absolute assurance. Even the best designed controls are subject to other limitations; Adaptable to the entire entity or to a particular division, business process, or other level of the organization. Five Components of Internal Control: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. These five components all operate along the three main objectives discussed earlier: operations, reporting and compliance.
  • #6: Management sets the tone to help establish the expected standards of conduct and expectation. The control environment effectuates the integrity and value of an organization as well as identifies what management’s philosophy is and its operating style.
  • #7: As previously mentioned, management is in charge of setting the stage for the agency-wide control environment. As such, managers should establish departmental policies in light of their unique mission, objectives and risk factors. As a part of your regular business processes, agencies should continually monitor and update the control environment and identify opportunities for continuous improvement.
  • #8: In order for the control environment to be effective, it must be identified and documented.
  • #10: A risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risks can be introduced by changes, for instance: new leaders, new products, new grant programs, new and emerging technologies, etc.
  • #14: The first risk strategy is avoidance, which means that the process in question should not be pursued. This would be a likely option to choose if the risk likelihood was found to be very high, and the impact to be catastrophic. The second strategy is mitigation, where we would improve controls to reduce the likelihood and impact of the process. This is where many control activities will be done. The third strategy is transfer, where responsibility is shifted to an external party. Another strategy is acceptance; this is where the organization decides to accept the risk. This would make sense if the risk likelihood was found to be somewhat unlikely, and the impact to be moderate or minimal. The final strategy listed is creation, where risk activities are strategically sought to maximize opportunities. These types of decisions should lie with senior management only.