Dept of Finance & Management
�Background
In January 2005, the Department of Finance & Management embarked on a statewide initiative to strengthen internal controls in Vermont State Government. As public sector managers and employees we are accountable for the resources entrusted to us and for ensuring our programs and services are administered effectively and efficiently. A significant component in fulfilling this responsibility is ensuring that an adequate system of internal control exists within each State government entity.
�The COSO* Definition of Internal Control
Internal control is a process, effected by an entitys board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness
and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations
* Committee of Sponsoring Organizations of the Treadway Commission
3
�Simple Definition
Internal control is what we do to see that the things we want to happen will happen
And the things we dont want to happen wont happen.
4
�Internal Controls Are Common Sense
What do you worry about going wrong? What steps have been taken to assure it doesnt?
How do you know things are under control?
5
�You exercise internal control principles in your personal life when you:
Lock-up valuable belongings Keep copies of your tax returns Balance your checkbook Keep your ATM/debit card PIN number separate from your card Make travel plans
�Why are Internal Controls Important?
Compliance with applicable laws and regulations. Accomplishment of the entitys mission. Relevant and reliable financial reporting. Effective and efficient operations.
Safeguarding of assets.
�Weak Internal Controls
Increase Risk Through
Business Interruption system breakdowns or catastrophes, excessive re-work to correct for errors. Erroneous Management Decisions based on erroneous, inadequate or misleading information. Fraud, Embezzlement and Theft by management, employees, customers, vendors, or the public-at-large.
8
Statutory Sanctions penalties arising from failure to comply with regulatory requirements, as well as overt violations. Excessive Costs/Deficient Revenues expenses which could have been avoided, as well as loss of revenues to which the organization is entitled. Loss, Misuse or Destruction of Assets unintentional loss of physical assets such as cash, inventory, and equipment.
�COSOS Internal Control Framework Five Inter-Related Standards:
Monitoring Risk Assessment
Control Environment
Information & Communication
Control Activities
10
�1. Control Environment
Foundation for all other standards of internal control. Pervasive influence on all the decisions and activities of an organization. Effective organizations set a positive tone at the top. Factors include the integrity, ethical values and competence of employees, and, managements philosophy & operating style.
11
�2. Risk Assessment
Risks are internal & external events (economic conditions, staffing changes, new systems, regulatory changes, natural disasters, etc.) that threaten the accomplishment of objectives. Risk assessment is the process of identifying, evaluating, and deciding how to manage these events What is the likelihood of the event
occurring? What would be the impact if it were to occur? What can we do to prevent or reduce the risk?
12
�3. Control Activities
Tools - policies, procedures, processes -designed and implemented to help ensure that management directives are carried out. Help prevent or reduce the risks that can impede the accomplishment of objectives. Occur throughout the organization, at all levels, and in all functions. Includes approvals, authorizations, verifications, reconciliations, security of assets, reviews of operating performance, and segregation of duties.
13
�4. Communication & Information
Pertinent information must be captured, identified and communicated on a timely basis. Effective information and communication systems enable the organizations people to exchange the information needed to conduct, manage, and control its operations.
14
�5. Monitoring
Internal control systems must be monitored to assess their effectiveness Are they operating as
intended?
Ongoing monitoring is necessary to react dynamically to changing conditionsHave controls
become outdated, redundant, or obsolete?
Monitoring occurs in the course of everyday operations, it includes regular management & supervisory activities and other actions personnel take in performing their duties.
15
�Your Organization Benefits from Strong Internal Controls by:
Reducing and preventing errors in a costeffective manner. Ensuring priority issues are identified and addressed. Protecting employees & resources. Providing appropriate checks and balances. Having more efficient audits, resulting in shorter timelines, less testing, and fewer demands on staff.
16
�Effective Internal Controls
Make sense within each organizations unique operating environment. Benefit rather than encumber management.
Are not stand-alone practices; they are woven into day-to-day responsibilities.
Are cost-effective.
17
�Important Concepts
Internal control is a process; it is a means to an end, not an end itself. Internal control is effected by people; its not merely policy manuals and forms but people at every level of an organization. Internal control can be expected to only provide reasonable assurance, not absolute assurance.
18
�Five Key Internal Control Activities
19
�1. Separation of Duties
Divide responsibilities between different employees so one individual doesnt control all aspects of a transaction. Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.
20
�2. Documentation
Document & preserve evidence to substantiate: Critical decisions and significant events...typically involving the use, commitment, or transfer of resources. Transactionsenables a transaction to be traced from its inception to completion. Policies & Proceduresdocuments which set forth the fundamental principles and methods that employees rely on to do their jobs.
21
�3. Authorization & Approvals
Management documents and communicates which activities require approval, and by whom, based on the level of risk to the organization. Ensure that transactions are approved and executed only by employees acting within the scope of their authority granted by management.
22
�4. Security of Assets
Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce the risk of loss or unauthorized use. Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization. Base the level of security on the vulnerability of items being secured, the likelihood of loss, and the potential impact should a loss occur.
23
�5. Reconciliation & Review
Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance. Base level of review on materiality, risk, and overall importance to organizations objectives. Ensure frequency is adequate enough to detect and act upon questionable activities in a timely manner.
24
�The Dept of Finance & Management provides organizations with guidance & support to improve Internal Controls through the following resources: Self-Assessment of Internal Control Internal Control Standards Guide Best Practices series Quarterly Newsletter F&M Policies VISION Procedures Operational Reviews
25
