INtERNAl CoNtRols TRAiNiNG, Exams of Credit and Risk Management

Download INtERNAl CoNtRols TRAiNiNG and more Exams Credit and Risk Management in PDF only on Docsity! INTERNAL CONTROLS TRAINING ve FINANCE 1 UNIVERSITY OF MICHIGAN Internal Controls • Fraud • Separation of duties • SOA Reconciliation What do you think of when someone mentions Internal Controls? • University Audits • P-Cards • Article on front page of Ann Arbor News 2 Internal Controls Myths and Facts MYTHS: Internal control starts with a strong set of policies and procedures. Internal control: That’s why we have internal auditors! Internal control is a finance thing. Internal controls are essentially negative, like a list of “thou-shalt-nots.” Internal controls take time away from our core activities of research, instruction, and patient care. FACTS: Internal control starts with a strong control environment. While internal auditors play a key role in the system of control, management is the primary owner of internal control. Internal control is integral to every aspect of business. Internal control makes the right things happen the first time. Internal controls should be built “into,” not “onto” business processes. Source: Institute of Internal Auditors, 2003 5 Risk and Internal Controls What are risks? A risk is anything that could jeopardize: • Achieving our goals • Operating effectively and efficiently • Protecting the university’s assets from loss • Providing reliable financial data • Complying with applicable laws, policies, and procedures 6 Risk and Internal Controls Questions to ask yourself: • What can go wrong? • How could someone steal from us? • What policies are we most affected by? • What types of transactions in our area provide the greatest risk? • How can someone bypass the internal controls? • What potential risk areas could cause adverse publicity? 7 Top Ten Areas of Decentralized Control/Compliance Attention Where have there been recent unfortunate publicized events across the country? 1. Use of P-Cards for personal benefit 2. Undocumented/approved compensation and/or benefit arrangements 3. Imprudent travel and entertainment expenses 4. Inappropriate charging of restricted funds (e.g., gifts, grants, etc.) 5. Localized receipt of cash and off book bank accounts 6. Purchasing practices not appropriately followed 7. Untimely or cursory reviews of departmental expense activity 8. Undocumented and/or approved expense transfers 9. Inaccurate account coding of expense and revenue activity 10. International activities not in compliance with policies * List developed by John Mattie, PwC U.S. Education & Nonprofit Practice Leader – presented at UM Internal Controls Forum in March 2013 10 Types of Internal Controls Controls can be either automated or manual • Automated Controls – Incorporated into application logic / algorithms – Example: System automatically searches for a matching PO before paying an invoice • Manual Controls – Performed by individuals outside of the system or application – Example: Supervisor’s signature on P-Card statement 11 Types of Internal Controls Controls can be either preventive or detective • Preventive Controls – Built into the process or system to avoid or minimize risk. Helps make processes more efficient and can reduce cost of corrective actions. – Example: Access Controls - - Only individuals with approved M1 access can perform transactions in MPathways • Detective Controls – Provides a process assessment to identify potential issues for further review – Example: Unit reconciles Gross Pay Register to ensure all transactions are correct – Example: Payroll reviews any invalid shortcode charges 12 CAVR and Your Checkbook When you reconcile your checkbook every month, you are going through the CAVR steps: Completeness • Did the bank process all the checks that I wrote this month? • Did the bank process all the checks correctly - - the right amount? • Were all the checks processed by the bank written by me? Did someone else have access to my checkbook? 15 Accuracy Validity Restrictiveness • CAVR and the Gross Pay Register Completeness • All employees that should be in a unit, are in the unit • The pay for a new hire starting in the middle of a month is correct • Additional pay was approved by appropriate person Person processing changes in pay is not reconciling GPR Accuracy Validity Restrictiveness • 16 Types of Internal Controls Automated Controls Manual Controls Preventive Detective Preventive Detective Completeness Accuracy Validity Restrictiveness 17 Component General Description Examples of UM Activity Control Environment Sets tone of organization Standard Practice Guides Statement on Stewardship Finance, Audit and Investment Committee Risk Assessment Identification and analysis of relevant risks Internal Audit Risk Assessment Risk Management, Compliance Offices Control Activities Policies and procedures that govern day-to-day activity P-Card Approvals, SOA reconciliations, separation of duties, written procedures, access controls Information and Communication Flow of timely, accessible and pertinent information Foundations of Supervision, metric reporting, management reviews, websites, annual performance reviews Monitoring Assessment of controls Internal Audit, annual gap analysis, M- Reports, Oversight reports Internal Control Framework 20 What is Fraud? Fraud - Typically requires 3 key elements: 1) Did something bad/wrong - - misrepresentation of facts 2) Done intentionally 3) Resulted in unauthorized personal gain 21 Who Commits Fraud? Those having: • Pressure - Usually caused by financial need or desire for lavish lifestyle • Ability to rationalize – Make excuses and do not think of crime as stealing • Opportunity – Typically arises from weak controls or too much independence/ control given to someone 22 How Occupational Fraud is Committed Occupational Fraud by Category – Median Loss Source: 2020 ACFE Report to the Nations on Occupational Fraud & Abuse - study of 2,504 fraud cases 25 $130,000 $200,000 $1,000,000 $125,000 $200,000 $975,000 $114,000 $250,000 $800,000 $100,000 $200,000 $954,000 $0 $200,000 $400,000 $600,000 $800,000 $1,000,000 $1,200,000 Asset Misappropriation Corruption Financial Statement Fraud 2020 2018 2016 2014 How is Fraud Detected? 26 Source: 2020 ACFE Report to the Nations on Occupational Fraud & Abuse - study of 2,504 fraud cases 42% 14% 16% 7% 7% 15% 39% 17% 13% 6% 6% 20% 40% 15% 13% 7% 5% 21% 43% 15% 12% 5% 4% 6% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Tip Internal Audit Management Review By Accident Account Reconciliation Other 2020 2018 2016 2014 Control Weaknesses that Contributed to Fraud 27 Source: 2020 ACFE Report to the Nations on Occupational Fraud & Abuse - study of 2,504 fraud cases Lack of internal  controls 32% Override of existing  controls 18% Lack of manangement  review 18% Poor tone at the top 10% Lack of competent  personnel in oversight  roles 6% Other 16%