Internal Controls for University Staff

The document discusses internal controls, including definitions, frameworks, myths and facts, assessing risk, types of controls, and top audit findings. Internal controls are processes designed to provide reasonable assurance regarding objectives related to operations, compliance, and financial reporting. Risks, decentralized controls, and the CAVR model are also covered.

Uploaded by

cooleenjzi

Internal Controls

Training

1
Internal Controls
What do you think of when someone mentions Internal Controls?

• Fraud
• Separation of duties
• SOA Reconciliation
• University Audits
• P-Cards
• Article on front page of Ann Arbor News

2
Internal Control Definition
Internal Control is a process designed to provide reasonable
assurance regarding the achievement of objectives in the
following three categories:

• Effectiveness and Efficiency of Operations - Processes are doing what they are intended to do (i.e., achieving their objectives), and doing so in an efficient manner - i.e., making good use of available resources.
• Compliance with Laws and Regulations - Actions are consistent with all applicable laws and regulations.
• Reliability of Financial Reporting - Accuracy and reliability of Financial Statements.

3
Internal Control Framework

Central Financial Processes
• Reviewed annually by external auditors
• Reviewed periodically by internal audit

Unit Financial Functions
• Highly decentralized process with individual control processes
• Relies heavily on institutional knowledge and often undocumented processes
• Oversight may rely on faculty and other non-financial leadership

Optimized Control Environment
• Ongoing integrated process to connect central process owners with Units
4
Internal Controls Myths and Facts
MYTH: Internal control starts with a strong set of policies and procedures.
FACT: Internal control starts with a strong control environment.

MYTH: Internal control: That’s why we have internal auditors!
FACT: While internal auditors play a key role in the system of control, management is the primary owner of internal control.

MYTH: Internal control is a finance thing.
FACT: Internal control is integral to every aspect of business.

MYTH: Internal controls are essentially negative, like a list of “thou-shalt-nots.”
FACT: Internal control makes the right things happen the first time.

MYTH: Internal controls take time away from our core activities of research, instruction, and patient care.
FACT: Internal controls should be built “into,” not “onto” business processes.

Source: Institute of Internal Auditors, 2003


5
Risk and Internal Controls
What are risks?
A risk is anything that could jeopardize:
• Achieving our goals
• Operating effectively and efficiently
• Protecting the university’s assets from loss
• Providing reliable financial data
• Complying with applicable laws, policies, and
procedures

6
Risk and Internal Controls
Questions to ask yourself:
• What can go wrong?
• How could someone steal from us?
• What policies are we most affected by?
• What types of transactions in our area provide
the greatest risk?
• How can someone bypass the internal controls?
• What potential risk areas could cause adverse
publicity?
7
Assessing Risk

[Figure: risk matrix with axes "Likelihood of Occurrence" and "Impact"; quadrants labeled "Mitigate and Control Risk", "Control Risk", "Share Risk", and "Accept Risk"]

8
Risk and Internal Controls
What could go wrong in your unit?
• Fire breaks out in research lab
• Key local system/application goes down
• Key employee calls in sick
• Media becomes aware of P-Card fraud
• Safety or security incident with
faculty/student/staff member overseas
• Cash missing from departmental funds
• Faculty hires family member inappropriately

9
Top Ten Areas of Decentralized
Control/Compliance Attention
Where have there been recent unfortunate publicized events across the
country?
1. Use of P-Cards for personal benefit
2. Undocumented/approved compensation and/or benefit arrangements
3. Imprudent travel and entertainment expenses
4. Inappropriate charging of restricted funds (e.g., gifts, grants, etc.)
5. Localized receipt of cash and off book bank accounts
6. Purchasing practices not appropriately followed
7. Untimely or cursory reviews of departmental expense activity
8. Undocumented and/or approved expense transfers
9. Inaccurate account coding of expense and revenue activity
10. International activities not in compliance with policies
* List developed by John Mattie, PwC U.S. Education & Nonprofit Practice Leader – presented at UM Internal Controls Forum in
March 2013

10
Types of Internal Controls
Controls can be either automated or manual
• Automated Controls – Incorporated into
application logic / algorithms
– Example: System automatically searches for a
matching PO before paying an invoice
• Manual Controls – Performed by individuals
outside of the system or application
– Example: Supervisor’s signature on P-Card
statement

11
Types of Internal Controls
Controls can be either preventive or detective
• Preventive Controls – Built into the process or
system to avoid or minimize risk. Helps make
processes more efficient and can reduce cost of
corrective actions.
– Example: Access Controls - Only individuals with approved
M1 access can perform transactions in MPathways
• Detective Controls – Provides a process assessment
to identify potential issues for further review
– Example: Unit reconciles Gross Pay Register to ensure all
transactions are correct
– Example: Payroll reviews any invalid shortcode charges

12
Types of Internal Controls
While Automated Controls are generally more effective,
Preventive Controls are typically more efficient

[Figure: 2x2 grid with vertical axis "Level of Reliability (Effective)" and horizontal axis "Level of Economic Value (Efficient)"; top row: Automated Detective, Automated Preventive; bottom row: Manual Detective, Manual Preventive]


13
Types of Internal Controls
Controls - particularly related to information processing -
support the following objectives or assertions:

• Completeness – All transactions are processed (once and only once)
• Accuracy – All transactions are processed correctly
• Validity – All transactions are authorized or approved by appropriate person
• Restrictiveness – Access to certain functions is restricted to appropriate persons
14
CAVR and Your Checkbook
When you reconcile your checkbook every month,
you are going through the CAVR steps:
• Completeness – Did the bank process all the checks that I wrote this month?
• Accuracy – Did the bank process all the checks correctly - the right amount?
• Validity – Were all the checks processed by the bank written by me?
• Restrictiveness – Did someone else have access to my checkbook?
15
CAVR and the Gross Pay Register

• Completeness – All employees that should be in a unit are in the unit
• Accuracy – The pay for a new hire starting in the middle of a month is correct
• Validity – Additional pay was approved by appropriate person
• Restrictiveness – Person processing changes in pay is not reconciling GPR

16
Types of Internal Controls

[Table: columns "Automated Controls" (Preventive, Detective) and "Manual Controls" (Preventive, Detective); rows Completeness, Accuracy, Validity, Restrictiveness]
17
Top Ten Financial Related Audit Findings
Based on FY2015 - FY2016 Financial Related Results

*1. Tracking & Management of Inventory / Assets
*2. Physical / System Access After Termination
*3. Conflict of Interest / Commitment
*4. Accounts Receivable / Billing Accuracy – Rates / Coding
*5. Separation of Duties
6. Training – Cash / Merchant / Concur Approver (New)
*7. Employment / Time Keeping Approval (New)
*8. Lack of Defined / Documented Process (New)
9. Cash Handling – Receiving Checks / Timeliness of Deposits
*10. SOA Reconciliation
* Includes one or more high priority audit findings

18
The Five Components of a Strong
Internal Control Framework
Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.

Control Environment
• Sets tone of organization, influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

All five components must be in place for internal control to be effective.

19
Internal Control Framework

Component: Control Environment
• General Description: Sets tone of organization
• Examples of UM Activity: Standard Practice Guides; Statement on Stewardship; Finance, Audit and Investment Committee

Component: Risk Assessment
• General Description: Identification and analysis of relevant risks
• Examples of UM Activity: Internal Audit Risk Assessment; Risk Management, Compliance Offices

Component: Control Activities
• General Description: Policies and procedures that govern day-to-day activity
• Examples of UM Activity: P-Card Approvals, SOA reconciliations, separation of duties, written procedures, access controls

Component: Information and Communication
• General Description: Flow of timely, accessible and pertinent information
• Examples of UM Activity: Foundations of Supervision, metric reporting, management reviews, websites, annual performance reviews

Component: Monitoring
• General Description: Assessment of controls
• Examples of UM Activity: Internal Audit, annual gap analysis, M-Reports, Oversight reports

20
What is Fraud?

Fraud - Typically requires 3 key elements:
1) Did something bad/wrong - misrepresentation of facts
2) Done intentionally
3) Resulted in unauthorized personal gain

21
Who Commits Fraud?
Those having:
• Pressure - Usually caused by
financial need or desire for lavish
lifestyle
• Ability to rationalize – Make
excuses and do not think of crime
as stealing
• Opportunity – Typically arises
from weak controls or too much
independence/ control given to
someone

22
Who Commits Fraud?

• 55% between ages of 31-45
• 69% are Male
• 42% 1-5 yrs experience ($100k Median Loss)
• 23% >10 yrs experience ($250k Median Loss)
• 88% Never charged or convicted

Source: 2016 ACFE Report to the Nations on Occupational Fraud & Abuse - study of 2,410 fraud cases
23
How Occupational Fraud is Committed
Occupational Fraud by Category - Frequency

Source: 2016 ACFE Report to the Nations on Occupational Fraud & Abuse - study of 2,410 fraud cases
24
How Occupational Fraud is Committed
Occupational Fraud by Category – Median Loss

Source: 2016 ACFE Report to the Nations on Occupational Fraud & Abuse - study of 2,410 fraud cases
25
How is Fraud Detected?

Source: 2016 ACFE Report to the Nations on Occupational Fraud & Abuse - study of 2,410 fraud cases
26
Control Weaknesses that
Contributed to Fraud

Source: 2016 ACFE Report to the Nations on Occupational Fraud & Abuse - study of 2,410 fraud cases
27
Internal Controls and Efficiency
It’s not always about fraud:
• Controls help prevent/detect human error
– System input errors
• Automation can eliminate risk and increase
efficiency
– Direct time entry eliminating hardcopy
timesheets
• Redundant or unnecessary steps
– Reconciling GPR to SOA
28
University of Michigan Compliance Hotline
• 1-866-990-0111
[Link]
• A website and dedicated phone number available to all
faculty and staff as an additional avenue to report
potential concerns in three specific areas:
– Financial Management
– Regulatory Adherence
– Patient Safety
• Does not replace existing reporting mechanisms in the
Health System or on campus
• Managed by a third-party vendor; allows 24-hour
availability and callers may remain anonymous
29
Internal Control Related Resources
• The Office of Internal Controls website: [Link]
  – Provides guidance, support tools, and documents
  – Helps units across campus manage financial related processes
• Contact The Office of Internal Controls: [Link]
  – Brent Haase, Internal Controls Manager: 734.763.0260 or haasebr@[Link]
  – Kay Bressler, Internal Controls Data Analyst: 734.763-4359 or bressler@[Link]
  – Emily Shields, Internal Controls Analyst: 734.615.0121 or shiea@[Link]
• University Audits website: [Link]
• Compliance Resource Center website: [Link]
• Compliance Hotline website: [Link]

30