FM Controls 101

Internal Controls– What are they and why should I care?

Donald Harvey, CPA,CIA

1
2
Course Objective

1. Understand what internal control is and define the

various types of internal controls.

2. Understand the approach you should use to identify

controls within your work stream.

3
What is Internal Control?

• Internal control is a process, effected by an entity’s

board of directors , management and other
personnel, designed to provide reasonable assurance
regarding the achievement of the following objectives:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations

Reasonable Assurance: includes the understanding that there is a remote likelihood that material misstatements will
not be prevented or detected on a timely basis.

4
 12/07/21

Internal Control Key Concepts

• Internal control is a “process”. It’s a means to an end, not

an end in itself.
• Internal control is affected by “people”. It’s not merely
policy manuals and forms, but people at every level of the
organization.
• Management, not auditors, must establish and maintain the
entity’s controls
• No system can be regarded as completely effective
• Should be applied to both manual and computerized
systems

5
 Elements of Internal Controls
Internal Controls consists of five interrelated components

1.Control Environment

2.Risk Assessment

3.Control Activities

4.Information and Communication

5.Monitoring

6
 Elements of Internal Controls

1.Control Environment: The control environment establishes the overall tone for
the organization and is the foundation for all other components of internal control.

•There are seven sub-components of the control environment:

• Integrity and ethical values
• Commitment to competence and development of people
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and procedures
• Participation by those charged with governance (i.e. board of directors, audit
committee)

7
 Elements of Internal Controls (cont.)

2.Risk Assessment: For an entity to exercise effective control, it must establish

objectives and understand the risks it faces in achieving those objectives.

•The process of identifying and analyzing risks is an ongoing iterative process. The
sub-components for the risk assessment include:

• Entity-wide objectives: Does the entity have approved entity-wide objectives

that are aligned with the strategic plan?
• Activity-level objectives: Are activity-level objectives consistent with entity-
wide objectives and are the relevant?
• Risk Analysis: Are there mechanisms to identify risks and to prevent the
entity from achieving its objectives from both internal and external sources?
Is the process thorough and relevant?
• Mechanisms for change: Are there adequate mechanisms to identify change
for routine events and for events that may have a pervasive impact on the
entity?
8

8
 Elements of Internal Controls (cont.)
3.Control Activities: Control activities are the controls implemented to prevent or
detect errors or fraud that could result in material misstatement in financial
statements. Control activities occur throughout the organization, at all levels, and in
all functions.
• Authorization & Approvals – All • Physical Safeguards and
transactions are pre-approved by Security – Access to physical
responsible personnel assets and information systems
• Completeness – All valid are controlled and properly
transactions are included in the restricted to authorized personnel
accounting • Error Handling – Errors detected
• Accuracy – All valid transactions are at any stage of processing receive
accurate, consistent with the prompt corrective action and are
originating transaction data, and reported to the appropriate level of
information is recorded in a timely management.
manner • Segregation of Duties – Duties
• Validity – All recorded transactions are assigned to individuals in a
fairly represent the economic events manner that ensures that no one
that actually occurred, are lawful in individual can control both the
nature, and have been executed in recording function and the
accordance with management’s procedures relative to processing
9 general authorization. a transaction.
9
 Elements of Internal Controls (cont.)
4.Information and Communication: Pertinent information must be identified,
captured and communicated in a form and timeframe that enables people to carry
out their responsibilities.

•Types of information to consider when evaluating the information and

communication component of a company’s internal control.
• Accounting Systems
• Policy Manuals (including financial reporting manuals)
• Management’s Reports
• Accounting Policy Updates
• Technical Updates
• Training
• Newsletters
• Staff Meetings

10

10
 Elements of Internal Controls (cont.)

5.Monitoring: Effective monitoring is a process that assesses the quality of the

system’s performance over time. It includes the regular management activities as
well as separate evaluations by central units, Internal Audit, or other independent
parties.

•Examples of monitoring controls:

• Management Reviews
• Internal Audits
• Audit Committee Activities
• Disclosure Committee Activities
• Self-Assessment Review

11

11
 Types of Internal Controls
There are two primary types of internal controls:
•Preventive Controls: designed to keep errors or irregularities from
occurring in the first place

•Detective Controls: designed to detect errors or irregularities that may

have occurred

12

12
How Do I Use This?
When documenting sub-processes make sure that both preventive and detective
controls are in place for each of the seven control activities.

Control Activities
1. Authorization & Approvals
2. Completeness
3. Accuracy
4. Validity
5. Physical Safeguards and Security
6. Error Handling
7. Segregation of Duties
Control Types
1. Preventive Controls
2. Detective Controls

13

13
 Workstream Approach -‘What Can Go Wrong’
Use the ‘What Can Go Wrong’ Approach to identify and document the controls
related to your workstream.
Proposed Workstream Approach:
1.Identify and document controls related to the A-133 Audit Findings for your
workstream (first priority)
2.Identify and document other primary controls for your workstream by using the
control activities (second priority)
Process What Can Go Wrong Control Activity Controls (P-Preventive; D-Detective)
What ensures that timecards correctly
Completeness Time reports are reviewed & approved before payment (P)
summarize time worked?

-Access to data/transaction files is appropriately restricted (P)

Payroll
What ensure that payments are not -System will not generate paychecks for terminated employees (P)
Validity
made for time not worked? -Time reports are reviewed & approved before payment (P)
-Costs by department are compared to budget (D)

-Approvals is required for changes to vendor master files (P)

-Disbursements greater than specified dollar amounts require
Expenditures What ensures that expenditures are real? Validity additional approval (P)
-System matches purchase order, receiving report, and invoice prior
to payment (P)
14

14
 Who is accountable for assurance that
appropriate internal controls are in place?

Management!!!!

15

15
Who is responsible for the performance of
internal control activities?

Everyone!!!!

16

16
Questions!

17

17