You are on page 1of 28

INTERNAL CONTROLS 101

Office of the Provincial


Controller Division

Lets start the day with a quick


refresh
Today we have some great speakers who are internal control
experts to provide presentations and answer your questions on
Internal Controls
Lets get the day started with some general concepts and
terminology to remind ourselves of the basics we already know
and use everyday.
As public sector managers and employees we are accountable for
the resources entrusted to us and for ensuring our programs and
services are administered effectively and efficiently.
A significant component in fulfilling this responsibility is ensuring
that an adequate system of internal control exists and work

Office of the Provincial


Controller Division

The COSO* Definition of Internal


Control
Internal control is a process, effected by an entitys
board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:

Effectiveness and efficiency of operations


Reliability of financial reporting
Compliance with applicable laws and regulations

* Committee Of Sponsoring Organizations of the Treadway


Commission

Office of the Provincial


Controller Division

Simple Definition
Internal control is what we do to see that the
things we want to happen will happen

And the things we dont want to happen


wont happen.
Office of the Provincial
Controller Division

Internal Controls Are Common Sense


What do you worry about going wrong?
What steps have been taken to assure it
doesnt?
How do you know things are under control?

Office of the Provincial


Controller Division

Internal Controls are everywhere:


You exercise internal control principles in your
personal life when you:
Lock your house when you leave
Keep copies of important papers in your safety
deposit box
Balance your checkbook
Keep your ATM/debit card PIN number separate
from your card
Make travel plans

Office of the Provincial


Controller Division

Objectives of Internal Controls


Strategic high-level goals and objectives, aligned
with and supporting the mission.
Operational effective and efficient use of
resources.
Reporting integrity and reliability of reporting.
Compliance compliance with applicable laws and
regulations.
Stewardship protection and conservation of assets.

Office of the Provincial


Controller Division

Business analysis, program design


or
think C.A.R.E.S.

Compliance with applicable laws and regulations.


Accomplishment of the entitys mission (objectives
and goals).
Relevant and reliable financial reporting.
Effective and efficient operations.

Safeguarding of assets.

Can anyone think of anything in the Public Service that is not


impacted by internal controls?

Office of the Provincial


Controller Division

The big picture


Internal controls are a key component to Enterprise Risk Management
(ERM)
a process, effected by an entitys board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within
its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives.

The Provincial government has embraced a risk based approach through


all aspects of its operations
Results based plans
Transfer Payment Accountability Directive
Quarterly risk reporting
Certificate of Assurance and Audit
Accountability and Transparency (Accountability Directive FAA, FTAA etc.)

Office of the Provincial


Controller Division

Weak Internal Controls Increase Risk


Through

Business Interruption - system breakdowns or catastrophes,


excessive re-work to correct for errors.

Erroneous Management Decisions - based on erroneous,


inadequate or misleading information.

Fraud, Embezzlement and Theft -by management,


employees, customers, vendors, or the public-at-large.

Statutory Sanctions- penalties arising from failure to comply


with regulatory requirements, as well as overt violations.

Excessive Costs/Deficient Revenues - expenses which could


have been avoided, as well as loss of revenues to which the
organization is entitled.

Loss, Misuse or Destruction of Assets -unintentional loss of


physical assets such as cash, inventory, and equipment.
Office of the Provincial
Controller Division

10

But too much of a good thing.


When looking at controls
More is not necessarily better
Controls that do not work together leaving holes
Cost of duplicated or inefficient controls.
Controls that do not align with the importance of the risks

Complex and poorly implemented controls


Not understood or followed
Inconsistently applied
Control effectiveness can degrade over time

No value for money


Controls cost money
Duplication of ineffective controls do not provide benefits

Office of the Provincial


Controller Division

11

COSOS Internal Control


Framework
Five Inter-Related Standards:
Monitoring

Risk
Assessment

Control
Environment
Information &
Communication

Control
Activities

Office of the Provincial


Controller Division

12

1. Control Environment

Foundation for all other standards of internal control.


Pervasive influence on all the decisions and activities of
an organization.
Effective organizations set a positive tone at the
top.
Factors include the integrity, ethical values and
competence of employees, and, managements
philosophy & operating style.
Examples of soft controls:

Management philosophy
Organizational structure
Communication
Competency of employees

Office of the Provincial


Controller Division

13

Public Service of Ontario Act (PSOA)


The following are the purposes of this Act:
1.To ensure that the public service of Ontario is effective in serving the public, the
government and the Legislature.
2.To ensure that the public service of Ontario is non-partisan, professional, ethical and
competent.
3.To set out roles and responsibilities in the administration of the public service of Ontario.
4.To provide a framework in law for the leadership and management of the public service of
Ontario.
5.To set out rights and duties of public servants concerning ethical conduct.
6.To set out rights and duties of public servants concerning political activity.
7.To establish procedures for the disclosure and investigation of wrongdoing in the public
service of Ontario and to protect public servants who disclose wrongdoing from reprisals.

Office of the Provincial


Controller Division

14

2. Risk Assessment

Risks are internal & external events (economic


conditions, staffing changes, new systems,
regulatory changes, natural disasters, etc.) that
threaten the accomplishment of objectives.
Risk assessment is the process of identifying,
evaluating, and deciding how to manage these
events What is the likelihood of the event
occurring? What would be the impact if it were to
occur? What can we do to prevent or reduce the risk?

Have any of you been through a risk assessment with Internal Audit or an
outside party?

Office of the Provincial


Controller Division

15

3. Control Activities

Tools - policies, procedures, processes -designed and


implemented to help ensure that management
directives are carried out.
Help prevent or reduce the risks that can impede the
accomplishment of objectives.
Occur throughout the organization, at all levels, and
in all functions.
Includes training, approvals, authorizations,
verifications, reconciliations, security of assets,
reviews of operating performance, and segregation of
duties.
Types of Controls

Preventative
Detective
Office of the Provincial
Controller Division

16

4. Communication and Information

Pertinent information must be captured, identified


and communicated on a timely basis.
Effective information and communication systems
enable the organizations people to exchange the
information needed to conduct, manage, and
control its operations.

Office of the Provincial


Controller Division

17

5. Monitoring
Internal control systems must be monitored to
assess their effectiveness Are they operating as
intended?
Ongoing monitoring is necessary to react
dynamically to changing conditionsHave controls
become outdated, redundant, or obsolete?
Monitoring occurs in the course of everyday
operations, it includes regular management &
supervisory activities and other actions personnel
take in performing their duties.
Periodic testing can be done by the process owner,
internal audit and external audit.

Office of the Provincial


Controller Division

18

Benefits from Strong Internal


Controls

Reducing and preventing errors in a costeffective manner.


Ensuring priority issues are identified and
addressed.
Protecting employees & resources.
Providing appropriate checks and balances.
Having more efficient audits, resulting in
shorter timelines, less testing, and fewer
demands on staff.

Office of the Provincial


Controller Division

19

Effective Internal Controls

Make sense within each organizations


unique operating environment.

Benefit rather than encumber


management.

Are not stand-alone practices; they are


woven into day-to-day responsibilities.

Are cost-effective.

Office of the Provincial


Controller Division

20

Important Concepts

Internal control is a process;

it is a means to an end, not an end itself.

Internal control is effected by people; its


not merely policy manuals and forms but
people at every level of an organization.

Internal control can be expected to only


provide reasonable assurance, not absolute
assurance.
Office of the Provincial
Controller Division

21

Five Key
Internal Control
Activities

Office of the Provincial


Controller Division

22

1. Separation of Duties

Divide responsibilities between different


employees so one individual doesnt control
all aspects of a transaction.
Reduce the opportunity for an employee to
commit and conceal errors (intentional or
unintentional) or perpetrate fraud.

Office of the Provincial


Controller Division

23

2. Documentation
Document & preserve evidence to substantiate:
Critical decisions and significant
events...typically involving the use,
commitment, or transfer of resources.
Transactionsenables a transaction to be
traced from its inception to completion.
Policies & Proceduresdocuments which set
forth the fundamental principles and methods
that employees rely on to do their jobs.

Office of the Provincial


Controller Division

24

3. Authorization & Approvals

Management documents and communicates


which activities require approval, and by whom,
based on the level of risk to the organization.
Ensure that transactions are approved and
executed only by employees acting within the
scope of their authority granted by
management.

DOA

Office of the Provincial


Controller Division

25

4. Security of Assets

Secure and restrict access to equipment,


cash, inventory, confidential information,
etc. to reduce the risk of loss or
unauthorized use.
Perform periodic physical inventories to
verify existence, quantities, location,
condition, and utilization.
Base the level of security on the
vulnerability of items being secured, the
likelihood of loss, and the potential impact
should a loss occur.
Office of the Provincial
Controller Division

26

5. Reconciliation & Review

Examine transactions, information, and events


to verify accuracy, completeness,
appropriateness, and compliance.
Base level of review on materiality, risk, and
overall importance to organizations objectives.
Ensure frequency is adequate enough to detect
and act upon questionable activities in a timely
manner.

Timing of reconciliations and monitoring

Office of the Provincial


Controller Division

27

Today, tomorrow and the next day


Think about C.A.R.E.S. when ever you are
providing analysis or developing policies or
implementing programs
Beware of the pitfalls more is not always better,
controls must be maintainable
Think about the things that worry you in your job
and try to think of how internal controls could help
elevate your worry.

Office of the Provincial


Controller Division

28

You might also like