INTERNAL CONTROL PROGRAM Presented to Managers What Is

INTERNAL CONTROL PROGRAM Presented to Managers

What Is Internal Control INTERNAL CONTROLS are the integration of the activities, plans, attitudes, policies and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission. Simply put -

What is Internal Controls are actions taken to make sure the right things happen --- -- and the wrong things don’t.

What is the Purpose of Internal Controls t and n e i ffic and e s e n t o tio Prom e opera lity ua tiv q c e e f f c ices e u v r d e o pr ds n a s uct d o r p Safeg uard r again st loss esources du abuse , mism e to waste errors anagemen , t, and fr aud Ensure adhe rence to law s, regulations, contracts an d managemen t directives intain a m d n a Develop data, and reliable nt the e s e r p y l accurate ely reports tim data in

What is is the Purpose of of What Internal Controls Internal Compliance with laws and policies Accomplishment of mission Relevant and reliable data Economical and efficient use of resources Safeguard assets

Internal Control System Components Monitoring Assess internal control performance at ic un m m n Identification and analysis of relevant risks to achievement of objectives io Risk Assessment at Co m r fo Tools that help prevent or reduce risk In io n Control Activities Control Environment Sets the tone for the organization The foundation for all other components of internal control

Who is Responsible for Internal Control Everyone in an organization has responsibility for internal control. Senior Management sets the “tone at the top” that affects integrity, ethics and other factors of a positive control environment.

Components of the Control Environment Component Management Responsibilities ØEstablish the overall management style, philosophy and “tone” ØApprove and monitor the organization’s mission and strategic plan ØEnsure and provide accountability ØRecognize and respond to risks – both internal and external ØAccept regulatory control imposed by others ØSupport and be responsive to internal and external audits and evaluations

Components of the Control Environment Component Management Responsibilities ØEstablish and communicate a code of conduct ØComply with the organization’s values and code of conduct ØEstablish methods for reporting ethical violations ØEnforce disciplinary practices for all ethical violations ØEstablish levels of knowledge and skill required for every position ØVerify qualifications of job candidates ØProvide training programs that help employees increase their knowledge and skills

Components of the Control Environment Component Management Responsibilities ØEmploy minimal and guarded use of control overrides ØDemonstrate responsiveness to issues raised as the result of the evaluations and audits ØEnsure employees’ opinions and contributions are welcomed, valued and recognized ØSupport and participate in ongoing education to ensure everyone understands the system of internal control and their role in it

Control Environment Setting the proper control environment is crucial to the effective implementation of all the other elements of internal control. Staff will take their cue from the attitude and example displayed by management.

RISK AND RISK ASSESSMENT

Risk and Risk Assessment � RISKS are events that threaten the accomplishment of objectives. They ultimately impact an organization’s ability to accomplish its mission. Risk is things that can go wrong and things that need to happen that affect efforts to succeed.

Risk Categories Risks can be categorized as follows: ØStrategic ØFinancial ØLegal/Compliance ØOperational

Risk Categories �Strategic Risks are those which affect an institution’s ability to achieve its goals. �Financial Risks are those which may result in a loss of asset. �Legal or Compliance Risks are those that may result in non-compliance with either external laws and regulations or internal policies and procedures. �Operational Risks are those which affect the day-to-day processes.

Risk Management �Address the risks identified from the vulnerability assessment: Ø Risk assumption – impact and likelihood low (do not establish control activities) Ø Risk control – take action to lower the probability or eliminate the risk (establish control activities) Ø Risk avoidance – abandon plan; risks uncontrollable and unacceptable (do not carry out the function)

EVALUATING RISK LIKELIHOOD HIGH II IV Area of Minimal Concern I Area of Most Concern III LOW Area of Least Concern LOW Area of Moderate Concern IMPACT Evaluate each risk in terms of its impact and likelihood. HIGH

EVALUATING RISK LIKELIHOOD HIGH II IV Area of Minimal Concern I Area of Most Concern III LOW Area of Least Concern LOW Area of Moderate Concern IMPACT Likelihood is the probability that an HIGH unfavorable event would occur if there were no control activities in place.

EVALUATING RISK LIKELIHOOD HIGH II IV Area of Minimal Concern I Area of Most Concern III LOW Area of Least Concern LOW IMPACT Area of Moderate Concern HIGH Impact is the effect on an organization if the unfavorable event were to occur. The effect is the ultimate harm that may be done or the opportunity that may be lost.

EVALUATING RISK LIKELIHOOD HIGH II IV Area of Minimal Concern I Area of Most Concern III LOW Area of Least Concern LOW IMPACT Area of Moderate Concern HIGH It is also critical to determine the cause for each risk in order to design control activities that will effectively limit the risk.

RISK CYCLE Goals Review Continually Isolate Risk Areas Implement Controls Assess Impact And Probability Design Risk Strategy Source: “ Internal Control A Manager’s Guide” By K. H. Spencer Pickett

References � Standards for Internal Control in New York State Government, Office of the State Comptroller. � Control Environment – Tone at the Top, New York State Internal Control Association