- Number of slides: 32

Internal Control
Tim Grow, CPA
Charleston Office Managing Shareholder
© Elliott Davis, PLLC © Elliott Davis, LLC

Internal Control
Internal control is a process, effected by an entity’s board of directors, management and others, designed to provide reasonable assurance regarding the achievement of objectives in the following areas:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

The Need for Internal Control
In order to establish effective controls, an organization should first identify its relevant:
• Objectives of control
• Risks
• Controls to manage risk

Internal Control Process
Internal control is a process established to provide reasonable assurance of the achievement of objectives related to:
• Operations
• Reporting
• Compliance
The responsibility to develop and maintain effective internal controls lies with management and the board of directors.

Characteristics
Basic characteristics of internal control include:
• Continuity
• Dependent on the cooperation of personnel
• The ability to provide reasonable assurance
• Adaptability

Consequences of Weak Controls
Weak internal controls create a number of undesirable consequences such as:
• Fraud
• Collusion
• Loss of reputation
• Inefficient operations

COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an initiative of 5 groups, including the AICPA.
COSO established an internal control framework in 1992.
The COSO framework is the foundation of the internal control processes in most organizations today.

COSO Framework
The COSO integrated framework embodies 5 integral components of internal control:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

Control Environment
The COSO framework defines the Control Environment as a set of processes, standards, and structures that promote effective internal control.
The Control Environment is impacted by the ethics and integrity of the organization, in particular the “tone at the top” established by management.

Components of the Control Environment*
The Control Environment includes:
- The training and support of employees
- Organizational structure
- Management’s philosophy and operating style (what you permit you promote)
- Hiring procedures, i.e., hiring competent/qualified employees
- Overall ethics of the organization

Control Environment Strategies
Integrity Strategy
• Aims to establish effective internal control by communicating organizational values and vision and creating an environment that promotes ethical behavior
Compliance Strategy
• Seeks to limit unwanted behaviors by enforcing strict standards of conduct

Documentation of the Control Environment*
An entity should document the controls and processes in place that relate to its control environment. Types of documentation include:
• Flowcharts
• Narratives
• Questionnaires
• Memos
• Organizational Charts

COSO Risk Assessment
In the COSO framework, Risk Assessment is the process through which an entity both identifies and assesses its prevalent risks.
A risk is the possibility that something will happen that adversely affects the entity’s achievement of its objectives.
Having risks is “OK”; all organizations have them.

Risk Management vs. Risk Assessment
Risk management is a process designed to identify and manage risks with the purpose of keeping risks within a tolerable range so that an entity has reasonable assurance that it will achieve its objectives.
Risk assessment is an element within the risk management process. It allows management to create an assessment of key risks which forms a basis on which to determine control activities.

Risk Assessment, Continued*
Risk assessment is composed of four primary factors:
• Materiality of the amounts
• Complexity of the process
• History of accounting adjustments
• Propensity for changes in financial processes
An entity should conduct risk assessment on both the process level and the entity level.

Risk Responses
There are five predominant risk strategies:
• Avoidance – Don’t do it
• Mitigation – Lessen its impact
• Transfer – Move the risk
• Acceptance – Tolerate it
• Creation – Develop a response

COSO – Control Activities
Control activities are performed at all levels within an entity, and consist of the activities that help achieve the risk mitigation goals established by management.
Types of control activities:
• Manual
• Automated
• Preventative, detective, and corrective
• Compensating

Manual Control vs. Automated Control
Manual Controls require action to be taken by organizational personnel, for instance:
• Reconciliation of bank accounts
• Matching purchase orders to invoices
Automated Controls are built into the entity’s software system and network, for instance:
• Batch controls
• System generated exceptions

Preventive Control vs. Detective Control
A preventive control is a proactive control activity. Its goal is to eliminate negative events before they occur. Preventive controls are stronger than detective controls.
Detective controls are reactive control activities. The purpose of a detective control is to identify a negative event after its actual occurrence.

Compensating Controls
In some instances a weakness or limitation within the control environment can be mitigated by relying on a compensating control:
• Can be detective or preventive
• Common in small organizations; for example, when proper segregation of duties is difficult to accomplish.

COSO – Information and Communication
Communication and information are integral to the accomplishment of an entity’s objectives.
• Communication should be an ongoing process of sharing, obtaining, and creating relevant information and delivering it to appropriate personnel.
• Information must not only be accessible but also timely.

COSO – Monitoring Activities
Monitoring activities can be either ongoing or separate assessments of internal control that are used to determine whether internal control components are implemented and operating effectively.
• Ongoing monitoring activities are built into the business processes and are the most timely.
• Separate monitoring activities are those that are conducted periodically and may involve varying levels of detail and frequency.

Monitoring Activities, Cont’d
Steps of the monitoring process include:
• Identify what is being tested
• Determine the type and extent of testing
• Create tests
• Conduct tests for effectiveness
• Document testing and results
• Assess test results
• Communicate findings

Implementation
So…now I know what I’m trying to achieve, how do I implement?

Overview
• Document an understanding of processes and controls (hopefully the entity already has some of this documentation)
• Identify key controls (best done collaboratively)
• Evaluate for design effectiveness
• Test for implementation
• Consider testing for operating effectiveness

Document an Understanding
• Authorization – How does management approve transactions, vendors, policies, etc.?
• Initiating and recording – How are transactions initiated? How do transactions get into the accounting system (including subledgers)?
• Processing – How is activity on the account processed (for example, batch processing, end-of-day processing, real time processing)?
• Reporting – What general ledger accounts and other information are used to prepare reports? How is information reported in the financials?

Key Controls
“A key control is a control that provides reasonable assurance that material errors will be prevented or detected in a timely manner.”
- Institute of Internal Auditors

Evaluate Effectiveness
• Ask “What could go wrong?”
• Consider potential misstatements whether caused by fraud or error
• Consider mitigating controls
• Consider design

Mitigating Controls
• Lessens the impact or puts a cap on the amount of potential error
• A mitigating control is instrumental in identifying possible errors when a key control is not in place. It can often prevent the error from being material.

Test for Implementation - Walkthroughs
Selecting a few transactions and walking them through the transaction cycle, focusing on key controls.
Objective of walkthroughs:
• Confirm understanding of key elements of processes and related controls
• Determine whether the entity has implemented the controls
• Determine whether changes have occurred that may impact the effectiveness of the process or control

Evaluate for Operating Effectiveness
Accomplished through:
• Inquiry
• Observation
• Inspection
• Re-performance

Conclusion
• Internal Control Never Stops
• It should be the bedrock for the organization
• It will be as effective as it is given priority
• Things get ugly when it fails
• Effective internal control will rarely be given its due
© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC