Internal Controls Flashcards
What are the five components of a comprehensive framework of internal controls (as outlined in the COSO Report) (5)?
- Control Environment
- Risk Monitoring and Assessment
- Control-related policies and procedures
- Information and communication
- Monitoring
An analysis of management’s fundamental responsibilities would need to address all of the following (4):
- Effectiveness
- Efficiency
- Compliance
- Financial Reporting
The comprehensiveness of an entity’s internal control framework can be assessed on the basis of whether it does all of the following (5):
- Provides a favorable control environment
- Continually assesses risk
- Establishes and maintains effective control-related policies and procedures
- Effectively communicates information
- Monitors the effectiveness of control policies and procedures as well as the resolution of potential problems identified by controls
A favorable control environment is (3):
- management is knowledgeable about internal controls
- management is committed to establishing and maintaining controls
- management communicates its support for internal controls to staff at all levels
Limitations of Internal Controls (3):
- cost considerations will prevent management from ever installing a “perfect” system
- subject to management override
- risk of collusion
Management’s responsibilities for internal controls can be categorized as follows:
- Design
- Implementation
- Monitoring
- Reporting
Define “Effectiveness”
the extent to which management is achieving its goals and objectives (directly relates to management’s ability to communicate its directives to employees and ensure those directives are being carried out)
Define “Efficiency”
attaining goals and objectives with least expenditure of scarce resources
Management must demonstrate “Compliance” with?
restrictions imposed by policy, regulation, law or contract (i.e. annual appropriated budget, grantor requirements, state oversight requirements, IRS requirements, bond covenants, and local laws/regulations)
Management must use “Financial Reporting” effectively to?
ensure that decision makers, both inside and outside the government, have the financial data they need to make informed decisions
Who is primarily responsible for internal controls?
Management
Who is ultimately responsible for internal controls?
Governing body
The audit committee’s purpose (3):
- To ensure that the auditor of the financial statements is truly independent of management
- To provide an objective perspective on matters related to internal controls and the audit of the financial statements
- To provide a communications link between management, the independent auditor and the governing board
Which of the five elements of a comprehensive internal control framework can be viewed as the most important?
Control environment (because the effectiveness of the other four elements ultimately will depend on it)
What is the focus of risk monitoring?
A comprehensive internal control framework requires that management attempt on an ongoing basis to identify potential risks that could hinder it from fully realizing any of the four objectives (effectiveness, efficiency, compliance with laws and regulations, proper financial reporting).
Significant changes need to be monitored and assessed by management for potential risk. What are some of the types of changes requiring particular attention from management? (6)
- Changes in the operating environment
- Changes in personnel
- Changes in information systems and technology
- Rapid growth
- New programs and services
- Changes in structure
Examples of inherent risk: (6)
- Complexity increases dangers
- Cash receipts
- Direct third-party beneficiaries (i.e. food stamps)
- Degree of centralization
- Prior problems
- Prior unresponsiveness to identified control weaknesses
A balanced assessment of risk should take these two factors into consideration:
- Significance
- Likelihood of occurrence
As part of control-related policies and procedures, a suitable accounting system should: (6)
- Assemble all relevant information
- Analyze assembled data
- Classify assembled data
- Record assembled data
- Furnish data needed for internal and external financial reporting on a timely basis
- Maintain accountability over the government’s assets
Management’s implicit assertions when issuing financial reports: (5)
- Existence or occurrence
- Completeness
- Rights and obligations
- Allocation
- Presentation and disclosure
The first step toward controlling financial reporting is to ensure that
all transactions are properly authorized in accordance with management’s policies (require advance approval, require written documentation of approval)
The second step toward achieving management’s financial reporting objectives is
to ensure that accounting records are properly designed (sequential numbering of documents, automatic duplicates, gathering info for multiple purposes, avoiding unnecessary information)
Ways to secure assets and records include: (4)
- Controlled access
- Physical security
- Backup for computer records
- Disaster recovery
An incompatible duty is
one that would put a single individual in the position of being able to both commit an irregularity and then conceal it
The information component of the internal control framework may be considered to be functioning properly when
current, accurate and appropriate information is made available on a timely basis to those who need it
To be truly effective, communication must be
multidirectional
Why is it essential that management monitor control-related policies and procedures on an ongoing basis?
to ensure that they are continuing to function properly
In order to evaluate controls over accounting and financial reporting, management should begin by
breaking down what a government does into manageable groupings of similar or related activities, commonly known as control cycles
Once control-related policies and procedures have been identified, the next step is to
determine whether there are appropriate compensating controls in place to counteract or contain each identified risk
Two key factors to be considered in assessing vulnerability are:
- inherent risk
- the quality of the control environment
In order to initiate the process of testing controls, management should:
document how transactions and events are supposed to be handled in the particular department, activity or control cycle selected for evaluation (flow chart, walk through)
These situations may predispose a given individual to consider committing fraud: (4)
- Financial stress
- Addiction
- Disaffection (feel they have been mistreated)
- Pathologies
The most important cause of fraud is:
Opportunity (which not only permits fraud to occur, but actually promotes it)
Costs of fraud: (4)
- Diversion of public resources from their intended purpose
- Loss of confidence in the government
- Loss to the reputation of innocent third parties (guilt by association)
- Cost to the perpetrator
Kiting
borrowing funds from a government then concealing their absence
Lapping
borrowing funds by failing to credit a payment made to an account, then later reimbursing the account with payment intended for another account (and on and on)
Bid rigging
circumventing the competitive bid process
Payroll fraud
paying salaries that have not been earned
Healthcare beneficiary fraud
cheating on health insurance coverage by listing as beneficiaries individuals who do not qualify (or no longer qualify) as family members
False claims
billing for goods/services not received (substituting an inferior good)
Double payments
billing twice for same goods or services
Charge-off fraud
making an unexpected collection on a delinquent account, then writing it off as uncollectible
Disposal fraud
profiting personally from the disposal of surplus items
Travel-claim fraud
cheating on travel claims by claiming expenses they did not actually incur
Pilfering
petty theft of supplies and similar items of small monetary value
Misuse of assets and services
small-scale misuse of assets and services (such as phone, copier, fax)
Petty cash fraud
“borrowing” from the petty cash fund and concealing the missing cash by producing a false register tape
Internal controls that can stop fraud before it happens include: (5)
- Properly designed records (i.e. original documentation)
- Segregation of incompatible duties
- Periodic reconciliations
- Periodic verifications
- Analytical review
The following guidelines can significantly increase the likelihood of detecting fraud when it does occur: (5)
- Remember that anyone can commit fraud
- Do not dismiss tips, even when obtained from hostile sources
- Use analytical review to identify potential problems
- Carefully examine unusual transactions
- Carefully examine supporting documentation
Steps to investigate fraud: (8)
- Obtain professional legal help
- Maintain objectivity
- Seek out the “best evidence”
- Obtain documents only from official custodians
- Maintain a “chain of custody” over potential evidence
- Exercise care in conducting interviews
- Retain all written records
- Discuss the investigation only with competent authorities