Internal Control

Concepts and Applications

Kansas State University
Internal Audit
 Internal Audit Office
214 Anderson Hall
Phone 2-7308

Steve LaFever, MSA, CPA, Director, Phone: 2-5460 sdlafever@ksu.edu

Toynia Smith, CIA, Senior Internal Auditor, Phone 2-5413, toynia@ksu.edu
Jana Clark, MBA, CIA, Internal Auditor, 2-6746, jjoy@ksu.edu
 Mission
• Our mission is to serve the University by providing independent assurance
and consulting services to add value, strengthen internal controls, improve
compliance with Federal, State, Kansas Board of Regents, and University
rules and regulations and improve operations.
 Philosophy and Vision

• Internal Audit provides value-added audit and advisory services with

objectivity, transparency, and independence using the Institute of Internal
Auditors’ professional and ethical standards as guidance.
• We develop our staff through continuous training to provide management
with expert service to improve operations and provide value-added change
with utmost integrity.
 Audit Process
Audit Selection
The Annual Audit Plan is prepared using a University risk assessment and
requests from University administrators including Vice Presidents, Deans and
Directors.
 Audit Process

Review of Internal Controls and Testing

• During the review of internal controls and tests of transactions phase of the audit, the
auditor meets with staff and management to understand the unit's procedures and internal
controls. The auditor identifies controls that reduce risk, as well as any missing controls.
• The auditor tests a sample of transactions, with emphasis placed on higher risk items, to
verify that controls are functioning as intended, or determine where improvements are
needed.
Audits of revenues and expenditures typically include tests of revenues, accounts
receivable, purchases, business procurement card purchases, inventory, property, travel, and
payroll.
 Reporting Process-Draft Report
• The auditor-in-charge meets informally with management to discuss probable
report observations to ensure the recommendations are feasible.
• The report is drafted and sent to management for review prior to discussion at the
exit conference.
• At the exit conference, it is agreed with management that responses with action
plans and an implementation date are expected to be submitted to Internal Audit
within 30 days. The Vice President for Administration and Finance may approve
extensions given extenuating circumstances.
• The University President will be informed if a timely management response is not
received.
 Final Report
• The final report reflects changes discussed at the exit conference as well as
management's action plan.
• The report is addressed to administrators including the Department Head,
Director, Dean, Vice President for Administration and Finance and other
appropriate personnel.
• If fraud or material financial weaknesses are found, the final audit report is
sent to the Kansas Board of Regents in compliance with the Kansas Board
of Regents Policy.
 Follow-up Review

• After audit recommendations are scheduled to be implemented, Internal

Audit will follow-up with management to determine whether the
recommendations were successfully implemented.
• To perform the follow-up, the auditor inquires about progress in
implementing the recommendation and reviews a limited sample of
transactions related to the recommendation.
 What is Internal Control?
• Internal control refers to the processes and procedures used to provide a
“reasonable” level of assurance that goals and objectives will be achieved.
• They include anything which serves to safeguard university assets or to
improve the effectiveness and efficiency of operations.
• In general terms, internal controls are simply good business practices.
• It is important to remember that implementing internal controls is a
continuous process requiring everyone’s attention to ensure goals and
objectives are achieved.
The Internal Control Shield
Levels of Controls
 Five Types of Internal Controls
• Preventive controls, the first line of defense, are designed to keep errors and irregularities
from occurring in the first place - stops something from happening.
• Detective controls are designed to detect errors or irregularities that may have occurred -
finds out what happened, alerts you as it happens or shortly after.
• Corrective controls are designed to correct errors or irregularities that have been detected –
follow detective controls, recovery from consequences of an error or unexpected event.
• Directive controls are those designed to establish the desired outcomes – tells you what
should happen.
• Compensating controls are those used to compensate for controls that are otherwise
lacking. Generally, close supervision is used to compensate for lack of separation of duties.
 Preventive Controls
Preventive Controls Examples.
• Segregation of duties, remember the “ARC” (separates Accountability (or
Authorization) from Reconciliation, from Custody (of asset). No person should
perform more than one function.
• Physical controls over assets
• Authorized signers
• University payables review and approval of travel vouchers prior to processing
• Reminders of policies, procedures, and expectations
 Detective Controls

Detective Control examples:

• Account reconciliations
• Management review of reconciliations
• Physical inventories
• P-Card logging, reconciliation, and approval
• Review of budget to actual
• Year to year expenditure trending
 Corrective Controls

Corrective Control examples:

• Error communication and reporting
• Systems Documentation or processes
• Improvement initiatives
 Directive Controls
Directive controls:
• Kansas State University Policies and Procedures Manual
• Kansas Board of Regents Policy and Procedures
http://www.kansasregents.org/resources/PDF/2582-
BoardPolicyManual.pdf
• • College policies
• • Unit procedures
 Who is Responsible for Internal Control?

• PPM 3210
• Everyone within the University has some role in internal controls.
• The roles vary depending upon the level of responsibility and the nature of involvement by the individual.
• The Kansas Board of Regents, President and senior executives establish the presence of integrity, ethics,
competence and a positive control environment.
• The directors and department heads have oversight responsibility for internal controls within their units.
• Managers and supervisory personnel are responsible for executing control policies and procedures at the detail level
within their specific unit.
• Each individual within a unit is to be cognizant of proper internal control procedures associated with their specific
job responsibilities.
PrimaryAssumptions of Internal Control
Management Responsibility
The establishment and maintenance of a system of internal
control is the responsibility of management.
Reasonable Assurance
The cost of achieving the objectives of internal control should
not outweigh its benefits.
Methods of Data Processing
The techniques of achieving the objectives will vary with
different types of technology.
 Components of Internal Control
http://www.k-state.edu/internalaudit/internal-controls/

• Internal control consists of

five interrelated components,
each of which is an integral
part of the management
process and plays a specific
role in departmental internal
control procedures.
 Control Environment
• The control environment sets the tone of the organization, influencing the
control consciousness of its people. After all, the core of any educational
institution is its people.
• Leaders of each department, area or activity establish a local control
environment.
• It is the foundation for all other components of internal control, providing
discipline and structure.
 Control Environment Continued
Control environment factors include:
• Integrity and ethical values;
• The commitment to competence;
• Leadership philosophy and operating style;
• The way management assigns authority and responsibility, and organizes and develops its
people;
• Policies and procedures.
 How YOU Can Improve the Control
Environment
• Communicate clearly
• Accuracy counts…do not rush
• Don’t just talk the talk, walk the walk
• Use exceptions/errors as opportunities to teach what’s right
• Don’t let abuse or misuse go
• Don’t be a party to circumvention of controls
• Perform an annual risk assessment in tandem with a review/update of your
unit’s strategic plan
 Control Principles/Activities
• These are the policies and procedures that help assure management
that directives are being implemented at all levels of the organization
and include:
Transaction Authorization- Authorization to initiate or approve transactions
should be limited to specific personnel. Authorizations can be limited by type
of transactions or amount of transactions.
• Used to ensure that employees are carrying out only authorized transactions
• General (everyday procedures) or specific (non-routine transactions)
authorizations
 Control Principles/Activities Cont.

Separation of duties- provides that one employee does not

have the responsibility for all phases of a transaction.

• Generally, an employee with physical access to an asset

should not also be responsible for accounting records
relating to that asset.
• The employee should also not authorize the transaction. A
compensating control in the event separation of duties is
not possible is close supervision
Control Principles/Activities Include Cont.
• Accurate documentation of transactions in a timely manner and retention of
records in an organized manner.
• Validation to ensure that all recorded transactions fairly represent the economic
events that actually occurred, are lawful in nature, and have been executed in
accordance with management's general authorization.
• Physical safeguarding of assets including maintaining an inventory and limiting
access to assets.
• Audit trails of transactions
• Reconciliations of ledgers to accounting records should be prepared
periodically and reconciling items should be resolved timely.
Control Principles/Activities Include Cont.
Independent Verification
Examples of independent verification controls include:
• reconciling subsidiary account totals with general ledger control account
balances.
• reviewing computer generated reports that summarize transaction
processing activities.
• comparing physical inventory counts with quantities in the perpetual
inventory records.
Control Principles/Activities Include Cont.
• Counting physical assets periodically, recording results of the
counts, and comparing to accounting records. Discrepancies
should be reported to appropriate administrators and investigated.
• Error handling to ensure that errors detected at any stage of
processing receive prompt corrective action and are reported to
the appropriate level of management.
• Training, supervising, and monitoring the performance of
employees to help certify that control processes function properly.