
EFFECTIVE WORK PROCESSES: Internal Controls and Risk Assessment. Presented by the Office for Audit and Advisory Services


Academic year: 2021


(1)

EFFECTIVE WORK PROCESSES:

Internal Controls and Risk Assessment

(2)

What if someone told you …

There was a way to make your work processes more effective?

There was a better way to organize and understand your work issues and problems?

You could be more confident in your process accuracy and efficiency?

(3)

Understanding Controls and Risks

You probably think about risks every day.

Identifying and managing your risks will help you when asking for new initiatives.

Understanding your internal controls will help you prepare for managerial review or internal audit.

Having good working internal controls will result in

(4)

Our goals for this class

What are your internal controls, how to find them, and how to know if they are working?

What is a risk assessment and how to execute one in order to find your risks?

What to do with this new information on your internal

(5)

Internal Controls Exercise

Let’s do an exercise, to find some internal controls…

What are some things you want to protect? (in your business and academic processes)

Why are these things valuable?

(6)

Internal Controls Pyramid

Six different components of Internal Controls

Four core components are held together with Data (information) and Procedures (communication)

[Figure: Internal Controls Pyramid, with labels Control Environment, Risk Assessment, Control Activities, Monitor, Information, Communication]

(7)

Control Environment

The tone of the organization as set by management.

Examples include:

• Policies / Procedures
• Strategy
• Reporting Structure

(8)

Risk Assessment

Find potential areas of loss or impact on work

Examples include:

• Financial Loss
• Damage to Reputation
• Out of compliance w/ Laws/Regulations

(9)

Control Activities

Includes activities, processes directly added to reduce risks.

Examples include:

• Approvals
• Reconciliations
• Segregation of Duties

(10)

Examples of Control Activities

Segregation of Duties: Someone who enters transactions cannot approve them.

Approval: Supervisor must take authority for a transaction.

Authorization: Use known information to validate entry into a system.

Verification: Entries are checked for accuracy.

Reconciliation

(11)


Information and Communication

Sharing Information between processes/people

Examples include:

• Meetings
• Websites
• Reports
• Committees

(12)

Monitoring

Oversight component to check accuracy & efficiency.

Examples include:

• Audits
• Compliance
• Assessment

(13)

News Articles about Internal Controls

Why internal controls are important at colleges and universities:

Yale Forces Out Tenured Professor for Financial Misconduct

American U. Faces a Tussle at the Top: Reports of Lavish Spending Lead Professors and Students to Call for President’s Ouster

Cornell’s Medical School Will Pay $4.3 Million to Settle Federal Lawsuit over Fraud in NIH Grant

Why Can’t Colleges Hold On to Their Data? A String of High-Profile Security Breaches Raises Questions About the Safety of Personal Information

(14)

Processes at Northwestern

Academic

– (Faculty & Student Processes, Quality, Communication)

Legal

Financial

Operational

– (Athletics, Relations, Facilities, Systems/Technical, Purchasing, Safety)

Research

Executive

(15)

Risk Management at Northwestern

Office of Risk Management

– Owns and Manages Risk Transfer, Risk Liability & Management processes.

(Meets with students, faculty, & staff on insurance and liability issues.)

Office for Audit and Advisory Services

– Administers and facilitates the Enterprise Risk Management (ERM) process.

(16)

Northwestern’s ERM Process

[Figure labels: Highest Order of Excellence, Research, Academic Excellence, Community]

Assumption of some level of RISK is necessary to accomplish our goals.

ERM relates risks to University Strategies

Risk can represent an OPPORTUNITY or a THREAT to an institution.

ERM Categorizes All Types of Risk

• Academic Risks
• Compliance Risks
• Financial Risks
• Operational Risks
• Reputational Risks
• Research Risks
• Strategic Risks

(17)

Rollout of ERM at Northwestern

Meetings with Schools / Admin Units to Identify & Prioritize Risks

Discussions with Departments to Determine Risk Impact & Frequency

Work with Areas to Identify & Understand Risk Mitigation Strategies

Identify Excessive or Insufficient Controls and Facilitate Changes

(18)

Financial Processes to be Discussed

• Cash, Revenues, and Petty Cash
• Purchasing and Disbursements
• Budgeting
• Sponsored Programs
• Payroll and Personnel
• Capital Equipment

(19)

Cash, Revenues, and Petty Cash Control Activities

Proper classification

Segregation of duties

Security of receipts

Timely deposits

(20)

Cash, Revenues, and Petty Cash Control Activities

PROPER CLASSIFICATION

1. ACCOUNT CODES

2. SPONSORED PROGRAM OR GIFT

http://www.research.northwestern.edu/osr/criteria_print.html

3. SALES TAX

4. UNRELATED BUSINESS INCOME TAX

(21)

Cash, Revenues, and Petty Cash Control Activities

SEGREGATION OF DUTIES

1. CASH AND CHECKS

• OPENING THE MAIL
• ENDORSING THE CHECKS
• RECEIVING THE CASH
• PREPARING THE CRT
• COMMITTING THE CRT
• MAKING THE DEPOSIT
• RECONCILING THE DEPOSIT

2. INVOICING

• CREATING AND SENDING THE INVOICE
• RECEIVING PAYMENT

(22)

Cash, Revenues, and Petty Cash Control Activities

SECURITY OF RECEIPTS

1. CHECK ENDORSEMENT

2. SECURING CASH AND CHECKS

3. CASH REGISTERS

4. INTERNET PAYMENTS

5. CREDIT CARD TERMINALS

(23)

Cash, Revenues, and Petty Cash Control Activities

TIMELY DEPOSITS

1. BURSAR DEPOSIT GUIDELINES

2. CASH REGISTER RECEIPTS

(24)

Cash, Revenues, and Petty Cash Control Activities

PETTY CASH

1. CUSTODIAN

2. SECURING THE FUND

3. DOCUMENTATION

4. PAY-OUT FORMS

5. REPLENISHMENT

(25)

Cash, Revenues, and Petty Cash Control Activities

The financial assistant is responsible for recording all of the cash and checks received by the department. He also prepares the Cash Receipt Ticket and makes the deposit every Wednesday. In addition, he prepares a monthly spreadsheet of all deposits made, which is given to the business administrator to be used in the reconciliation process.

• What could go wrong here?

(26)

Cash, Revenues, and Petty Cash Control Activities

A check for $30,000 from an outside company for research support is received in the department. The financial assistant is instructed to deposit the funds via a Cash Receipt Ticket in order to avoid the additional fees and “red tape” associated with processing a gift. The financial assistant is also instructed to deposit the money into an existing designated chart string so that a new chart string does not need to be opened.

• What could go wrong here?

(27)

Purchasing and Disbursements Control Activities

Segregation of duties

Purchasing processes

Expense Reports

(28)

Purchasing and Disbursements Control Activities

SEGREGATION OF DUTIES

1. SECURITY ROLES IN NUFINANCIALS

• THE FORM
• ROLE REVIEW

2. RECONCILIATION

• LINE-BY-LINE

(29)

Purchasing and Disbursements Control Activities

PURCHASING PROCESSES

1. PREFERRED VENDORS

2. iBuyNU

3. PURCHASE ORDERS

4. DIRECT PAYMENT REQUESTS

5. INDEPENDENT CONTRACTORS

6. BID DOCUMENTATION (BD-1)/SINGLE SOURCE JUSTIFICATION (SSJ-1)

(30)

Purchasing and Disbursements Control Activities

MATCH EXCEPTION REPORT (SC027)

This report lists all vouchers that cannot complete with the 2- or 3-way matching process. This report only includes vouchers that are associated with a purchase order (non-catalog or iBuyNU purchases). Use the table located at http://cafe.northwestern.edu/documents/jobaids/Aid-MatchExceptionGuide.pdf to interpret the match rule exceptions (error messages) and determine how to resolve the issue.

(31)

Purchasing and Disbursements Control Activities

OPEN ENCUMBRANCE REPORT (SC016)

This report helps users understand why encumbrances associated with certain purchase orders are still open. It helps users to reconcile budgets, and track purchase orders that have not been finalized.

(32)

Purchasing and Disbursements Control Activities

EXPENSE REPORTS

1. TRAVEL

• TIME GUIDELINES
• BUSINESS PURPOSE
• RECEIPTS
• APPROVAL
• WHAT SHOULD BE INCLUDED?

2. NON-TRAVEL

• ALL PURCHASES SHOULD BE INITIATED THROUGH NUFINANCIALS

(33)

Purchasing and Disbursements Control Activities

COMPLIANCE WITH POLICY

BURSAR http://www.northwestern.edu/bursar/docs/cashmenu.html

PURCHASING http://www.northwestern.edu/uservices/purchasing/policy.pdf

TRAVEL http://www.northwestern.edu/finsys/ps/policies/travel.pdf

ENTERTAINMENT http://www.northwestern.edu/finsys/ps/policies/entertainment.pdf

HUMAN RESOURCES http://www.northwestern.edu/hr/policies/

(34)

Purchasing and Disbursements Control Activities

True or False:

1. The only requirement for an approver of a T&E expense report is that they work in the same department as the person submitting the T&E.

2. An NU employee who is providing additional services outside of their normal duties should be paid with a check processed by Accounts Payable as a consultant.

3. It is better to use existing account codes than to have an additional account code opened for a purchase

(35)

Budget Reconciliation Control Activities

Monthly reconciliations

Budget status awareness

(36)

Budget Reconciliation Control Activities

Determine the

of your budget!

Verify transactions

Identify problems

Budget status

(37)

Budget Reconciliation Control Activities

BUDGET STATUS AWARENESS

1. BUDGET PLANNING

2. MONTHLY REVIEW

3. HOW ARE WE DOING?

(38)

Budget Reconciliation Control Activities

COSTING METHODOLOGY REVIEW

1. RECHARGE ACTIVITY

2. RECHARGE RATE

http://www.northwestern.edu/coststudies/

(39)

Sponsored Program Accounting Control Activities

Proper use of restricted funds

Animal and human testing compliance

Effort reporting

(40)

Sponsored Program Accounting Control Activities

PROPER USE OF RESTRICTED FUNDS

1. PRINCIPAL INVESTIGATOR

• AUTHORIZATION
• OVERSIGHT

2. CLASSIFICATION OF EXPENSES

3. SUBCONTRACTS

4. EXPORT GUIDELINES

http://www.research.northwestern.edu/osr/export_controls.html

5. GRANT CLOSING

(41)

Sponsored Program Accounting Control Activities

ANIMAL AND HUMAN SUBJECT TESTING

1. INSTITUTIONAL REVIEW BOARD

http://www.research.northwestern.edu/oprs/irb/policies/

2. ANIMAL CARE AND USE COMMITTEE

(42)

Sponsored Program Accounting Control Activities

EFFORT REPORTS

1. MONITORING TIME SPENT ON RESEARCH

2. QUARTERLY CERTIFICATION

http://www.northwestern.edu/asrsp/effort.html

(43)

Sponsored Program Accounting Control Activities

OFFICE FOR SPONSORED RESEARCH

1. PROPOSALS

2. REVENUE

(44)

Sponsored Program Accounting Control Activities

True or False:

1. It is appropriate for the business administrator to certify effort for a principal investigator.

2. When a sponsored program is about to end, it is important to make sure all the money has been spent.

3. It is the principal investigator’s responsibility to ensure that transactions posted to their grant chart strings are appropriate.

4. If a sponsored project results in the development of a new invention, it is the responsibility of the principal investigator to solicit an agency to create the patent for this invention.

(45)

Sponsored Program Accounting Control Activities

The business administrator for a department is having difficulty getting the faculty members to complete their effort reports by the ASRSP due dates. What are two actions you would recommend to address this problem?

1. ___________________________________

(46)

Payroll and Personnel Control Activities

Segregation of duties

Review of time reports

Monitor vacation, PFH, and sick days

(47)

Payroll and Personnel Control Activities

SEGREGATION OF DUTIES

1. NO ONE EMPLOYEE HAS CONTROL OVER ALL ASPECTS OF HIRING

• SUBMITTING PAYROLL INFO TO HR
• PROVIDING DIRECT DEPOSIT INFORMATION
• RECONCILING THE PAYROLL TRANSACTIONS

2. SPECIAL AND ADDITIONAL PAY

http://www.northwestern.edu/hr/payroll/specialpayins.pdf

http://www.northwestern.edu/hr/payroll/addpaypolicy.pdf

(48)

Payroll and Personnel Control Activities

TIME REPORTS

1. APPROVAL

2. OVERTIME

3. HOURLY PAY RATE

4. WORK STUDY AND TEMPORARY WORK

(49)

Payroll and Personnel Control Activities

MONITORING OF TIME OFF

1. NON-EXEMPT

(50)

Payroll and Personnel Control Activities

HIRING AND TERMINATION PROCEDURES

1. THE HR ROLE IN HIRING

2. NEW HIRE PROCEDURES

3. WRITTEN JOB DESCRIPTIONS

4. CONFLICT OF INTEREST

5. TERMINATION CHECKLIST

(51)

Equipment, Safety, and Security Control Activities

Capital equipment inventory

Disposals are reported

Security of office area and equipment

Physical safety concerns are addressed:

• Risk Management
• Research Safety

(52)

Equipment, Safety, and Security Control Activities

CAPITAL EQUIPMENT

1. TAGGING CAPITAL EQUIPMENT

2. EQUIPMENT DISPOSAL

http://www.northwestern.edu/equipment-inventory/formdisp.html

3. SURPLUS PROPERTY EXCHANGE

http://www.northwestern.edu/uservices/office/surplusproperty/index.html

4. WHAT ABOUT EQUIPMENT UNDER $5,000

http://www.northwestern.edu/equipment-inventory/formyour.html

(53)

Equipment, Safety, and Security Control Activities

PHYSICAL SECURITY

1. LAB SAFETY

http://www.research.northwestern.edu/ors/

2. BUILDING SAFETY

http://www.northwestern.edu/risk/

(54)

Equipment, Safety, and Security Control Activities

An NU researcher purchased a new microscope worth $25,000, and disposed of an old microscope with a cost of $10,000 by setting it in the hall hoping the custodians would dispose of it.

• Any problems noted in this scenario?

(55)

Information Technology Control Activities

Infrastructure Controls

• System updates, Device security

Asset Controls

• Inventory, Software updates

Process Controls

(56)

Information Technology Control Challenges

Distributed IT Systems

• Computers in Schools, Student Residences, Offices
• Connectivity to Internet, within NU, peers, etc.

Distributed & Centralized IT

• NUIT – provide some central services including centralized infrastructure, access to Internet
• Schools – some areas have own data centers, IT staff

Centralized Management

(57)

Information Technology Control Activities

An employee is logged in at his laptop computer to NUFinancials and Email. His NetID password is written on a post-it note by the keyboard. After responding to an email, the employee leaves his office for a meeting.

• What could go wrong here?

(58)

Conclusions

Internal Controls affect all aspects of work at NU including academic processes, administrative processes, and financial processes.

Understanding your Internal Controls and risks will assist you in doing your work and handling audits.

You should use the risk assessment tools available to assist yourself in determining where your risks and controls exist in your area.

(59)

Thank you

Questions?

The Office for Audit and Advisory Services

Evanston Office

1800 Sherman Ave, Suite 4-500, Evanston Campus

Phone: 847-491-3304 Fax: 847-467-1412

Chicago Office

Abbott Hall, Ste 800, Chicago Campus A-327

Phone: 312-503-2632 Fax: 312-503-3595

Email: [email protected]
