Академический Документы
Профессиональный Документы
Культура Документы
Control Environment,
Tone at the Top and Ethics
David McCoy
State Controller
Agenda
1. Elements of a strong control environment
a. Appropriate tone at the top; managements attitudes, beliefs, practices
b. Characteristics of good controls
c. Right combination at the entity, IT and transaction levels controls
d. Operating effectiveness of controls
e. Reporting protocols for control breakdowns
Background
Internal Controls
Effected by people
Responsibility for good internal controls rests with managers
All personnel play an important role
Five standards:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Entity-Level Controls
Control Environment
Fraud Controls, including Controls Over Management Override
Transactions
Information
Systems
Financial
Statement
Close
Process
Financial
Statements
Control Environment
Control Environment
Control Environment
Examples:
Codes of conduct
Tone at the top and communications
Attitudes toward ethical values
Control Environment
Examples:
10
Control Environment
Examples:
Aggressiveness of risk taking and policies
Information sharing and disclosure
11
Control Environment
Examples:
Reporting structure and lines of command
12
Control Environment
Examples:
Job descriptions
Appropriate staffing
Delegation of authority
13
Control Environment
Examples:
Leadership development
Succession planning
Responsibilities and expectations
14
Risk Assessment
15
Risk Assessment
16
Risk Assessment
17
Risk Assessment
18
Risks
19
Control Activities
Control Activities
21
Approvals
Authorizations
Verifications
Reconciliations
Reviews of operating performance
Security of assets
Segregation of duties
22
Nature of Controls
Manual Control:
Independent review of general ledger reconciliations
Authorization of employee expense reports
IT Application Control:
Automated three-way match
Data input validation checks (e.g., orders can only be
processed using a valid customer number)
Restricted user access
23
Types of Controls
24
Classification of Controls
Manual Controls
Manual
Prevent
IT-Dependent Manual
Controls
Manual Detect
Automated Controls
Application Controls
Automated
Prevent
Automated
Detect
26
27
Monitoring
30
Monitoring
Monitoring Controls
Monitoring controls
Typically detective in nature, fewer in number, more efficient
to test
32
Identification of Deficiencies
33
Monitoring
SECTION 2
TONE AT THE TOP
35
36
37
38
39
40
Code of Conduct
41
SECTION 3
ETHICS PROGRAMS
42
Ethics Programs
Components of a program
Vision
Ethics training for employees
A means for communicating with employees
Reporting mechanism
Audit system
Investigation system
43
45
46
Gathering Information
47
48
Problems
Over-emphasis on rules at the expense of judgment
Employees might conclude that anything not forbidden is
permitted
Heavy focus on actions that harm the organization may lead
to cynicism about the purpose of the code
Other approaches
Focus on a strong culture and leadership rather than on a
written code
Rely upon extensive government regulation and internal
auditing
49
Vision
Ethics is seen as a way to improve the organization
Promotes trust, integrity and accountability
50
Training
Ethics training maps are developed for management levels
in addition to functional areas
Training is delivered using live and computer-based
delivery methods
Training content development is coordinated by dedicated
resources to allow for appropriate and consistent coverage
Training curriculum and content linked to compliance risk
assessment
Training includes testing of comprehension, and updates
and refresher programs are driven by results
51
Communication
Formalized organization-wide upward communication
processes are in place
Ethics has become an integral component of all
management communications
Management participates with staff in ethics
compliance-related activities
Organization-wide communication process in place to guide
decisions based on information, risk and requirements
52
Reporting
A formal reporting hotline has been established
Hotline is available through multiple means (telephone,
online, mail)
Reporting mechanisms communicated to personnel
Administration of reported complaints is prioritized, codified
and followed consistently
Organizations have executive-level ethics committee and
management ethics council to discuss organization-wide
ethics process issues
53
Audit
Formal compliance auditing and monitoring calendars in
place
Independent monitoring of resources
Proactive, real-time auditing and monitoring in place for
highest risk controls to prevent non-compliance
Proactive compliance embedded into daily operations
54
55
Code of Conduct
Input: learning from events
Provide training
Test
Which employees
to train on which
policies
56