Presented by:
Michael Carr, CPA, MSA, MST
Director
508-212-3088
EMERGING CONTRACTORS
MITIGATING CONTROL RISK
CITRINCOOPERMAN.COM
TODAY'S AGENDA
• Introduction
• Components of internal control systems
• Preventive, detective, and corrective controls
• Cost-benefit concept for developing controls in small departments
• Super-Users
An organization’s financial resources can be
protected from loss, waste, or theft by:
Developing proper internal control systems
• Ensuring reliable data processing
• Promoting operational efficiency
Having proper management oversight
• Mitigating controls for small departments where
segregation of duties is not possible
INTRODUCTION
Internal controls should achieve four main
objectives:
Safeguard assets
Check accuracy and reliability of data
Promote efficiency
Encourage ethics and compliance
INTRODUCTION
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COMPONENTS OF INTERNAL CONTROLS
Control environment
Establishes the tone of a Company
Influences the awareness of the employees
Factors in the control environment:
• Integrity and values
• Management philosophy and operating style
• Assignment of authority and responsibility
• Attention and direction of management
COMPONENTS OF INTERNAL CONTROLS
Risk assessment
Recognize that ALL organizations have risk
What is the risk factor we are analyzing?
• Sources of risk can be internal OR external
• Must identify, analyze, and provide action to achieve the
organization's goals
COMPONENTS OF INTERNAL CONTROLS
Control activities
Organization's policies and procedures
• Management's directives
• Protection of assets
Includes a combination of:
• Manual controls (owner, employees, etc.)
• Automated controls (software, etc.)
COMPONENTS OF INTERNAL CONTROLS
Control activities
Should be grouped into categories:
• Authorizations (before)
• Approvals (after)
• Verification (after)
• Reconciliations (after)
• Segregation of duties (continuous, when cost is beneficial)
COMPONENTS OF INTERNAL CONTROLS
Information and communication
Information (accounting systems)
• Records
• Processes
• Reporting
• Accountability for assets, liabilities and equity (ensuring
assertions are met)
Communication
• Helps employees understand their roles and
responsibilities in the control environment and over
financial reporting
• Creates and enforces accountability
COMPONENTS OF INTERNAL CONTROLS
Monitoring
Assesses the quality of internal control performance
over time
Evaluating the design and operation of controls in a timely manner
Initiating corrective action when controls are identified
as not functioning properly
COMPONENTS OF INTERNAL CONTROLS
Preventive controls (before)
Designed to prevent potential problems from
occurring
Detective controls (during)
Designed to discover occurrences of adverse events
Corrective controls (after)
Designed to remedy problems discovered through the
detective controls
PREVENTIVE, DETECTIVE, CORRECTIVE CONTROLS
Preventive and detective controls should be viewed
and designed together, as they are interrelated
Detective controls should always be designed to
determine if preventive controls are working
PREVENTIVE, DETECTIVE, CORRECTIVE CONTROLS
Segregation of Duties
SOD concept – No one person should have control
over an ENTIRE process
• e.g. – The person who does A/R billings should not also
be in charge of cash receipts and/or reconciling cash
Cost vs. Benefit
• Can we achieve the control objective without having to
hire another employee?
Additional management oversight
• Has the process or procedure outgrown the current
environment?
If the process has grown to where oversight alone is not
enough, additional personnel may be required.
COST-BENEFIT FOR DEVELOPING CONTROLS
Management oversight should focus on:
The main risk areas:
• Cash
• Payroll
  – Fake employees
  – Inflated salary
  – Benefit payments
• Fake vendors
• Personal expenses
• Kickbacks (personal projects completed for awarding of jobs)
• Theft of materials / tools
COST-BENEFIT FOR DEVELOPING CONTROLS
Management oversight
Preventive
• Software access rights
• Approved vendor listing (restrict who can add vendors in the
software)
• Control over check stock (locked)
• No signature stamps (avoid!)
Detective
• Receipt and review of bank statements
• Receipt and review of payroll reports
• Receipt and review of daily cash collections reports
• Review of certain bids and why subs were selected over
others
COST-BENEFIT FOR DEVELOPING CONTROLS
What is a “super user”?
A necessary user for all companies who has access to
all areas of the software and/or all areas of the
database.
Can include:
• Company owners
• IT/System Admins
• Help Desk employees
• Developers
• Third party vendors
• Applications
• Accounting personnel (CFO?)
SUPER-USERS
Super user impact to controls:
Risk of management override
Fraud risk (fake vendors, employees, etc.)
No individual accountability (depending on system setup)
Can render segregation of duties controls outside of the
software useless
Can impact audit strategy and communication with those
charged with governance
Potential issues with regulators (access to sensitive
information)
• Virtually all compliance regulations require a segregation of duties
around super user access
SUPER-USERS