AUDIT and INTERNAL CONTROL
description
Transcript of AUDIT and INTERNAL CONTROL
1
AUDIT and INTERNAL CONTROL
Conf. univ. dr. Camelia DobroţeanuProf. univ. dr. Laurenţiu Dobroţeanu
Master Aprofundat 2009-2010
2
Detailed requirements:Study materials:
Brink’s Modern Internal Auditing, R. Moeller, ed. Wiley, ediţia 6, 2005Sawyer’s Internal Auditing, L. B. Sawyer et. al, IIA, ediţia 5, 2005Managing the audit function: a corporate audit department procedures guide, M.P. Cangemi, T. Singleton, Ed. Wiley, ediţia 3, 2003Audit Intern, C. L. Dobroţeanu, L. Dobroţeanu, ed. InfoMega, 2007Audit: concepte şi practici. O abordare naţională şi internaţională, L. Dobroţeanu, C. L. Dobroţeanu, Ed. Economică, 2002Teoria şi practica auditului intern, J. Renard, Ministerul Finanţelor, 2002
Marking: Workshop 30%Written examination 70%
3
Syllabus:I. The system of internal control: conceptual
framework, principles, models (2 lectures)
II. Risk management (1 lecture)
III. Fraud: detection and prevention (1 lecture)
IV. Audit - internal control relationships (1.5 lectures)
V. Audit – internal control – corporate governance (0.5 lectures)
4
I. Internal Control System
Lecture overview:1. Importance of IC2. Fundamentals of IC3. Essential IC techniques4. COSO framework5. IC assessment: SOX
5
I.1. Importance of IC
Definition: “IC reflects any action taken by the board, management etc. to improve the risk management and to increase the likelihood that the organization meets its objectives”
Can we define a good IC?
6
I.1. Importanţa CIGood IC if:
Accomplishes its stated mission; Produces accurate and reliable data;Complies with applicable laws and organization policies;Provides for economical and efficient use of resources;Provides for appropriate safeguarding of assets.
7
I.2. Fundamentals of IC
acceleratorbrake
steering wheel
driver
8
I.2. Fundamentals of IC
Controller
Standard
Communicator
Detector/Senzor
1. Performance
Indicator2.
Benchmark
3. Signals departures
4. Transmits messages
9
I.2. Fundamentals of ICMonitor/measure control element
Are controls within standards?
Correct CE
Monitor to make sure corrections are
working
Continue monitoring CE
NO YES
10
I.3. Essential IC techniques
1. •Prevention controls
2. •Detection controls
3. •Corrective controls
11
I.3. Essential IC techniques
Steering controls
Yes/No Controls
Post-Action Controls
e.g. macro-economic trends
e.g. Authorization,
approval
e.g. after dismissal of an
employee
12
WORKSHOP
Case study: ................
13
I.4. COSO Framework
IMA
AICPA
IIAAAAFEI
COSO:
14
I.4. COSO Framework Internal Control: Integrated
FrameworkIC – a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives of the following categories:
Effectiveness and efficiency of operationsReliability of financial reportingCompliance with applicable laws and regulations
15
I.4. COSO FrameworkMonitoringControl
activitiesRisk assessment
Control environment
CommunicationICS
16
I.4. COSO Frameworka. Control environment:
Integrity and ethical valuesProfessional competenceBoard and audit committeeManagement philosophy and operating styleOrganizational structureAssignment of authority and responsibilityHuman resources policies and practices:
RecruitmentNew employee orientationEvaluation, promotion, compensationDisciplinary actions
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
17
I.4. COSO Frameworkb. Risk assessment:
3-step process:Identification of significant risksAssess the risk likelihood or frequencyConsider the appropriate actions to manage the risk
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
18
I.4. COSO Frameworkb. Risk assessment (cont.):
Types of risks:Organizational risks from external factorsOrganizational risks from internal factorsSpecific activity-level risks
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
19
I.4. COSO Frameworkc. Control activities
Types of control activities: top-level reviews direct functional or activity management information processing physical controls performance indicators segregation of duties
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
20
I.4. COSO Framework
c. Control activities (cont.)Integration of control activities with risk assessmentControls over information systems
general controls – applied to overall information systems application controls – applied to specific sections of the system
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
21
I.4. COSO Framework
d. CommunicationRelationship of information and ICMeans and methods of communication
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
22
I.4. COSO Frameworke. Monitoring
Ongoing monitor activities: operating management normal functions communications from external parties organizational structures and supervisory activities physical inventories and asset reconciliation
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
23
I.4. COSO Frameworke. Monitoring (cont.)
Separate evaluation of ICReviewsInternal audit: compliance, peer reviewSelf-assessmentExternal evaluationAction plan
Reporting IC deficienciesTo whom?How?
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
24
I.5. IC ASSESSMENT: SOX- TO BE PREPARED BY STUDENTS -
25
WORKSHOP
Case study: Pam-Pam or Keos
26
II. Risk Management
II.1. ERM frameworkII.2. COSO: IC framework – ERM
framework
27
II.1. ERM framework
• 2001 – PWC: developed a framework for ERM assessment – completed in 2004
28
II.1. ERM frameworkERM: A process implemented by the board,
management and other staff at enterprise strategic level with a view:– To identify events that could adversely affect the
organization;– To manage the risks within the risk appetite
limits – To obtain a reasonable assurance that the
organization’s objectives are achievable.
29
II.1. ERM frameworkOrganization’s objectives:
• Strategic• Operational • Reporting
• Compliance
30
II.1. ERM framework Components of ERM framework:
1. Internal environment2. Setting the objectives3. Identification of events4. Risk assessment5. Risk response: AARS (avoid, accept, reduce,
share) 6. Control activities7. Information and communication8. Monitoring
31
II.1. ERM frameworkObjectives – components relationships:
Internal EnvironmentIdentification of events
Risk assessmentRisk response
Control activitiesInf.&Communic.
Monitoring
Stra
tegic
Opera
tiona
lRap
ortin
gCo
mplian
ce
OrganizationD
ivisionBusiness unitBranch
32
II.1. ERM frameworkERM effectiveness:a. Effective functioning of the 8
components:– There are no material deficiencies
and– Risks managed within the risk appetite
limits
33
II.1. ERM framework
Effectiveness of ERM (cont.)b. Objectives:
–governance structures know whether the objectives are achievable
34
II.1. ERM frameworkGovernance structures’ role:
– Supervision of ERM• Understand the risks and risk
response• Know to what extent the
management has implemented an effective ERM
• Review the risk portfolio against the risk appetite
• Monitor the revision of material risk indicators
35
II.1. ERM framework
COSO responses related ERM – current financial crises:– Reconsideration of current ERM and assessment
of risk appetite
ERM is an integral component of internal control!
36
II.2. COSO: IC – ERM frameworks• Are there any differences?
– ERM: risk based assessment– COSO-CI: IC framework
• ERM – IC framework components: similar(environment, monitoring, communication and
information, etc.)• Is ERM an improved version of IC
framework?• The controversial role of internal auditors:
– ERM seem to provide assurance that risks are managed!
37
III. Fraud: detection and prevention
38
Lecture outlines:
1. The concept of fraud
2. Responsibilities for fraud
prevention&detection - DPF2.1. Risk of fraud assessment - EFR
2.2. “Audit of fraud” and IIA requirements
39
1. The concept of fraud
Illegal actions – deception, betrayal Does not necessarily imply the use of
force or force threatsActions done purposely:
to obtain financial benefits to avoid the payment for or the opportunity
lost of a financial/personal benefit
40
1. The concept of fraud
Benefits:
• direct – e.g.: money
• indirect – e.g.: promotion, power,
influence.
41
1. The concept of fraudFrauds committed in the organization’s
benefit: Sale of fictitious assets; Forbidden payments: illegal financing of political
campaigns, bribery, etc.; False statement/misuses of transactions; Incorrect assessment of transfer prices (for assets
exchanged between members of the same group).
42
1. The concept of fraudFrauds committed in the organization’s benefit
(cont.):misrecording or misreporting of transactions to
mislead users of financial reports; Illegal commercial activities;Tax frauds.
43
1. The concept of fraud
Frauds committed in the organization’s
detriment:
Acceptance of bribery;Unlawful seizure of profitable transactions by an
employee; Invoicing goods or services which were actually
not provided to the company.
44
1. The concept of fraudFrauds committed in the organization’s
detriment(cont.):Misuse of resources or falsification of
accounting records; Intentional omission or misleading
interpretation of events or transactions.
45
1. The concept of fraudIndications of fraud (Simmons):
intentionally
trust
InjuryVictim
Action
46
1. The concept of fraudFrauds (Simmons):
Bribery: offering, acceptance, requesting;Theft;Conflict of interest;False statements;Swindle;Mail and internet frauds;Conspiracy;Brake of financial obligations provided by
agreements;Embezzlement.
47
2. Responsibilities for DPF
Fraud
48
2. Responsibilities for DPFBoard + AC – supervise:
antifraud programmes and controls, including identification of fraud risk and implementation of antifraud actions;
the risk of controls avoidance and inappropriate management influence;
whistle-blowing mechanisms;
49
2. Responsibilities for DPFBoard + AC – supervise (cont.):
regular reporting: nature, stage and actions taken for detected frauds;
IA plan: risk of fraud and whistle-blowing channels for IA;
involvement of independent experts in investigations of frauds.
50
2. Responsibilities for DPF
IA role – to answer to questions like:What is the risk of fraud within the
organization?What are the programs and internal controls
that have been implemented to face these risks?
What is IA doing to PDRF before it leads to corporate scandals?
51
2.1. Assessment of the risk of fraud
IA role – the process of ARF:Organize the assessment process – integration of ARF within the current risks assessment process / setting up a separate process.Identify the areas to be assessed - ARF at each of the following level:
organization, units, operations (accounts, etc.); complex transactions (e.g. acquisitions, mergers, combinations, etc.)
52
2.1. Assessment of the risk of fraud
IA role – the process of ARF (cont.):Identify the possible scenarios: the organization commits frauds or suffer injuries due to other’s frauds? How? DB – specific issues;Assess the likelihood of fraud commitment.
scale used for assessmentUS practice: three level qualitative values
Assess the relevance of the RF: Impact of RF RR = Impact X LikelihoodUS practice: RR ≥ average – considered by IA
53
2.1. Assessment of the risk of fraud
IA role – the process of ARF(cont.):Identify and assess the associated internal controls
Avoidance / ignorance of internal controlsIdentify internal controls unable to mitigate the RF
Integrate the ARF results within the audit plan: a separate section dedicated to audit of fraud based on residual risk
54
2.2. Audit of fraudG.1210-A2.2 – Responsibilities for fraud
detection (FD): – FD = identification of fraud indications sufficient
to request an investigation. IA responsibilities:
To have sufficient and appropriate knowledge regarding the fraud indications:
The basic elements of a fraud, Techniques used,Types of frauds particular for the audited areas;
55
2.2. Audit of fraudResponsabilităţile AI (cont.):
să fie vigilent deficienţele SCI: prezenţa mai multor indicii, simultan, creşte probabilitatea ca o fraudă să fi fost comisă;
să evalueze indiciile unei fraude şi să decidă dacă sunt necesare alte măsuri sau să se recomande o anchetă;să înştiinţeze autorităţile competente din cadrul entităţii.
56
G. 1210.A2-1, Fraud detection
IA responsibilities: To investigate and assess the existence and importance of eventual associations to commit frauds; To establish the required knowledge, abilities and other competencies to conduct an investigation;To set up procedures to be followed in order to identify the fraud authors, the fraud scope, the reasons, impacts, and the techniques used;
2.2. Audit of fraud
57
2.2. Audit of fraudIA responsibilities:
To coordinate its activities during the investigation with management, legal advisors, and any other expert involved;To be aware of the rights of the supposed authors of fraud.
58
2.2. Audit of fraudG 1210.A2-1, Fraud detection:
Reporting the results of an audit of fraud engagement – issues to be considered:
Recommendations for implementation and/or strengthening the internal controls;Design audit test that would allow future detection of similar frauds;The need to set up a knowledge file related to the risk of fraud;Privileged information.
59
2.2. Audit of fraudIIAS 2400:
Immediate reporting to the executive management and the board:
If a relevant fraud has been detected – high certainty;The fraud has had an adverse significant impact on the financial position and financial results reported for the previous years.
60
61
62
63