Internal Control Finance Master 2


Transcript of Internal Control Finance Master 2

  • 8/16/2019 Internal Control Finance Master 2

    Internal Control, Master 2 FINANCE

    Internal Control

    2015/2016


    Some examples

    Internal Control, Master 2 CCA

    Textile industry

    An HR employee within a textile company diverted a sum of 500 KMAD over 7 years by creating several fictitious accounts.

    This person had access rights to the employees’ master file, and no control was performed on this database by an independent person.

    - Access right issue
    - Lack of control


    Food & beverage company

    The accountant ran his own accounting firm (fiduciaire) and regularly charged small amounts for diverse accounting work ("analysis of account, inventory").

    He himself approved these invoices on behalf of the company.

    - Segregation of duties issue
    - Lack of control


    Telecom company

    During the implementation of a new accounting system, the total of expense accounts moved from 10 MMDH to 11 MMDH just after the data transfer.

    - Old software: total of expenses 10 MMDH
    - New software: total of expenses 11 MMDH

    Over-booking of 1 MMDH

    No verification after the data transfer


    Oil company

    Gap between revenues booked & revenues in Sales Software

    - Lack of reconciliation
    - Transfer issue from sales software to accounting software
    - Batches not checked periodically


    Private Hospital

    Within the emergency departments of a private hospital, the same person was responsible for the invoicing and the payment collection.

    She was able to divert an amount of 76 KMAD within 18 months.

    Segregation of duties issue


    Building material company

    A storeman in a building material company was able to divert a sum of 350 KMAD by creating vouchers of fictitious returns.

    Lack of verification on returns


    Hardware distribution company

    In a hardware distribution company, the person in charge of the "spare parts" stock diverted an amount of 590 KMAD within 3 years.

    This person was handling the stock in the system, performing the annual physical inventory and entering the inventory adjustments in the system.

    Segregation of duties issue


    Pharmaceutical company

    Many employees involved in the fraud

    Payment of 552 KMAD related to a fictitious event

    - Creation of a fictitious purchase request by the brand manager
    - Creation of a fictitious purchase order by the person responsible for purchasing
    - Fictitious invoice sent by the event company
    - Validation of the invoice & payment by the CFO


    Internal Control

    Internal Control is everywhere:

    - All kinds of companies & activities (industry, distribution, services...),
    - Financial & non-financial processes,
    - Manual & automated processes,
    - All employees (management, executives...),
    - Internal & external parties


    Internal Control definition

    Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    - Reliability of financial reporting
    - Compliance with applicable laws and regulations
    - Protection of assets
    - Effectiveness and efficiency of operations


    This definition reflects certain fundamental concepts:

    - Internal control is the framework of systems, processes and controls established to mitigate risks.
    - Internal control is effected by people. It is not merely policy manuals and forms, but involves people at every level of an organization.
    - Internal control can be expected to provide only reasonable assurance, not absolute assurance, on the achievement of objectives.


    Compliance with applicable laws and regulations

    - Fiscal law (CGI)
    - CNSS
    - Exchange law
    - Labor law
    - Customs
    - Activity code
    - Penal code
    - Commercial law
    - Personal data law
    - Accounting law


    Reliability of financial information

    Taking inventories as an example:

    - Physical inventory
    - Stock value
    - Stock protection
    - Destruction

    - Assets: Tangible & intangible assets; Inventories; Customers; Other assets; Treasury
    - Liabilities: Equity; Vendors (Suppliers); Other debts; Treasury


    Taking treasury as an example:

    - Management of collections
    - Petty cash
    - Signatory power
    - Bank reconciliation

    - Assets: Tangible & intangible assets; Inventories; Customers; Other assets; Treasury
    - Liabilities: Equity; Vendors (Suppliers); Other debts; Treasury


    Internal control components (COSO)

    The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems. COSO is supported by five supporting organizations, including the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI).


    I- Control environment

    - “Tone from the top”: senior management’s commitment to effective controls.
    - Clarity of roles and responsibilities: associates should understand, and be committed to, their roles and responsibilities, and these should be aligned to business objectives.
    - Awareness: associates should be aware of the relevance and importance of their activities to enable them to contribute to the achievement of business objectives.
    - Cooperation with internal and external auditors: full cooperation should be given to the auditors, providing them with access to all company records and personnel; adequate and secure workspace; and truthful and complete answers to their enquiries.


    1- Integrity & ethics

    The efficiency of internal control procedures depends on the integrity and ethics shown by the employees:

    - Is there a code of conduct?
    - Is there a conflict of interest policy? (family, personal or financial relationships between an employee and a third party...)
    - Is there a punishment mechanism for deviations?


    2- Existence of an audit committee

    - Is there an audit committee?
    - Is the audit committee independent from the management?
    - Does the audit committee issue periodic reports?


    3- Organizational structure

    - Is the entity’s organisational structure appropriate to its size and the nature of its activities?
    - Bureaucratic organization?


    4- Delegation of authority

    The larger a company’s scale of operations, the larger the size of the workforce and, inevitably, the larger the amount of assignment of authority and responsibility that is required.

    - Is there a delegation procedure within the company?
    - Are the delegations documented?
    - Do people have enough knowledge & skills for delegated tasks?


    5- Human resources policies and practices

    Recruitment policies and procedures,

    Remuneration & promotion procedures

    Disciplinary procedures,

    Performance appraisal procedures

    Employment termination procedures


    II- Risk assessment

    Risk identification

    External factors

    - Competition,

    - Customer bankruptcy

    - Changes in the law

    - Disasters

    - ....


    Internal factors

    - Changes at management level,

    - Organizational changes,

    - Staff turnover

    - Volume of manual activities

    - ....


    Risk Impact

    Rating / Description / Definition

    - 1, Very low: Financial loss less than $X million; local media attention quickly remedied; no impact on the company image; no injuries to employees or third parties, such as customers or vendors
    - 2, Minor: Financial loss of $X million up to $X million; local reputational damage; minor injuries to employees or third parties, such as customers or vendors; general staff morale problems and increase in turnover
    - 3, Moderate: Financial loss of $X million up to $X million; national short-term negative media coverage
    - 4, High: Financial loss of $X million up to $X million; significant loss of market share; significant impact on the company reputation
    - 5, Critical: Financial loss of $X million or more; international long-term negative; impact on business continuity


    Likelihood

    Rating / Description / Definition

    - 1, Almost certain (up to once in 2 years or more): 90% or greater chance of occurrence over life of asset or project
    - 2, Likely (once in 2 years up to once in 25 years): 65% up to 90% chance of occurrence over life of asset or project
    - 3, Possible (once in 25 years up to once in 50 years): 35% up to 65% chance of occurrence over life of asset or project
    - 4, Unlikely (once in 50 years up to once in 100 years): 10% up to 35% chance of occurrence over life of asset or project
    - 5, Rare (once in 100 years or less): < 10% chance of occurrence over life of asset or project


    Vulnerability

    Rating / Description / Definition

    - 1, Very high: Company not aware of the risk; no control in place to mitigate the risk
    - 2, High: Control not covering the risk adequately; controls performed but not documented
    - 3, Medium: Control activities are designed and in place; control activities have been documented and communicated to employees; controls can be better monitored
    - 4, Low: Standardized controls with periodic testing for effective design and operation, with reporting to management; automation and tools may be used in a limited way to support control activities
    - 5, Very low: Real-time monitoring by management with continuous improvement; automation and tools are used to support control activities and allow the organization to make rapid changes to the control activities


    Ways of managing risks:

    - Risk avoidance: Completely avoiding an activity that poses a potential risk.
    - Risk transfer: The risk is transferred to a third-party entity (in most cases an insurance company).
    - Risk reduction: This can be done by increasing precautions or limiting the amount of risky activity.
    - Risk acceptance: Retention is effective for small risks that do not pose any significant financial threat.


    Audit Risks

    - Inherent risk: the risk posed by an error or omission in a financial statement due to a factor other than a failure of control.
    - Control risk: the risk of a material misstatement in the financial statements arising due to absence or failure in the operation of relevant controls of the entity.
    - Detection risk: the risk that the auditors fail to detect a material misstatement in the financial statements.


    III- Control activities

    Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives.

    - Segregation of duties
    - Procedures
    - IT controls
    - Approvals & authorizations
    - Reconciliations
    - Protection & securities


    Preventive Controls

    Preventive controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:

    - Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
    - Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.


    Detective controls

    Detective controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:

    - Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
    - Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action when necessary.
    - Physical Inventories
    - Audits


    1- Implementation of Standard Operating Processes (Procedures)

    - Updated
    - Communicated / published
    - Clear
    - Verifiable
    - Coherent with other SOPs
    - Training if required


    2- Segregation of duties (SOD)

    Segregation of duties is essential to minimize the potential for errors or even fraud arising from the same person having responsibility for custody, management and recording activities.

    System access rights should be granted on a "need only" basis, the change process should be controlled, and user profiles should be monitored.

    In a perfect system, no one person should handle more than one of the following types of functions:

    - Authorization
    - Recording
    - Custody of assets
    - Control
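The monitoring of user profiles described on this slide can be automated as a periodic access review. The sketch below is an added example, not part of the original slides: the entitlement names, user names and transaction records are constructed for illustration, loosely modelled on the hospital, spare-parts and self-approved invoice cases from the opening examples.

```python
from itertools import combinations

# Hypothetical entitlement names, each mapped to the one function it grants.
# The four functions are the ones listed on the slide.
ENTITLEMENT_FUNCTION = {
    "invoice.approve": "authorization",
    "payment.release": "authorization",
    "invoice.create": "recording",
    "stock.adjust": "recording",
    "cash.collect": "custody",
    "stock.handle": "custody",
    "inventory.count": "control",
    "bank.reconcile": "control",
}


def sod_conflicts(assignments):
    """Return {user: [(entitlement_a, entitlement_b), ...]} for every pair of
    entitlements that gives one user two different functions."""
    conflicts = {}
    for user, ents in assignments.items():
        unknown = set(ents) - set(ENTITLEMENT_FUNCTION)
        if unknown:
            # Fail closed: an unclassified right cannot be reviewed.
            raise ValueError(f"unmapped entitlements for {user}: {sorted(unknown)}")
        pairs = [
            (a, b)
            for a, b in combinations(sorted(set(ents)), 2)
            if ENTITLEMENT_FUNCTION[a] != ENTITLEMENT_FUNCTION[b]
        ]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def self_approved(transactions):
    """Detective check: ids of transactions recorded and approved by the same user."""
    return [t["id"] for t in transactions if t["created_by"] == t["approved_by"]]


# Constructed sample data (not from the slides).
ASSIGNMENTS = {
    "er_clerk": ["invoice.create", "cash.collect"],                    # invoicing + collection
    "storeman": ["stock.handle", "inventory.count", "stock.adjust"],   # custody + count + adjustments
    "ap_clerk": ["invoice.create"],
    "cfo": ["invoice.approve", "payment.release"],                     # one function only
}
TRANSACTIONS = [
    {"id": "INV-001", "created_by": "ap_clerk", "approved_by": "cfo"},
    {"id": "INV-002", "created_by": "accountant", "approved_by": "accountant"},
]

if __name__ == "__main__":
    for user, pairs in sod_conflicts(ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"{user}: {a} ({ENTITLEMENT_FUNCTION[a]}) conflicts with "
                  f"{b} ({ENTITLEMENT_FUNCTION[b]})")
    print("self-approved:", self_approved(TRANSACTIONS))
```

The first check is preventive (run it before granting or changing a profile); the second is detective and works even where small teams make full segregation impractical.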


    3- IT Controls

    IT controls:

    - General controls
    - Application controls


    General controls

    - Back-up & recovery: procedures to enable continued processing despite adverse conditions.
    - Software development: standards and controls designed to ensure IT projects are effectively managed.
    - Logical access: policies, standards and processes; controls designed to manage access based on business need.
    - Incident management: policies and procedures; controls designed to address operational processing errors.
    - Physical security: controls to ensure the physical security of information technology from individuals and from environmental risks.


    Application controls

    - Validity checks: controls that ensure only valid data is input or processed.
    - Authorization: controls that ensure only approved business users have access to the application system.
    - Work flow controls: used to notify application users that a transaction or process is awaiting their action.
    - Completeness checks: controls that ensure all records were processed from initiation to completion.


    4- Reconciliation controls:

    All reconciling items (differences, exceptions etc.) should be properly identified, justified and documented. Formal sign-off by an independent supervisor should ensure adequate completion of the work.

    - Bank reconciliation
    - Stock reconciliation
    - Sales reconciliation (Sales application vs accounting system)
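A sales reconciliation of the kind listed above, and the post-transfer verification missing in the telecom and oil company cases, can be run as a record-level comparison that itemises every difference. This is an added example, not part of the original slides; the record ids, amounts and the `reconcile` function are constructed for illustration.

```python
from collections import Counter, defaultdict
from decimal import Decimal


def _index(rows):
    """Count occurrences and sum amounts per record id."""
    counts, totals = Counter(), defaultdict(Decimal)
    for record_id, amount in rows:
        counts[record_id] += 1
        totals[record_id] += Decimal(amount)
    return counts, totals


def reconcile(source, target):
    """Compare (record_id, amount) rows from a source system with the rows
    that arrived in the target system and list every reconciling item."""
    src_n, src_t = _index(source)
    tgt_n, tgt_t = _index(target)
    items = []
    for rid in sorted(set(src_n) | set(tgt_n)):
        delta = tgt_t[rid] - src_t[rid]
        if tgt_n[rid] < src_n[rid]:
            kind = "missing_in_target"      # completeness failure
        elif tgt_n[rid] > src_n[rid]:
            kind = "extra_in_target"        # e.g. a batch posted twice
        elif delta != 0:
            kind = "amount_mismatch"        # same record, different value
        else:
            continue
        items.append((rid, kind, delta))
    source_total = sum(src_t.values(), Decimal(0))
    target_total = sum(tgt_t.values(), Decimal(0))
    return {
        "source_total": source_total,
        "target_total": target_total,
        "difference": target_total - source_total,
        "items": items,
    }


# Constructed sample data: sales application export vs accounting ledger.
SALES_APP = [("S1", "100.00"), ("S2", "250.50"), ("S3", "75.25"), ("S4", "40.00")]
LEDGER = [
    ("S1", "100.00"),
    ("S2", "250.50"),
    ("S2", "250.50"),   # duplicate posting
    ("S3", "57.25"),    # digits transposed during transfer
    # S4 never arrived
]

if __name__ == "__main__":
    result = reconcile(SALES_APP, LEDGER)
    print("difference:", result["difference"])
    for rid, kind, delta in result["items"]:
        print(f"  {rid}: {kind} ({delta:+})")
```

Comparing control totals alone would show only the net gap; the itemised list is what lets each difference be justified, documented and signed off.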


    5- Approvals & authorizations

    All transactions should be approved in accordance with Management Authorization Levels. Approvals should be documented and traceable.

    Approvals should be obtained for all types of transactions:

    - Validation of purchase requests
    - Releasing of blocked sales orders
    - Validation of payment term changes
    - Validation of customer credit limit change
    - ...


    IV- Information & communication

    - Appropriate management information: should be identified, captured and communicated in a form and timeframe that supports all other control components to enable effective measurement and monitoring of performance, e.g. analysis of variances with root causes explained; profitability analysis; and review and documented actions as a result of exception reports.
    - Escalation of non-compliance: any non-compliance with applicable laws and regulations should be reported to management and a remediation plan implemented immediately.


    V- Monitoring controls

    There should be effective procedures to review and check the accuracy and completeness of input, processing and output from processes.

    This is accomplished through ongoing monitoring activities and compliance metrics as well as separate evaluations and reviews. Ongoing monitoring includes regular management and supervisory activities. The scope and frequency depend on the assessment of risks and effectiveness of controls.


    Internal control & fraud

    Fraud classification

    Accounting fraud

    1- Overstating the revenues:

    - Recognition of revenues in the wrong period (cut-off issue)
    - Booking of fictitious products
    - Overstating the inventory value

    2- Underestimating the costs:

    - Expenses booked as assets
    - Underestimating accruals & provisions


    Role of internal control in fraud detection

    Diversion of collections

    1. Lapping fraud (diverting a payment from one customer account to another)
    2. Sales not booked in revenue account
    3. Fraudulent change of selling prices

    Diversion of payments

    1. Fictitious purchases
    2. Fictitious expense reports (overstated, already reimbursed...)
    3. Payroll fraud (fictitious salaries, overstating working hours, overstating remunerations...)