GFOASC, 6/16/2016
Key Internal Control Concepts
Presented by
Steven L. Blake CPA, CFE, CICA, [email protected] 864‐680‐6191
Agenda
• 8:45 BEGIN
• 10:00 TAKE A 10 MINUTE BREAK
• 12‐12:15 LUNCH [COURSE WILL CONTINUE THROUGH LUNCH TIME AS LUNCH IS HERE]
• 2:00 TAKE A 10 MINUTE BREAK
• 4:00 END
Internal Control Definition
• An Historical Overview
Internal Control Definition
• Foreign Corrupt Practices Act ‐ 1977
– Intended to stop corporate bribery,
– Strengthen the accuracy of corporate books, as companies were falsifying corporate records to hide the payments, and
– Outlawed secret, off‐the‐books “slush” funds making illegal campaign contributions within the United States.
Internal Control Definition
• Foreign Corrupt Practices Act ‐ 1977
– First used the words “internal control” in the context of improving the reliability of the audit process, which constituted the foundation of our system of corporate disclosure, and
– Required companies to have and use internal controls to prevent and detect violations of the FCPA.
Internal Control Definition
• There was a problem discovered early on in legal proceedings related to prosecution of FCPA violations: what is internal control?
• How much is enough?
• Who is responsible and at what level?
Internal Control Definition
• Hence the National Commission on Fraudulent Financial Reporting (the Treadway Commission) was formed in 1985
– Original Chair: James C. Treadway, Jr., a Paine Webber attorney and former SEC Commissioner
– Released a report on fraudulent financial reporting in October 1987
– COSO was formed as a result of the report
Internal Control Definition
• COSO = the Committee of Sponsoring Organizations of the Treadway Commission
– 5 Original Sponsors: AICPA, American Accounting Association [AAA], Financial Executives International [FEI], Institute of Internal Auditors [IIA] and Institute of Management Accountants [IMA]
Internal Control Definition
COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.
Internal Control Definition
• COSO produced its first framework in 1992
• Republished in 1994 with minor changes
• Reorganized in December 2011; expanded into principles and attributes; republished 2013
Internal Control Definition
• In a 2006 CFO magazine poll, 82% of respondents claimed they used COSO’s framework for internal control.
• Other frameworks mentioned
– SAS 55/78 (AICPA)
– COBIT
– PCAOB AS2
Internal Control Definition
• In no legal way does COSO’s framework apply to governments or NGOs
• Sarbanes‐Oxley does not apply either
• However, as we shall see later, COSO’s framework is evaluated by anyone who is required to have a member of the AICPA audit their financial statements
WHY THE UPDATE?
• “IN THE 20 YEARS SINCE THE INCEPTION OF THE ORIGINAL FRAMEWORK, BUSINESS AND OPERATING ENVIRONMENTS HAVE CHANGED DRAMATICALLY, BECOMING INCREASINGLY COMPLEX, TECHNOLOGICALLY DRIVEN AND GLOBAL.”
• AT THE SAME TIME . . .
WHY THE UPDATE?
• “… STAKEHOLDERS ARE MORE ENGAGED, SEEKING GREATER TRANSPARENCY AND ACCOUNTABILITY FOR THE INTEGRITY OF SYSTEMS OF INTERNAL CONTROL THAT SUPPORT BUSINESS DECISIONS AND GOVERNANCE OF THE ORGANIZATION.”
• SOURCE: COSO September 2012
COSO HISTORY
THE “CUBE”
Components Principles
ENTERPRISE RISK MANAGEMENT
COSO ERM Definition
Another Definition
• Enterprise Risk Management (ERM) is a process-driven tool that enables senior management to visualize, assess and manage significant risks that may adversely impact the attainment of key organizational objectives
(source: University System of Georgia, Board of Regents ERM program)
Two Approaches
• A compliance burden, and efforts are just to document controls to meet minimum requirements.
• Creates value‐added opportunities for improvement in key business processes.
Second Group Accomplishments
• Re‐engineer processes to capture or improve efficiencies
• Automating controls where applicable
• Locating and strengthening deficiencies
• Strengthen Financial Competencies
Second Group Accomplishments
Our focus for the rest of this class will be on the accomplishments of the second group: how to leverage what they have done and how to “take it home”.
INTEGRATION OF CONTROLS AND PRINCIPLES/COMPONENTS
Effective Internal Control
• When it is determined that the entity has effective internal control, the board and management have reasonable assurance of the following categories of objectives:
– Operating
– Reporting
– Compliance
• The Framework establishes that components and principles are what are needed to have an effective system of internal control. It does not however prescribe a process by which management assesses its effectiveness.
OK – SO WHAT DOES THIS MEAN TO ME?
Auditing Rules
1. Statement on Auditing Standards No. 92
2. Statement on Auditing Standards No. 99
3. Statement on Auditing Standards No. 109
4. Statement on Auditing Standards No. 113
OK – SO WHERE AM I NOW?
Capability Maturity Model
INTEGRATED RISK MANAGEMENT & I/C MATURITY MATRIX
LEVEL 1: ALWAYS IN CRISIS MANAGEMENT MODE; NON EXISTENT OR AD HOC
LEVEL 2: FORMAL INTERNAL CONTROLS WITH PRIMARY FOCUS ‐ EXTERNAL F/R BUT PERFORMED IN A SILO; INTERNAL CONTROL ONLY
LEVEL 3: IC COMPLEMENTED WITH RISK MGT; RM/IC AS A SILO
LEVEL 4: AN INTEGRATED APPROACH WITH GOVERNANCE & MNGMT PARTICIPATION; INTEGRATED RM/IC
The Cycle of Learning
WHERE DO I GO FROM HERE?
• Fraud Definitions
• Specific Schemes
• Internal Control Best Practices
• Detection and Deterrence Methods
Part I
• Definitions
Recognizing & Defining Fraud
• Definition
• Warning signs
• The “Typical” Embezzler
• Fraud Diamond
Fraud Defined
• Deliberately falsified information, in the form of a report, done with the intent to sway a decision-maker [ a lie ]
• Asset Misappropriation – using, converting or removing entity assets for personal use. [ theft ]
• Abuse of Public Office [ corruption ]
Warning Signs
• Organizational culture of arrogance and/or entitlement; failure to listen to staff
• Accounting policies that rely too heavily on management’s judgment
• Departure of key senior management
• Overly centralized control of financial reporting, especially in large organizations with a qualified finance staff
Warning Signs
• Failure to pay bills on time or as timely as in prior years
• Accounting policies seem overly aggressive, especially when given the qualifications of the accounting staff
• Periods of prolonged success even during periods when the industry is down
• Transactions lacking economic purpose
The Typical Embezzler
• Trusted, generally long‐term employee
• Generally in a management‐like role
• Dedicated, works long hours
• Rarely takes vacation, dislikes the policy of mandatory vacations. Makes excuses why they cannot go on vacation.
• Resents and will not cooperate with cross‐training.
• Seen as likable and generous
Fraud Diamond
Learning Objectives
• Increase awareness of what fraud looks like
• Provide tools to both early detect and potentially deter fraud
• Discuss risk management techniques to monitor on an on‐going basis
Recognizing Fraud
• Warning signs
• The “Typical” Embezzler
• Fraud Diamond
Part II
• Specific Schemes
Scheme Categories
• Asset Misappropriation
– Kiting, skimming
– Shell games
• Bribery and Corruption
– Illegal gratuities
– Conflicts of interest
• Fraudulent Statements
Asset Misappropriation
• Cash
• Inventory
• Office Supplies
• Expense Reports
• Company Vehicles, Cell Phones
• Accounts Receivables, Revenues
• Falsifying Hours on a Timesheet
Survey on Misappropriation
• Research indicates the potential for material fraud exists in the American workplace. According to a 2003 survey sponsored by Ernst & Young LLP, 20% of American workers are personally aware of fraud in the workplace.
• Respondents to this survey estimated employers lost 20% of every dollar to some type of workplace fraud and were personally aware of fraud due to the following:
– Theft of office items.
– Claiming extra hours worked.
– Expense accounts.
– Taking kickbacks from suppliers.
Bribery and Corruption
• By far the most common in government officials
• Common in procurement also
• Generally begins with an ethics issue related to a conflict of interest [individual interest takes precedence over organizational interest]
• Breach of Fiduciary Duty
Fraudulent Financial Reporting
• Manipulation, falsification or alteration of accounting records or supporting documentation;
• Misrepresentations or intentional omissions; and/or
• Intentional misapplication of accounting principles
Medicare – Medicaid and other Federal Programs
• Pulitzer Prize winning website: http://www.politifact.com
• “Pants on Fire” ratings on political statements
• Articles on “fraud” versus “error” rates
• Fraud versus abuse
Legal Definition of Fraud
• A false representation of a matter of fact
• That deceives or intends to deceive another
• So that the other acts on that false representation of fact
• To their legal injury
Part III
• Internal Control Best Practices
Best Practice Policies
• Awareness/Training
• Recognition
• Trust, but verify
Part III
• DETECTION AND DETERRENCE
Risk Management Frameworks
• COSO ERM Framework
• ACFE Fraud Risk Management
• ISO 31000 Risk Management Principles and Guidelines
• IT CoBIT Framework
How do I Start?
Risk Management
• Only four ways to manage risk:
– Avoidance – cease doing what it is that creates risk
– Sharing – buy insurance if it can be insured
– Reduction – Build a prevention system
– Acceptance – the default position if none of the above are done.
Risk Assessment Measurements
• Impact
• Likelihood
Risk Procedures Integration
• Fraud Detection
• Fraud Deterrence
• Fraud Prevention
Traditional Outlooks
• External audits provide assurance
• People are for the most part honest
• These are good economic times
Risk Awareness
• Across departments
• By Type
• Embedded into existing management systems
Risk Appetite
• Can be Subjective
• Based on Cost Benefit
• Capability Maturity Model
Levers of Control
• Belief System
• Boundary System
• Diagnostic System
• Interactive Control System
Belief System
• The entity’s core values used to INSPIRE and DIRECT actions
Boundary System
• Ethical limits beyond which behavior is prohibited
Diagnostic System
• The entity’s system(s) that ensure the effective and efficient achievement of goals; i.e. budgets
Interactive Control System
• The entity’s top level development of strategy, risk assessment and monitoring of competitive conditions and technology changes
Fraud Risk
• The risk/vulnerability an entity has to the possibility that someone in their organization is capable of overcoming the elements of the fraud triangle/diamond
• This risk differs from any other risk because by nature it is intentional misconduct designed to evade detection.
Inherent and Residual Risk
• Inherent risk exists in the system before any type of system/management intervention
• Residual risk exists in the system after system or management actions are taken.
What to do with Risk or “Risk Responses”
• Risk Avoidance,
• Risk Reduction,
• Risk Sharing,
• and Risk Acceptance
Specific Process Interventions
• TIMELY Reconciliations
• Segregation of Duties
• Cross-training
• Mandatory vacations where others perform your duties and answer your phone calls
• Analytical procedures
• “Turn the Light on” decisions
Bottom Line
• One size does not fit all!
• You must build your system within the resources that you have.
• Therefore, trying what someone else has done, without their resources could be devastating.
Segregation of Duties
• Custody
• Authorization
• Record‐keeping/ Reconciliation
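A small worked check for the three duty classes above (custody, authorization, record‐keeping/reconciliation), added here as an example and not part of the slides. It tags each system entitlement with a duty class and a process cycle, then flags any user who holds two or more classes within the same cycle, which is the combination that lets one person both take an asset and conceal it. The users, entitlement names and cycles are constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed role matrix.

Added example, not from the GFOASC slides. The three duty classes are the
ones named on the slide; a user holding more than one class in the same
process cycle is reported as a conflict. All names below are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Duty classes from the slide; each entitlement is tagged with exactly one.
CUSTODY, AUTHORIZATION, RECORDING = "custody", "authorization", "record-keeping"

# Constructed mapping: entitlement name -> (process cycle, duty class).
ENTITLEMENTS = {
    "ap.release_payment":    ("disbursements", CUSTODY),
    "ap.approve_invoice":    ("disbursements", AUTHORIZATION),
    "vendor.create":         ("disbursements", AUTHORIZATION),
    "gl.post_journal":       ("disbursements", RECORDING),
    "gl.reconcile_bank":     ("disbursements", RECORDING),
    "cash.receive_deposits": ("receipts", CUSTODY),
    "ar.write_off_balance":  ("receipts", AUTHORIZATION),
    "ar.post_receipt":       ("receipts", RECORDING),
}

# Constructed user -> entitlements, as an access-review export might list them.
ASSIGNMENTS = {
    "alice": ["ap.approve_invoice", "vendor.create"],            # one class only
    "bob":   ["gl.post_journal", "gl.reconcile_bank"],           # one class only
    "carol": ["ap.release_payment", "gl.post_journal"],          # custody + recording
    "dave":  ["cash.receive_deposits", "ar.post_receipt",
              "ar.write_off_balance"],                           # all three classes
    "erin":  ["ap.approve_invoice", "cash.receive_deposits"],    # different cycles
}


def duties_by_cycle(entitlements):
    """Group one user's entitlements as {cycle: {duty_class: [entitlement, ...]}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for ent in entitlements:
        if ent not in ENTITLEMENTS:
            # An unclassified entitlement cannot be reviewed; fail loudly rather
            # than silently treating it as harmless.
            raise KeyError(f"unclassified entitlement {ent!r}")
        cycle, duty = ENTITLEMENTS[ent]
        grouped[cycle][duty].append(ent)
    return grouped


def find_sod_conflicts(assignments):
    """Return (user, cycle, duty_a, duty_b) for every pair of duty classes one
    user holds within the same cycle. Classes held in different cycles do not
    conflict under this rule."""
    conflicts = []
    for user, ents in sorted(assignments.items()):
        for cycle, duties in sorted(duties_by_cycle(ents).items()):
            for duty_a, duty_b in combinations(sorted(duties), 2):
                conflicts.append((user, cycle, duty_a, duty_b))
    return conflicts


def users_needing_compensating_control(conflicts):
    """Where staff is too small to split the duties, the slide's own fallbacks
    (timely reconciliation by someone else, mandatory vacations) apply to the
    users listed here."""
    return {user for user, _, _, _ in conflicts}


if __name__ == "__main__":
    found = find_sod_conflicts(ASSIGNMENTS)
    for user, cycle, duty_a, duty_b in found:
        print(f"SoD conflict: {user} holds {duty_a} and {duty_b} in the {cycle} cycle")
    print("compensating control needed for:",
          sorted(users_needing_compensating_control(found)))
```

Run as a script it reports one conflict for carol (custody plus record‐keeping in disbursements) and three for dave (every pair of the three classes in receipts); erin holds two classes but in different cycles, so the rule as written does not flag her. The entitlement-to-duty mapping is the part that takes real effort in practice, since it has to be maintained as systems and roles change.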
Fraud Risk
• The risk/vulnerability an entity has to the possibility that someone in their organization is capable of overcoming the elements of the fraud diamond
• This risk differs from any other risk because by nature it is intentional misconduct designed to evade detection.
Class Exercise
Discuss the pros and cons of having an audit committee
What duties would an audit committee perform to strengthen the financial reporting process?
Who should be on an audit committee?
What is a Risk Assessment?
A process that defines how an organization:
• Identifies risks to the achievement of its mission, goals, & objectives
• Measures the significance of each identified risk
• Determines the most appropriate business response to each risk
• Monitors how well the responses are carried out
Publications
• IFAC: Evaluating and Improving Internal Control in Organizations
• COSO: Internal Control an Integrated Framework
• ISACA: COBIT 5 Framework
ISACA Principles
• Meeting Stakeholder Needs
• Covering the Entity End‐to‐end
• Applying a single, integrated framework
• Enable a Holistic Approach
• Separating Governance from Management
IFAC Holistic Risk Assessment
• Eight all important questions:
1. Are the various departments that deal with a specific risk or have responsibility for associated controls working together?
Holistic Risk Assessment
2. Does the organization have an accurate and comprehensive understanding of its current risks?
3. Does the organization understand how various risks might have common causes or mutually reinforcing consequences?
Holistic Risk Assessment
4. Are the organization's risks within the limits for risk‐taking as determined in its risk‐management strategy and policies on internal control?
Holistic Risk Assessment
5. Are risks treated on an individual basis or does the organization understand the overall effect of uncertainty on its objectives?
6. Does the organization sufficiently know the effectiveness of its controls and how they could be further improved?
Holistic Risk Assessment
7. How can the organization be certain it knows the correct answers to the preceding questions?
8. What are the processes for monitoring and evaluating, and are the processes effective?
First Steps to Improvement
• Understanding the controls themselves
• Whether they are working as designed or not
• Not just compliance anymore ‐ proactive
Ownership Creates Execution
• Engage ALL people in participating in the process
• Keep people mission/goal/objective oriented
• If they are not engaged, they will not be successful