Key Internal Control Concepts

GFOASC, 6/16/2016

Presented by

Steven L. Blake CPA, CFE, CICA, CGMA

SLBCPA@CHARTER.NET    864‐680‐6191

Agenda


• 8:45 BEGIN

• 10:00 TAKE A 10 MINUTE BREAK

• 12‐12:15 LUNCH [COURSE WILL CONTINUE THROUGH LUNCH TIME AS LUNCH IS HERE]

• 2:00 TAKE A 10 MINUTE BREAK

• 4:00 END

Internal Control Definition


• An Historical Overview


Internal Control Definition


• Foreign Corrupt Practices Act ‐ 1977

– Intended to stop corporate bribery,

– Strengthen the accuracy of corporate books, as companies were falsifying corporate records to hide the payments, and

– Outlawed secret, off‐the‐books “slush” funds making illegal campaign contributions within the United States.

Internal Control Definition


• Foreign Corrupt Practices Act ‐ 1977

– First used the words “internal control” in the context of improving the reliability of the audit process, which constituted the foundation of our system of corporate disclosure, and

– Required companies to have and use internal controls to prevent and detect violations of the FCPA.

Internal Control Definition


• There was a problem discovered early on in legal proceedings related to prosecution of FCPA violations: what is internal control?

• How much is enough?

• Who is responsible and at what level?


Internal Control Definition


• Hence the National Commission on Fraudulent Financial Reporting (the Treadway Commission) was formed in 1985

– Original Chair: James C. Treadway, Jr., a Paine Webber attorney and former SEC Commissioner

– Released a report on fraudulent financial reporting in October 1987

– COSO was formed as a result of the report

Internal Control Definition


• COSO = the Committee of Sponsoring Organizations of the Treadway Commission

– 5 Original Sponsors: AICPA, American Accounting Association [AAA], Financial Executives International [FEI], Institute of Internal Auditors [IIA] and Institute of Management Accountants [IMA]

Internal Control Definition

COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.


Internal Control Definition


• COSO produced its first framework in 1992

• Republished in 1994 with minor changes

• Reorganized in December 2011; expanded into principles and attributes; republished 2013

Internal Control Definition


• In a 2006 CFO magazine poll, 82% of respondents claimed they used COSO’s framework for internal control. 

• Other frameworks mentioned

– SAS 55/78 (AICPA)

– COBIT

– PCAOB AS2

Internal Control Definition


• In no legal way does COSO’s framework apply to governments or NGOs

• Sarbanes‐Oxley does not apply either

• However, as we shall see later, COSO’s framework is evaluated by anyone who is required to have a member of the AICPA audit their financial statements


WHY THE UPDATE?

• “IN THE 20 YEARS SINCE THE INCEPTION OF THE ORIGINAL FRAMEWORK, BUSINESS AND OPERATING ENVIRONMENTS HAVE CHANGED DRAMATICALLY, BECOMING INCREASINGLY COMPLEX, TECHNOLOGICALLY DRIVEN AND GLOBAL.”

• AT THE SAME TIME . . .

WHY THE UPDATE?

• “… STAKEHOLDERS ARE MORE ENGAGED, SEEKING GREATER TRANSPARENCY AND ACCOUNTABILITY FOR THE INTEGRITY OF SYSTEMS OF INTERNAL CONTROL THAT SUPPORT BUSINESS DECISIONS AND GOVERNANCE OF THE ORGANIZATION.”

• SOURCE: COSO September 2012


COSO HISTORY

THE “CUBE”


Components Principles


ENTERPRISE RISK MANAGEMENT

COSO ERM Definition


Another Definition

• Enterprise Risk Management (ERM) is a process-driven tool that enables senior management to visualize, assess and manage significant risks that may adversely impact the attainment of key organizational objectives

(source: University System of Georgia, Board of Regents ERM program)

Two Approaches

• A compliance burden, where efforts are just to document controls to meet minimum requirements.

• Creates value‐added opportunities for improvement in key business processes.

Second Group Accomplishments

• Re‐engineer processes to capture or improve efficiencies

• Automating controls where applicable

• Locating and strengthening deficiencies

• Strengthen Financial Competencies


Second Group Accomplishments

Our focus for the rest of this class will be on the accomplishments of the second group: how to leverage what they have done and how to “take it home”.


INTEGRATION OF CONTROLS AND PRINCIPLES/COMPONENTS


Effective Internal Control

• When it is determined that the entity has effective internal control, the board and management have reasonable assurance of the following categories of objectives:

– Operating

– Reporting

– Compliance

• The Framework establishes that components and principles are what are needed to have an effective system of internal control. It does not, however, prescribe a process by which management assesses its effectiveness.


OK – SO WHAT DOES THIS MEAN TO ME?

Auditing Rules

1. Statement on Auditing Standards No. 92

2. Statement on Auditing Standards No. 99

3. Statement on Auditing Standards No. 109

4. Statement on Auditing Standards No. 113


OK – SO WHERE AM I NOW?


Capability Maturity Model

INTEGRATED RISK MANAGEMENT & I/C MATURITY MATRIX

• LEVEL 1 - NON EXISTENT OR AD HOC: ALWAYS IN CRISIS MANAGEMENT MODE

• LEVEL 2 - INTERNAL CONTROL ONLY: FORMAL INTERNAL CONTROLS, PRIMARY FOCUS ‐ EXTERNAL F/R

• LEVEL 3 - RM/IC AS A SILO: IC COMPLEMENTED WITH RISK MGT, BUT PERFORMED IN A SILO

• LEVEL 4 - INTEGRATED RM/IC: AN INTEGRATED APPROACH WITH GOVERNANCE & MNGMT PARTICIPATION

The Cycle of Learning


WHERE DO I GO FROM HERE?

• Fraud Definitions

• Specific Schemes

• Internal Control Best Practices

• Detection and Deterrence Methods

Part I

• Definitions

Recognizing & Defining Fraud

• Definition

• Warning signs

• The “Typical” Embezzler

• Fraud Diamond


Fraud Defined

• Deliberately falsified information, in the form of a report, done with the intent to sway a decision‐maker [a lie]

• Asset Misappropriation – using, converting or removing entity assets for personal use [theft]

• Abuse of Public Office [corruption]

Warning Signs

• Organizational culture of arrogance and/or entitlement; failure to listen to staff

• Accounting policies that rely too heavily on management’s judgment

• Departure of key senior management

• Overly centralized control of financial reporting, especially in large organizations with a qualified finance staff

Warning Signs

• Failure to pay bills on time or as timely as in prior years

• Accounting policies seem overly aggressive, especially when given the qualifications of the accounting staff

• Periods of prolonged success even during periods when the industry is down

• Transactions lacking economic purpose


The Typical Embezzler

• Trusted, generally long‐term employee

• Generally in a management‐like role

• Dedicated, works long hours

• Rarely takes vacation, dislikes the policy of mandatory vacations. Makes excuses why they cannot go on vacation.

• Resents and will not cooperate with cross‐training.

• Seen as likable and generous

Fraud Diamond

Learning Objectives

• Increase awareness of what fraud looks like

• Provide tools to both early detect and potentially deter fraud

• Discuss risk management techniques to monitor on an on‐going basis



Part II

• Specific Schemes

Scheme Categories

• Asset Misappropriation

– Kiting, skimming

– Shell games

• Bribery and Corruption

– Illegal gratuities

– Conflicts of interest

• Fraudulent Statements

Asset Misappropriation

• Cash

• Inventory

• Office Supplies

• Expense Reports

• Company Vehicles, Cell Phones

• Accounts Receivables, Revenues

• Falsifying Hours on a Timesheet


Survey on Misappropriation

• Research indicates the potential for material fraud exists in the American workplace. According to a 2003 survey sponsored by Ernst & Young LLP, 20% of American workers are personally aware of fraud in the workplace.

• Respondents to this survey estimated employers lost 20% of every dollar to some type of workplace fraud and were personally aware of fraud due to the following:

– Theft of office items.

– Claiming extra hours worked.

– Expense accounts.

– Taking kickbacks from suppliers.

Bribery and Corruption

• By far the most common among government officials

• Common in procurement also

• Generally begins with an ethics issue related to a conflict of interest [individual interest takes precedence over organizational interest]

• Breach of Fiduciary Duty

Fraudulent Financial Reporting

• Manipulation, falsification or alteration of accounting records or supporting documentation;

• Misrepresentations or intentional omissions; and/or

• Intentional misapplication of accounting principles


Medicare – Medicaid and other Federal Programs

• Pulitzer Prize winning website: http://www.politifact.com

• “Pants on Fire” ratings on political statements

• Articles on “fraud” versus “error” rates

• Fraud versus abuse

Legal Definition of Fraud

• A false representation of a matter of fact

• That deceives or intends to deceive another

• So that the other acts on that false representation of fact

• To their legal injury

Part III

• Internal Control Best Practices


Best Practice Policies

• Awareness/Training

• Recognition

• Trust, but verify

Part III

• DETECTION AND DETERRENCE

Risk Management Frameworks

• COSO ERM Framework

• ACFE Fraud Risk Management

• ISO 31000 Risk Management Principles and Guidelines

• IT CoBIT Framework


How do I Start?

Risk Management

• Only four ways to manage risk:

– Avoidance – cease doing what it is that creates risk

– Sharing – buy insurance if it can be insured

– Reduction – Build a prevention system

– Acceptance – the default position if none of the above are done.

Risk Assessment Measurements

• Impact

• Likelihood


Risk Procedures Integration

• Fraud Detection

• Fraud Deterrence

• Fraud Prevention

Traditional Outlooks

• External audits provide assurance

• People are for the most part honest

• These are good economic times

Risk Awareness

• Across departments

• By Type

• Embedded into existing management systems


Risk Appetite

• Can be Subjective

• Based on Cost Benefit

• Capability Maturity Model

Levers of Control

• Belief System

• Boundary System

• Diagnostic System

• Interactive Control System

Belief System

• The entity’s core values used to INSPIRE and DIRECT actions


Boundary System

• Ethical limits beyond which behavior is prohibited

Diagnostic System

• The entity’s system(s) that ensure the effective and efficient achievement of goals; i.e. budgets

Interactive Control System

• The entity’s top‐level development of strategy, risk assessment and monitoring of competitive conditions and technology changes


Fraud Risk

• The risk/vulnerability an entity has to the possibility that someone in their organization is capable of overcoming the elements of the fraud triangle/diamond

• This risk differs from any other risk because by nature it is intentional misconduct designed to evade detection.

Inherent and Residual Risk

• Inherent risk exists in the system before any type of system/management intervention

• Residual risk exists in the system after system or management actions are taken.  

What to do with Risk or “Risk Responses”

• Risk Avoidance,

• Risk Reduction,

• Risk Sharing,

• and Risk Acceptance


Specific Process Interventions

• TIMELY Reconciliations

• Segregation of Duties

• Cross-training

• Mandatory vacations where others perform your duties and answer your phone calls

• Analytical procedures

• “Turn the Light on” decisions

Bottom Line

• One size does not fit all!

• You must build your system within the resources that you have.

• Therefore, trying what someone else has done, without their resources could be devastating.

Segregation of Duties

• Custody

• Authorization

• Record‐keeping/ Reconciliation
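The three functions above are the ones that should never sit with one person. As an added example that is not part of the slides, the script below checks an application's user‐to‐role listing for users who hold two or more of them; the accounts‐payable role names and the sample listing are constructed for this illustration.

```python
"""Segregation-of-duties (SoD) conflict check over an access listing.

Constructed example: the three incompatible functions from the slide
(custody, authorization, record-keeping/reconciliation) are mapped onto
hypothetical application roles, and each user is checked for holding two
or more of those functions within the same process.
"""
from itertools import combinations

# The three functions that should not sit with one person.
CUSTODY, AUTHORIZATION, RECORDKEEPING = "custody", "authorization", "recordkeeping"

# Hypothetical roles in an accounts-payable system and the SoD function each one
# confers (assumption: role names are constructed for this example).
ROLE_FUNCTIONS = {
    "AP_VENDOR_MAINTAIN": AUTHORIZATION,   # create/approve vendors
    "AP_INVOICE_APPROVE": AUTHORIZATION,   # approve invoices for payment
    "AP_PAYMENT_RELEASE": CUSTODY,         # release funds / sign checks
    "AP_GL_POST":         RECORDKEEPING,   # post to the ledger
    "AP_BANK_RECONCILE":  RECORDKEEPING,   # reconcile bank to ledger
    "AP_REPORT_VIEW":     None,            # read-only, no SoD function
}

def functions_held(user_roles, role_functions=ROLE_FUNCTIONS):
    """Map a user's roles to the set of SoD functions they confer.

    Roles missing from the mapping are returned separately so they get
    classified instead of being silently treated as harmless.
    """
    held, unknown = set(), set()
    for role in user_roles:
        if role not in role_functions:
            unknown.add(role)
        elif role_functions[role] is not None:
            held.add(role_functions[role])
    return held, unknown

def find_sod_conflicts(access_listing, role_functions=ROLE_FUNCTIONS):
    """Return {user: [(function_a, function_b, roles_involved), ...]}.

    access_listing: {user: [role, ...]} as exported from the application.
    A conflict is any pair of distinct SoD functions held by one user;
    two roles conferring the same function (e.g. two approval roles) is not.
    """
    conflicts = {}
    for user, roles in access_listing.items():
        held, _ = functions_held(roles, role_functions)
        pairs = []
        for fa, fb in combinations(sorted(held), 2):
            involved = sorted(r for r in roles if role_functions.get(r) in (fa, fb))
            pairs.append((fa, fb, involved))
        if pairs:
            conflicts[user] = pairs
    return conflicts

# Constructed access listing (not real data).
SAMPLE_LISTING = {
    "alice": ["AP_INVOICE_APPROVE", "AP_REPORT_VIEW"],
    "bob":   ["AP_PAYMENT_RELEASE", "AP_BANK_RECONCILE"],             # custody + record-keeping
    "carol": ["AP_VENDOR_MAINTAIN", "AP_INVOICE_APPROVE"],             # authorization twice: no conflict
    "dave":  ["AP_INVOICE_APPROVE", "AP_PAYMENT_RELEASE", "AP_GL_POST"],  # all three functions
}

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_LISTING).items():
        for fa, fb, roles in pairs:
            print(f"{user}: {fa} + {fb} via {', '.join(roles)}")
```

Where a small staff cannot split all three functions, the flagged users are the ones whose work needs the other interventions on the slides (timely independent reconciliations, mandatory vacations, cross‐training).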


Class Exercise

Discuss the pros and cons of having an audit committee

What duties would an audit committee perform to strengthen the financial reporting process?

Who should be on an audit committee?


What is a Risk Assessment?

A process that defines how an organization:

• Identifies risks to the achievement of its mission, goals, & objectives

• Measures the significance of each identified risk

• Determines the most appropriate business response to each risk

• Monitors how well the responses are carried out


Publications

• IFAC: Evaluating and Improving Internal Control in Organizations

• COSO: Internal Control an Integrated Framework

• ISACA: COBIT 5 Framework


ISACA Principles

• Meeting Stakeholder Needs

• Covering the Entity End‐to‐end

• Applying a single, integrated framework

• Enabling a Holistic Approach

• Separating Governance from Management


IFAC Holistic Risk Assessment

• Eight all‐important questions:

1. Are the various departments that deal with a specific risk or have responsibility for associated controls working together?


Holistic Risk Assessment

2. Does the organization have an accurate and comprehensive understanding of its current risks?

3. Does the organization understand how various risks might have common causes or mutually reinforcing consequences?


Holistic Risk Assessment

4. Are the organization's risks within the limits for risk‐taking as determined in its risk‐management strategy and policies on internal control?


Holistic Risk Assessment

5. Are risks treated on an individual basis or does the organization understand the overall effect of uncertainty on its objectives?

6. Does the organization sufficiently know the effectiveness of its controls and how they could be further improved?


Holistic Risk Assessment

7. How can the organization be certain it knows the correct answers to the preceding questions?

8. What are the processes for monitoring and evaluating, and are the processes effective?


First Steps to Improvement

• Understanding the controls themselves

• Whether they are working as designed or not

• Not just compliance anymore ‐ proactive


Ownership Creates Execution

• Engage ALL people in participating in the process

• Keep people mission/goal/objective oriented

• If they are not engaged, they will not be successful
