RISK BASED APPROACH TO INTERNAL CONTROLS

About This Presentation
Title:

RISK BASED APPROACH TO INTERNAL CONTROLS

Description:

Sarbanes-Oxley legislation requires public companies to certify their internal controls ... Certification of financial reports by chief executive officers and ... – PowerPoint PPT presentation

Slides: 82
Provided by: OLe5


Transcript and Presenter's Notes

1
RISK BASED APPROACH TO INTERNAL CONTROLS
  • Presented by Oscar S. Lewis

2
Biography: Oscar S. Lewis
  • From Atlanta, GA
  • BS University of South Carolina
  • MBA Georgia State University
  • 15 years in manufacturing positions, primarily in
    pharmaceuticals and medical devices
  • 10 years in service and distribution industries

3
Oscar S. Lewis Continued
  • Instructor, University of Phoenix (finance and
    accounting)
  • Board of Directors, Institute of Management
    Accountants
  • CBM - APBM

4
Risk Based Approach to Internal Controls
  • Part I
  • What are Internal Controls?

5
What are Internal Controls?
  • Internal controls are defined by the American
    Institute of Certified Public Accountants as the
    plan of organization and the procedures and
    records that are concerned with the safeguarding
    of assets and the reliability of financial
    records.

6
Why are they important?
  • You are building reliability in, not finding
    things after the fact. It's like quality: you
    will find it less expensive to build it in than
    to inspect it in. There is a limit to what you
    can really expect from your external auditors.
    Finding fraud after the fact is an expensive and
    time-consuming process. It is easier, and
    cheaper, to design a system to prevent it.

7
What is their purpose?
  • The purpose is the same as the definition: the
    safeguarding of assets and the reliability of
    financial records.
  • Another purpose is to assure stakeholders,
    whether they are stockholders, bondholders,
    partners, lenders, employees, vendors or
    customers, that an organized system exists to help
    the organization manage risks, both internal and
    external.

8
Background
  • Internal controls have been around for many
    years. The presence of these was confirmed by
    outside auditors each year during the audit.
  • Increased emphasis because of Sarbanes-Oxley.
    SARBOX was set up to help assure the public that
    financial reporting was fair and that corporations
    were not trying to profit at the expense of their
    stakeholders.

9
Current Environment
  • Sarbanes-Oxley legislation requires public
    companies to certify their internal controls
  • New York and California took this further, and
    very large private companies and non-private
    organizations have an increased level of
    compliance with internal controls
  • Washington state is discussing taking
    Sarbanes-Oxley further also

10
First Key to Internal Controls
  • Ethics

11
Risk Based Approach to Internal Controls
  • Part II
  • The Internal Control Framework - COSO

12
COSO
  • Committee of Sponsoring Organizations, established
    by the Treadway Commission in the late 1980s to
    address the fraud issues associated with savings
    and loan institutions.
  • In recent times, COSO has issued guidance on
    internal controls and enterprise risk management,
    which have enabled publicly traded corporations
    to deal with issues of fraud, controls, risk, and
    compliance.

13
COSO - Continued
  • After Sarbanes-Oxley (SOX) legislation (2002),
    COSO has been the prominent SEC-approved internal
    controls framework used by corporations to ensure
    that their internal controls over financial
    reporting are effective in accordance with SOX
    regulations 302 and 404.
  • More recently, on October 26, 2005, COSO released
    its guidance to small businesses, with the
    exposure draft and comment period running through
    December 31, 2005.
  • The objective of this guidance is to enable
    smaller publicly traded businesses to cost
    effectively comply with SOX regulations.

14
Sarbanes-Oxley
  • What is SARBOX, and why should we as Management
    Accountants care?

15
History of the Act
  • The House passed Rep. Michael Oxley's bill (H.R.
    3763) on April 25, 2002, by a vote of 334 to 90.
    The House then referred the "Corporate and
    Auditing Accountability, Responsibility, and
    Transparency Act" or "CAARTA" to the Senate
    Banking Committee with the support of President
    George W. Bush and the SEC. At the time, however,
    the Chairman of that Committee, Senator Paul
    Sarbanes (D-MD), was preparing his own proposal,
    Senate Bill 2673.
  • Senator Sarbanes' bill passed the Senate Banking
    Committee on June 18, 2002, by a vote of 17 to 4.
    On June 25, 2002, WorldCom revealed it had
    overstated its earnings by more than 72 billion
    during the past five quarters, primarily by
    improperly accounting for its operating costs.
    Sen. Sarbanes introduced Senate Bill 2673 to the
    full Senate that same day, and it passed 97-0
    less than three weeks later on July 15, 2002.
  • The House and the Senate formed a Conference
    Committee to reconcile the differences between
    Sen. Sarbanes' bill (S. 2673) and Rep. Oxley's
    bill (H.R. 3763). The conference committee relied
    heavily on S. 2673 and most changes made by the
    conference committee strengthened the
    prescriptions of S. 2673 or added new
    prescriptions. (John T. Bostelman, The
    Sarbanes-Oxley Deskbook 2-31.)
  • The Committee approved the final conference bill
    on July 24, 2002, and gave it the name "the
    Sarbanes-Oxley Act of 2002." The next day, both
    houses of Congress voted on it without change,
    producing an overwhelming margin of victory: 423
    to 3 in the House and 99 to 0 in the Senate. On
    July 30, 2002, President George W. Bush signed it
    into law, stating it included "the most
    far-reaching reforms of American business
    practices since the time of Franklin D.
    Roosevelt." (Elisabeth Bumiller "Bush Signs Bill
    Aimed at Fraud in Corporations", The New York
    Times, July 31, 2002, page A1).

16
Who does SARBOX affect?
  • The legislation is wide ranging and establishes
    new or enhanced standards for all U.S. public
    company boards, management, and public accounting
    firms. The Act contains 11 titles, or sections,
    ranging from additional Corporate Board
    responsibilities to criminal penalties, and
    requires the Securities and Exchange Commission
    (SEC) to implement rulings on requirements to
    comply with the new law.
  • Some believe the legislation was necessary and
    useful, others believe it does more economic
    damage than it prevents, and yet others observe
    how essentially modest the Act is compared to the
    heavy rhetoric accompanying it.
  • The first and most important part of the Act
    establishes a new quasi-public agency, the Public
    Company Accounting Oversight Board, which is
    charged with overseeing, regulating, inspecting,
    and disciplining accounting firms in their roles
    as auditors of public companies. The Act also
    covers issues such as auditor independence,
    corporate governance and enhanced financial
    disclosure. It is considered by some as one of
    the most significant changes to United States
    securities laws since the New Deal in the 1930s.

17
Provisions
  • The Sarbanes-Oxley Act's major provisions include
    the following
  • Creation of the Public Company Accounting
    Oversight Board (PCAOB)
  • A requirement that public companies evaluate and
    disclose the effectiveness of their internal
    controls as they relate to financial reporting,
    and that independent auditors for such companies
    "attest" (i.e., agree, or qualify) to such
    disclosure
  • Certification of financial reports by chief
    executive officers and chief financial officers
  • Auditor independence, including outright bans on
    certain types of work for audit clients and
    pre-certification by the company's Audit
    Committee of all other non-audit work
  • A requirement that companies listed on stock
    exchanges have fully independent audit committees
    that oversee the relationship between the company
    and its auditor

18
Provisions Continued
  • Ban on most personal loans to any executive
    officer or director
  • Accelerated reporting of insider trading
  • Prohibition on insider trades during pension fund
    blackout periods
  • Additional disclosure
  • Enhanced criminal and civil penalties for
    violations of securities law
  • Significantly longer maximum jail sentences and
    larger fines for corporate executives who
    knowingly and willfully misstate financial
    statements, although maximum sentences are
    largely irrelevant because judges generally
    follow the Federal Sentencing Guidelines in
    setting actual sentences

19
Private Companies and Non-Profits
  • Sarbanes-Oxley legislation requires public
    companies to certify their internal controls
  • New York and California took this further, and
    very large private companies and non-private
    organizations have an increased level of
    compliance with internal controls
  • Washington state is discussing taking
    Sarbanes-Oxley further also

20
Private Companies and Non-Profits
  • What happens if government contracts require
    SARBOX compliance?
  • What happens if public company Boards require
    their companies to only do business or to donate
    to SARBOX compliant organizations?

21
Greatest Risks to Private Companies
  • Tone at the Top
  • If the importance of internal controls is poorly
    communicated from the top, there may be no real
    focus on promoting ethical behavior within the
    organization.
  • Lack of Controls
  • Company may lack controls to prevent such things
    as
  • Inappropriate revenue recording
  • Unauthorized revenue transactions
  • Excess inventory purchases
  • Purchases of products and services at higher
    costs
  • Unapproved payroll changes
  • Unauthorized wire transfers
  • Inappropriate investment of excess funds
  • Unnecessary fixed-asset purchases
  • Theft
  • Segregation of Duties
  • Smaller companies are particularly prone to
    ineffective segregation of duties.

22
Greatest Risks to Private Companies
  • Information used to monitor operations may be
    flawed or inappropriate
  • Lack of detail, inattention to details provided
    or over reliance on reports whose source data is
    not reliable
  • Employees' lack of understanding
  • Employees may not understand or appreciate the
    importance of performing certain procedures or
    what procedures should be performed to ensure
    compliance with internal controls processes
  • Policies, processes and procedures are not well
    documented and not updated regularly
  • Inadequate security
  • Financial and physical assets need to be secured,
    as do IT assets and intellectual property
  • Regulatory Non-compliance

23
Implementing SOX in the Private Sector

24
Benefits to the Private Company
  • Not all companies are the same
  • Some will eventually enter public markets
  • Some may be positioning for sale
  • Some may intend to remain closely held
  • All companies can benefit by adopting
    opportunities and best practices SOX is driving
  • Bottom Line
  • Increased focus on internal controls maximizes
    the value of the business

25
Benefits to the Private Company
  • Financial Reporting Benefits
  • Heightened credibility provided to all
    stakeholders
  • Better information to manage the business
  • Reduced risk of errors or irregularities
  • Operational Benefits
  • Clarity on roles and responsibilities of
    management and staff
  • Greater control over management of business
    growth
  • Reduced costs obtained from greater operating
    efficiency
  • Maximized operating performance
  • Regulatory Benefits
  • Decreased risk of litigation or business
    disruption
  • Lowered risk of employee or customer litigation
  • Increased credibility with regulatory agencies
  • More credibility in contractual relationships
    with vendors and customers

26
Pre-IPO/Pre-Acquisition Companies
  • Embracing new rules decreases risks associated
    with the filing or deal
  • Particularly with regard to valuation and
    minimizing post-deal surprises
  • State of SOX readiness may have a significant
    impact on valuation and on timing to market
  • Risks of non-compliance minimized for potential
    investors, acquirers and underwriters
  • A well documented internal control framework
    demonstrates readiness for SOX requirements

27
Closely-Held Companies
  • Solid internal control plan helps owners protect
    and preserve wealth
  • Evaluating controls contributes to more
    efficient, effective and value-added business
    process, which may result in increased
    profitability
  • Closely-held businesses may not stay that way
    forever

28
Non-Profits
  • SOX compliance even helps non-profits
  • Grantors reacting favorably to private
    organizations using SOX as basis for tightening
    internal controls, improving documentation and
    improving business practices
  • May open access to new sources of grants and
    contracts
  • Ethically, right thing to do as stewards of
    public money

29
Opportunities and Best Practices
  • Fully adopting all of SOX is impractical for a
    private company or non-profit
  • Knowledge of SOX requirements coupled with
    analysis of control environment may reveal
    opportunities to adopt SOX best practices
  • 404 Readiness
  • Documentation of internal controls shows external
    third parties that management has designed and
    documented an appropriate internal control
    environment
  • Independent Directors
  • Public companies are required to have independent
    directors
  • Private companies can fall prey to a groupthink
    mentality
  • Even in small companies, independent directors
    can bring a fresh perspective and new eyes to
    managing the organization
  • Code of Business Conduct
  • A code of conduct delivers benefits to any
    organization by setting the tone
  • The commitment to integrity and ethical values
    documented in the code should be incorporated
    into every transaction

30
Where is your company today?
  • Level One: Unreliable
  • Level Two: Informal
  • Level Three: Standardized
  • Level Four: Monitored
  • Level Five: Optimized

31
Internal Controls
  • How do we approach Internal Controls?

32
Process and Controls
  • A process is the outline you follow to achieve a
    certain result.
  • In the case of Internal Controls, a process is
    the methodology you would go through to set up an
    Internal Control for a certain asset or groups of
    assets
  • Example: the process of setting up Internal
    Controls for Cash

33
Process and Controls - Continued
  • The first step is outlining what risks you are
    trying to manage, or what assets you are trying
    to protect
  • After deciding what to protect, determine who
    will design and own the process
  • This person must buy in to the entire Internal
    Controls framework, and must agree to be the
    process owner. They are in charge of their
    particular process

34
Components
  • Operations: These are the various internal
    operations, such as Accounts Payable or
    Purchasing, that should have controls
  • Financial Reporting: These are the controls for
    reporting results to senior management and
    stakeholders
  • Compliance: This is reporting to the Audit
    Committee on how well your controls are working

35
Risk Assessment
  • While you want to install all controls quickly,
    in a smaller organization, this is not always
    possible
  • Prioritize by some method, preferably by size of
    risk
  • Example: if you do not accept cash payments or
    credit cards, this does not have as high a
    priority as managing accounts payable, which may
    be critical in terms of the size of the risk

36
Setting Up a Control
  • Define what it is you want to control, e.g.
    Purchasing
  • Decide upon a process owner, the person who will
    design this process and work with people to help
    implement the process and make it useful
  • Get buy-in from the process owner
  • Teach/train them in how to write a control

37
Control Set-Up
  • Remember: say what you do (document your
    processes) and do what you say (follow your
    process)
  • After implementation, check to see whether it's
    being followed, or whether it needs to be amended
    in some fashion to be more workable for your
    organization
  • Remember, what may be possible at Boeing may not
    be possible at Fred's Machine Shop with 10
    employees, only two of whom work in the office area

38
Communications
  • It is vital to include as many people who will be
    affected by a control as possible to help with
    the design
  • Let everyone know what is going on, and why
  • Sell the idea that controls help the
    organization; they are not there to slow anyone
    down or to make employees check on each other.
    Rather, they are there to protect the
    organization, and the employees, from unnecessary
    risk

39
Monitoring and Feedback
  • Remember, the process is a loop, not a straight
    line
  • Monitor the process, look for gaps, make sure the
    process is being followed, or try to amend the
    process where it may be more useful for the
    organization
  • Remember, there are ancillary controls that can
    be set up to help cover gaps in your normal, day
    to day control system

40
Risk Based Approach to Internal Controls
  • PART III
  • Corporate Culture

41
Setting the Tone at the Top
  • Leadership begins at the top of an organization
  • You build an ethical culture by setting the
    example for the people around you
  • If your leaders do not buy in to the need for an
    ethical culture, your organization will struggle
    with ethical decisions, taking time away from
    operational decisions

42
Leadership Examples
  • Normandy landings
  • Major General Maxwell Taylor 101st Airborne
  • Major General James Gavin 82nd Airborne
  • Brig. General Teddy Roosevelt Jr. 4th Infantry
  • General Norman Cota 29th Infantry

43
More Leadership Examples
  • Boeing CEO (July 26, 2006): Boeing will not take
    a tax deduction for the fines and penalties
    associated with the procurement scandal
  • Squad sergeant, 2nd Battalion, 7th Marine
    Regiment: "I could not live with myself if I
    ordered one of my men to do something I could do,
    and he got hurt. I promised to bring them all
    home, and I did."

44
Workplace Environment
  • Set up a workplace that makes ethics a priority
  • Set up a workplace that allows a certain level of
    give and take
  • Give employees the tools they need to be
    successful
  • Management must show ethical considerations in
    day to day activities

45
Employees
  • Worker attitudes toward their employer are often
    cited as a factor in fraud cases, especially when
    internal communications systems are lacking
    (2002 Report to the Nation on Occupational Fraud
    and Abuse, ACFE (Fraud Examiners))
  • Providing an environment that emphasizes ethical
    behavior in all instances

46
Ethics Training
  • Everyone has to be trained, from senior
    management on down
  • Everyone has to be re-trained every year or two
    to keep the subject foremost in their minds
  • Outside training is available from a number of
    sources

47
Confirmation
  • Ethical behavior should be part of the Corporate
    culture and should be affirmed as it happens
  • Employees will see a confirmation of ethical
    standards when they see, hear, or read comments
    by senior management

48
Discipline
  • Ethical lapses should have disciplinary actions
    associated with them
  • Such disciplinary actions should go up to and
    include termination for serious offences, along
    with potential criminal penalties for serious
    violations

49
Conflicts of Interest
  • Include a statement on conflicts of interest in
    your Ethics policy
  • Make certain that contracts and transactions are
    done on an arm's-length basis
  • Make certain that all conflicts of interest are
    disclosed in writing to the Board

50
Risk Based Approach to Internal Controls
  • PART IV
  • Evaluating Internal Controls

51
Identifying Key Risks
  • The 2002 Report to the Nation on Occupational Fraud
    and Abuse by the ACFE detailed 663 cases of fraud
    causing more than 7 billion in losses
  • Occupational fraud is defined as the use of
    one's occupation for personal enrichment through
    the deliberate misuse or misapplication of the
    employing organization's resources or assets

52
Identifying Key Risks
  • Four common elements in these occupational fraud
    schemes
  • The activity is clandestine
  • It violates the perpetrator's fiduciary duties to
    the victim organization
  • It is committed for the purpose of direct or
    indirect financial benefit to the perpetrator
  • It costs the victim assets, revenue or reserves

53
Identifying Key Risks
  • Most common way fraud was detected was through an
    employee tip
  • Next two most common ways were through accidental
    discovery and through an internal audit
  • The single most effective anti-fraud measure is
    an internal control system
  • The next two are background checks and regular
    fraud audits

54
Understanding Internal Controls
  • The foundation for any Internal Control system is
    workplace ethics and discipline
  • Remember that internal controls cannot stop all
    fraudulent activities; they can slow them down and
    help detect them more quickly
  • Everyone in the organization has to be taught the
    value of the control system

55
Mitigating Controls
  • Mitigating controls are controls that are in
    place to reduce business risk
  • They are a subset of the Internal Control
    framework
  • Preventative Controls are intended to deter
    inappropriate events from happening. These are
    the best types of controls, but they are
    typically the most expensive to implement

56
Mitigating Controls
  • Detective Controls are controls that are in place
    to detect and correct undesirable events that
    have already occurred
  • Directive Controls are designed to encourage a
    desired event to occur
  • For more on this subject, a good website is the
    University of Pennsylvania's:
  • http://www.upenn.edu/audit/oacp/audit/operationalaudit/operational_audit_risk_and_controls.htm

57
Perform Walk-Throughs
  • Once a system has been designed, you must test it
    in operation
  • Some things will be found to be impractical
  • Controls should be designed not only for
    protecting the company assets, but also for ease
    of use and practical application

58
Documentation
  • As mentioned earlier, internal control systems
    are similar to quality systems: say what you do
    and do what you say
  • The best way to establish a control system is to
    document the way things are done today, and work
    from there
  • This will help identify weaknesses, and help with
    the setting of priorities

59
Testing
  • Every control area should be tested periodically
  • Remember, the system is a process, not a
    once-a-year check-off for the auditors and senior
    management
  • Testing will show gaps, and these gaps will need
    to be addressed, again giving priority to the
    gaps which show the most exposure to the
    organization

60
Monitor and Feedback
  • The process of internal controls is a loop, not a
    straight line
  • You monitor an area, collecting feedback on a
    continuing basis, and make changes as required to
    mitigate the risks

61
Risk Based Approach to Internal Controls
  • Part V
  • Fraud Prevention

62
Misappropriation of Assets
  • Wikipedia definition: Misappropriation of assets
    is the intentional, illegal use of the property
    or funds of the organization for one's own use or
    other unauthorized purpose, particularly by any
    person with a fiduciary duty.

63
Information Technology
  • IT fraud inside an organization is relatively
    rare. It is more closely related to the
    financial side: manipulating the system for gain
  • The IT side has large risks associated with it
    outside of fraud

64
IT Management
  • These risks include
  • Password management
  • Back up and security procedures
  • Transaction registers/audit trails
  • Document retention and destruction
  • Hardware and software acquisition and upgrade
    schedules

65
Password Management
  • Use a two-level password system where possible
  • Example: Joe logs on with authorization to get
    into the purchasing module
  • Then, when Joe issues purchase orders, he
    authorizes these through a second password input
  • The two passwords may be the same, but this will
    deter people from entering POs when Joe is away
    from his desk, but his workstation is on

66
Transaction Registers/Audit Trails
  • Make sure that your organization's software has
    transaction registers and/or audit trails
    identified and accessible to follow transactions
    back to the source
  • This will enable management and the auditors to
    find who did an entry, and track it back to the
    original documentation
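The two-level password check from the previous slide and the transaction register from this one, carried into code as an added example that is not from the presentation: a toy purchasing module in which the login opens the module, every purchase order requires the approval password again, and every attempt, accepted or rejected, is written to an append-only register that can be followed back to the user and the source document. The user Joe, the PO numbers and the password values are constructed for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are not recoverable if the user table leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    login_hash: bytes      # first level: opens the purchasing module
    approval_hash: bytes   # second level: entered again for every purchase order
    modules: frozenset     # modules this user is authorized to use


class PurchasingModule:
    """Constructed toy module for illustration; not a real ERP system."""

    def __init__(self):
        self.users = {}
        self.sessions = {}   # session token -> user name
        self.register = []   # append-only transaction register (the audit trail)
        self.next_po = 1000

    def _log(self, user, event, **details):
        # Every attempt, accepted or rejected, is recorded with who and when so an
        # entry can later be traced to the person and to the source document.
        self.register.append({"ts": datetime.now(timezone.utc).isoformat(),
                              "user": user, "event": event, **details})

    def add_user(self, name, login_pw, approval_pw, modules):
        salt = os.urandom(16)
        self.users[name] = User(name, salt, pw_hash(login_pw, salt),
                                pw_hash(approval_pw, salt), frozenset(modules))

    def login(self, name, password):
        """First level: authenticate and confirm authorization for purchasing."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user.login_hash,
                                                   pw_hash(password, user.salt)):
            self._log(name, "login_failed")
            raise PermissionError("bad credentials")
        if "purchasing" not in user.modules:
            self._log(name, "login_denied", reason="not authorized for purchasing")
            raise PermissionError("not authorized for purchasing")
        token = os.urandom(16).hex()
        self.sessions[token] = name
        self._log(name, "login_ok")
        return token

    def issue_po(self, token, approval_pw, vendor, amount, source_doc):
        """Second level: an open session on an unattended workstation is not enough;
        the approval password must be supplied for this specific purchase order."""
        name = self.sessions.get(token)
        if name is None:
            raise PermissionError("no session")
        user = self.users[name]
        if not hmac.compare_digest(user.approval_hash, pw_hash(approval_pw, user.salt)):
            self._log(name, "po_rejected", vendor=vendor, amount=amount)
            raise PermissionError("approval password rejected")
        po = f"PO-{self.next_po}"
        self.next_po += 1
        self._log(name, "po_issued", po=po, vendor=vendor, amount=amount,
                  source_doc=source_doc)
        return po

    def trail_for(self, po):
        """Follow a purchase order back to who issued it and from which source document."""
        return [e for e in self.register if e.get("po") == po]


if __name__ == "__main__":
    m = PurchasingModule()
    m.add_user("joe", "joe-login", "joe-approve", {"purchasing"})   # constructed user
    tok = m.login("joe", "joe-login")
    po = m.issue_po(tok, "joe-approve", "Acme Supply", 1250.00, "REQ-17")
    for entry in m.trail_for(po):
        print(entry)
```

The rejected attempts in the register are what an auditor reviews for repeated PO approvals failing under one user's session.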

67
Risk Based Approach to Internal Controls
  • Part VI
  • Fraud Detection and Deterrence

68
Policies Programs
  • Establishing adequate internal control procedures
    is the number one deterrent to internal fraud and
    embezzlement
  • SOA sections 302 and 404 emphasize the importance
    of internal controls and mandate disclosures as
    to the effectiveness of these controls.

69
Policies and Programs - Continued
  • Section 302: The signing officers acknowledge
    responsibility for establishing, maintaining and
    evaluating the controls system
  • Section 404: Requires management to document and
    evaluate the design and usefulness of the
    internal controls over financial reporting,
    provide an annual report as to their
    effectiveness, and have the outside auditors
    attest to the report

70
Legal Action
  • Generally, there will be a statement in the
    controls handbook that the organization will not
    tolerate theft or fraud
  • There will be a statement that all property,
    including information on workstations, is the
    property of the organization
  • A statement of intent to prosecute if evidence
    warrants, and a demand for restitution upon
    conviction

71
Legal Action - Continued
  • A statement that holds vendors, contractors and
    consultants responsible for costs associated with
    any fraud perpetrated by them or by workers in
    their employ
  • A conflict of interest statement signed by
    directors, employees, contractors and consultants
    who have contractual responsibility to the
    organization's vendors

72
Possible Red Flags
  • New vendors being signed up by one person
  • Invoices without purchase orders
  • People in responsible positions driving new cars
    or buying more than they might be able to afford
    on their salary
  • Checks going to vendors that are endorsed by
    another firm or an employee

73
Red Flags - Continued
  • An employee having financial difficulty
  • An employee going through an especially difficult
    time, such as divorce, death in the family,
    unexpected medical bills
  • An employee who uses the same vendor that the
    organization does for home construction or remodel
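Three of the red flags on these two slides can be screened for mechanically in accounts-payable data. The following is an added example, not part of the presentation, that runs such a screen over a constructed set of vendor, invoice and check records and ranks the flagged exposure by vendor so that review starts with the largest amounts, as the earlier slide on prioritizing by size of risk suggests. The lifestyle indicators (new cars, personal difficulties, shared home-construction vendors) are not derivable from AP data and are left to the human reviewer.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    created_by: str    # employee who set up the vendor master record
    approved_by: str   # employee who approved it


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float
    po_number: Optional[str]   # None when the invoice references no purchase order


@dataclass(frozen=True)
class Check:
    number: str
    vendor_id: str
    amount: float
    endorsed_by: str   # name on the endorsement, taken from the bank's check images


def screen(vendors, invoices, checks, employees):
    """Return (flag, vendor_id, record_id, amount, description) tuples, largest amount first."""
    by_id = {v.vendor_id: v for v in vendors}
    flags = []
    for v in vendors:
        # One person both creating and approving a vendor defeats segregation of duties.
        if v.created_by == v.approved_by:
            flags.append(("vendor_single_person", v.vendor_id, v.vendor_id, 0.0,
                          f"{v.name} created and approved by {v.created_by} alone"))
    for inv in invoices:
        if not inv.po_number:
            flags.append(("invoice_without_po", inv.vendor_id, inv.invoice_id, inv.amount,
                          f"invoice from {by_id[inv.vendor_id].name} has no purchase order"))
    for c in checks:
        payee = by_id[c.vendor_id].name
        if c.endorsed_by != payee:
            who = "an employee" if c.endorsed_by in employees else "another firm"
            flags.append(("check_endorsed_by_other", c.vendor_id, c.number, c.amount,
                          f"check to {payee} endorsed by {who}: {c.endorsed_by}"))
    return sorted(flags, key=lambda f: f[3], reverse=True)


def exposure_by_vendor(flags):
    """Sum flagged amounts per vendor so review time goes to the biggest exposure first."""
    totals = defaultdict(float)
    for _flag, vendor_id, _rec, amount, _desc in flags:
        totals[vendor_id] += amount
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample records for the illustration (not real data).
EMPLOYEES = {"pat", "lee", "dana"}
VENDORS = [
    Vendor("V1", "Acme Supply", created_by="pat", approved_by="lee"),
    Vendor("V2", "Riverside Tools", created_by="pat", approved_by="pat"),
    Vendor("V3", "Northwind Services", created_by="dana", approved_by="lee"),
]
INVOICES = [
    Invoice("I-100", "V1", 2500.00, "PO-1000"),
    Invoice("I-101", "V2", 4200.00, None),
    Invoice("I-102", "V2", 980.00, None),
    Invoice("I-103", "V3", 310.00, "PO-1001"),
]
CHECKS = [
    Check("C-501", "V1", 2500.00, endorsed_by="Acme Supply"),
    Check("C-502", "V2", 4200.00, endorsed_by="pat"),
    Check("C-503", "V3", 310.00, endorsed_by="Summit Holdings LLC"),
]

if __name__ == "__main__":
    found = screen(VENDORS, INVOICES, CHECKS, EMPLOYEES)
    for flag, vendor_id, rec, amount, desc in found:
        print(f"{flag:24} {vendor_id} {rec:6} {amount:9.2f}  {desc}")
    print("exposure by vendor:", exposure_by_vendor(found))
```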

74
Auditing Techniques
  • There are a number of techniques for auditing and
    measuring controls
  • Check the AICPA or IIA or CFE websites for
    suggested auditing techniques
  • The key is to vary what you are looking for:
    don't always check petty cash and go no further.
    It's like an inventory cycle count: don't always
    look at the same items. Look at the high-value
    areas, but also take one or two low-value areas
    just to check for compliance

75
Notification of Fraud
  • Notification, especially for a public company, is
    required
  • For a non-public organization or non-profit, it
    should be reported to the Audit Committee for a
    decision on who else this should be reported to
  • If it includes an employee, the employee should
    be placed on a leave of absence pending the
    outcome of an investigation

76
Risk Based Approach to Internal Controls
  • Part VII
  • Resources Available

77
Resources Available
  • Institute of Management Accountants (IMA),
    national website www.imanet.org
  • AICPA
  • Institute of Internal Auditors (IIA)
  • Protiviti Consultants: specialists in SARBOX
    implementation and compliance, a division of
    Robert Half
  • COSO

78
More Resources
  • Copedia: an online internal control and
    accounting handbook software
  • Parson Consulting website
  • Securities and Exchange Commission website
  • Department of Commerce website
  • University of Pennsylvania Audit website
  • Association of Certified Fraud Examiners

79
Appendix
  • Setting up a control system
  • Template examples

80
Internal Control Assessment Tool

81
Activities