Internal Control Systems

Internal Control Systems and Fraud Detection
ACCT 7320, Controllership
September 8, 2009
Includes materials from a presentation by Ben Randles and Parker Nanney, 2006

Topics of Discussion
• Internal Control Systems Development
  1. Background and History
  2. Objectives
  3. Responsible Parties
• Fraud Prevention/Detection
  1. Five Components of an Internal Control System
  2. Case Analysis

Internal Controls Defined by COSO
www.coso.org
(Committee of Sponsoring Organizations of the Treadway Commission)
The process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to the following:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations

Key Concepts (COSO)
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is carried out by people. It’s not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Control Objectives
• Authorization
• Reconciliation
• Recording
• Safeguarding
• Valuation

Who’s Responsible for Internal Controls?
• Five responsible parties:
  • Board of Directors
  • Senior Management
  • Financial Management
  • Internal Audit Staff
  • Independent Auditor

Board of Directors
• Ultimately responsible for control environment
• Difficult to monitor on their own
• Often leads to the formation of an audit committee

Senior Management
• Actually responsible over control environment
• Responsible for accurate financial reporting
• Maintain a properly documented control system
• Maintain a proper environment to enforce controls
• Identify inherent business risks
• Identify the potential for errors in the transaction processing system

Senior Management
• Assessment
• Management’s assessment and report on their internal controls
• Public companies must comply
• Financial statements are truthful & reliable
• Controls are capable of consistently producing accurate financial statements

Financial Management
• Real responsibility over controls
• Know the requirements for a control system
• Verify the adequacy of controls
• Enforce conformance to controls
• Assume direct responsibility for financial statements

Internal Audit Staff
• Reports on the existence and effectiveness of controls
• Report to management or the audit committee
• Has no power to change the control system

Independent Auditor
• Test control systems that create the financial statements
• Submit a report along with the audited financial statements
• Reports on the reliability of management’s SOX “302” report that an effective system of ICs is in place

Auditing Standard No. 5 of the Public Company Accounting Oversight Board, Released 2007
The external auditor must:
• Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
• Understand the flow of transactions … sufficiently to identify points at which a misstatement could arise;
• Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
• Perform a fraud risk assessment;
• Evaluate controls designed to prevent or detect fraud, including management override of controls;
• Evaluate controls over the period-end financial reporting process;
• Scale the assessment based on the size and complexity of the company;
• Rely on management's work based on factors such as competency, objectivity, and risk;
• Evaluate controls over the safeguarding of assets; and
• Conclude on the adequacy of internal control over financial reporting.

Five Components of Internal Control Systems*
• Control Environment
• Risk Assessment
• Control Procedures
• Information and Communication
• Monitoring
Components are interrelated as a process to achieve the three categorical objectives.
*From Louwers et al. textbook.

Control Environment
• Integrity and Ethical Values
• Philosophy and Operating Style
  • Excessive Emphasis on Profits?
  • Aggressive Financial Reporting?
  • Unwilling to Pay for Good Controls?
  • Rapid Pace of Growth?
  • High Management Turnover?
• Organizational Structure
  • Overly Complex?
  • Excessive Decentralization?
  • Dominated by One Person?
  • Numerous Acquisitions?

Control Environment cont’d.
• Assigning Authority and Responsibility
  • Written policies and procedures
  • Hold employees accountable
• Human Resources Policies and Procedures
  • Thorough background checks and adequate training
    • However, only 12% of fraudsters had previous fraud-related convictions
  • Required vacations or periodic job rotations

Risk Assessment - Fraud
• Typical U.S. organization loses 6% of its annual revenues to fraud.
• Three types of fraud, with median loss:
  1. Misappropriation of assets: $93,000 (most common)
  2. Corruption: $250,000
  3. Fraudulent Financial Statements: $1,000,000 (least common)

Risk Assessment – Fraud

Association of Certified Fraud Examiners
From the news:

Methods of Fraud by Industry
(Main method highlighted)

Industry        Skimming   Cash Larceny   Billing   Check Tampering   Corruption
Mfg             16.9%      9.2%           35.4%     23.1%             38.5%
Banking         14.3%      17.9%          19.6%     7.1%              35.7%
Service         28.6%      28.6%          32.1%     32.1%             25.0%
Government      28.3%      30.2%          30.2%     11.3%             32.1%
Insurance       17.4%      8.7%           50.0%     17.4%             28.3%
Retail          40.0%      42.5%          10.0%     7.5%              15.0%
Health Care     21.6%      29.7%          35.1%     21.6%             37.8%
Education       25.8%      6.5%           41.9%     29.0%             29.0%
Construction    23.5%      5.9%           17.6%     58.8%             11.8%
Communication   30.8%      23.1%          53.8%     15.4%             46.2%
Utility         0.0%       7.7%           61.5%     7.7%              38.5%

Risk Assessment – Fraud Indicators
• Repeated 401k Withdrawals or Contribution Reductions
  • Is the employee running short on cash?
• Bad Debt Write-Offs
  • Is there an increasing trend or large difference from industry standards?
• Inventory Discrepancies
  • Are there constant discrepancies between expected and actual inventory?
• Invoicing Discrepancies
  • Are numerous invoices adjusted for a lower invoice total?
• Lack of Supervision
  • How long have employees worked without management supervision?

Risk Assessment – Fraud Indicators
• Large Personal Expenditures
  • How can the A/P clerk afford a brand-new Bentley?
• No Competitive Bidding
  • Is the purchasing manager being paid by suppliers?
• No Payment From Sale of Assets
  • Assets are missing…presumably sold, but where is the cash?
• No Vacations
  • Why does the office manager refuse to take a vacation?
• Supplier Address and Employee Address Match
  • So one of our employees is a vendor, eh?…don’t think so.

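The last indicator above, a supplier address that matches an employee address, can be tested directly against the vendor and employee master files. The following is an added example, not part of the original slides; the record layout, sample records and abbreviation table are constructed assumptions. It normalizes addresses before comparing, because an exact string comparison misses the same address written two ways.

```python
import re

# Common street/unit abbreviations folded to one spelling (assumed, not exhaustive).
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "boulevard": "blvd", "lane": "ln", "suite": "ste", "apartment": "apt",
          "north": "n", "south": "s", "east": "e", "west": "w"}
UNIT_WORDS = {"ste", "apt", "unit"}

def normalize_address(raw):
    """Lower-case, strip punctuation, fold abbreviations, drop unit designators."""
    tokens = re.sub(r"[^a-z0-9\s]", " ", raw.lower().replace("#", " unit ")).split()
    tokens = [ABBREV.get(t, t) for t in tokens]
    out, skip = [], False
    for t in tokens:
        if skip:                # token after ste/apt/unit is the unit number
            skip = False
            continue
        if t in UNIT_WORDS:     # units are dropped so "Suite B" cannot hide a match
            skip = True
            continue
        out.append(t)
    return " ".join(out)

def vendor_employee_matches(vendors, employees):
    """Return (vendor_id, employee_id, normalized_address) for every shared address."""
    by_addr = {}
    for emp in employees:
        by_addr.setdefault(normalize_address(emp["address"]), []).append(emp["id"])
    hits = []
    for ven in vendors:
        key = normalize_address(ven["address"])
        for emp_id in by_addr.get(key, []):
            hits.append((ven["id"], emp_id, key))
    return hits

# Constructed sample master files (not real data).
EMPLOYEES = [
    {"id": "E100", "address": "42 Oak Street, Apt. 3, Springfield, IL 62704"},
    {"id": "E101", "address": "9 Birch Road, Springfield, IL 62704"},
]
VENDORS = [
    {"id": "V900", "address": "42 OAK ST #3 SPRINGFIELD IL 62704"},
    {"id": "V901", "address": "500 Industrial Boulevard, Decatur, IL 62521"},
    {"id": "V902", "address": "9 Birch Rd., Suite B, Springfield IL 62704"},
]

if __name__ == "__main__":
    for ven_id, emp_id, addr in vendor_employee_matches(VENDORS, EMPLOYEES):
        print(f"REVIEW vendor {ven_id} shares address with employee {emp_id}: {addr}")
```

Each hit is a lead for review rather than proof of fraud: dropping unit numbers will also pair unrelated tenants of the same building.
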
Control Activities
Hotlines are the “hottest” method of fraud detection.
[Chart: Initial Detection of Overall Frauds. Categories: Notified by Police, External Audit, Internal Controls, Accident, Internal Audit, Tips. Bar values as extracted (not paired with categories): 39.60%, 18.40%, 21.30%, 23.80%, 10.90%, 0.90%.]

Control Activities
[Chart: Median Loss Based on Whether Organization Had Hotline. Bars: Hotline, No Hotline. Bar values as extracted (not paired with bars): $135,500, $56,500.]

Control Activities
• Segregation of Duties
  • Authorization, Recording, and Custody functions must be separate
• Performance Reviews
  • Independent Reconciliations, Budget-Variance Investigations, Account Balance Confirmations, Surprise Asset Counts, etc.
    • Bank and inventory reconciliations, compare payables and revenues to source documents, review uncashed checks, old accounts receivable, and utilization of fixed assets
• Physical Controls
  • Physical access to assets limited to authorized users.
    • Restrict access to checks, signature plates, warehouse inventory, computer data, etc.
• Information Processing Controls
  • Input, Processing, and Output Controls
    • Expense and investment authorizations/amount limitations

Information and Communication
• Establish an effective AIS that provides an audit trail.
• Collect external data necessary to run the business
• Communicate roles in internal control system to personnel

Monitoring
• Oversee controls and ensure they are working properly.
• Make adjustments as necessary

Interesting TV special from Spring 2009!

References
• http://www.findarticles.com/p/articles/mi_m1154/is_n10_v76/ai_6697934#continue
• Bragg, Steven M. and Roehl-Anderson, Janice M. Controllership – The Work of the Managerial Accountant, 7th Edition, 2004. 115-127.
• Louwers, Timothy J.; Ramsay, Robert J; Sinason, David H; Strawser, Jerry R. Auditing and Assurance Services, 2005. 138-168.
• Romney, Marshall B., and Steinbart, Paul John. Accounting Information Systems, 8th Edition, 2000.
• http://www.sec.gov/rules/proposed/s74002/card941503.pdf#search='sox%20404
• http://www.acfe.com/fraud/view.asp?ArticleID=13
• http://www.acfe.com/fraud/view.asp?ArticleID=307
• http://www.acfe.com/fraud/view.asp?ArticleID=23
• http://www.coso.org/Publications/executive_summary_integrated_framework.htm
• http://www.nysscpa.org/cpajournal/2002/1202/features/f123402.htm