effective internal controls

Effective Internal Controls (Annotated) by @EricPesik


DESCRIPTION

Instilling good governance and ensuring full compliance with an effective internal control program. Presented at Corruption and Compliance South & South East Asia Summit, September 2012, Hilton Hotel, Singapore.


Page 1: Effective Internal Controls (Annotated) by @EricPesik

effective internal controls

Page 2

Presented by Eric Roring Pesik at Corruption and Compliance South & South East Asia Summit

September 2012, Hilton Hotel, Singapore

Page 3

“These slides cannot replace the full live presentation, so I have added quotes and narration from my live presentation to supplement the visuals.”

Page 4

effective internal controls

Page 5

“I am here to talk about instilling good governance and ensuring full compliance with an effective internal controls program.”

Page 6

“There are two main topics: First, what are internal controls? And second, how do you ensure they are effective?”

Page 7

internal controls

Page 8

finance & accounting procedures

Page 9

finance & accounting procedures

“When we envision internal controls in modern organizations, the typical things one thinks about are finance and accounting procedures, such as revenue recognition rules, balance sheets, and cash flow statements.”

Page 10

corporate IT systems

Page 11

corporate IT systems

“Or you might also think about your corporate IT systems, such as ORACLE, SAP, and the databases and programs that keep track of corporate transactions.”

Page 12

company policies & procedures

Page 13

company policies & procedures

“Or you might think about general company policies & procedures, such as the rules we all follow to get our expense reports approved.”

Page 14

humanize internal controls

Page 15

humanize internal controls

“These are typical examples of internal controls. But they can also be obscure or esoteric. Internal controls should make sense to the people that have to comply with them.”

Page 16

simplify internal controls

Page 17

“Instead of the typical corporate internal controls, I offer you a simple internal control...”

Page 18

restaurant guest check

Page 19

restaurant guest check

“Everyone has seen a restaurant guest check. You know what it is and how it works. But how many people think of this as an internal control?”

Page 20

restaurant procedures

Page 21

restaurant procedures

“We recognize restaurant procedures, and we participate without question or thought.”

Page 22

take your order

Page 23

take your order

“When the waitress takes your order, the first internal control comes into play when you tell the waitress what you want. She writes it down. This simple data entry drives restaurant operations.”

Page 24

take your order

“The waitress repeats your order as an additional control to verify the data, and correct it if it is incorrect.”

Page 25

prepare your order

Page 26

prepare your order

“The segregation of duties is another internal control because the kitchen must translate the written data into an allowed order on the menu.”

Page 27

prepare your order

“The kitchen uses the order to manage production, preparing the meal as described in the guest check, and pulling raw materials from inventory.”

Page 28

prepare your order

“The segregation of duties is also a fraud prevention control. The kitchen operates to the written order, preventing the waitress from recording an inexpensive item but delivering an expensive item.”

Page 29

serve your order

Page 30

serve your order

“When your order is ready the waitress uses the order to verify customer requirements against kitchen production output.”

Page 31

serve your order

“There is a final verification when your meal arrives. If you dispute the order, the wait staff can compare your dispute against the written order.”

Page 32

pay for your order

Page 33

pay for your order

“After you eat, you must pay. The cashier reviews the guest check to calculate sales price and record the sales revenue from your meal.”

Page 34

receipt for order

Page 35

receipt for order

“The restaurant keeps the order for records retention. The manager can audit these records to monitor the business operations.”

Page 36

receipt for order

“Total sales as shown in the guest checks should match the revenue in the cash register.”

Page 37

receipt for order

“Production orders as shown in the guest checks should match the changes in inventory.”

Page 38

receipt for order

“The guest check allows top level review of restaurant operations. If there are discrepancies, management can investigate.”

Page 39

restaurant guest check

Page 40

restaurant guest check

“It doesn’t feel like an internal control. It’s not bureaucratic. It helps restaurant employees do their job more effectively, so they use it effectively.”

Page 41

human scale controls

Page 42

“The restaurant guest check is a human scale control. It is easy to understand and requires no special skill or technical knowledge.”

Page 43

1. simple 2. effective 3. efficient

Page 44

“It is simple because it only requires a small piece of paper passed from user to user without special tools or equipment.”

Page 45

“It is effective because one item drives nearly every aspect of the business: sales, customer services, operations, production, inventory, revenue, accounting, planning, management oversight...”

Page 46

“It is an efficient control because it does not interfere with how each employee does his or her job. This internal control helps employees do their job more efficiently.”

Page 47

organic controls

Page 48

“This internal control was developed organically. It wasn’t implemented by legal or finance or compliance. It was developed over time by the users themselves to make their job easier.”

Page 49

“There are probably similar internal controls in your company developed by the users themselves.”

Page 50

internal control integrated framework

Page 51

“Let’s look at the opposite end of the spectrum. The Internal Control - Integrated Framework was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission.”

Page 52

“This is a formal framework for internal control systems that is employed by a majority of multinational companies.”

Page 53

“There are four key concepts in the Internal Controls - Integrated Framework.”

Page 54

internal control is a process

Page 55

internal control is a process

“Internal control is a means to an end, not an end in itself.”

Page 56

affected by people

Page 57

affected by people

“Internal controls are not just things, they are people at every level of an organization. Internal controls rely on people for their effectiveness and are affected by the inherent faults of people.”

Page 58

reasonable assurance

Page 59

reasonable assurance

“Internal controls cannot provide absolute assurances. There are no fool-proof internal controls.”

Page 60

achieve objectives

Page 61

achieve objectives

“Internal control should be directed at achieving company objectives. An internal control that is not tied to a corporate objective is not an effective internal control.”

Page 62

1. process 2. people 3. assurances 4. objectives

Page 63

“Internal controls are processes effected by people that provide reasonable assurances that you are meeting or achieving your corporate objectives.”

Page 64

integrated framework

Page 65

human framework

Page 66

human laziness

Page 67

human laziness

“Internal controls protect against the human desire to skip steps and take shortcuts.”

Page 68

human carelessness

Page 69

human carelessness

“Internal controls need to protect against mistakes and human carelessness.”

Page 70

human dishonesty

Page 71

human dishonesty

“Human controls need to protect against human dishonesty.”

Page 72

1. laziness 2. carelessness 3. dishonesty

Page 73

human framework

Page 74

“Internal controls protect against the inherent risk of having humans participate in your business.”

Page 75

internal controls methods

Page 76

“The integrated framework describes methods we put in place to protect against the human framework.”

Page 77

segregation of duties

Page 78

segregation of duties

“Separating authorization, custody, and record keeping roles helps prevent fraud or error by one person.”

Page 79

retention of records

Page 80

retention of records

“Maintaining documentation allows us to document and substantiate transactions.”

Page 81

supervision or monitoring

Page 82

supervision or monitoring

“Supervision or monitoring allows us to observe and review ongoing operational activity.”

Page 83

information processing

Page 84

information processing

“Information processing allows us to verify data entry, compare file totals with control accounts, and control access to data, files, and programs.”

Page 85

authorization of transactions

Page 86

authorization of transactions

“Authorization of transactions ensures that transactions are reviewed and approved by an appropriate person.”

Page 87

top-level reviews

Page 88

top-level reviews

“Top level reviews allow reporting and analysis of actual results versus organizational goals and key performance indicators.”

Page 89

electronic security

Page 90

electronic security

“Electronic security provides passwords and access logs to protect data and programs from unauthorized access.”

Page 91

physical security

Page 92

physical security

“Physical security provides cameras, locks, and physical barriers to protect cash, property, and inventory.”

Page 93

1. segregation of duties 2. retention of records 3. supervision or monitoring 4. information processing 5. authorization of transactions 6. top-level reviews 7. electronic security 8. physical security

Page 94

internal controls methods

Page 95

“The eight categories of internal control methods are overlapping and nonexclusive.”

Page 96

“How do you make them effective?”

Page 97

effective internal controls

Page 98

risk focused

Page 99

“Internal controls must be risk focused. They must be tailored to actual risks your company faces.”

Page 100

risk assessment

Page 101

risk assessment

“To implement risk-focused internal controls, you have to do a formal risk assessment. This is something everyone talks about, but rarely does.”

Page 102

“Everyone has seen a typical risk matrix. It is a tool to compare two dimensions of data, the probability of risk and the magnitude of harm, to help you measure threats.”

Page 103

risk matrix (Magnitude of Loss against Probability of Risk)

                    Low Probability                  High Probability
High Magnitude      High Magnitude Low Probability   High Magnitude High Probability
Low Magnitude       Low Magnitude Low Probability    Low Magnitude High Probability

Page 104

“How many people have actually plotted out risks their company faces? This should not be merely a thought experiment, but a formal risk assessment.”

Page 105

who determines risk?

Page 106

who determines risk?

“Most companies’ risk profiles are determined by the personal opinions of a small number of individuals.”

Page 107

risk experts

Page 108

risk experts

“Lawyers, accountants, risk officers, experienced business professionals are all risk experts. Their job is to understand the risks our companies face based on their professional experience, training, and individual expertise.”

Page 109

subjective opinions

Page 110

subjective opinions

“But individual opinions are too subjective, especially when risk assessments are made by limited individuals insulated from day-to-day operations.”

Page 111

objective data

Page 112

objective data

“Relying on risk experts is not enough. To develop effective internal controls, you need to supplement subjective individual opinions with objective risk data.”

Page 113

objective data

“Without objective risk data, you cannot have a risk-focused program. And you cannot demonstrate to regulatory authorities that you have appropriate controls in place.”

Page 114

sources of data

Page 115

“The data in this presentation is derived from reports from the Association of Certified Fraud Examiners. This presentation was delivered in Asia, and uses Asia data. But global data is similar.”

Page 116

categories of risk

Page 117

“Probability is the frequency of fraud in each category. The percentages exceed 100% because any event may involve more than one risk category.”

Page 118

probability of the risk (frequency of each fraud category; values paired with categories in chart order)

Cash Register          2%
Payroll                4%
Financial Statement    7%
Check Tampering        7%
Cash Larceny           9%
Cash on Hand          11%
Skimming              13%
Expense Account       14%
Non-Cash              19%
Billing               19%
Corruption            51%

Page 119

“Corruption is the most frequent risk, occurring in more than half of all events.”

Page 120

“The magnitude of loss is the median loss for each event, in thousands of US dollars.”

Page 121

magnitude of the loss (median loss per event, thousands of US dollars; values paired with categories in chart order)

Cash Register           $23
Cash on Hand            $23
Expense Account         $33
Skimming                $60
Payroll                 $72
Non-Cash                $90
Cash Larceny           $100
Billing                $128
Check Tampering        $131
Corruption             $175
Financial Statement  $1,730

Page 122

“Financial statement fraud is infrequent, but it is the most costly form of fraud when it occurs.”

Page 123

“The adjusted risk profile combines the probability and magnitude together and then scales the result from 1-10, lowest to the highest.”

Page 124

adjusted risk profile (probability combined with magnitude, scaled 0 to 10; values paired with categories in chart order)

Cash Register          0.0
Cash on Hand           0.2
Payroll                0.2
Expense Account        0.4
Skimming               0.6
Cash Larceny           0.7
Check Tampering        0.7
Non-Cash               1.3
Billing                2.0
Corruption             7.4
Financial Statement   10.0

Page 125

“Financial statement risk and corruption risks are both high risk because of the high occurrence and high cost. Corruption is a current hot topic, but the data shows financial statement fraud is a greater risk.”
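The risk matrix and the adjusted risk profile above are the one quantitative step in the deck, and the slides do not state the formula behind the 0-to-10 score or where the high/low split of the matrix lies. The Python below is an added example written for this page, not code from the presentation or from the ACFE. It assumes the adjusted score is the product of probability and median loss, min-max scaled so the smallest product is 0 and the largest is 10 (with the slides' rounded inputs this reproduces the slides' figures to within about 0.1), and it assumes a category is "High" on an axis of the matrix when it is above the median of all categories on that axis. The category figures are transcribed from the two preceding slides.

```python
"""Risk scoring over the fraud-category figures shown on the slides.

Added example for this page; not the presenter's or the ACFE's code.
ASSUMPTIONS (the slides do not state either):
  * adjusted risk = probability * median loss, min-max scaled onto 0..10
  * a category is "High" on a matrix axis when it is above the median of
    all categories on that axis
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    name: str
    probability: float     # share of fraud events involving this category (0..1)
    median_loss_k: float   # median loss per event, thousands of US dollars


# Figures transcribed from the "probability of the risk" and
# "magnitude of the loss" slides (ACFE data as presented there).
FRAUD_CATEGORIES = [
    RiskItem("Cash Register", 0.02, 23),
    RiskItem("Payroll", 0.04, 72),
    RiskItem("Financial Statement", 0.07, 1730),
    RiskItem("Check Tampering", 0.07, 131),
    RiskItem("Cash Larceny", 0.09, 100),
    RiskItem("Cash on Hand", 0.11, 23),
    RiskItem("Skimming", 0.13, 60),
    RiskItem("Expense Account", 0.14, 33),
    RiskItem("Non-Cash", 0.19, 90),
    RiskItem("Billing", 0.19, 128),
    RiskItem("Corruption", 0.51, 175),
]


def expected_loss_k(item):
    """Probability-weighted median loss: the raw, unscaled risk value."""
    return item.probability * item.median_loss_k


def quadrant(item, items=FRAUD_CATEGORIES):
    """Place one item in the slide's 2x2 risk matrix (assumed split: the median on each axis)."""
    p_split = statistics.median(i.probability for i in items)
    m_split = statistics.median(i.median_loss_k for i in items)
    prob = "High" if item.probability > p_split else "Low"
    mag = "High" if item.median_loss_k > m_split else "Low"
    return f"{mag} Magnitude {prob} Probability"


def adjusted_risk_profile(items=FRAUD_CATEGORIES, top=10.0):
    """Map raw risk values onto 0..top (assumed min-max scaling), rounded to one decimal."""
    raw = {i.name: expected_loss_k(i) for i in items}
    lo, hi = min(raw.values()), max(raw.values())
    if hi == lo:  # degenerate input: every category ties, nothing to rank
        return {name: 0.0 for name in raw}
    return {name: round((v - lo) / (hi - lo) * top, 1) for name, v in raw.items()}


def ranked(items=FRAUD_CATEGORIES):
    """Category names from highest to lowest adjusted risk."""
    scores = adjusted_risk_profile(items)
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    scores = adjusted_risk_profile()
    for name in ranked():
        item = next(i for i in FRAUD_CATEGORIES if i.name == name)
        print(f"{name:20s} {scores[name]:5.1f}  {quadrant(item)}")
```

Running it lists Financial Statement at 10.0 and Corruption at 7.4, the two the slide singles out, with Financial Statement landing in the High Magnitude Low Probability quadrant and Corruption in High Magnitude High Probability. Swap in your own risk inventory (probability from incident counts, magnitude from your loss data) and the same two functions give you the company-specific matrix the later slides ask for.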

Page 126

perpetrators of risk

Page 127

probability of the risk (share of fraud events, by perpetrator's department; values paired with departments in chart order)

Legal                        0.0%
Research and Dev             0.4%
Internal Audit               0.4%
Information Technology       1.5%
Human Resources              2.2%
Mfg and Production           2.2%
Board of Directors           2.9%
Marketing/Pub Relations      2.9%
Customer Service             3.3%
Finance                      4.0%
Warehousing/Inventory        4.0%
Purchasing                  10.7%
Exec/Upper Mgmt             14.0%
Accounting                  15.1%
Operations                  15.4%
Sales                       21.0%

Page 128

“The sales department is the most frequent source of risk, probably because corruption is the most frequent category of risk. But the top 5 overall departments are similar, all with double-digit risks.”

Page 129

magnitude of the loss (median loss per event by perpetrator's department, thousands of US dollars; values paired with departments in chart order)

Internal Audit            $13
Customer Service          $46
Information Technology    $71
Sales                     $95
Research and Dev         $100
Operations               $105
Mfg and Production       $150
Accounting               $180
Human Resources          $200
Warehousing/Inventory    $239
Marketing/Pub Relations  $248
Finance                  $450
Purchasing               $500
Legal                    $566
Board of Directors       $800
Exec/Upper Mgmt          $829

Page 130

“Upper management and the board of directors are the source of the greatest median loss per event, probably because financial statement fraud is the most costly form of fraud.”

Page 131

adjusted risk profile (by perpetrator's department, scaled 0 to 10; values paired with departments in chart order)

Internal Audit            0.0
Research and Dev          0.0
Information Technology    0.2
Mfg and Production        0.2
Human Resources           0.2
Legal                     0.2
Customer Service          0.3
Marketing/Pub Relations   0.4
Board of Directors        1.0
Warehousing/Inventory     1.0
Sales                     1.1
Finance                   1.7
Operations                1.7
Purchasing                2.8
Accounting                3.5
Exec/Upper Mgmt          10.0

Page 132

“The adjusted risk profile shows upper and executive management is the greatest source of risk to the company.”

Page 133

external data

Page 134

“External data is not enough. It helps you benchmark your risk analysis, but the key to developing risk-focused controls is collecting your own internal data.”

Page 135

internal data

Page 136

company constituents

Page 137

company constituents

“When you need unfiltered data about your company, you cannot rely on risk experts, because they don’t know what is happening with manager-level and line-level employees.”

Page 138

company constituents

“You need to discover open secrets that everyone knows on the shop floor but that never reach management.”

Page 139

human laziness

Page 140

human laziness

“Employees know who is lazy in their organization. They might not turn in their co-workers, but they will tell you the steps people skip.”

Page 141

human carelessness

Page 142

human carelessness

“Employees know who is careless in their organization. They might not turn in their co-workers, but they will tell you the mistakes people make.”

Page 143

human dishonesty

Page 144

human dishonesty

“Employees know who is dishonest in their organization. They might not turn in their co-workers, but they will tell you how people steal from the company.”

Page 145

risk experts

Page 146

ordinary employees

Page 147

ordinary employees

“Ordinary employees are the real risk experts in your company.”

Page 148

formal risk assessment

Page 149

formal risk assessment

“A formal risk assessment is time consuming. It requires putting all your constituents in a room and having each of them teach you about the risks they see every day.”

Page 150

risk inventory

Page 151

risk inventory

“Your risk assessment will produce a risk inventory - a list of every risk your employees identify.”

Page 152

risk inventory

“Analyze the probability and magnitude of each item in your risk inventory to develop your company’s risk matrix.”

Page 153

probability of occurrence

Page 154

magnitude of loss

Page 155

risk matrix

Page 156

“Once you develop your company’s matrix, you must select appropriate internal control methods to mitigate the risks.”

Page 157

internal controls methods

Page 158

1. segregation of duties 2. retention of records 3. supervision or monitoring 4. information processing 5. authorization of transactions 6. top-level reviews 7. electronic security 8. physical security

Page 159

“But your work is not done. You also have to assess the effectiveness of your proposed controls.”

Page 160

effectiveness of controls

Page 161

cost of mitigating or avoiding

Page 162

cost of mitigating or avoiding

“Every internal control has a price. It may be the financial cost to implement, or the loss of operational efficiencies due to burdensome process steps or procedures.”

Page 163

cost of mitigating or avoiding

“Do not allow the cost of mitigation to exceed the value of the risk. You need to know the effectiveness of each internal control.”

Page 164

follow the money

Page 165

“Effectiveness is measured by the reduction in median losses of organizations with an internal control versus organizations without the same internal control.”

Page 166

effective loss reduction (reduction in median loss, organizations with the control versus without; values paired with controls in chart order)

Rewards for Whistleblowers          23.2%
Management Certification of F/S     25.0%
External Audit of F/S               25.0%
Independent Audit Committee         30.0%
Internal Audit Department           30.6%
External Audit of ICOFR             34.9%
Anti-Fraud Policy                   40.0%
Management Review                   40.0%
Code of Conduct                     46.6%
Job Rotation/Mandatory Vacation     46.8%
Fraud Training for Employees        50.0%
Fraud Training for Managers/Execs   50.0%
Surprise Audits                     51.5%
Employee Support Programs           59.0%
Hotline                             59.2%

Page 167

“Hotlines were the most effective, but the top 5 internal controls yielded 50% or greater median loss reduction.”

Page 168

benefit of loss reduction (median loss per event in thousands of US dollars, with the control versus without; the two value columns are paired with the controls in chart order)

Control                             With control   Without control
Rewards for Whistleblowers               $119           $155
Management Certification of F/S          $150           $200
External Audit of F/S                    $150           $200
Independent Audit Committee              $140           $200
Internal Audit Department                $145           $209
External Audit of ICOFR                  $140           $215
Anti-Fraud Policy                        $120           $200
Management Review                        $120           $200
Code of Conduct                          $140           $262
Job Rotation/Mandatory Vacation          $100           $188
Fraud Training for Employees             $100           $200
Fraud Training for Managers/Execs        $100           $200
Surprise Audits                           $97           $200
Employee Support Programs                $100           $244
Hotline                                  $100           $245

Page 169

“Companies without hotlines suffered median losses of $245k per event. Companies with hotlines suffered only $100k median losses per event.”
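The effectiveness measure defined a few slides back (the reduction in median loss for organizations with a control compared with those without it) and the rule from the "cost of mitigating or avoiding" slides, worked through in Python as an added example that is not part of the original presentation. The median-loss figures are transcribed from the "benefit of loss reduction" slide; the expected number of fraud events per year and the annual cost of running a control are hypothetical inputs chosen for the demonstration, since the slides give neither.

```python
"""Control effectiveness from the with-versus-without median-loss figures.

Added example for this page; not the presenter's or the ACFE's code.
Effectiveness follows the slides' definition: the reduction in median loss
for organizations with a control compared with organizations without it.
The cost screen applies the slides' rule that the cost of mitigation must
not exceed the value of the risk. Expected events per year and the annual
control cost are HYPOTHETICAL inputs supplied by the caller.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlStats:
    name: str
    loss_with_k: float      # median loss per event with the control, $ thousands
    loss_without_k: float   # median loss per event without it, $ thousands


# Median losses transcribed from the "benefit of loss reduction" slide.
CONTROLS = [
    ControlStats("Rewards for Whistleblowers", 119, 155),
    ControlStats("Management Certification of F/S", 150, 200),
    ControlStats("External Audit of F/S", 150, 200),
    ControlStats("Independent Audit Committee", 140, 200),
    ControlStats("Internal Audit Department", 145, 209),
    ControlStats("External Audit of ICOFR", 140, 215),
    ControlStats("Anti-Fraud Policy", 120, 200),
    ControlStats("Management Review", 120, 200),
    ControlStats("Code of Conduct", 140, 262),
    ControlStats("Job Rotation/Mandatory Vacation", 100, 188),
    ControlStats("Fraud Training for Employees", 100, 200),
    ControlStats("Fraud Training for Managers/Execs", 100, 200),
    ControlStats("Surprise Audits", 97, 200),
    ControlStats("Employee Support Programs", 100, 244),
    ControlStats("Hotline", 100, 245),
]


def loss_reduction(control):
    """Fractional reduction in median loss attributable to the control (0.592 means 59.2%)."""
    if control.loss_without_k <= 0:
        raise ValueError(f"{control.name}: median loss without the control must be positive")
    return (control.loss_without_k - control.loss_with_k) / control.loss_without_k


def rank_by_effectiveness(controls=CONTROLS):
    """Controls ordered from largest to smallest loss reduction."""
    return sorted(controls, key=loss_reduction, reverse=True)


def expected_benefit_k(control, events_per_year):
    """Expected annual saving in $ thousands: loss avoided per event times expected events."""
    return (control.loss_without_k - control.loss_with_k) * events_per_year


def worth_implementing(control, events_per_year, annual_cost_k):
    """The slides' screen: keep a control only if its cost does not exceed the risk value it removes."""
    return annual_cost_k <= expected_benefit_k(control, events_per_year)


if __name__ == "__main__":
    for c in rank_by_effectiveness():
        print(f"{c.name:34s} {loss_reduction(c):6.1%}")
    # Hypothetical inputs: two fraud events a year, $120k a year to run a hotline.
    hotline = next(c for c in CONTROLS if c.name == "Hotline")
    print("hotline worth it at $120k/yr:", worth_implementing(hotline, 2, 120))
```

The ranking reproduces the slide's ordering (Hotline 59.2% first, the top five at 50% or better), and the screen shows why the cost question cannot be answered from the benchmark data alone: the same hotline passes at two expected events a year and fails at a higher annual cost, so the event frequency has to come from your own risk inventory.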

Page 170

“Since hotlines have the greatest effective loss reduction, let’s do a quick case study to examine hotlines further and compare them with other sources of risk detection.”

Page 171

risk detection

Page 172

detection method (share of fraud cases detected by each method; values paired with methods in chart order)

IT Controls                 0.7%
Notified by Police          1.7%
Confession                  2.4%
Surveillance/Monitoring     2.7%
Document Examination        4.4%
Account Reconciliation      5.5%
External Audit              5.8%
By Accident                 8.9%
Management Review          11.3%
Internal Audit             14.3%
Tip                        42.3%

Page 173

“Tips are the source of 42.3% of risk detection. They are the greatest detection source.”

Page 174

source of tips (values paired with sources in chart order)

Perpetrator's Acquaintance    1.8%
Competitor                    2.5%
Shareholder/Owner             3.7%
Vendor                       12.1%
Anonymous                    13.4%
Customer                     17.8%
Employee                     49.2%

Page 175

“Employees are the greatest source of tips. But about half of all tips come from sources other than employees.”

Page 176

companies with hotlines (share of fraud cases detected by tip)

No Hotline       33.8%
Tips Overall     42.3%
With Hotline     47.1%

Page 177

companies without hotlines (share of fraud cases detected by tip)

No Hotline       33.8%
Tips Overall     42.3%
With Hotline     47.1%
Difference       13.3 percentage points (with hotline minus no hotline)

Page 178

“Companies with hotlines receive 13% more tips than companies without.”

Page 179

importance of hotlines

Page 180

importance of hotlines

“Hotlines are the most effective internal control, reducing median losses by almost 60%. Tips are the number one source for detecting risk, resulting in 13% more tips.”

“Why is this important?”

Page 181

whistleblower bounties

Page 182

whistleblower bounties

“Regulators are paying whistleblower bounties to get tips. If you don’t have a hotline, you are telling 13% of people with tips to take them somewhere else.”

Page 183

whistleblower bounties

“They will follow the money.”

Page 184

follow the money

Page 185

“Follow the money, follow the risk.”

Page 186

recap

Page 187

effective internal controls

Page 188

1. simple 2. effective 3. efficient

Page 189

1. process 2. people 3. assurances 4. objectives

Page 190

1. laziness 2. carelessness 3. dishonesty

Page 191

1. segregation of duties 2. retention of records 3. supervision or monitoring 4. information processing 5. authorization of transactions 6. top-level reviews 7. electronic security 8. physical security

Page 192

risk focused

Page 193

objective data

Page 194

follow the money

Page 195

“Follow the money, follow the risk.”

Page 196

questions?

Page 197

get more from http://www.slideshare.net/ericpesik/

Page 198

License and Credits

This presentation, excluding the images, is provided under creative commons attribution license. http://creativecommons.org/licenses/by/3.0/ You are free to share, copy, distribute, and transmit this work; to remix, adapt this work; and to make commercial use of the work; under the condition that you attribute this work to me by including the following attribution “Effective Internal Controls by Eric Pesik. Used with permission,” and URL Link: http://www.slideshare.net/ericpesik/

Microsoft Office Online: Except as noted below, all images in this presentation are from Microsoft Office Online. Used with permission from Microsoft: http://office.microsoft.com/en-us/images/

Flickr Creative Commons: The following images are from flickr creative commons and are licensed and used under creative commons attribution license: http://creativecommons.org/licenses/by/2.0/deed.en

Art Coffee House Waitress by Wonderlane http://www.flickr.com/photos/wonderlane/293137892/

Waitress by Adikos http://www.flickr.com/photos/adikos/4319818916/

Rutherford Grill by Neeta Lind http://www.flickr.com/photos/neeta_lind/2517034517/

Serving Food by Adrian Nier http://www.flickr.com/photos/adriannier/4004167201/

Donut Shop Owner by Robert Couse-Baker http://www.flickr.com/photos/29233640@N07/7104455917/

Two chorizo burritos with cheese and sour cream by Rick http://www.flickr.com/photos/spine/1994814081/

Waiter by Hans Van Den Berg http://www.flickr.com/photos/myimage/4353456304/

Blue Telephone by UggBoy♥UggGirl http://www.flickr.com/photos/uggboy/5345135964/

Association of Certified Fraud Examiners: All data is from the Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2010 Global Fraud Study based on 1,843 cases of occupational fraud that were reported by the Certified Fraud Examiners who investigated them. http://www.acfe.com

Committee on Sponsoring Organizations of the Treadway Commission: The Internal Control — Integrated Framework was commissioned by the Committee on Sponsoring Organizations of the Treadway Commission. It establishes a common definition of internal control that serves the needs of different parties for assessing and improving their control systems. http://www.coso.org