AUDIT and INTERNAL CONTROL

Post on 25-Feb-2016


1

AUDIT and INTERNAL CONTROL

Conf. univ. dr. Camelia Dobroţeanu
Prof. univ. dr. Laurenţiu Dobroţeanu

Master Aprofundat 2009-2010

2

Detailed requirements
Study materials:
• Brink's Modern Internal Auditing, R. Moeller, Wiley, 6th edition, 2005
• Sawyer's Internal Auditing, L. B. Sawyer et al., IIA, 5th edition, 2005
• Managing the audit function: a corporate audit department procedures guide, M. P. Cangemi, T. Singleton, Wiley, 3rd edition, 2003
• Audit Intern, C. L. Dobroţeanu, L. Dobroţeanu, InfoMega, 2007
• Audit: concepte şi practici. O abordare naţională şi internaţională, L. Dobroţeanu, C. L. Dobroţeanu, Ed. Economică, 2002
• Teoria şi practica auditului intern, J. Renard, Ministerul Finanţelor, 2002

Marking:
• Workshop 30%
• Written examination 70%

3

Syllabus:
I. The system of internal control: conceptual framework, principles, models (2 lectures)

II. Risk management (1 lecture)

III. Fraud: detection and prevention (1 lecture)

IV. Audit - internal control relationships (1.5 lectures)

V. Audit – internal control – corporate governance (0.5 lectures)

4

I. Internal Control System

Lecture overview:
1. Importance of IC
2. Fundamentals of IC
3. Essential IC techniques
4. COSO framework
5. IC assessment: SOX

5

I.1. Importance of IC

Definition: “IC reflects any action taken by the board, management and others to improve risk management and to increase the likelihood that the organization meets its objectives.”

Can we define a good IC?

6

I.1. Importance of IC
Good IC if it:
• Accomplishes its stated mission;
• Produces accurate and reliable data;
• Complies with applicable laws and organization policies;
• Provides for economical and efficient use of resources;
• Provides for appropriate safeguarding of assets.

7

I.2. Fundamentals of IC

[Figure: the car as a control analogy: accelerator, brake, steering wheel, driver]

8

I.2. Fundamentals of IC

[Figure: elements of a control loop]
• Detector/Sensor: 1. measures the performance indicator
• Standard: 2. the benchmark the indicator is compared with
• Controller: 3. signals departures from the standard
• Communicator: 4. transmits the messages

9

I.2. Fundamentals of IC
[Flowchart: the control cycle]
Monitor/measure the control element (CE)
→ Are controls within standards?
   YES: continue monitoring the CE
   NO: correct the CE, then monitor to make sure the corrections are working, and continue monitoring the CE
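The control cycle above, as an added example that is not from the lecture slides: each element of the control loop (detector/sensor, standard, controller, communicator) is a small Python function, and the loop walks the flowchart over a constructed series of failed-login counts per minute. The monitored control element, the threshold of 10 and the sample values are assumptions chosen for this example, not anything the slides specify; the point is the YES/NO branching and the check that a correction actually worked before monitoring goes back to normal.

```python
"""Feedback control loop from the lecture's flowchart: measure, compare with
the standard, correct on departure, then keep monitoring to confirm that the
correction works. Added example; the monitored control element (failed
logins per minute) and the threshold are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List

# Constructed telemetry for the example: failed login attempts per minute
# observed from one source address (not real data).
SAMPLES = [3, 4, 2, 40, 55, 6, 3]


@dataclass
class Standard:
    """Element 2, the benchmark: most failed logins per minute tolerated."""
    max_failed_logins: int = 10


@dataclass
class LoopState:
    corrected: bool = False   # a corrective action has been applied
    verified: bool = False    # a later measurement confirmed it worked
    messages: List[str] = field(default_factory=list)


def detect(sample: int) -> int:
    """Element 1, detector/sensor: turn the raw observation into the
    performance indicator that is compared with the standard."""
    return int(sample)


def within_standard(indicator: int, standard: Standard) -> bool:
    """Controller's comparison: is the control element within the standard?"""
    return indicator <= standard.max_failed_logins


def communicate(state: LoopState, message: str) -> None:
    """Element 4, communicator: transmit the message to whoever can act
    (appended to a list here; an alert channel in practice)."""
    state.messages.append(message)


def correct(state: LoopState, minute: int) -> None:
    """Corrective action on the control element (hypothetical: block the
    source). Verification is reset so the next measurement must confirm it."""
    state.corrected = True
    state.verified = False
    communicate(state, f"minute {minute}: CORRECT, source blocked")


def run_control_loop(samples, standard: Standard) -> LoopState:
    """Walk the flowchart for each measurement: YES (within standard) means
    continue monitoring, NO means signal the departure (element 3) and
    correct, and a departure that persists after correction is escalated."""
    state = LoopState()
    limit = standard.max_failed_logins
    for minute, sample in enumerate(samples):
        indicator = detect(sample)
        if within_standard(indicator, standard):
            # YES branch. If a correction is outstanding, this in-standard
            # measurement is the evidence that the correction is working.
            if state.corrected and not state.verified:
                state.verified = True
                communicate(state, f"minute {minute}: VERIFIED, correction working ({indicator} <= {limit})")
            continue
        # NO branch: element 3, signal the departure from the standard.
        communicate(state, f"minute {minute}: DEPARTURE, {indicator} > {limit}")
        if state.corrected and not state.verified:
            # Still out of standard after correcting: the correction is not
            # working, so escalate instead of repeating the same action.
            communicate(state, f"minute {minute}: ESCALATE, correction not effective")
        else:
            correct(state, minute)
    return state


if __name__ == "__main__":
    for line in run_control_loop(SAMPLES, Standard()).messages:
        print(line)
```

Running the block on the constructed samples produces a departure and a correction at minute 3, an escalation at minute 4 (the correction had not taken effect yet) and a verification at minute 5; a series that never leaves the standard produces no messages at all, which is the "continue monitoring" branch.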

10

I.3. Essential IC techniques

1. Prevention controls
2. Detection controls
3. Corrective controls

11

I.3. Essential IC techniques

Type of control: example
• Steering controls: e.g. macro-economic trends
• Yes/No controls: e.g. authorization, approval
• Post-action controls: e.g. after dismissal of an employee

12

WORKSHOP

Case study: ................

13

I.4. COSO Framework

COSO sponsoring organizations: AICPA, AAA, FEI, IIA, IMA

14

I.4. COSO Framework
Internal Control: Integrated Framework
IC: a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

15

I.4. COSO Framework
[Figure: the five components of the internal control system (ICS): control environment, risk assessment, control activities, information and communication, monitoring]

16

I.4. COSO Framework
a. Control environment:
• Integrity and ethical values
• Professional competence
• Board and audit committee
• Management philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices:
   Recruitment
   New employee orientation
   Evaluation, promotion, compensation
   Disciplinary actions


17

I.4. COSO Framework
b. Risk assessment:
3-step process:
1. Identification of significant risks
2. Assess the risk likelihood or frequency
3. Consider the appropriate actions to manage the risk


18

I.4. COSO Framework
b. Risk assessment (cont.):
Types of risks:
• Organizational risks from external factors
• Organizational risks from internal factors
• Specific activity-level risks


19

I.4. COSO Framework
c. Control activities
Types of control activities:
• top-level reviews
• direct functional or activity management
• information processing
• physical controls
• performance indicators
• segregation of duties
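Segregation of duties, the last control activity above, as an added example that is not from the lecture: a Python check that applies a matrix of incompatible duties first to user-role assignments (the design-level test) and then to an audit trail (the transaction-level test, which catches a user whose roles are compatible on paper but who still initiated and approved the same payment). The duty matrix, roles, users and trail are all constructed for the example; an entity's real matrix comes from its own control design.

```python
"""Segregation-of-duties (SoD) check. Added example; the incompatible-duty
matrix, roles, users and audit trail are constructed for illustration."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Pairs of duties one person must not hold (assumption for the example).
INCOMPATIBLE: Set[frozenset] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"record_receipt", "reconcile_bank"}),
}

ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_clerk": {"initiate_payment", "record_receipt"},
    "ap_manager": {"approve_payment"},
    "vendor_admin": {"create_vendor"},
    "accountant": {"reconcile_bank"},
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager", "vendor_admin"},  # creates vendors and approves payments
    "carol": {"ap_clerk", "accountant"},    # records receipts and reconciles the bank
    "dan": {"ap_manager"},
}

# Constructed audit trail: (transaction id, duty performed, user).
TRAIL: List[Tuple[str, str, str]] = [
    ("PAY-1001", "initiate_payment", "alice"),
    ("PAY-1001", "approve_payment", "dan"),
    ("PAY-1002", "initiate_payment", "alice"),
    ("PAY-1002", "approve_payment", "alice"),  # approved her own payment
    ("PAY-1003", "create_vendor", "bob"),
    ("PAY-1003", "initiate_payment", "alice"),
    ("PAY-1003", "approve_payment", "bob"),    # vendor creator also approved
]


def duties_of(user: str, user_roles=USER_ROLES, role_duties=ROLE_DUTIES) -> Set[str]:
    """All duties a user holds through any of their roles."""
    return set().union(*(role_duties[r] for r in user_roles.get(user, set())))


def static_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                     incompatible=INCOMPATIBLE) -> List[Tuple[str, str, str]]:
    """Design-level check: a single user whose role assignments give them
    two incompatible duties. Returns (user, duty_a, duty_b), sorted by user."""
    found = []
    for user in sorted(user_roles):
        duties = duties_of(user, user_roles, role_duties)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in incompatible:
                found.append((user, a, b))
    return found


def transactional_conflicts(trail=TRAIL, incompatible=INCOMPATIBLE) -> List[Tuple[str, str, str, str]]:
    """Transaction-level check: the same user performed two incompatible
    duties on one transaction, whatever their roles say. Returns
    (transaction, user, duty_a, duty_b), grouped by transaction."""
    by_txn: Dict[str, List[Tuple[str, str]]] = {}
    for txn, duty, user in trail:
        by_txn.setdefault(txn, []).append((duty, user))
    found = []
    for txn in sorted(by_txn):
        for (d1, u1), (d2, u2) in combinations(by_txn[txn], 2):
            if u1 == u2 and frozenset({d1, d2}) in incompatible:
                found.append((txn, u1, d1, d2))
    return found


if __name__ == "__main__":
    print("role assignment conflicts:", static_conflicts())
    print("transactions with one user in two incompatible duties:", transactional_conflicts())
```

The two checks find different things: the design-level check flags bob and carol from the role table alone, while the trail check flags alice on PAY-1002, who holds only the clerk role but approved a payment anyway, which is also evidence that the yes/no authorization control on approvals was bypassed.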


20

I.4. COSO Framework
c. Control activities (cont.)
• Integration of control activities with risk assessment
• Controls over information systems:
   general controls: applied to the overall information system
   application controls: applied to specific sections of the system


21

I.4. COSO Framework
d. Communication
• Relationship of information and IC
• Means and methods of communication


22

I.4. COSO Framework
e. Monitoring
Ongoing monitoring activities:
• operating management's normal functions
• communications from external parties
• organizational structures and supervisory activities
• physical inventories and asset reconciliation


23

I.4. COSO Framework
e. Monitoring (cont.)
Separate evaluation of IC:
• Reviews
• Internal audit: compliance, peer review
• Self-assessment
• External evaluation
• Action plan
Reporting IC deficiencies:
• To whom?
• How?


24

I.5. IC ASSESSMENT: SOX
- TO BE PREPARED BY STUDENTS -

25

WORKSHOP

Case study: Pam-Pam or Keos

26

II. Risk Management

II.1. ERM framework
II.2. COSO: IC framework vs. ERM framework

27

II.1. ERM framework

• 2001: PwC, commissioned by COSO, began developing a framework for ERM assessment; completed in 2004

28

II.1. ERM framework
ERM: a process implemented by the board, management and other staff, applied at the enterprise's strategic level, with a view:
– to identify events that could adversely affect the organization;
– to manage the risks within the risk appetite limits;
– to obtain reasonable assurance that the organization's objectives are achievable.

29

II.1. ERM framework
Organization's objectives:
• Strategic
• Operational
• Reporting
• Compliance

30

II.1. ERM framework
Components of the ERM framework:
1. Internal environment
2. Setting the objectives
3. Identification of events
4. Risk assessment
5. Risk response: AARS (avoid, accept, reduce, share)
6. Control activities
7. Information and communication
8. Monitoring

31

II.1. ERM framework
Objectives / components relationships:
[Figure: the ERM cube. Rows: the components (internal environment, identification of events, risk assessment, risk response, control activities, information and communication, monitoring); columns: the four objective categories (strategic, operational, reporting, compliance); depth: the entity levels (organization, division, business unit, branch)]

32

II.1. ERM framework
ERM effectiveness:
a. Effective functioning of the 8 components:
– there are no material deficiencies, and
– risks are managed within the risk appetite limits

33

II.1. ERM framework
Effectiveness of ERM (cont.)
b. Objectives:
– governance structures know whether the objectives are achievable

34

II.1. ERM framework
Governance structures' role: supervision of ERM
• Understand the risks and the risk response
• Know to what extent management has implemented an effective ERM
• Review the risk portfolio against the risk appetite
• Monitor the revision of material risk indicators

35

II.1. ERM framework
COSO responses related to ERM and the current financial crisis:
– reconsideration of current ERM and of the assessment of risk appetite

ERM is an integral component of internal control!

36

II.2. COSO: IC vs. ERM frameworks
• Are there any differences?
– ERM: risk-based assessment
– COSO-IC: IC framework
• ERM and IC framework components: similar (environment, monitoring, communication and information, etc.)
• Is ERM an improved version of the IC framework?
• The controversial role of internal auditors:
– ERM seems to provide assurance that risks are managed!

37

III. Fraud: detection and prevention

38

Lecture outline:
1. The concept of fraud
2. Responsibilities for fraud prevention and detection (DPF)
2.1. Fraud risk assessment (ARF)
2.2. "Audit of fraud" and IIA requirements

39

1. The concept of fraud
• Illegal actions: deception, betrayal
• Does not necessarily imply the use of force or threats of force
• Actions done purposely:
– to obtain financial benefits
– to avoid a payment, or the loss of a financial/personal benefit

40

1. The concept of fraud
Benefits:
• direct, e.g. money
• indirect, e.g. promotion, power, influence.

41

1. The concept of fraud
Frauds committed in the organization's benefit:
• Sale of fictitious assets;
• Forbidden payments: illegal financing of political campaigns, bribery, etc.;
• False statements / misuse of transactions;
• Incorrect assessment of transfer prices (for assets exchanged between members of the same group).

42

1. The concept of fraud
Frauds committed in the organization's benefit (cont.):
• Misrecording or misreporting of transactions to mislead users of financial reports;
• Illegal commercial activities;
• Tax frauds.

43

1. The concept of fraud
Frauds committed in the organization's detriment:
• Acceptance of bribery;
• Unlawful seizure of profitable transactions by an employee;
• Invoicing goods or services which were actually not provided to the company.

44

1. The concept of fraud
Frauds committed in the organization's detriment (cont.):
• Misuse of resources or falsification of accounting records;
• Intentional omission or misleading interpretation of events or transactions.

45

1. The concept of fraud
Indications of fraud (Simmons):
[Figure: the elements of a fraud: an action, done intentionally, abusing trust, causing injury to a victim]

46

1. The concept of fraud
Frauds (Simmons):
• Bribery: offering, accepting, requesting;
• Theft;
• Conflict of interest;
• False statements;
• Swindle;
• Mail and internet frauds;
• Conspiracy;
• Breach of financial obligations provided by agreements;
• Embezzlement.

47

2. Responsibilities for DPF


48

2. Responsibilities for DPF
Board + AC supervise:

antifraud programmes and controls, including identification of fraud risk and implementation of antifraud actions;

the risk of controls avoidance and inappropriate management influence;

whistle-blowing mechanisms;

49

2. Responsibilities for DPF
Board + AC supervise (cont.):

regular reporting: nature, stage and actions taken for detected frauds;

IA plan: risk of fraud and whistle-blowing channels for IA;

involvement of independent experts in investigations of frauds.

50

2. Responsibilities for DPF
IA role: to answer questions like:
• What is the risk of fraud within the organization?
• What are the programs and internal controls that have been implemented to face these risks?
• What is IA doing to prevent and detect fraud (PDRF) before it leads to corporate scandals?

51

2.1. Assessment of the risk of fraud
IA role: the ARF process:
• Organize the assessment process: integrate ARF within the current risk assessment process, or set up a separate process.
• Identify the areas to be assessed: ARF at each of the following levels:
– organization, units, operations (accounts, etc.);
– complex transactions (e.g. acquisitions, mergers, business combinations, etc.)

52

2.1. Assessment of the risk of fraud
IA role: the ARF process (cont.):
• Identify the possible scenarios: does the organization commit frauds, or does it suffer injuries due to others' frauds? How? DB: specific issues;
• Assess the likelihood of fraud being committed:
– scale used for assessment; US practice: three-level qualitative values
• Assess the relevance of the fraud risk (RF):
– impact of RF
– risk rating RR = Impact × Likelihood
– US practice: risks with RR ≥ average are considered by IA

53

2.1. Assessment of the risk of fraud
IA role: the ARF process (cont.):
• Identify and assess the associated internal controls:
– avoidance/ignorance (override) of internal controls
– identify internal controls unable to mitigate the RF
• Integrate the ARF results within the audit plan: a separate section dedicated to the audit of fraud, based on residual risk
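The ARF steps above (which refine the three-step risk assessment of the COSO framework in I.4: identify, assess likelihood, decide on actions), as an added example that is not from the lecture: the three-level qualitative scale is mapped to 1..3, RR = Impact × Likelihood is computed for a set of fraud scenarios, the scenarios with RR ≥ average are retained, the associated controls are assessed, and the retained scenarios are ordered by residual risk for the fraud section of the audit plan. The scenarios are constructed, and the residual-risk rule (an effective control lowers likelihood by one level; a weak or overridden control lowers nothing) is an assumption of this example, not a rule the slides give.

```python
"""Fraud risk assessment (ARF) worked through in code. Added example; the
scenarios and the residual-risk rule are assumptions for illustration."""
from statistics import mean
from typing import Dict, List

# Three-level qualitative scale mapped to numbers so that
# RR = Impact x Likelihood can be computed (RR ranges over 1..9).
SCALE: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}
LEVELS = ["low", "medium", "high"]

# Constructed fraud scenarios for a hypothetical entity. "direction" says
# whether the fraud is in the organization's benefit or to its detriment;
# "controls" is the auditor's assessment of the associated internal
# controls: effective, weak (unable to mitigate) or overridden by management.
SCENARIOS: List[Dict[str, str]] = [
    {"id": "F1", "level": "operation", "direction": "detriment",
     "scenario": "fictitious vendor invoices", "impact": "high",
     "likelihood": "medium", "controls": "weak"},
    {"id": "F2", "level": "operation", "direction": "detriment",
     "scenario": "acceptance of bribery in procurement", "impact": "high",
     "likelihood": "low", "controls": "effective"},
    {"id": "F3", "level": "organization", "direction": "benefit",
     "scenario": "misreporting of revenue", "impact": "high",
     "likelihood": "medium", "controls": "overridden"},
    {"id": "F4", "level": "unit", "direction": "detriment",
     "scenario": "expense reimbursement abuse", "impact": "low",
     "likelihood": "high", "controls": "effective"},
    {"id": "F5", "level": "complex transaction", "direction": "benefit",
     "scenario": "transfer price manipulation", "impact": "medium",
     "likelihood": "medium", "controls": "weak"},
    {"id": "F6", "level": "unit", "direction": "detriment",
     "scenario": "petty cash theft", "impact": "low",
     "likelihood": "medium", "controls": "effective"},
]


def risk_rating(impact: str, likelihood: str) -> int:
    """RR = Impact x Likelihood on the 1..3 scale."""
    return SCALE[impact] * SCALE[likelihood]


def residual_likelihood(likelihood: str, controls: str) -> str:
    """Assumed rule: an effective control lowers likelihood by one level;
    a weak or overridden control does not mitigate the risk at all."""
    if controls == "effective":
        return LEVELS[max(0, LEVELS.index(likelihood) - 1)]
    return likelihood


def residual_rating(impact: str, likelihood: str, controls: str) -> int:
    """Residual risk after the associated internal controls."""
    return risk_rating(impact, residual_likelihood(likelihood, controls))


def assess(scenarios: List[Dict[str, str]]) -> Dict[str, object]:
    """Run the ARF steps: rate every scenario, keep those with RR >= average
    (the US practice the slides cite), then order the retained ones by
    residual risk for the fraud section of the audit plan."""
    rated = []
    for s in scenarios:
        rr = risk_rating(s["impact"], s["likelihood"])
        residual = residual_rating(s["impact"], s["likelihood"], s["controls"])
        rated.append({**s, "rr": rr, "residual": residual})
    average = mean(r["rr"] for r in rated)
    relevant = [r for r in rated if r["rr"] >= average]
    audit_plan = [r["id"] for r in sorted(relevant, key=lambda r: (-r["residual"], r["id"]))]
    return {"rated": rated, "average": average, "relevant": relevant, "audit_plan": audit_plan}


if __name__ == "__main__":
    result = assess(SCENARIOS)
    print(f"average RR = {result['average']:.2f}")
    for r in result["rated"]:
        flag = "*" if r["rr"] >= result["average"] else " "
        print(f"{flag} {r['id']} RR={r['rr']} residual={r['residual']} {r['scenario']}")
    print("audit plan (fraud section):", result["audit_plan"])
```

Note what the two ratings do differently: F4 (low impact, high likelihood) and F2 (high impact, low likelihood) both score RR = 3 and fall below the average, so neither enters the fraud section even though an effective control reduces F4 more than F2; F3, where management has overridden the controls, keeps its full inherent risk and heads the plan together with F1.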

54

2.2. Audit of fraud
G. 1210.A2-2: Responsibilities for fraud detection (FD):
– FD = identification of fraud indications sufficient to request an investigation.
IA responsibilities:
• To have sufficient and appropriate knowledge regarding the indications of fraud:
– the basic elements of a fraud,
– techniques used,
– types of fraud particular to the audited areas;

55

2.2. Audit of fraud
IA responsibilities (cont.):
• to be alert to deficiencies of the ICS: the simultaneous presence of several indications increases the probability that a fraud has been committed;
• to evaluate the indications of a fraud and decide whether further measures are needed, or recommend an investigation;
• to notify the competent authorities within the entity.

56

2.2. Audit of fraud
G. 1210.A2-1, Fraud detection
IA responsibilities:
• To investigate and assess the existence and extent of possible collusion to commit fraud;
• To establish the knowledge, skills and other competencies required to conduct an investigation;
• To set up the procedures to be followed in order to identify the perpetrators, the scope of the fraud, the motives, the impact, and the techniques used;

57

2.2. Audit of fraud
IA responsibilities (cont.):
• To coordinate its activities during the investigation with management, legal advisors, and any other expert involved;
• To be aware of the rights of the suspected perpetrators.

58

2.2. Audit of fraud
G. 1210.A2-1, Fraud detection:
Reporting the results of an audit of fraud engagement; issues to be considered:
• Recommendations for implementing and/or strengthening internal controls;
• Design of audit tests that would allow future detection of similar frauds;
• The need to set up a knowledge file on the risk of fraud;
• Privileged information.

59

2.2. Audit of fraud
IIA Standard 2400:
Immediate reporting to executive management and the board:
• if a relevant fraud has been detected with high certainty;
• if the fraud has had a significant adverse impact on the financial position and financial results reported for previous years.
