Post on 06-Jul-2018
8/16/2019 Internal Control Finance Master 2
Internal Control Master 2 FINANCE
Internal Control
2015/2016
Some examples
Internal Control Master 2 CCA
Textile industry
An HR employee within a textile company diverted a sum of 500
KMAD within 7 years by creating several fictitious accounts.
This person had access rights to the employees' master file,
and no control was performed by an independent person on this database.
Access right issue
Lack of control
Some examples
Food & beverage company
The accountant managed his own fiduciary firm and regularly charged small
amounts for various accounting work ("analysis of account, inventory").
He himself approved these invoices on behalf of the company.
Segregation of duties issue
Lack of control
Some examples
Telecom company
During the implementation of a new accounting system, the total of expense
accounts moved from 10 MMDH to 11 MMDH just after the data transfer.
Old software: total of expenses 10 MMDH
New software: total of expenses 11 MMDH
Over-booking of 1 MMDH
No verification after the data transfer
Some examples
Oil company
Gap between revenues booked & revenues in Sales Software
Lack of reconciliation
Transfer issue from sales software to accounting software
Batches not checked periodically.
Some examples
Private Hospital
Within the emergency departments of a private hospital, the same person
was responsible for the invoicing and the payment collection.
She was able to divert an amount of 76 KMAD within 18 months.
Segregation of duties issue
Some examples
Building material company
A storeman in a building material company was able to divert
a sum of 350 KMAD by creating vouchers of fictitious
returns.
Lack of verification on returns
Some examples
Hardware distribution company
In a hardware distribution company, the person in charge of stock "spare
parts" diverted an amount of 590 KMAD within 3 years.
This person was handling the stock in the system, performing the annual
physical inventory and entering the inventory adjustments in the system.
Segregation of duties issue
Some examples
Pharmaceutical company
Many employees involved in the fraud
Payment of 552 KMAD related to a fictitious event
- Creation of a fictitious purchase request by the brand manager
- Creation of a fictitious purchase order by the person responsible for purchasing.
- Fictitious invoice sent by the event company.
- Validation of the invoice & payment by the CFO.
Internal Control
Internal Control is everywhere:
- All kinds of companies & activities (industry, distribution,
services...),
- Financial & non-financial processes,
- Manual & automated processes,
- All employees (management, executives...),
- Internal & external parties
Internal Control definition
Internal control is a process, effected by an entity’s board of
directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:
reliability of financial reporting
compliance with applicable laws and regulations
Protection of assets
effectiveness and efficiency of operations
Internal Control definition
This definition reflects certain fundamental concepts:
Internal control is the framework of systems, processes and
controls established to mitigate risks
Internal control is effected by people. It is not merely policy
manuals and forms, but involves people at every level of an
organization
Internal control can be expected to provide only reasonable
assurance, not absolute assurance, on the achievement of
objectives
Internal Control definition
compliance with applicable laws and regulations
Fiscal law (CGI)
CNSS
Exchange law
Labor law
Customs
Activity code
Penal code
Commercial law
Personal data law
Accounting law
Internal Control definition
Reliability of financial information
Taking inventories as an example
Physical inventory
Stock value
Stock protection
Destruction
Assets: Tangible & intangible assets, Inventories, Customers, Other assets, Treasury
Liabilities: Equity, Vendors (Suppliers), Other debts, Treasury
Internal Control definition
Reliability of financial information
Taking treasury as an example
Management of collections
Petty cash
Signatory power
Bank reconciliation
Assets: Tangible & intangible assets, Inventories, Customers, Other assets, Treasury
Liabilities: Equity, Vendors (Suppliers), Other debts, Treasury
Internal control components (COSO)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint
initiative of five private sector organizations, established in the United States,
dedicated to providing thought leadership to executive management and governance
entities on critical aspects of organizational governance, business ethics, internal
control, enterprise risk management, fraud, and financial reporting. COSO has
established a common internal control model against which companies and organizations
may assess their control systems. COSO is supported by five supporting organizations,
including the Institute of Management Accountants (IMA), the American Accounting
Association (AAA), the American Institute of Certified Public Accountants (AICPA),
the Institute of Internal Auditors (IIA), and Financial Executives International (FEI).
Internal control components (COSO)
I- Control environment
“Tone from the top”: senior management’s commitment to effective controls,
Clarity of roles and responsibilities: associates should understand, and be
committed to, their roles and responsibilities and these should be aligned to
business objectives,
Awareness: associates should be aware of the relevance and importance of
their activities to enable them to contribute to the achievement of business
objectives,
Cooperation with internal and external auditors: full cooperation should be
given to the auditors, providing them with access to all company records and
personnel; adequate and secure workspace; and truthful and complete answers
to their enquiries,
Internal control components (COSO)
I- Control environment
1- Integrity & ethics
The efficiency of internal control procedures depends on the integrity and ethics shown by
the employees:
- Is there a code of conduct?
- Is there a conflict of interest policy? (familial, personal or financial relationships
between an employee and a third party...)
- Is there a punishment mechanism for deviations?
Internal control components (COSO)
I- Control environment
2- Existence of an audit committee
Is there an audit committee?
Is the audit committee independent from the management?
Does the audit committee establish periodic reports?
Internal control components (COSO)
I- Control environment
3- Organizational structure
Is the entity’s organisational structure appropriate to its size and the nature of its
activities?
Bureaucratic organization?
Internal control components (COSO)
I- Control environment
4- Delegation of authority
The larger a company’s scale of operations, the larger the size of the
workforce and, inevitably, the larger the amount of assignment of authority and
responsibility that is required.
Is there a delegation procedure within the company?
Are the delegations documented?
Do people have enough knowledge & skills for the delegated tasks?
Internal control components (COSO)
I- Control environment
5- Human resources policies and practices
Recruitment policies and procedures,
Remuneration & promotion procedures
Disciplinary procedures,
Performance appraisal procedures
Employment termination procedures
Internal control components (COSO)
II- Risk assessment
Risk identification
External factors
- Competition,
- Customer bankruptcy
- Changes in the law
- Disasters
- ....
Internal control components (COSO)
II- Risk assessment
Risk identification
Internal factors
- Changes at management level,
- Organizational changes,
- Staff turnover
- Volume of manual activities
- ....
Internal control components (COSO)
II- Risk assessment
Risk Impact
Rating, description and definition:
1 Very low
- Financial loss less than $X million
- Local media attention quickly remedied
- No impact on the company image.
- No injuries to employees or third parties, such as customers or vendors
2 Minor
- Financial loss of $X million up to $X million
- Local reputational damage
- Minor injuries to employees or third parties, such as customers or vendors
- General staff morale problems and increase in turnover
3 Moderate
- Financial loss of $X million up to $X million
- National short-term negative media coverage
4 High
- Financial loss of $X million up to $X million
- Significant loss of market share
- Significant impact on the company reputation.
5 Critical
- Financial loss of $X million or more
- International long-term negative
- Impact on business continuity.
Internal control components (COSO)
II- Risk assessment
Likelihood
Rating, description and definition:
- 1, Almost certain (up to once in 2 years or more): 90% or greater chance of occurrence over life of asset or project
- 2, Likely (once in 2 years up to once in 25 years): 65% up to 90% chance of occurrence over life of asset or project
- 3, Possible (once in 25 years up to once in 50 years): 35% up to 65% chance of occurrence over life of asset or project
- 4, Unlikely (once in 50 years up to once in 100 years): 10% up to 35% chance of occurrence over life of asset or project
- 5, Rare (once in 100 years or less): < 10% chance of occurrence over life of asset or project
Internal control components (COSO)
II- Risk assessment
Vulnerability
Rating, description and definition:
1 Very high
- Company not aware of the risk
- No control in place to mitigate the risk
2 High
- Control not covering the risk adequately
- Controls performed but not documented
3 Medium
- Control activities are designed and in place
- Control activities have been documented and communicated to employees
- Controls can be better monitored
4 Low
- Standardized controls with periodic testing for effective design and operation with reporting to management
- Automation and tools may be used in a limited way to support control activities
5 Very low
- Real time monitoring by management with continuous improvement
- Automation and tools are used to support control activities and allow the organization to make rapid changes to the control activities.
Internal control components (COSO)
II- Risk assessment
Ways of managing risks:
Risk avoidance (avoid the risk): Completely avoiding an activity that poses a potential risk.
Risk transfer (transfer the risk): The risk is transferred to a third-party entity (in most cases
an insurance company).
Risk reduction (limit/reduce the risk): This can be done by increasing precautions or
limiting the amount of risky activity.
Risk acceptance (accept the risk): Retention is effective for small risks that do not pose any
significant financial threat.
Internal control components (COSO)
II- Risk assessment
Audit Risks
Inherent risk
- Inherent risk is the risk posed by an error or omission in a financial statement due to a
factor other than a failure of control
Control Risk
- Control risk is the risk of a material misstatement in the financial statements arising
due to absence or failure in the operation of relevant controls of the entity.
Detection risk
- Detection risk is the risk that the auditors fail to detect a material misstatement in the
financial statements.
Internal control components (COSO)
III- Control activities
Control activities are the policies and procedures that help ensure management directives
are carried out. They help ensure that necessary actions are taken to address risks to
achievement of the entity's objectives
Segregation of duties
Procedures
IT controls
Approvals & authorizations
Reconciliations
Protection & securities
Internal control components (COSO)
III- Control activities
Preventive Controls
Preventive Controls are designed to discourage errors or irregularities from occurring. They are
proactive controls that help to ensure departmental objectives are being met. Examples of preventive
controls are:
Segregation of Duties: Duties are segregated among different people to
reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions
(approval), recording transactions (accounting) and handling the related asset (custody) are divided.
Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain
activities and to execute certain transactions within limited parameters. In addition, management
specifies those activities or transactions that need supervisory approval before they are performed or
executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has
verified and validated that the activity or transaction conforms to established policies and procedures.
Internal control components (COSO)
III- Control activities
Detective controls
Detective Controls are designed to find errors or irregularities after they have occurred. Examples of
detective controls are:
Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and
objectives are being achieved and to identify unexpected results or unusual conditions that require
follow-up.
Reconciliations: An employee relates different sets of data to one another, identifies and
investigates differences, and takes corrective action, when necessary.
Physical Inventories
Audits
Internal control components (COSO)
III- Control activities
1- Implementation of Standard Operating Processes (Procedures)
Updated
Communicated / published
Clear
Verifiable
Coherent with other SOPs
Training if required
Internal control components (COSO)
III- Control activities
2- Segregation of duties (SOD)
Segregation of duties is essential to minimize the potential for errors or even fraud arising from
the same person having responsibility for custody, management and recording activities.
System access rights should be granted on a "need only" basis, the change process should be
controlled, and user profiles should be monitored.
In a perfect system, no one person should handle more than one of the following types of function:
Authorization
Recording
Custody of assets
Control
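A segregation-of-duties review of system access rights, as an added example that is not part of the original slides: it flags users who hold more than one of the four function types within the same process, and transactions approved by the person who recorded them. The permission names, the catalogue, the users and the transaction records are all hypothetical and constructed for illustration.

```python
from collections import defaultdict

# The four function types the slide says one person should not combine.
FUNCTION_TYPES = {"authorization", "recording", "custody", "control"}

# Hypothetical permission catalogue: permission -> (process, function type).
CATALOGUE = {
    "invoice.create": ("billing", "recording"),
    "invoice.approve": ("billing", "authorization"),
    "payment.collect": ("billing", "custody"),
    "stock.handle": ("inventory", "custody"),
    "stock.adjust": ("inventory", "recording"),
    "stock.count": ("inventory", "control"),
    "vendor_invoice.post": ("payables", "recording"),
    "vendor_invoice.approve": ("payables", "authorization"),
}

# Constructed entitlements, modelled on the hospital and spare-parts cases.
ENTITLEMENTS = {
    "er_cashier": ["invoice.create", "payment.collect"],
    "storekeeper": ["stock.handle", "stock.adjust", "stock.count"],
    "ap_clerk": ["vendor_invoice.post"],
    "cfo": ["vendor_invoice.approve", "invoice.approve"],
}

# Constructed transaction log: who recorded and who approved each invoice.
TRANSACTIONS = [
    {"id": "INV-001", "created_by": "ap_clerk", "approved_by": "cfo"},
    {"id": "INV-002", "created_by": "accountant", "approved_by": "accountant"},
    {"id": "INV-003", "created_by": "ap_clerk", "approved_by": None},
]


def sod_conflicts(entitlements, catalogue=CATALOGUE):
    """Map each user to the processes where they hold 2+ function types."""
    findings = {}
    for user, perms in entitlements.items():
        held = defaultdict(set)
        for perm in perms:
            if perm not in catalogue:
                # Fail closed: an unclassified permission cannot be assessed.
                raise KeyError(f"unmapped permission: {perm}")
            process, function = catalogue[perm]
            if function not in FUNCTION_TYPES:
                raise ValueError(f"unknown function type: {function}")
            held[process].add(function)
        clashes = {p: sorted(f) for p, f in held.items() if len(f) > 1}
        if clashes:
            findings[user] = clashes
    return findings


def self_approved(transactions):
    """Return ids of transactions whose approver is also their creator."""
    return [t["id"] for t in transactions
            if t["approved_by"] is not None
            and t["approved_by"] == t["created_by"]]


if __name__ == "__main__":
    for user, clashes in sod_conflicts(ENTITLEMENTS).items():
        print(user, clashes)
    print("self-approved:", self_approved(TRANSACTIONS))
```

The CFO account holds two approval permissions but in different processes, so it is not flagged; an unmapped permission stops the review rather than being silently ignored.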
Internal control components (COSO)
III- Control activities
3- IT Controls
IT controls
General controls
Application controls
Internal control components (COSO)
III- Control activities
3- IT Controls
General controls
Back-up & recovery: procedures, to enable continued processing
despite adverse conditions
Software development: standards - controls designed to ensure IT
projects are effectively managed.
Logical access: policies, standards and processes - controls designed to
manage access based on business need.
Incident management policies and procedures - controls designed to
address operational processing errors.
Physical security: controls to ensure the physical security of
information technology from individuals and from environmental
risks
Internal control components (COSO)
III- Control activities
3- IT Controls
Application controls
Validity checks - controls that ensure only valid data is input or
processed.
Authorization - controls that ensure only approved business users
have access to the application system
Work flow controls are used to notify application users that a
transaction or process is awaiting their action
Completeness checks - controls that ensure all records were processed
from initiation to completion.
Internal control components (COSO)
III- Control activities
4- Reconciliation controls:
All reconciling items (differences, exceptions etc.) should be properly identified,
justified and documented. Formal sign off by an independent supervisor should
ensure adequate completion of the work.
Bank reconciliation
Stock reconciliation
Sales reconciliation (Sales application vs accounting system)
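A sales reconciliation between the sales application and the accounting system, as an added example that is not part of the original slides: it compares record counts and control totals and lists each reconciling item (missing, unexpected, duplicated, amount mismatch) for the supervisor to justify and sign off. The document ids, amounts and field layout are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample: (document id, amount) exported from the sales application.
SALES_APP = [("S-1001", "1200.00"), ("S-1002", "450.50"),
             ("S-1003", "980.00"), ("S-1004", "300.00")]

# Constructed sample: the same period as booked in the accounting system.
ACCOUNTING = [("S-1001", "1200.00"), ("S-1002", "450.50"),
              ("S-1002", "450.50"),   # batch posted twice
              ("S-1003", "890.00"),   # amount keyed differently
              ("S-9999", "100.00")]   # no matching sale


def _index(records):
    """Return (occurrences per id, summed amount per id) for one system."""
    counts, amounts = Counter(), {}
    for doc_id, amount in records:
        counts[doc_id] += 1
        amounts[doc_id] = amounts.get(doc_id, Decimal(0)) + Decimal(amount)
    return counts, amounts


def reconcile(source, target):
    """List every reconciling item between source and target records."""
    src_n, src_amt = _index(source)
    tgt_n, tgt_amt = _index(target)
    common = set(src_n) & set(tgt_n)
    source_total = sum(src_amt.values(), Decimal(0))
    target_total = sum(tgt_amt.values(), Decimal(0))
    return {
        "source_count": sum(src_n.values()),
        "target_count": sum(tgt_n.values()),
        "source_total": source_total,
        "target_total": target_total,
        "difference": target_total - source_total,
        "missing_in_target": sorted(set(src_n) - set(tgt_n)),
        "unexpected_in_target": sorted(set(tgt_n) - set(src_n)),
        "duplicated_in_target": sorted(d for d in common if tgt_n[d] > src_n[d]),
        # Same number of postings on both sides but a different amount.
        "amount_mismatch": sorted(d for d in common
                                  if tgt_n[d] == src_n[d]
                                  and tgt_amt[d] != src_amt[d]),
    }


def is_reconciled(report):
    """True only when totals agree and no reconciling item remains open."""
    open_items = ("missing_in_target", "unexpected_in_target",
                  "duplicated_in_target", "amount_mismatch")
    return report["difference"] == 0 and not any(report[k] for k in open_items)


if __name__ == "__main__":
    for key, value in reconcile(SALES_APP, ACCOUNTING).items():
        print(f"{key}: {value}")
```

Matching control totals alone do not close the reconciliation: two offsetting errors leave the difference at zero while the item-level lists still show them.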
Internal control components (COSO)
III- Control activities
5- Approvals & authorizations
All transactions should be approved in accordance with Management
Authorization Levels. Approvals should be documented and traceable.
Approvals should be obtained for all types of transactions:
Validation of purchase requests
Releasing of blocked sales orders
Validation of payment term changes
Validation of customer credit limit change
...
Internal control components (COSO)
IV- Information & communication
Appropriate management information: should be identified, captured and
communicated in a form and timeframe that supports all other control components to
enable effective measurement and monitoring of performance e.g. analysis of variances
with root causes explained; profitability analysis; and review and documented actions as a
result of exception reports
Escalation of non-compliance: any non-compliance with applicable laws and regulations
should be reported to management and a remediation plan implemented immediately.
Internal control components (COSO)
V- Monitoring controls
There should be effective procedures to review and check the accuracy and completeness
of input, processing and output from processes.
This is accomplished through ongoing monitoring activities and compliance metrics as
well as separate evaluations and reviews. Ongoing monitoring includes regular
management and supervisory activities. The scope and frequency depend on the
assessment of risks and effectiveness of controls.
Internal control & fraud
Fraud classification
Accounting fraud
1- Overstating the revenues (overestimation of revenues):
- Recognition of revenues in the wrong period (cut-off issue)
- Booking of fictitious products
- Overstating the inventory value
2- Underestimating the costs (underestimation of expenses):
- Expenses booked as assets
- Underestimating accruals & provisions.
Role of internal control in fraud detection
Fraud classification
Diversion of collections (misappropriation of receipts)
1. Lapping fraud (diverting a payment from one customer account to another)
2. Sales not booked in revenue account (non-recording of a sale)
3. Fraudulent change of selling prices (fraudulent alteration of sale prices)
Diversion of payments (misappropriation of disbursements)
1. Fictitious purchases (fake purchases)
2. Fictitious expense reports (overstated, already reimbursed...)
3. Payroll fraud (fictitious salaries, overstating working hours, overstating remunerations...)