FINANCIAL ACCOUNTING & INTERNAL AUDITS
How financial accounting and internal audits can benefit government agencies.
Lydia Lafleur, CIA
LSU Center for Internal Auditing
Agenda
• Accounting and Auditing Standards
• Internal Auditing
• Internal Controls
• Governance
• Fraud
• Management Responsibilities
Information & Measurement System
Financial Accounting
Business Activities
Decision Makers
Identifies, Records, Communicates
External Users: Investors, Creditors, Suppliers, etc.
Internal Users: Managers, Supervisors, Directors, etc.
FASB: Financial Accounting Standards Board
Governmental Accounting
GASB: Governmental Accounting Standards Board
Stakeholders
• Citizens and taxpayers
• Legislative and oversight bodies
• Creditors and investors
GASB Concept Statement No. 1, Objectives of Financial Reporting:
“…financial reporting should provide information to assist users in assessing the service efforts, costs, and accomplishments of the governmental entity.”
Accountability
• Fiscal
• Operational
Characteristics of Financial Reports
• Understandability
• Reliability
• Relevance
• Timeliness
• Consistency
• Comparability
Auditing Standards
• Institute of Internal Auditors Professional Practices Framework
• Generally Accepted Government Auditing Standards (GAGAS) (The Yellow Book)
• Other Guidance
  • Standards for Internal Control in the Federal Government (The Green Book)
  • Internal Control Management and Evaluation Tool
    • Structured approach to assessing the internal control structure
Accountability
• Management and officials are responsible for:
  • Carrying out public functions
  • Providing service to the public effectively, efficiently, economically, ethically, and equitably
  • Providing reliable, useful, and timely information
• Users need to know whether:
  1. Management and officials manage government resources and use their authority properly and in compliance with laws
  2. Programs are achieving the objectives and desired outcomes
  3. Services are provided efficiently, economically, ethically and equitably
Generally Accepted Government Auditing Standards Introduction
Internal Auditing Definition
• Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the organization. It assists an organization in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes.
Institute of Internal Auditors
Internal Auditing
Organization
Corporate Governance, Risks, Controls
Plan
• Triple Bottom Line
  - Environmental
  - Social
  - Economic
Add-Value
Consulting
Assurance
Audit Planning
Types of Audits:
1. Financial Audits
2. Attestation Engagements
3. Performance Audits
Internal Controls
Plan Organize
G & O R x C = r G & O
Adequate Controls
Reasonable Assurance
$R_{LI} \times C_L \times C_I = r_{LI}$
G = Goals
O = Objectives
R = Risk
L = Likelihood
I = Impact
C = Controls
r = Residual Risk
Internal Controls
Goals & Objectives: Specific, Measurable, Attainable, Relevant, Timely
Goals & Objectives
"Purpose"
Controls
Control Environment
"Commitment"
Management Plan
• Tactical
• Strategic
Organize Staff Direct Monitor
"Capability"
Control Activities Segregation
• Access
• Accountability
• Authority
Reconcile
• Completeness
Authority Transactions
• Manage Accountability Safeguard
Selection
• Alternatives
Design In Place Functioning
• Compliance
"Monitoring & Learning"
Continuous Improvement Model
COCO
• Purpose
• Commitment
• Capability
• Monitor & Learn
Preventive Detective Directive
Hard
Soft
Financial
Compliance
Operations
Systems
Risk Analysis
Control Environment
Monitoring
Control Activities
Methodology used for assessing the quality of internal controls.
Hard Controls:
• Segregation of Duties (AAA)
• Safeguarding of assets
• Transactions recorded
• Accountability
• Periodic Reconciliation
Common factors used in identifying and assessing materiality of risks.
Soft Controls:
• Corporate Culture
• Tone at the Top
Information & Communication
Management Controls:
Planning
• To achieve goals
• Tactical
• Strategic
Organizing
• Delegation
Staffing
• Right People
Directing
• Policies and Procedures
Monitoring
• Communication and information
• Analytics and Analysis
• Change management
COSO
Committee of Sponsoring Organizations of the Treadway Commission
COSO Control (Addressing Governance)
Challenge:
• Evolving from Control Activities to the Control Environment
COSO cube (figure): Operations, Financial Reporting, Compliance; Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring; Aggregate, Entity, Process, Unit; Unit A, Unit B; Activity 1, Activity 2.
Tone at the Top
Tone at the Middle
“Systemic cultural problem” Mark Emmert, NCAA President
“Management should periodically check the batteries in their moral compass.” GES
Update Formalizes Fundamental Concepts Embedded in the Original Framework as Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant changes
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and / or separate evaluations
17. Evaluates and communicates deficiencies
Source: COSO, “Internal Control – Integrated Framework”, September 2012
Quality Drift (Cascading Process)
Control Environment
Management Controls
P-O-S-D-M
Control Activities
Objective
Subjective
Controls
Subjectivity
Complexity
Control Environment
Management Controls
Control Activities
Parkinson’s Law: Complexity leads to decay
Challenges:
• Hard to Soft
• Objective to Subjective
• Simple to Complex
• Evolution to Revolution
Criteria of Control: CoCo
Purpose
Commitment
Capability
Monitoring
Action
Internal Auditing: Adding Value
Integration
• GRC
External
Entity
Process
Unit
Control Environment
Management Controls
Control Activities
Evolution of the Profession
Controls
Risk
Board
Audit Committee
• Charter
Internal Audit
• Charter
Governance
(Mature) (Embryo) (Radar)
• Opportunities
• Threats
Evaluation
• Check the box
• Reality
Quality
Question: Can you be in 100% compliance and go out of business? (Evaluation Audit). Does compliance equal quality?
Objective Subjective
Objective
Subjective
Issues:
• Accountability – Governance, Risks, and Controls
• King III
• Transparency
• Sustainability
Board Selection Process
Audit Committee
CAE
Risk Committee
CRO
• Global
• Strategic
(CRMA)
Compensation Committee
• Stock options
• Bonus plans
• Counter-productive
• Salaries
• Up, up, up, and away
• The Bear
• Charley Mac
• Shareholder Input
Governance
Personal Opinion: The CEO and CFO should not be involved in selecting members of the Board, Audit Committee, Risk Committee, or Compensation Committee
AAA
COB CEO
Obj.
Sub.
SOD
The Big Risk
Organizational Governance (Roles and Responsibilities)
Employees Specific Job Descriptions
Control Environment
Control Activities
Delineation of Goals & Objectives (Integration & Linkage)
Governance BOARD & SUB-COMMITTEES
Plan – Organize – Staff – Direct – Monitor (P-O-S-D-M)
Executive Management P-O-S-D-M
Process Owner P-O-S-D-M
Organizations Should Be Organized
Process Owner P-O-S-D-M
Process Owner P-O-S-D-M
ERM – Conceptual Framework
COSO Risk
COSO ERM cube (figure): Objectives: Strategic, Operations, Reporting, Compliance; Control Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Info. & Communication, Monitoring; Entity, Division, Business Unit, Subsidiary.
Focus:
• Internal Environment
• Strategies
• Integration
Governance
Governance Infrastructure (Integration & Linkage)
Audit Committee of Board of Directors (Oversight)
CEO (Responsibility)
Chief Risk Officer (CRO) (Execution)
Enterprise Risk Management (ERM)
Auditor in Charge (AIC)
Micro (Engagement Planning-Risk Driven)
Chief Audit Executive (CAE)
Audit Plan (Risk Driven)
Macro (Resource Allocation)
Diagram connector labels: Oversight, ERM, Comprehensive Report, Audit Priority, Feedback, Input, Governance, Reporting.
The Reporting Model (Risks and Controls)
Law
Specific
Controls (The way it should be.)
Performance Drift
Criteria
Agent of Change
Negotiation
Recommendation Criteria Plan
Tactical Strategic
CSA
Reengineering
• Evolution
• Revolution
Best Practices
Benchmarking
Plan
Implementation
Monitor Analysis
Inappropriately Included
Inappropriately Excluded
Internal
External
Revenue Cost Effectiveness Efficiency Goals
Effect
(What difference does it make?)
Condition
(The way it is.)
Cause
(How we got to where we are?)
Management Plan Organize Staff Direct Monitor
Recommendation
Persuasion
Follow-up Issue Addressed Recommendation Implemented Management Solution Risk Accepted
Meeting
Risk Opportunities
Proactive
Preview
Partially Controllable
Consulting
Risk Threats
Reactive
Review
Assurance
Controllable
Objective
Subjective
Policy
General
The Fraud Risk Triangle
Opportunity
Incentive/Pressure
Attitude/Rationalization
The Fraud Risk Triangle (FRT) consists of three key elements which are generally correlated with fraud. The FRT was developed by a criminologist, Donald R. Cressey, in 1973.
How do you address the Fraud Triangle?
The Fraud Risk Triangle
Opportunity (O)
Attitude / Rationalization (R)
Incentive / Pressure (P)
Over-ride (OR)
The Fraud Diamond
Opportunity
Pressure
Rationalization
Ability
Kennesaw State
Management Responsibility
Pre-Control Post-Control
$R_{L_F I_F} \times C_{L_F} \times C_{I_F} = r_{L_F I_F}$
Prevent Detect Residual risk
Risk tolerance Risk appetite Affordable risk
(Analytics) (Analytics)
Control Override
Control Failure
Override Control
$R_{L_F I_F}$ $r_{L_F I_F}$
Management Functions
Plan: Tactical, Strategic
Organize: Delegation, Accountability
Staff: Competencies, Training
Direct: Policies, Procedure
Monitor: Supervision, Oversight, Change management
Management Responsibility
• Setting policies and strategic direction
• Directing employees in performance of routine activities
• Custody of entity’s assets
• Reporting to those in charge of governance
• Implementation of audit recommendations
• Design, implement, and maintain internal controls
• Develop performance measurement system
Questions?