Internal Audit Indonesia's

July 15, 2010

Entity Level Internal Audit Methodology

Filed under: Articles on Internal Audit — internalauditindonesia @ 12:00 am

How does it work?

Overview
IIA Standards
Hints
Information Technology
Fraud

How does it work?

This graphic represents the flow of phases of an entity level internal audit project. Each phase in blue has several corresponding tools that you will see if you click on the phase. The first phase is Determine Client Expectations. The second phase – Understand and Analyze the Business – has four important components. These components are on the bottom part of the graphic and are linked to the second phase by the gold triangle that says “Entity Level Business Risk Analysis”.

The next phase is Identify Target Processes and Risks. Once these have been analyzed you move on to Communicate Results. The Next Steps phase includes suggestions for following up and measuring quality.

The grey bar at the bottom of the graphic symbolizes the communication with clients and management that is crucial at all phases.

Delve down into the methodology to find overviews of each phase and tools to help you carry out a successful entity level internal audit.

Overview of Entity Level Methodology


Companies are under constant competitive pressure to identify and manage business risks and improve the performance of their business processes. They are demanding higher levels of assurance about:


Internal audit can respond to these demands through the use of Business Process Auditing (BPA). The BPA approach allows internal auditors to combine their existing skills and competence with new tools and knowledge bases to provide high value assurance and improvement services to their companies. These services include:


Financial statement audits focus on financial measures of business performance and usually involve only those business processes associated with processing accounting transactions and reporting financial information. Generally Accepted Accounting Principles (GAAP) is the assurance standard against which financial auditors compare the financial statements.

The BPA approach also takes into account over 70 business risks found in the Protiviti Risk ModelSM. The assurance standard can be best practices, peer performance within the industry (based on financial or nonfinancial measures), or operating policies and performance expectations set by the company itself.

The objectives of BPA are to:


Business Process Auditing is designed to analyze and respond to important questions such as:

Using The BPA Approach

The BPA approach is designed to be adaptable and creative. While all the “phases” and “steps” of the BPA are generally needed to complete an effective audit, the BPA tools and specific methods can be used in a very flexible manner. The BPA can be used to audit sub-processes, to perform compliance audits or to audit a function. Many of the tools are alternatives, not required approaches. The tools range from guidelines and checklists to templates and problem-solving methods.

The flexibility of the BPA allows for the great variety in the following:


The Entity Level BPA methodology focuses on understanding and analyzing the business. These phases are intended to provide an understanding of company strategies, metrics, processes, and high level risks and controls. This understanding is primarily used to identify the target processes and risks during the audit planning process.

IIA Standards


The BPA approach meets the Institute of Internal Auditors (IIA) standards for the professional practice of internal auditing. The standards can also be found in their entirety within this website in the Competency Center.

Hints


1. Communicate with management not just at the start of the audit but throughout it. Communication should include the objectives, the audit process, reporting format and protocols, where to spend resources, and assistance required.
2. Concentrate on the information to be included in the audit report throughout the entire audit (beginning to end).
3. Empower the in-charge auditor to discuss findings with management throughout the audit.
4. Focus on the entire business process rather than a specific function or department.
5. Focus on business risks and on improving process performance.

Information Technology


Companies are placing increasing reliance on information technology in almost every aspect of their business. The internal auditor cannot gain a satisfactory understanding of a company’s business, business processes, and risks without an understanding of how information technology (IT) is used.

The internal audit team must answer the following questions regarding Information Technology:


The internal audit team should assess the level of the company’s IT complexity and the level and nature of IT skills that will be needed in the engagement.

IT skills can be used in the following Business Process Audit phases:

1. Determine Client Expectations:
Identify the auditee’s expectations with regards to IT and identify ways in which the audit team can meet and exceed these expectations.
2. Understand and Analyze the Business:

3. Identify Target Processes/Risks:

4. Analyze Target Processes/Risks:

5. Communicate Results:
The audit team should communicate to the auditee its findings and recommendations regarding the functioning of IT processes as well as IT-related business risks in other processes.

Reviewing Information Technology

A review of the use and management of IT should be included in the audit to identify information technology risks and controls. Information Processing/Technology Risks can be defined as follows:

Access Risk:

The risk that access to information (data or programs) will be inappropriately granted or refused. IT access risks include risks of improper segregation of duties in IT processes and in application systems use, risks associated with the integrity of data and databases, and risks associated with information confidentiality.
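The segregation-of-duties exposure named above is one of the few access risks an auditor can test mechanically rather than by interview. The following Python example is added here as an illustration; it is not part of the original article and not a Protiviti or IIA tool. The duty names, the role model, the user-to-role assignments and the conflict rules are all constructed assumptions for the example. It computes each user's effective duties across every role they hold, reports each violated rule together with the roles that granted each side (so remediation can target the role rather than the person), and separately flags role combinations whose design alone breaks a rule.

```python
"""Segregation-of-duties (SoD) conflict check over an access-review export.

Added example with constructed data: the duty names, roles, users and conflict
rules below are illustrative assumptions, not taken from the article.
"""
from itertools import combinations

# Assumed SoD rules: duty pairs that one person must not hold at the same time.
CONFLICTING_DUTIES = frozenset({
    frozenset({"create_vendor", "approve_payment"}),       # vendor master vs. disbursement
    frozenset({"develop_code", "deploy_to_production"}),   # change development vs. release
    frozenset({"enter_journal", "approve_journal"}),       # journal entry vs. approval
})

# Constructed role model: role -> duties the role grants.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"develop_code"},
    "release_engineer": {"deploy_to_production"},
    "gl_accountant": {"enter_journal"},
    "controller": {"approve_journal"},
    "sysadmin": {"deploy_to_production", "manage_accounts"},
}

# Constructed access-review export: user -> roles currently assigned.
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},
    "bob": {"developer"},
    "carol": {"developer", "sysadmin"},
    "dave": {"gl_accountant"},
    "erin": {"gl_accountant", "controller"},
}


def effective_duties(roles, role_duties):
    """Union of the duties granted by every role a user holds."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_sod_conflicts(user_roles, role_duties, conflicting_duties):
    """Return one finding per (user, violated rule), with the roles that caused it."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        duties = effective_duties(roles, role_duties)
        for rule in conflicting_duties:
            if rule <= duties:  # user holds both sides of the incompatible pair
                duty_a, duty_b = sorted(rule)
                findings.append({
                    "user": user,
                    "duties": (duty_a, duty_b),
                    # which assigned roles grant each side, so remediation can target the role
                    "via": {
                        duty_a: sorted(r for r in roles if duty_a in role_duties.get(r, ())),
                        duty_b: sorted(r for r in roles if duty_b in role_duties.get(r, ())),
                    },
                })
    return findings


def toxic_role_combinations(role_duties, conflicting_duties):
    """Design-level check: single roles or role pairs whose grant alone breaks a rule."""
    toxic = []
    for role, duties in sorted(role_duties.items()):
        if any(rule <= duties for rule in conflicting_duties):
            toxic.append((role,))
    for r1, r2 in combinations(sorted(role_duties), 2):
        combined = role_duties[r1] | role_duties[r2]
        for rule in conflicting_duties:
            # count the pair only if neither role violates the rule on its own
            if rule <= combined and not rule <= role_duties[r1] and not rule <= role_duties[r2]:
                toxic.append((r1, r2))
    return toxic


if __name__ == "__main__":
    for f in find_sod_conflicts(USER_ROLES, ROLE_DUTIES, CONFLICTING_DUTIES):
        print(f"{f['user']}: holds {f['duties'][0]} and {f['duties'][1]} via {f['via']}")
    print("toxic role combinations:", toxic_role_combinations(ROLE_DUTIES, CONFLICTING_DUTIES))
```

The user-level check is what an access review produces as findings; the role-level check is the preventive complement, since a role model with no toxic combinations cannot produce a user-level conflict however roles are assigned. In practice the rules table is agreed with process owners before the review, and the export would come from the application's own authorisation tables rather than a literal as here.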

Integrity Risks:


Relevance Risks:


Availability Risk:

The risk that information will not be available when needed, for reasons including loss of communications, loss of basic processing capability, operational difficulties, natural disasters, vandalism, sabotage, and accidents.

The potential business impacts associated with IT-related risks include the following:


Prioritizing IT Risks:

The techniques used in prioritizing IT audits follow the same basic techniques as for other types of audits:

Determining the auditable information systems activities requires that the audit team survey all known data processing centers, distributed processing applications and end-user computing applications to obtain an inventory of hardware, software, policies and procedures, and existing applications, including those in current development. Other useful information includes budgetary data and long-range plans. The objective in gathering this information is to define the overall information systems audit universe.

Criteria that may be used to prioritize the IT audit universe include:


Information Technology Controls

IT controls are sometimes categorized as either general controls or application controls. This is not always a useful distinction. In older information systems environments, where there was a separate IT function which was responsible for all computer resources, this function performed all aspects of developing and maintaining the operating environment and all application systems used in business processes. The controls over the risks in these activities were “general controls” because they applied generally to all IT resources.

Many businesses today have a variety of IT environments, typically run by the individual divisions, departments or locations of the business. If there is a central IT function, it is likely to have little or no control over these environments. While the same IT risks may exist in each environment, it is not possible to assess one set of “general controls” and assume that they will mitigate IT risks throughout the organization. The audit team needs to identify and understand each technology platform related to key business processes, and assess the risks and controls relevant to each important application and its technology environment, to the extent that the environment is dedicated to a process or business unit.

To the extent that they are applicable in an auditee environment, general controls and application controls can be described as follows:

General Controls:

1. Relate to IT organization, management, and operations processes and help to ensure a controlled environment within which applications can be developed, maintained, and used.
2. May relate to communications systems and networks as well as the computer itself.
3. Are general only to the extent that they are pervasive over all or most applications in both the data processing and user environments.
4. Affect the strengths and weaknesses of individual applications.
5. May include:


Application Controls:

1. Are specific to each application. Each application has its own inherent risks. The developers of the application build in controls, and the users establish additional controls around the application, in order to address these risks. Therefore, risks and controls need to be considered for each application separately. The input, processing and output processes related to the application need to be evaluated.
2. Are designed for the flow of transactions for a particular process and application, to meet the following general control objectives:

When an application control is identified as critical, the related general controls must also be effective to ensure the consistent and continuous operation of the application control over time.

Additional details regarding General and Application Controls can be found in the Systems Auditability and Control (SAC) Report, Module 2, Audit & Control Environment, pages 2-5 to 2-17.

Using Information Technology During the Audit

Information technology systems provide the internal auditor with the opportunity to use the computer to enhance the efficiency of the audit.

Information Technology can be used to support the conduct of more complete, efficient and effective audit engagements in the following ways:

Fraud


Fraud is intentional deception, commonly described as lying, cheating, or stealing. Fraud can be perpetrated against customers, creditors, investors, suppliers, insurers, or governmental authorities and can be seen in the form of tax fraud, stock fraud, and short weights and counts.

The risk of fraudulent activities and ethical violations must be taken seriously. No organization or institution appears to be exempt from fraud. How much fraud is there? Estimates of fraud include:

A survey involving over 3,000 large and mid-size companies indicated that:

Fraud schemes are becoming more complex and, therefore, more difficult to detect. While some internal auditors are already fraud sensitive, using fraud assessment tools can improve the likelihood that complex frauds will be detected.

The Institute of Internal Auditors (IIA) professional standards state that the internal auditor is responsible for:

IIA standards also state that the internal auditor is not responsible for:


Foreign Corrupt Practices Act (FCPA)

The issue of fraudulent financial reporting has been examined by the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The report of the Commission emphasized the importance of an ethical “tone at the top,” effective controls, written codes of conduct, internal auditors, and audit committees as deterrents to fraudulent reporting. The FCPA mandates that controls be established which are adequate to either prevent or detect illegal payments, with a reasonable degree of probability.

Given this primary role of management in establishing and monitoring the control system, a key concern is whether a high likelihood exists that management could override the control system. A higher probability of management override is associated with:


The Fraud Environment

The environment within a company is generally developed and maintained by senior management and the board of directors. To deter fraud, the environment should be a demanding one. Management should clearly set forth written policies demonstrating its commitment to fair dealing, its position on conflicts of interest, its requirement that only honest employees be hired, its insistence on strong internal controls that are well policed, and its resolve to prosecute the guilty.

There are three conditions that, when combined, move people to commit fraudulent acts:

Neither managers nor internal auditors can do much about an individual’s situational pressures. Managers can reduce the perceived opportunities by installing appropriate controls, and internal auditors can evaluate the adequacy and effectiveness of these controls.

One of the most effective ways to deter dishonest conduct is by not hiring dishonest employees. Management should at least verify backgrounds of employees. Senior management should insist on proper hiring practices; internal auditors should see that those practices are carried out as intended.

The possibility of detecting fraud increases with auditor awareness of where fraud may occur, with the use of modern techniques, and with an inquisitive audit approach that pursues suspicious conditions.

The Narrow Objective of Fraud Audits

A fraud audit has the narrow objective of uncovering the presence, scope, and means of intentional misstatement of records or misappropriation of assets. A fraud audit tends to be more detailed in approach, since it must uncover that which has been intentionally hidden. Flows of accounting numbers, as well as assets, may have to be reconstructed without an audit trail. The term fraud indicates some sort of deceptive act which harms another party. It is this deception which makes the discovery of fraud far more difficult than the discovery of errors.

The Impetus for Fraud Audits

An auditor must be alert to clues which suggest possible irregularities. Alertness and healthy skepticism may well be two of the auditor’s most important skills. Critical inquiry as to what irregularities are possible should be followed by an assessment of their likelihood, given the controls, supervisory practices, and the overall control environment. Anything detected as questionable should be resolved. Most often, the impetus for a fraud audit offers some sign of an unusual transaction or missing record.

Although the dollar magnitude may be relatively small, a fraud is considered to be qualitatively material. The reasons for this are that:
1. Frauds, by their very nature, can balloon quickly if not deterred;
2. The existence of fraud in and of itself indicates a weakness in controls; and
3. Frauds imply integrity issues that may have far-reaching consequences.
For example, if management made illegal payments, the company and the individual executives involved could face legal consequences and highly adverse publicity.

A key indicator of the more likely types of exposure faced by an auditee is the auditee’s past experience. Past occurrences of fraud have implications about management’s attitudes and integrity. In addition, such occurrences can serve as a signal to employees as to what type of reaction can be expected if they are discovered to be involved in an impropriety. A lack of corrective and/or disciplinary actions in the past can encourage future problems.

Usually, it is less expensive to prevent fraud than to detect it. Therefore, fraud prevention should take precedence over detection. Internal controls alone do not prevent fraud; they merely facilitate its detection. Fraud prevention measures include:

Fraud prevention requires creating a work environment that values honesty. Senior managers who are role models for integrity and fairness in their daily interactions with their peers and subordinates can create such an environment. Prevention also means regularly monitored and enforced internal controls. Therefore, prevention strategies include tight controls, ethical codes, fair treatment, awareness training, applicant screening, and honest role models.

Detection strategies include monitoring variance reporting systems, internal auditing, compliance auditing, and intelligence gathering.

Fraud auditing means creating an environment that encourages the detection and prevention of frauds in commercial transactions. Fraud auditing cannot be reduced to a simple checklist. It is an awareness, in the broadest sense, of many components, such as the human element, organizational behavior, knowledge of fraud, evidence and standards of proof, an awareness of the potentiality of fraud, and an appreciation of so-called red flags.

Fraud prevention within a company would include having in place, and communicating to all employees, an effective corporate code of conduct that should also include conflict-of-interest policy guidelines signed by employees. This will provide a clear understanding of the intent of management and the level of expectations. The company’s agreements, especially with its vendors, should contain a clause that allows the company to inspect the vendors’ records in the normal course of business.

The COSO Internal Control – Integrated Framework

Filed under: Articles on Internal Audit — internalauditindonesia @ 12:00 am

1. What is COSO?
2. What is the Internal Control – Integrated Framework?
3. How is the COSO framework applied at the entity level during the Section 404 assessment process?
4. How is the COSO framework applied at the activity or process level during the Section 404 assessment process?
5. Must the Section 404 compliance team address each of the five COSO elements in each critical process affecting a significant financial reporting element?
6. Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report?
7. If a company already uses the COSO framework, is there anything more it needs to do to comply with Section 404?
8. Will the COSO framework on enterprise risk management affect the Section 404 assessment?

1. What is COSO?

The SEC ruled that the criteria on which management’s evaluation is based must be derived from a suitable, recognized control framework that is established by a body or group that has followed due process procedures, including the broad distribution of the framework for public comment. As defined in the Commission’s rules, a “suitable framework” must: be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company’s internal control; be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal controls are not omitted; and be relevant to an evaluation of internal control over financial reporting. The SEC points out in its rules that the COSO Internal Control – Integrated Framework satisfies this requirement. It acknowledges that frameworks other than COSO that satisfy the intent of the statute without diminishing the benefits to investors may be developed within the United States in the future. Other frameworks in other countries may also meet this requirement, e.g., CoCo, Turnbull, King or other country-specific authoritative frameworks.

COSO stands for “Committee of Sponsoring Organizations” and is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative often referred to as the Treadway Commission. The Commission studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

The sponsoring organizations are the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA), Financial Executives International (FEI), Institute of Management Accountants (IMA) and American Accounting Association (AAA). COSO so far has produced four documents, one in 1992 on the Internal Control – Integrated Framework, one in the mid-1990s on derivatives, one in 2004 on the Enterprise Risk Management – Integrated Framework and the most recent in 2005, which provides guidance to smaller public companies applying the integrated internal controls framework to report on internal control over financial reporting.

2. What is the Internal Control – Integrated Framework?

The COSO Internal Control – Integrated Framework defines internal control as a “process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations.” The Integrated Framework uses three dimensions, illustrated in the adjacent cube, that provide management with criteria by which to evaluate internal controls.

The first dimension is objectives. Internal controls are designed to provide reasonable assurance that objectives are achieved in the following categories: effectiveness and efficiency of operations (including safeguarding of assets), reliability of financial reporting, and compliance with applicable laws and regulations (left to right, across the top of the cube).


The second dimension required by COSO is an entity-level focus and an activity-level focus (front to back, across the right side of the cube). Internal controls must be evaluated at two levels: at the entity level, and at the activity or process level.

The third dimension includes the five components of internal controls (bottom to top, on the face of the cube):

  1. Control environment – Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  2. Risk assessment – This component is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
  3. Control activities – Includes the policies and procedures that help ensure management directives are carried out.
  4. Information and communication – This component consists of processes and systems that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  5. Monitoring – Consists of the processes that assess the quality of internal control performance over time.

These five components provide the framework for effective internal control over financial reporting and, in similar fashion, provide a framework more generally for disclosure controls and procedures. They provide the context for evaluating internal control over financial reporting.

These three dimensions represent the Integrated Framework. The framework works in the following manner: For any given objective, such as reliability of financial reporting, management must evaluate the five components of internal control at both the entity level and at the activity (or process) level.

Management must decide on a control framework on which to base its assertions regarding – and its evaluation of – the effectiveness of internal control. We recommend the COSO framework. It meets the test of an authoritative framework as it is widely accepted and reasonably intuitive. The SEC’s rules and interpretive guidance for Section 404 refer to the COSO framework and define “internal control over financial reporting” consistently with the framework. The U.S. professional auditing literature historically has embraced the COSO framework since it was issued. When the PCAOB issued, and subsequently revised, its auditing standard for an audit of the effectiveness of internal control over financial reporting, the Board reaffirmed the COSO report as providing “a suitable and available framework for purposes of management’s assessment” in accordance with Section 404. Banks complying with FDICIA (see Questions 6 and 7) have also used COSO.

If management decides not to use COSO, an alternative framework must be selected. Any framework management chooses to use must meet the SEC’s criteria. If a company chooses to use a non-COSO framework, we suggest that management “map” the framework to COSO to demonstrate coverage of the key COSO components for the benefit of the external auditor and other parties who may challenge the use of the framework. For example, in its interpretive guidance to management, the SEC states the following: Both the COSO framework and the Turnbull Report state that determining whether a system of internal control is effective is a subjective judgment resulting from an assessment of whether the five components [as discussed above] … are present and functioning effectively. Although CoCo states that an assessment of effectiveness should be made against twenty specific criteria, it acknowledges that the criteria can be regrouped into the five-component structure of COSO.

3. How is the COSO framework applied at the entity level during the Section 404 assessment process?

COSO is applied at two levels – the entity level and the activity or process level. At the entity level, each of the five components is broken down into attributes to support the assessment. “Attributes” define the nature of a component. For example, as illustrated in the accompanying graphic, the control environment component is further defined using seven attributes. For each attribute, COSO provides appropriate “points of focus” representing some of the more important issues relevant to the attribute. Not all points of focus are necessarily relevant to every entity. Additional points of focus may be relevant to some entities. COSO recommends that, for purposes of a controls evaluation, every organization should tailor the points of focus to fit the organization’s facts and circumstances; e.g., smaller companies with management closer to the front lines and more knowledgeable of business realities will often have a different approach than larger companies with several layers of management and multiple operating units.

Both the SEC and PCAOB refer to these controls as “entity-level controls.” These are the controls that management relies on to establish the appropriate “tone at the top” relative to financial reporting. They often have a pervasive or indirect impact on the effectiveness of controls at the process, transaction or application level. At the entity level, management must address the various attributes COSO provides for each component. The following illustration shows the various attributes provided for each of the five components and illustrates points of focus for one attribute – human resource policies and procedures:


To continue with this illustration, human resource policies and procedures are designed to recruit and retain competent people who can achieve the entity’s stated objectives and execute its strategies successfully. The points of focus provided above for “human resource policies and practices” are illustrative and are not intended as a comprehensive list. As noted earlier, management may tailor them to the organization; i.e., management may add, delete and modify points of focus. Management may also add more specific granular questions or issues addressing each point of focus. For example, the first illustrative point of focus above is, “Are there policies, procedures and effective processes for hiring, compensating, promoting, training and terminating employees?” For this point of focus, more granular criteria (not intended as all-inclusive) might include:

To summarize the previous illustration as to how the COSO framework is applied at the entity level:

With respect to conducting the assessment at the entity level, there are several points to keep in mind:

Depending on how the reporting entity (the “issuer” for SEC reporting purposes) divides into control units (see Questions 54 and 55), the stated attributes and points of focus may apply to one unit but not to another. All assessments of the control environment for the various control units must be taken into account for management to reach an overall enterprisewide conclusion with respect to the control environment.

For example, consider a reporting entity with several highly autonomous operating units included in its consolidated statements. Assume that each of the operating units represents a control unit along with the reporting entity. For purposes of assessing the control environment:

In summary, the extent of top management’s control over the consolidated reporting entity, the diversity in the nature and types of operations and business units, the unique risks inherent in those operations and business units, and other factors impact the project team’s approach to assessing the entity-level controls.

4. How is the COSO framework applied at the activity or process level during the Section 404 assessment process?

Just as it is applied at the entity level, the COSO framework is also applied at the activity or process level. When assessing the “design effectiveness” of process-level controls over financial reporting and documenting that assessment, the five COSO components are considered, as shown in the following illustration:


From a practical standpoint, when performing a review of internal control over financial reporting, most of the attention at the process level focuses on control activities and the monitoring of those activities. Once the assertions related to reliability of financial reporting are generally understood and documented (see Questions 71 and 72 for two illustrative groups of financial reporting assertions), control activities most directly address those assertions. Monitoring provides assurances that the control activities are performing as intended.

Control Activities
The control activities in place should provide reasonable assurance that management’s financial reporting objectives or assertions are met. It is important to note that the SEC’s interpretive guidance states that, through a top-down, risk-based approach, management focuses on those controls that are needed to prevent or detect a material misstatement in the financial statements. In this regard, management may identify controls for a financial reporting element that are preventive, detective or a combination of both. Management is not required to identify the entire population of controls, just those controls that adequately address the risk of a material misstatement. To illustrate, if a particular risk is addressed by an entity-level control or by a few controls within a process, the SEC’s interpretive guidance states that management is not required to identify and document all controls within the process.

The SEC states that “[e]ntity-level controls may be designed to operate at the process, application, transaction or account level and at a level of precision that would adequately prevent or detect on a timely basis misstatements in one or more financial reporting elements that could result in a material misstatement of the financial statements.” The Commission also states that other entity-level controls comprise the control environment (e.g., the “tone at the top” and entitywide programs, such as codes of conduct and fraud prevention) and “have an important, but indirect, effect on the likelihood that a misstatement will be prevented or detected on a timely basis.” Therefore, the so-called direct entity-level controls may be considered a “control activity” because they operate at a sufficient level of precision to support a conclusion that they are effective in preventing or detecting material misstatements and reduce financial reporting assertion risk to an acceptable level. The so-called indirect controls – those with an indirect effect on the likelihood a misstatement will be detected or prevented – are also important, because their absence increases the risk of a control failure. The existence of direct entity-level controls, along with controls that monitor the effectiveness of other controls, allows the evaluator to reduce the scope of testing process-level controls.

The distinction between direct and indirect entity-level controls is important from the standpoint of testing process-level controls. An entity-level control to monitor the results of operations may be designed to detect potential misstatements and investigate whether a breakdown in lower-level controls occurred. In these instances the SEC states: “If the amount of potential misstatement that could exist before being detected by the monitoring control is too high, then the control may not adequately address the financial reporting risks of a financial reporting element.” Therefore, the control is indirect in nature.

Once the key control activities are identified, management must evaluate their design and operational effectiveness:

There are many examples of control activities applied at the process level. Illustrative examples of control activities are provided in our response to Question 93.

Monitoring Activities
At the process level, monitoring activities address the effectiveness of the key control activities built into the process, as well as the effectiveness of the control environment, risk assessment and information/communication components. Monitoring activities consist of both ongoing monitoring and separate evaluations. Ongoing monitoring arises from regular management and supervisory activities, comparisons, reconciliations, and other formal and informal mechanisms in the ordinary course of business that provide continuous feedback as to the effectiveness of internal controls. Examples of ongoing monitoring activities include:

Senior and unit management, process owners and internal audit periodically take a fresh look at the components of internal controls (including the ongoing monitoring procedures) to evaluate their effectiveness. These initiatives are called “separate evaluations.” Internal audit reviews are a common example.

Monitoring requires protocols and processes for capturing, reporting and following up on deficiencies to ensure all significant deficiencies, or deficiencies that could eventually become significant, are considered and resolved in a timely manner.

The preceding discussion has focused on the two COSO components that are most prevalent at the activity or process level – control activities and monitoring. With respect to the risk assessment, control environment and information/communication COSO components, generic questions may be developed for application at the activity or process level to facilitate evaluation of those components at that level. To illustrate, following are examples of generic questions applicable to each of these three components that may be customized to virtually any significant process.

Risk Assessment
Business processes are exposed to risk from external and internal sources. These risks must be assessed in terms of their impact on the achievement of process objectives. Process owners must either establish a process or be part of an established process to effectively identify and evaluate the risks in the external and internal environment that present threats to the achievement of process objectives.

Following are appropriate questions pertaining to the risk assessment component at the activity or process level:

Control Environment
Process owners must establish an effective control environment to provide discipline, structure and a strong foundation for control within the process. The control environment consists of the control owners and other personnel responsible for executing the process and the environment in which they operate. It sets the tone for the effective functioning of the process, influencing the control consciousness of everyone involved in making the process work. It is the foundation for all other components of internal control within the process.

Following are appropriate questions pertaining to the control environment at the activity or process level:

Information/Communication
Relevant and reliable information is essential to understanding what is really happening in the external environment and in the entity’s business processes. The right performance measures and effective communication processes are essential to ensure that important messages relating to internal control are communicated and managed within a process.

Following are appropriate questions pertaining to the information/communication component at the activity or process level:

5. Must the Section 404 compliance team address each of the five COSO elements in each critical process affecting a significant financial reporting element?

At the process level, most of the controls will consist of control activities and monitoring. The remaining three COSO components – control environment, risk assessment and information/communication – can be addressed by tailoring relevant questions listed in Question 42 to the appropriate processes. There are a variety of ways these three components can be documented at the process level. Some auditors have insisted that all five components be addressed for each critical process. Others point out that the risk assessment component is generally applied at the entity and business-unit levels. Elements of the control environment and information/communication clearly apply to the processes because process owners set the tone for their subordinates, and must have information with which to manage the process and communicate with others on important topics. Monitoring at the process level often includes ongoing supervisory activities by process owners, including review and follow-up on exceptions and issues identified through reports, reconciliations, comparisons, confirmations and other sources of process performance information (see Question 42 for other examples). Monitoring also includes separate evaluations by internal auditors and others.

6. Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report?

Section 404 does not require management to evaluate internal controls over operations, except to the extent that such controls may overlap with financial controls (see illustration). For example, defining processes, documenting procedures, analyzing root causes and supervising activities are examples of operational controls that may also be relevant to financial reporting activities.

There are potentially strong sources of value extending beyond mere compliance with Section 404. Sections 302 and 404 of Sarbanes-Oxley provide the “launching pad” to improve processes and the internal control structure and enhance entity-level and process-level monitoring of financial reporting processes. Because Sarbanes-Oxley forces public companies to assess weaknesses in their business processes, including their controls over processing information, the line between reliable financial reporting and operational effectiveness and efficiency can be a blurry one. Financial reporting processes for many companies are often dependent on people and manually intensive detective controls and are sometimes inadequately defined. Because this dependency leads to a focus on detecting and correcting errors leading to costly rework, it provides a significant opportunity to “build in” (versus “inspect in”) quality, optimize costs and compress time within the organization’s processes while simultaneously reducing its financial reporting risks. Compressing time in the close process can be especially important due to the accelerated SEC filing deadlines for Forms 10-K and 10-Q of large accelerated filers and accelerated filers (see Question 242). In today’s environment, it is impossible to improve cost, quality and time process performance without also automating controls and improving the balance of preventive and detective controls.

With respect to compliance with laws and regulations, financial reports issued to the public are governed by SEC rules and regulations with which companies must comply. Thus, some compliance controls may be germane to financial reporting, e.g., monitor the SEC regulatory environment, assess impact of changes, clearly articulate company reporting policies and communicate such policies throughout the organization. In the final Section 404 rule, the SEC said that Section 404, in general, does not cover compliance with laws and regulations. Notwithstanding the SEC’s statement, if a company is NOT complying with specific laws and regulations, the question arises as to whether that noncompliance must be identified and assessed by the company’s disclosure controls to determine whether there is a possible impact on the financial statements or on other disclosures in the company’s current or periodic public reports.

Management always has the option to expand the review of its processes, risks and controls to other categories of objectives, e.g., operational effectiveness and efficiency, and compliance with applicable laws and regulations. If management chooses to do so, however, that action is a business decision and not a Sarbanes-Oxley-driven initiative. (See Question 22.)

7. If a company already uses the COSO framework, is there anything more it needs to do to comply with Section 404?

The COSO framework has been available for companies to use since the early 1990s. Many internal audit departments use it in organizing and documenting assessments of internal controls. However, just because the framework has been used by internal auditors or by anyone else does not mean a company is prepared to demonstrate compliance with Section 404. Use of the COSO framework in the past does mean that the documentation available will be more useful and comprehensive for purposes of preparing Section 404 documentation.

8. Will the COSO framework on enterprise risk management affect the Section 404 assessment?

No. When COSO released Enterprise Risk Management – Integrated Framework and the accompanying Application Techniques volume in September 2004, it made clear that this framework would not replace the Internal Control – Integrated Framework. The Internal Control – Integrated Framework will continue as a viable and authoritative framework for companies to use when evaluating the effectiveness of internal controls.

Ten Ways to Tune Up Your Fraud Risk Management Approach

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

By Christ Milienu and Ann M. Butera

Given the current economic climate, it is not surprising that the potential for fraud has increased. Of the 507 Certified Fraud Examiners who responded to a 2009 Association of Certified Fraud Examiners survey, more than half indicated that the number of frauds has increased during the past year. Additionally, 49 percent observed an increase in the dollar amount lost to fraud during the same period. Unsurprisingly, a report issued by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) indicates mortgage fraud has reached an all-time high with more than 64,000 reported incidents in 2008.

Despite these findings, not all organizations are stepping up their fraud assessments and risk management efforts. While it is true that tips from whistleblowers are the most common means by which frauds are detected, internal audit departments can still play a vital role in increasing enterprise-wide anti-fraud awareness and practices.

Following are some specific actions you can take as an internal auditor:

1. Create a separate category within audit planning work papers to document significant potential fraud risks and controls associated with the area under review. The description of the fraud risk should include how it could occur (in a scenario that would have a meaningful negative impact to the auditee).

2. Think about the ways perpetrators could benefit from a particular service or product and then imagine the conversion methods that they could or would need to use to gain reward. Be sure to consider potential frauds that could be committed internally by employees and externally by clients or vendors.

3. Review any process maps that have been prepared as part of the current or prior years’ audit planning package or Sarbanes-Oxley compliance efforts and use them to identify how fraud could occur within each process.

4. Create process maps that outline how fraud could happen and identify the controls within the process that are essential to detect or prevent fraud from occurring.

5. Convene brainstorming meetings with clients to discuss an area’s potential fraud risk exposures. Evaluate management’s fraud awareness by asking them to articulate the primary fraud risks in their business; identify the primary controls established to mitigate these risks; and describe the primary monitoring mechanisms used to track the effectiveness of these controls.

6. Review operational controls designed for ensuring transactional accuracy or the elimination of unintended error with a much more stringent and critical focus when attempting to ascertain their effectiveness in preventing or detecting fraud. A fraudster can easily forge a reviewer’s signoff and compromise the effectiveness of manual controls that rely on the integrity of the person originating the transaction to submit it for authentication.

7. Document and evaluate the segregation of duties structure within the area under review as this is an essential component of an effective system of anti-fraud measures. Consider whether fraudsters could override the segregation by creating the illusion of another employee performing their job functions.

8. Look for automated system controls that enforce segregation of duties through unique, confidential user credentials and system-enforced authorization, because they are generally superior to manual controls that attempt to segregate job duties. Monitoring-level controls, such as a review of maintenance journals or system activity logs, can also be effective at deterring fraud if they:

  • Focus on identifying suspicious or unusual activity both at an individual or collective level.
  • Apply to a sufficient percentage of the population of transactions.
  • Occur at a timely point in the process.
  • Have effective escalation and reporting protocols to ensure the appropriate disposition of unusual items.
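As an added example (not code from the authors' article or from any product they describe), the following Python script shows the kind of automated segregation-of-duties check and activity-log review that items 7 and 8 describe: it flags transactions approved by their own creator, flags approvals made from the creator's workstation shortly after creation (the "illusion of another employee" pattern from item 7, which is how a shared or borrowed credential shows up in a log), and measures what share of approved transactions a reviewer actually examined. The log format, field names, sample records, user and workstation identifiers and the ten-minute window are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). The field layout is an
# assumption for this example: timestamp, transaction id, action, user, workstation.
SAMPLE_LOG = """\
2010-07-15T09:02:11 txn=1001 action=create user=alice ws=WS-17
2010-07-15T09:40:02 txn=1001 action=approve user=bob ws=WS-22
2010-07-15T10:05:44 txn=1002 action=create user=carol ws=WS-09
2010-07-15T10:06:30 txn=1002 action=approve user=carol ws=WS-09
2010-07-15T11:15:00 txn=1003 action=create user=dave ws=WS-31
2010-07-15T11:16:10 txn=1003 action=approve user=erin ws=WS-31
2010-07-15T13:00:00 txn=1004 action=create user=alice ws=WS-17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) txn=(?P<txn>\d+) action=(?P<action>\w+) "
    r"user=(?P<user>\S+) ws=(?P<ws>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts. Reject anything that does not fit the format:
    a monitoring control that silently skips records is not a control."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_sod_violations(events, same_ws_window=timedelta(minutes=10)):
    """Return {txn: [reasons]} for transactions whose approval breaks segregation.

    same_user:        the creator also approved the transaction (direct SoD breach).
    same_workstation: a different user id approved from the creator's workstation
                      within same_ws_window of creation, the pattern a shared or
                      borrowed credential leaves behind.
    """
    by_txn = defaultdict(dict)
    for e in events:
        by_txn[e["txn"]][e["action"]] = e
    findings = {}
    for txn, actions in sorted(by_txn.items()):
        created, approved = actions.get("create"), actions.get("approve")
        if created is None or approved is None:
            continue  # unapproved transaction or orphaned approval: out of scope here
        reasons = []
        if created["user"] == approved["user"]:
            reasons.append("same_user")
        if (created["ws"] == approved["ws"]
                and timedelta(0) <= approved["ts"] - created["ts"] <= same_ws_window):
            reasons.append("same_workstation")
        if reasons:
            findings[txn] = reasons
    return findings


def monitoring_coverage(events, reviewed_txns):
    """Share of approved transactions a reviewer actually examined: the
    'sufficient percentage of the population' test from item 8."""
    approved = {e["txn"] for e in events if e["action"] == "approve"}
    if not approved:
        return 0.0
    return len(approved & set(reviewed_txns)) / len(approved)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for txn, reasons in find_sod_violations(evs).items():
        print(f"txn {txn}: {', '.join(reasons)}")
    # Assumed reviewer sample: the reviewer looked at transactions 1001 and 1002 only.
    print(f"review coverage: {monitoring_coverage(evs, ['1001', '1002']):.0%}")
```

On the sample data, transaction 1002 is flagged for both reasons (carol created and approved it from the same workstation), 1003 is flagged only because erin's approval came from dave's workstation 70 seconds after he created it, and 1001 is clean. The same-workstation rule is the one worth tuning: a short window catches credential sharing but will also catch a legitimate approver walking over to a colleague's desk, so the escalation protocol in item 8 has to dispose of those cases rather than let the rule be switched off.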

9. Establish procedures that help to ensure the authenticity and integrity of information provided by clients. For example, you may want to recommend that credit and lending departments take the following steps to help avoid losses caused by misrepresentation of income, assets and/or debt and forged or fraudulent documents:

  • Request verification of employment directly from the borrower’s reported employer(s);
  • Request verification of deposit directly from the borrower’s reported financial institution(s);
  • Request tax history directly from the IRS using Form 4506 or 4506-T (two-year history for self-employed borrowers);
  • Secure current credit scores from a third-party credit-reporting agency.

10. Determine the residual fraud risk for each scenario identified as a potential exposure. This risk ranking should reflect the level of potential materiality and estimated likelihood for each fraud scenario on an individual basis and, where appropriate, a collective basis. The ranking should include an analysis of the effectiveness of each anti-fraud control based on the nature of the control (preventive or detective) and the estimated length of time it would take for detection to occur.

Internal auditors should use their risk assessment expertise to clearly define and report on the level of significant potential fraud risk exposures that management believes are acceptable to conduct business. This assessment should also include any recommendations for improving controls that could reduce the level of fraud risk exposure. While internal auditors cannot always prevent fraud, their actions can contribute to an organizational culture that is more aware, alert, and prepared to detect fraud. Remember to think like a criminal, and always ask if management’s fraud deterring controls can be avoided, compromised or eliminated in order to perpetrate a crime.

About the Authors
Christ Milienu is Vice President, Internal Audit Manager for Old National Bank in Evansville, Indiana. Milienu specializes in audit theory, risk assessment, project management, team building and staff development.

Ann M. Butera, MBA, CRP, President of The Whole Person Project, Inc., an organizational development consulting and training firm, is a frequent conference speaker, and serves on the audit committee for a financial services firm. Butera welcomes your reactions and questions, and can be reached at annbutera@cs.com or 516-354-3551.

Build a whistleblower program without blowing the budget

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

By Pamela Verick Stone, Protiviti Director

Business scandals. Financial frauds. The Sarbanes-Oxley Act of 2002.

These are a few of the reasons companies need to provide a means for people to report wrongdoing, and to protect those who make such reports.

For smaller employers, developing a whistleblower program can be a big job. It takes time and resources, both of which can be especially difficult for smaller employers to spare.

In companies that employ internal auditors, those auditors are on the front lines of the issue. They often identify “red flags” of fraud and misconduct, or receive letters reporting wrongdoing, which thrusts them into whistleblower investigations.

We’re going to discuss ways in which small companies can handle these whistleblower program requirements — and minimize the amount of time and resources needed to do it. Let’s start with important whistleblower program considerations.

Sarbanes-Oxley Act of 2002

Section 806 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley Act”) requires whistleblower protections for employees. It bars employers from taking certain actions against employees who disclose certain information and calls for special damages and attorney’s fees to be paid to whistleblowers whose protections are violated.

Section 1107 of the Act allows for fines or imprisonment of up to 10 years for those who intentionally interfere with or retaliate against anyone who provides truthful information to law enforcement authorities regarding the commission of a federal offense.

COSO Framework

The COSO – Internal Control Integrated Framework calls for companies to establish channels of communication for people to report suspected improprieties. Companies need to:

  • Provide employees a way to communicate their concerns or complaints about potential unethical or unlawful behavior.
  • Consider how employees may communicate through someone other than a direct superior, such as an ombudsman or corporate counsel.
  • Allow for anonymous reporting.
  • Determine whether employees actually use the communication channel.
  • Provide whistleblowers with feedback and immunity from reprisals.
  • Ensure timely and appropriate follow-up by management on whistleblower tips received from customers, vendors, regulators or other external parties.

PCAOB Standard No. 2

Paragraph 24 of Public Company Accounting Oversight Board Auditing Standard No. 2 states that auditors should evaluate all controls specifically intended to address the risks of fraud that have a “reasonably possible likelihood” of having a material effect on the company’s financial statements.

These controls include the adequacy of the company’s procedures for handling complaints and for accepting confidential submissions of concerns about questionable auditing or accounting matters.

SAS 99

Statement on Auditing Standards No. 99 (“SAS 99”) says employees should be given the means to obtain advice internally before making decisions that appear to have significant legal or ethical implications.

SAS 99 also says employees should be able to communicate concerns about potential Code of Conduct violations without fear of retribution. In addition, they should be able to raise issues anonymously, if preferred.

Federal Sentencing Guidelines

Federal sentencing guidelines call for employers to have and to publicize a reporting system that may include mechanisms that allow for anonymity and confidentiality. The guidelines also state that employees and others should be able to report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

As we can see, the statutory and regulatory requirements and recommendations are quite similar. All mention the need for confidential reporting and warn against retaliating against those who report wrongdoing.

Many companies meet these standards and statutory requirements by establishing telephone hotlines for reporting. An ethics/compliance officer, fraud officer, general counsel, internal audit director or another trusted person typically receives or monitors the calls and their handling.

Whistleblower Protections

A company’s size can complicate whistleblower protection. Small size often means that employees know one another or are familiar with various areas of the company. After a whistleblower complaint is made, employees in a small company may be able to narrow down the source of the complaint or the department from which it came.

Retaliation against the suspected source of the complaint from anyone in the company could put the organization at risk. In addition, gossip and the rumor mill also can hinder productivity.

Section 806 of the Sarbanes-Oxley Act protects employees who provide information or assist in an investigation from discharge, demotion, suspension, threats, harassment or any form of discrimination.

Employees may file a complaint with the U.S. Department of Labor or ask for de novo review in federal district court if the Secretary of Labor does not respond within 180 days. Remedies include all relief necessary to make the employee whole, including reinstatement with the same seniority status, back pay with interest and compensation for other losses, such as litigation expenses, expert witness fees and reasonable attorney fees.

Company Considerations

Because of these problems and penalties, training and education regarding company whistleblower policies and protections is vital. Everyone in the organization — including top managers, employees, contractors, subcontractors and agents — needs to understand the policies and protections.

This can be accomplished in a variety of ways: employee handbooks, codes of ethics or conduct, intranet and internet education, new-hire training among them.

Elements of Effective Whistleblower Programs

One key element of all whistleblower programs is a reporting mechanism appropriate to the organization. It must be communicated to employees, actively monitored, offer confidentiality and anonymity, and give those who use the program the ability to obtain advice regarding their complaint.

Rules pertaining to intake procedures, information retention, evaluation and escalation procedures, case tracking and monitoring, closeout procedures and management reporting need to be in place. These are typically addressed through the company’s incident response plan and case management system.

Investigative protocols and procedures that enable the company to evaluate what types of issues need to be pursued, and the skills needed to pursue them, also are needed. Depending on the nature of the allegation, the available resources, the urgency of the response and the need for confidentiality, the company will need to decide whether to handle the matter internally or seek outside help.

Finally, the company must fix problems raised by legitimate complaints. To properly do this, disciplinary, prosecution and recovery guidelines are needed.

Minimize Time and Resources

The “magic” to maximizing organizational time and resources for small companies is a basic, commonsense approach: “keep it simple.” A consistent, repeatable process that is documented and reviewed with employees can be as effective as the most ornate organizational and process matrix.

Some things to think about:

1. Reporting mechanisms. Want to outsource your hotline but think the costs outweigh the benefits? Vendors offer various service packages and some tailor their offerings specifically for small companies, so outsourcing may not be as expensive as you first thought. Some small companies have even explored the use of an external answering service that will take down basic information and relay it to your organization’s “first responder”, much like a doctor’s office. Alternatively, some companies have a separate telephone line equipped with voicemail that is maintained by either corporate compliance or general counsel. For written letters, you may consider the use of a Post Office box that is checked on a regular basis. Or maybe an email box with assigned and secured access privileges is right for you. Do employees know from whom they can obtain advice on issues that may be of concern? Hotlines can sometimes be misused because employees don’t know where to go for information, or issues could have been resolved prior to escalation to higher levels. Providing a channel for employees to obtain advice is as important as the channels for reporting concerns. Some small companies provide contact information for either a compliance officer or human resource representative when employees call seeking advice. It’s important that your employees clearly understand where they can obtain advice and report issues of concern.

2. Communications. While many organizations communicate with employees about reporting mechanisms through email or their intranet, not everyone in a small company may have online access. Consider other ways to reach people — either through a message on or included with their paycheck/pay stub, posters in public view (such as a lunch or break room), voicemail, employee newsletters, employee “kiosks,” etc. Clear, concise and ongoing messaging is important, too. Also consider what language(s) you may need to communicate your message in and the accuracy of your translation.

3. Incident response. Understanding the “who, what, when, where and how” of an issue is important for all companies. But for those that are small, this can be particularly sensitive given their size or the potential matter at hand. The use of a form, or “checklist,” during the intake process is key to obtaining, and evaluating, much needed information in a consistent manner that will then be immediately provided to your company’s “first responder(s).” Depending upon your size, you may only have one person dedicated as your “first responder.” Others may use a “decision tree” to help guide the individual receiving the information to get it to the right person — and this can be critical when time matters most. Whatever your escalation model, consider the issue of back-up. If your first responder can’t be reached, you should have a plan in place on what to do next in order to ensure that potential issues are raised and resolved efficiently and effectively. Something else your company needs to consider is data privacy and retention. How will you protect the person and information that has been provided to you? How long will you keep it? How will you store it? You may want to seek the advice of counsel and human resources to determine what is best for your small company.

4. Case management. Once an issue is reported within your company, it is important to track what’s being done about it. Some companies have purchased case management systems that are tied to, or complement, their hotline services. Other small companies use an internal database, spreadsheet or word template that is updated on a routine basis. Whatever your company chooses, emphasis should be placed on the ability to understand the current status of an issue, who’s working on it, how long it’s been open and what’s being done to investigate or remediate it. Procedures should also be in place to report, or communicate, the matter to management, the board, regulators and law enforcement as appropriate, and to “close out” the matter when the review or investigation is completed.

5. Investigative protocols and procedures. When issues arise, small companies often must decide the most appropriate manner in which to investigate the matter without causing disruption to operations and while still maintaining the integrity of the investigative process. For some small companies, the skillset necessary to thoroughly examine reported matters may not be “in-house.” The role of counsel, particularly as it relates to the preservation of privilege and confidentiality, as well as the responsibilities of the Audit Committee for certain accounting-related matters, should also be taken into the company’s consideration of its investigative protocols and procedures. Many small companies simply rely on outside counsel to handle such matters for them.

6. Remediation. It’s important for your company to set forth its expectations regarding ethical behavior, as well as potential consequences for related infractions. Many companies, regardless of size, include this information in their Code of Conduct and/or employee handbook. Disciplinary, prosecution and recovery guidelines help to reinforce your company’s “tone at the top,” as well as provide a clear, consistent approach in handling difficult or sensitive matters. For some small companies, the impact of disciplinary matters upon overall operations may be a consideration in remediation efforts. Emphasis should be placed on the company’s need to truly resolve internal control or behavioral issues in a timely and thorough manner that will help strengthen overall operating effectiveness, rather than on short-term solutions that may provide an “easy” or “temporary” fix.

Summary

For small companies, a successful whistleblower program can be achieved by developing simple strategies that are cost effective, ensure confidentiality and complement their organizational culture, while at the same time meeting regulatory requirements.

Ongoing awareness and support of the program by the board, management and employees is critical, as is active monitoring. The whistleblower program should evolve with the company so that growth or changes within the organization are appropriately reflected in the sophistication of the program, thereby providing a sustainable method for the prevention and detection of fraud and misconduct.

Pamela Verick Stone is a Director in Protiviti’s Financial Investigations & Litigation Consulting practice where she focuses on investigations and leads our fraud risk management initiative. Pam has 16 years of risk management experience, including development of anti-fraud programs and controls, fraud risk assessment, fraud and misconduct investigations, Sarbanes-Oxley assistance and development of compliance and ethics programs for both the public and private sector. Prior to joining Protiviti, Pam was a Director in the Forensic practice of a Big 4 professional services firm where she served as a global product champion for fraud and misconduct diagnostic services.

Business Self-Assessment Methodology

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

Business Self-Assessment Overview
Four Components of Business Self-Assessment
Integrated Business Self-Assessment – Entity Level
Integrated Business Self-Assessment – Process Level
Key Definitions
Related Resources

Business Self-Assessment Methodology Overview

Business Self-Assessment is Protiviti’s dynamic self-assessment approach that leverages organizational knowledge to improve business performance at the entity or process level. Utilizing risk as its foundation, BSA uniquely integrates the assessment of strategic objectives, risks, controls and process-improvement opportunities.

Business Self-Assessment helps organizations improve business performance by enabling them to:

BSA focuses on Strategy, Risk, Control, and Process.

What is Self-Assessment?
Self-assessment is the process through which management, auditees or process owners assess the extent to which their current practices are sufficient and appropriate to achieve their strategic objectives.

Forms of Self-Assessment
Self-assessment, in general, can be executed in a number of ways including the following:

The Methodology
BSA is a Protiviti process that addresses strategy, risk, control and process. BSA is unique in comparison to Control Self-Assessment in that it utilizes a top-down approach beginning with an organization’s key strategies and the risks that may threaten the achievement of those strategies.

While BSA can be accomplished in a number of ways, our experience indicates that facilitated meetings with technology are the most effective. This technique uses effective facilitation of group discussions and real-time data collection and analysis to produce action-oriented results that can be used by an organization to improve business performance.

BSA is flexible. It must be tailored to each unique client environment and can be an integral part of an organization’s comprehensive risk-management process. Experience has shown that facilitated meetings using technology and integrating strategy, risk, control and process are the most effective means of assessing risk. The “right” choice depends on the client’s needs and business environment.

BSA is most effective when delivered by a team with knowledge of strategy, risk, control and process. The blend of required experience depends on the manner in which BSA is to be delivered. Strong facilitation skills and experience implementing the methodology are critical when BSA takes the form of a facilitated meeting.

BSA can be conducted through the execution of each component on a stand-alone basis or the integration of more than one component at either the entity or process level.

The four components of BSA are as follows:

Strategy Self-Assessment
The objective of strategy self-assessment is to understand, prioritize and reach consensus on strategic objectives for the company or a specific business process within the company. An understanding of key strategic objectives is critical to the successful implementation of Business Self-Assessment.

Risk Self-Assessment
The objective of risk self-assessment is to identify, prioritize, measure and source business risks within the company or a specific business process within the company. Business risk is the threat that an event, action or inaction will threaten the ability of a company or process to achieve its objectives and execute its strategies successfully.

Control Self-Assessment
The objective of control self-assessment is to evaluate the effectiveness of a business risk management process within a company or the internal controls within a specific business process. Controls are the policies and procedures that, when implemented effectively and efficiently, help minimize or reduce the impact of risk on a company or business process to an acceptable level.

Process Self-Assessment
The objective of process self-assessment is to enhance the performance of a specific business process within the company. Participant feedback and “best practices” may be used to identify and analyze performance gaps, source root causes and agree on next steps.


Integrated Business Self-Assessment – Entity Level

The execution of Business Self-Assessment (BSA) at the entity level, in its fullest form, involves much more than one meeting or self-assessment session. It is a continuous self-assessment process that reflects the fact that organizations and their environments are dynamic, which results in an ever-changing risk profile for the organization. Proper planning and effective facilitation skills are critical to the success of an individual self-assessment session (see more on proper planning and effective facilitation skills). A typical self-assessment session at the entity level ranges from 4 to 8 hours in length and includes strategy, risk and control self-assessment. Process self-assessment is not typically included in an entity level session. The execution of an entity level session also includes appropriate Introduction and Closing segments.

Strategy Self-Assessment

The objective of this component of an integrated self-assessment session is to ensure that there is a common understanding of the key strategies of the organization among session participants. The definition of Business Risk incorporates an organization’s strategic objectives and, as a result, it is important that all participants have a common understanding of the organization’s key strategies.

This common understanding can be accomplished by:

1. Researching the organization’s strategies in advance of the session and documenting the 3 or 4 key strategies on a flipchart/overhead slide for presentation to the group. This research can be accomplished through interviews, surveys or the review of the organization’s documents. The facilitator would then ask the group, “Does this accurately reflect the key strategies of your organization?”

2. Brainstorming the key strategies during the session. The facilitator will lead this activity and may include a prioritization of the strategies using electronic voting technology. A rating scale or paired-comparison vote would be effective in this process.

Often, due to time constraints, it is beneficial to utilize the first method described above. Once there is a common understanding of the organization’s key strategies, it is a good idea to post the strategies in the meeting room for easy reference throughout the session.

Risk Self-Assessment

The objective of this component of an integrated self-assessment session is to identify, prioritize, measure and source business risks within the organization. Business risk is the threat that an event, action or inaction will adversely affect an organization’s ability to achieve its business objectives or execute its strategies successfully.

Risk self-assessment at the entity level entails a comprehensive look at those business risks that affect the organization as a whole. These risks are generally not specific to one business process but rather are applicable at the organization-wide level. Examples of entity level business risks include competitor risk, political risk and regulatory risk.

The risk self-assessment component of a self-assessment session includes the following phases:

  1. Identification / Creation of Risk Universe
  2. Prioritization of Identified Risks
  3. Sourcing of Risks

1. Identification / Creation of Risk Universe
The first phase of risk self-assessment at the entity level involves the identification of business risks applicable to the organization. This list of business risks is called the Risk Universe. It is important that participants fully understand the definition of business risk and that the facilitator continues to reinforce the relationship between strategies and risk. Brainstorming techniques are used by the facilitator to obtain participant ideas with respect to all of the business risks that may impact the organization. The Protiviti Risk Model is used as a framework for the risk identification process (See the Protiviti Risk Model). Once all of the participant ideas have been captured, risks are grouped into common risk areas in an attempt to produce a concise risk universe for voting purposes.

2. Prioritization of Identified Risks
During this phase of risk self-assessment at the entity level, risks are prioritized based on the following criteria:

  1. Significance: The impact that the event, action or inaction would have on the organization if it were to occur.
  2. Likelihood: The probability that the event or action would occur, assuming no controls are in place to mitigate the risk.

Voting technology is typically used to capture responses from the session participants (see Computer voting methods and tips). The output from this phase is a Risk Map that plots each risk in the risk universe by its relative significance and likelihood. Other criteria that can be used to evaluate risk include manageability and tolerance.

3. Sourcing of Risks
During this phase of risk self-assessment at the entity level, risks are sourced to the business processes in which they reside. Typically, prior to the session, the process classification scheme has been tailored to reflect the key business processes in place within the organization. The facilitator then leads the participants through an exercise of allocating each risk to the business process(es) in which it resides. It is likely that a risk will reside in more than one process. For example, customer satisfaction risk typically resides in all business processes that have interaction with customers. For a manufacturing company, these processes might include ordering, shipping and delivery, and billing.

The objective of this phase is to identify those business processes that have an increased level of inherent risk. This information is particularly useful to the internal audit team since it can be used to focus internal audit effort on the business processes that contain increased risk. This process also helps to establish management buy-in regarding the business processes that will be audited since the risk information was provided by management.

During a self-assessment session, this phase is often executed after the completion of the control self-assessment component.

Control Self-Assessment

The objective of this component of an integrated self-assessment session is to assess whether risks are appropriately controlled within an organization. The business risks identified and prioritized during the earlier phases of the session are utilized during this phase. Participants are asked to evaluate the organization’s current level of control effectiveness over a particular risk compared to the significance of the risk. The output is a Control Map that visually depicts the voting results (see a sample Control Map). This Control Map assists in the identification of risk areas that are under-controlled, over-controlled, or appropriately controlled. Detailed discussions regarding the results depicted in the Control Map are typically led by the facilitator.
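The risk prioritization, risk sourcing and control self-assessment phases above all turn participant votes into maps and rankings. The following is an added worked example, not part of the original article or of Protiviti’s own tooling, that aggregates a constructed set of session votes into a Risk Map (significance vs. likelihood), a Control Map (control effectiveness vs. significance) and a ranking of business processes by the inherent risk sourced to them. The 1–5 voting scale, the midpoint used to split the maps into quadrants, the product of significance and likelihood as an inherent-risk score, and all risk, process and vote values are assumptions chosen for illustration; the article itself fixes none of them.

```python
"""Aggregate facilitated-session votes into a Risk Map, a Control Map and a
process ranking for audit planning. Illustrative example; scale, thresholds
and sample data are assumptions, not from the original article."""
from collections import defaultdict
from statistics import mean

# Constructed sample votes from four participants on an assumed 1-5 scale.
# significance / likelihood feed the Risk Map; control feeds the Control Map.
VOTES = {
    "Competitor risk": {
        "significance": [5, 4, 5, 4], "likelihood": [4, 4, 3, 4], "control": [2, 2, 3, 2]},
    "Regulatory risk": {
        "significance": [4, 5, 4, 4], "likelihood": [3, 2, 3, 3], "control": [4, 4, 5, 4]},
    "Political risk": {
        "significance": [2, 3, 2, 2], "likelihood": [2, 1, 2, 2], "control": [4, 5, 4, 4]},
    "Customer satisfaction risk": {
        "significance": [4, 4, 5, 5], "likelihood": [3, 4, 4, 3], "control": [3, 3, 2, 3]},
}

# Constructed sourcing of each risk to the process(es) in which it resides;
# a risk may be sourced to more than one process (hypothetical process names).
SOURCING = {
    "Competitor risk": ["Product development", "Pricing"],
    "Regulatory risk": ["Billing", "Financial reporting"],
    "Political risk": ["Financial reporting"],
    "Customer satisfaction risk": ["Ordering", "Shipping and delivery", "Billing"],
}

MIDPOINT = 3.0  # assumed quadrant boundary on the 1-5 scale


def risk_map(votes):
    """Average the votes; return {risk: (significance, likelihood, quadrant)}."""
    out = {}
    for risk, v in votes.items():
        sig, lik = mean(v["significance"]), mean(v["likelihood"])
        quadrant = "%s significance / %s likelihood" % (
            "high" if sig >= MIDPOINT else "low",
            "high" if lik >= MIDPOINT else "low")
        out[risk] = (round(sig, 2), round(lik, 2), quadrant)
    return out


def control_map(votes):
    """Compare control effectiveness with significance (assumed rule:
    high significance with low effectiveness is under-controlled, low
    significance with high effectiveness is over-controlled)."""
    out = {}
    for risk, v in votes.items():
        sig, ctl = mean(v["significance"]), mean(v["control"])
        if sig >= MIDPOINT and ctl < MIDPOINT:
            status = "under-controlled"
        elif sig < MIDPOINT and ctl >= MIDPOINT:
            status = "over-controlled"
        else:
            status = "appropriately controlled"
        out[risk] = (round(sig, 2), round(ctl, 2), status)
    return out


def process_inherent_risk(votes, sourcing):
    """Score each process by the inherent risk (significance x likelihood,
    an assumed measure) of every risk sourced to it; highest first."""
    score = defaultdict(float)
    for risk, processes in sourcing.items():
        v = votes[risk]
        inherent = mean(v["significance"]) * mean(v["likelihood"])
        for proc in processes:
            score[proc] += inherent
    return sorted(((p, round(s, 2)) for p, s in score.items()),
                  key=lambda item: -item[1])


def audit_focus(votes, sourcing):
    """Processes that contain at least one under-controlled risk, in the
    order of the inherent-risk ranking: the page's stated use of sourcing."""
    weak = {r for r, (_, _, st) in control_map(votes).items() if st == "under-controlled"}
    weak_procs = {p for r in weak for p in sourcing[r]}
    return [p for p, _ in process_inherent_risk(votes, sourcing) if p in weak_procs]


if __name__ == "__main__":
    for name, row in risk_map(VOTES).items():
        print("Risk Map   ", name, row)
    for name, row in control_map(VOTES).items():
        print("Control Map", name, row)
    print("Process ranking:", process_inherent_risk(VOTES, SOURCING))
    print("Audit focus:", audit_focus(VOTES, SOURCING))
```

With the constructed votes, "Billing" ranks first because two prioritized risks are sourced to it, while "Political risk" lands in the low/low quadrant yet shows as over-controlled, which is exactly the kind of result the facilitated discussion of the Control Map is meant to surface.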

Process Self-Assessment

The objective of process self-assessment is to enhance the performance of a specific business process within an organization. Participant feedback and “best practices” may be used to identify and analyze performance gaps, source root causes and agree on next steps. Because of the nature of process self-assessment, it is generally not performed at the entity level.

Integrated Business Self-Assessment – Process Level

The execution of Business Self-Assessment (BSA) at the process level involves all four components of the BSA Methodology — strategy, risk, control and process. Proper planning and effective facilitation skills are critical to the success of a process level self-assessment session. A typical self-assessment session at the process level ranges from 4 to 8 hours and would include appropriate Introduction and Closing segments.

Strategy Self-Assessment

The objective of this component of an integrated self-assessment session is to ensure that there is a common understanding of the key objectives of the business process under review among session participants. The definition of Process Risk incorporates the key objectives of a process and, as a result, it is important that all participants have a common understanding of such objectives.

This common understanding can be accomplished by:

1. Researching the organization’s strategies in advance of the session and documenting the 3 or 4 key strategies on a flipchart/overhead slide for presentation to the group. This research can be accomplished through interviews, surveys or the review of the organization’s documents. The facilitator would then ask the group, “Does this accurately reflect the key strategies of your organization?”

2. Brainstorming the key strategies during the session. The facilitator will lead this activity and may include a prioritization of the strategies using electronic voting technology. A rating scale or paired-comparison vote would be effective in this process.

Often, due to time constraints, it is beneficial to utilize the first method described above. Once there is a common understanding of the key objectives of the process, it is a good idea to post the objectives in the meeting room for easy reference throughout the session.

Risk Self-Assessment

The objective of this component of an integrated self-assessment session is to identify, prioritize and measure business risks within the business process under review. Process Risk is the threat that an event, action or inaction will adversely affect the ability of a process to achieve its objectives.

Risk self-assessment at the process level entails a comprehensive look at those risks that affect one specific process within an organization. These risks are not necessarily applicable to the organization as a whole but rather are specific to one business process. Examples of process level risks include data integrity risk, efficiency risk and performance gap risk.

The risk self-assessment component of a self-assessment session includes the following phases:

  1. Identification / Creation of Risk Universe
  2. Prioritization of Identified Risks


1. Identification / Creation of Risk Universe
The first phase of risk self-assessment at the process level involves the identification of risks applicable to the specific business process under review. This list of risks is called the Risk Universe. It is important that participants fully understand the definition of process risk and that the facilitator continue to reinforce the relationship between process objectives and risk. Brainstorming techniques are used by the facilitator to obtain participant ideas with respect to all of the risks that may impact the business process under review. The Protiviti Risk Model is used as a framework for the risk identification process (see the Protiviti Risk Model). Once all of the participant ideas have been captured, risks are grouped into common risk areas in an attempt to produce a concise risk universe for voting purposes.

2. Prioritization of Identified Risks
During this phase of risk self-assessment at the process level, risks are prioritized based on the following criteria:

  1. Significance: The impact that the event or action would have on the business process if it were to occur.
  2. Likelihood: The probability that the event or action would occur, assuming no controls are in place to mitigate the risk.

Voting technology is typically used to capture responses from the session participants (see Computer voting methods and tips). The output from this phase is a Risk Map that plots each risk in the risk universe by its relative significance and likelihood. Other criteria that can be used to evaluate risk include manageability and tolerance.

Control Self-Assessment

The objective of this component of an integrated self-assessment session is to assess whether risks are appropriately controlled within the specific business process under review. The risks identified and prioritized during the earlier phases of the session are utilized during this phase. Participants are asked to evaluate the current level of control effectiveness over a particular risk within the business process compared to the significance of the risk. The output is a Control Map that visually depicts the voting results (see a sample Control Map). This Control Map assists in the identification of risk areas that are under-controlled, over-controlled, or appropriately controlled. Detailed discussions regarding the results depicted in the Control Map are typically led by the facilitator.

Alternatively, participants may be asked to vote on both the desired and current effectiveness of key controls. The resulting “gaps” are then discussed.

Process Self-Assessment

The objective of process self-assessment is to enhance the performance of a specific business process within an organization. Participant feedback and “best practices” may be used to identify and analyze performance gaps, source root causes and agree on next steps.

Process self-assessment entails a detailed examination of the primary components of one specific process within an organization. Key stakeholders and those involved in the process on a daily basis discuss potential performance gaps and ways to close them to enhance business performance. The gaps may be caused by an inefficient step in the process or a control that is not operating effectively or is inappropriate based on the risk level. Action plans that include timelines and responsibilities are developed to help ensure that issues identified during the self-assessment are addressed.

The process self-assessment component of a self-assessment session includes the following phases:

  1. Definition of Process
  2. Identification of Primary Components of Current Process
  3. Discussion of Opportunities to Improve the Process
  4. Discussion of Tactics to Improve the Process

Definition of Process
The first phase of process self-assessment at the process level involves the definition of the process. The process should be defined in terms of its primary function and the other process areas within the organization that it impacts.

Identification of Primary Components of Current Process
The next phase of process self-assessment involves the identification of the primary components of the process as it currently exists. The facilitator should remind participants to discuss the process as it exists rather than how it might exist in the future. Thoughts about improvements should be captured in the Parking Lot (see related documentation on creating a Parking Lot). There are a number of ways to conduct this discussion:

  1. Option One: The process owner can prepare a flowchart or summary of the primary components of the process in advance of the meeting. The document can be distributed to participants and enlarged and posted in the room. The facilitator can lead a discussion of the process and make necessary changes directly to the enlarged document.
  2. Option Two: The facilitator can lead a discussion of the primary components of the process. Each participant documents the primary components (one on each post-it note); once everyone has finished, the notes are collected and organized on wall charts. The steps can then be arranged based on the flow indicated by the participants.

Discussion of Opportunities to Improve the Process
The next phase of process self-assessment is to discuss opportunities to improve the process. Process components are discussed based on the following criteria:

  1. Importance – The relative importance of each process component to the successful execution of the process.
  2. Current Performance – The current performance of each component in the process.

Voting technology is typically used to capture responses from the session participants. The output from this phase is a Process Performance Map that plots the process steps in terms of their relative importance and current performance (See a Process Performance Map). Other criteria that can be used to evaluate a process include cost of implementation and willingness to change.

Discussion of Tactics to Achieve Strategic Objectives
During this phase of process self-assessment, participants begin to discuss potential performance gaps and ways to close them to enhance business performance. The gaps may be caused by an inefficient step in the process or a control that is not operating effectively or is inappropriate based on the risk level. It is often helpful to break the large group into smaller groups of 2 to 3 people for this activity; each small group can identify the tactics and then present them to the larger group for feedback. Once the tactics have been identified and agreed upon, the facilitator should lead participants through a process to assign responsibility and agree on the dates by which the tactics should be accomplished (See Action Planning Matrix). In most cases, one of the tactics will be to perform additional planning in a different forum, because it is likely that some of the individuals responsible for implementation may not be participants in the process self-assessment session.

Strategy Self-Assessment

Overview
The objective of strategy self-assessment is to understand, prioritize and reach consensus on strategic objectives for the company or a specific business process within the company. An understanding of key strategic objectives is critical to the successful implementation of Business Self-Assessment.

Entity Level Strategy Self-Assessment
Strategy self-assessment at the entity level entails a comprehensive look at the strategic objectives of the organization as a whole. These strategies are generally achieved through the collaboration of multiple process areas. Examples of entity level strategies include increasing earnings by an agreed upon percentage or amount, decreasing costs by an agreed upon percentage or amount, providing high-quality products or services that are competitively priced, or increasing customer satisfaction.

Strategy self-assessment at the entity level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis. Strategy self-assessment is a recurring process of understanding, prioritizing and reaching consensus on strategic objectives to reflect the fact that organizational strategies change as the organization and environment in which it operates evolves.

The results of strategy self-assessment at the entity level can be used for various purposes. Results can be used to:

Process Level Strategy Self-Assessment
Strategy self-assessment at the process level entails a comprehensive look at the strategic objectives of one specific process within an organization. Although these strategies generally support those of the organization as a whole, they can be achieved by the process area without the involvement of other areas. Examples of process level strategies in the billing process include providing accurate invoices to customers in a timely manner and ensuring that process controls are operating effectively and efficiently to minimize risk to an acceptable level.

Although strategy self-assessment at the process level can be conducted on a stand-alone basis, it is typically conducted on an integrated basis with the other phases of Business Self-Assessment (BSA).

The results of strategy self-assessment at the process level can be used for various purposes. Results can be used to:

Risk Self-Assessment

Overview
The objective of risk self-assessment is to identify, prioritize, measure and source business risks within the company or a specific business process within the company. Business risk is the threat that an event, action or inaction will threaten the ability of a company or process to achieve its objectives and execute its strategies successfully.

Entity Level Risk Self-Assessment
Risk self-assessment at the entity level entails a comprehensive look at those business risks that affect the organization as a whole. These risks are generally not specific to one business process but rather are applicable at the organization-wide level. Examples of entity level business risks include competitor risk, political risk and regulatory risk.

Risk self-assessment at the entity level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis. Risk self-assessment, in its fullest form, is much more than one meeting or session. It is a continuous process of identifying, prioritizing, measuring and sourcing risks to reflect the fact that organizations and their environment are dynamic with ever-changing risk profiles.

The results of risk self-assessment at the entity level can be used for various purposes. Results can be used to:


Process Level Risk Self-Assessment
Risk self-assessment at the process level entails a comprehensive look at those risks that affect one specific process within an organization. These risks are not necessarily applicable to the organization as a whole but rather are specific to one business process. Examples of process level risks include data integrity risk, efficiency risk and performance gap risk.

Risk self-assessment at the process level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis.

The results of risk self-assessment at the process level can be used for various purposes. Results can be used to:

Control Self-Assessment

Overview
The objective of control self-assessment is to evaluate the effectiveness of a business risk management process within a company or the internal controls within a specific business process. Controls are the policies and procedures that, when implemented effectively and efficiently, help minimize or reduce the impact of risk on a company or business process to an acceptable level.

Entity Level Control Self-Assessment
Control self-assessment at the entity level entails a review of the business risk management processes in place within an organization that are designed to manage its business risks. The execution of control self-assessment at the entity level assumes that the business risks facing the organization have already been identified and prioritized as part of a risk self-assessment process or by some other means. Entity level control self-assessment results in enhanced risk control for entity level risks. Examples of entity level controls include determining risk tolerance, establishing policies and procedures to manage the risks, and measuring and monitoring the risks.

Control self-assessment at the entity level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis. Control self-assessment, in its fullest form, is much more than one meeting or session. It is a continuous process of ensuring that a company’s business risk management process adequately mitigates its entity level risks. This continuous process reflects the fact that organizations and their environments are dynamic and control environments must be responsive to those changes.

The results of control self-assessment at the entity level can be used for various purposes. Results can be used to:


Process Level Control Self-Assessment
Control self-assessment at the process level entails a review of the internal controls in place within a specific business process of an organization. The execution of control self-assessment at the process level assumes that the risks within the business process have already been identified and prioritized as part of a risk self-assessment process or by some other means. Process level control self-assessment results in enhanced risk control within a particular business process. Examples of process level controls include reconciliations, approvals, passwords and segregation of duties.

Control self-assessment at the process level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis.

The results of control self-assessment at the process level can be used for various purposes. Results can be used to:

Process Self-Assessment

Overview
The objective of process self-assessment is to enhance the performance of a specific business process within the company. Participant feedback and “best practices” may be used to identify and analyze performance gaps, source root causes and agree on next steps.

Entity Level Process Self-Assessment
Because of the nature of process self-assessment, it is generally not performed at the entity level.

Process Level Process Self-Assessment
Process self-assessment entails a detailed examination of the primary components of one specific process within an organization. Key stakeholders and those involved in the process on a daily basis discuss potential performance gaps and ways to close them to enhance business performance. The gaps may be caused by an inefficient step in the process or a control that is not operating effectively or is inappropriate based on the risk level. Action plans that include timelines and responsibilities are developed to help ensure that issues identified during the self-assessment are addressed.

Process self-assessment at the process level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis.

The results of process self-assessment can be used for various purposes. Results can be used to:

Key Definitions, Strategy Self-Assessment

Key Definitions, Risk Self-Assessment

Key Definitions, Control Self-Assessment

Key Definitions, Process Self-Assessment

Fraud Schemes and Scenarios

Filed under: Articles on Internal Audit — internalauditindonesia @ 12:00 am

The purpose of this document is to provide a common understanding of the potential fraud schemes and scenarios that ABC Company has included in its entity-level fraud risk assessment. Each of these schemes/scenarios should be examined by the Internal Audit group and senior management from each of the functional areas within the company.

Fraud Schemes/Scenarios and Definitions

Benefits Fraud: Encompasses the receipt of benefits by employees who are not eligible, by dependents of employees who are not eligible, or the receipt of benefits by employees beyond their departure date from the company.

Bid Rigging: This scheme occurs when an employee fraudulently assists a vendor in winning a contract through the competitive bidding process. This may include related party transactions and vendor kickbacks, among other frauds.

Check Fraud: Check fraud includes the use of technology to design/reproduce bank checks and simple check forgery.

Check Theft: This scheme involves interception of a valid disbursement prior to delivery to the rightful recipient.

Collateral or Records Management: An employee could use titles held by the company to secure other/personal debt.

Concealment of Investing Activity: This scheme involves the failure of personnel to report investing activity for inclusion in the financial statement preparation process.

Disguised purchases: This scheme involves the utilization of company funds to make non-company related purchases. The purchase may benefit the employee or another party and is intended to have the appearance of a purchase made in the normal course of business.

Early Recognition of Revenue: Companies try to enhance revenue by manipulating the recognition of revenue. Improper revenue recognition entails recognizing revenue before a sale is complete, before the product is delivered to a customer, or at a time when the customer still has options to terminate, void, or delay the sale. Examples of improper revenue recognition include recording sales to nonexistent customers, recording fictitious sales to legitimate customers, recording purchase orders as sales, altering contract dates and shipping documents, entering into “bill and hold” transactions, holding the books open until after shipment so that the sale can be recorded in the desired period, entering into side agreements, and channel stuffing.

Earnings Management/Smoothing: The pressure to meet or beat analyst expectations may lead management to engage in dubious practices such as “big bath” restructuring charges, creative acquisition accounting, “cookie jar reserves,” “immaterial” misapplications of accounting principles, and the premature recognition of revenue. Insistence on aggressive application of accounting principles, on always being “on the edge” and on applying “soft” methods allowing for a lot of “running room” when making significant estimates in the financial reporting process all contribute to an environment that impairs or reduces the quality of earnings and breeds earnings management.

Electronic Transaction Fraud: This scheme is similar to embezzlement, but specifically relates to the diversion, theft, or misappropriation of funds that are received or disbursed electronically. This scheme may be perpetrated at the initiation point of the transaction, during transmission, or at the destination of the transaction.

Embezzlement: The property of another party is wrongfully taken or converted for the wrongdoer’s benefit. This may include theft of cash or property or the use of company assets for personal gain.

Employee Fraud: While every industry is at risk for employee fraud, the nature of the financial services industry makes it an attractive target for employees who can figure out how to work around existing or lax controls and, for example, create dummy loans, siphon money from customer accounts, or arrange to get kickbacks for providing services. This may also include fraud resulting from a “rogue employee,” e.g., the trader who manages to trade off-book and/or hide his trading losses in accounts that only he controls or from insider dealing, i.e., the use of non-public information for personal gain.

Fictitious Borrowing/Borrowing Fraud: Personnel may enter into borrowing arrangements for personal gain utilizing company credentials/collateral.

Fictitious Vendors: This scheme involves intent to divert funds to an employee or another party with no corresponding receipt of goods or services.

Fictitious/False Employees: This refers to someone on payroll who does not actually work for the company. Through the falsification of personnel or payroll records a fraudster causes paychecks to be generated to a “ghost.” The fraudster or an accomplice then converts these paychecks. The ghost employee may be a fictitious person or a real individual who simply does not work for the victim employer. When the ghost is a real person, it is often a friend or relative of the perpetrator.

Financial Statement Fraud: Misstatement(s) of an entity’s financial statements accomplished by (a) overstatement of revenue and revenue-related assets, (b) understatement of costs or expenses and their related liabilities, or (c) omission or manipulation of required disclosures. The misstatement involves violation(s) of Generally Accepted Accounting Principles (“GAAP”) and defrauds investors or creditors of the entity by manipulation, deception, or contrivance using false and misleading financial information.

Fraudulent Account Activity: This scheme involves the manipulation of customer accounts to conceal delinquency or boost portfolio performance metrics. The scheme may involve changing receivables status to current or manipulating bankruptcy account status to boost the quality of receivables and lessen the need for a bad debt reserve.

Fraudulent Capitalization of Costs: This scheme involves the capitalization of costs that do not provide a benefit to future periods. Management may undertake this effort to delay the recognition of period expenses and lessen the current P&L impact.

Fraudulent Journal Entries: Some characteristics may include entries that (1) are made to unrelated, unusual or seldom-used accounts; (2) are made by individuals who typically do not make journal entries; (3) are made with little or no support; (4) are made post-closing or at the end of a period such as quarter or year end, and might be reversed in a subsequent period; (5) include round numbers; and/or (6) affect earnings. Financial statement fraud is frequently accomplished through the use of fraudulent journal entries and is a form of management override of the internal control structure. Of particular interest would be journal entries that mask fund diversion, the improper reversal of reserve accounts, the use of intercompany accounts to hide expenses, and/or the capitalization of costs that should be expensed.
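The six characteristics above are the usual basis for a journal-entry screen that an audit team runs over a general ledger extract before selecting entries for testing. The following is an added example (not from the original article, and not Protiviti’s or KnowledgeLeader’s tooling) that scores each entry against those six tests and ranks the population so the riskiest entries are sampled first. The chart of accounts, the roster of routine posters, the period end, the “last three days” window and the round-number unit are constructed assumptions, as are the three sample entries; a real engagement would take these from the client’s ledger and access records.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# --- Constructed reference data (assumptions for this example, not from the article) ---
PERIOD_END = date(2010, 6, 30)           # quarter end under review
PERIOD_END_WINDOW_DAYS = 3               # "end of period" means the last three days
ROUND_NUMBER_UNIT = 1000                 # whole multiples of this amount count as "round"
SELDOM_USED_ACCOUNTS = {"2990-Suspense", "1990-Other Assets"}
ROUTINE_POSTERS = {"ap.clerk", "ar.clerk", "payroll.clerk"}
EARNINGS_ACCOUNT_PREFIXES = ("4", "5", "6")  # revenue and expense accounts in this constructed chart


@dataclass
class JournalEntry:
    entry_id: str
    posted_by: str
    effective_date: date              # period the entry is booked into
    posted_on: date                   # when it was actually keyed into the ledger
    lines: List[Tuple[str, float]]    # (account, amount): debit positive, credit negative
    support_docs: int                 # number of attached supporting documents
    reversed_next_period: bool = False


def red_flags(entry: JournalEntry) -> List[str]:
    """Return the characteristics (1)-(6) from the definition that this entry exhibits."""
    flags = []
    accounts = [acct for acct, _ in entry.lines]
    amounts = [amt for _, amt in entry.lines]

    # (1) unrelated, unusual or seldom-used accounts
    if any(acct in SELDOM_USED_ACCOUNTS for acct in accounts):
        flags.append("seldom_used_account")
    # (2) posted by someone who does not normally make journal entries
    if entry.posted_by not in ROUTINE_POSTERS:
        flags.append("non_routine_poster")
    # (3) little or no support
    if entry.support_docs == 0:
        flags.append("no_support")
    # (4) post-closing, at period end, or reversed in the following period
    post_closing = entry.effective_date <= PERIOD_END < entry.posted_on
    at_period_end = 0 <= (PERIOD_END - entry.effective_date).days <= PERIOD_END_WINDOW_DAYS
    if post_closing or at_period_end or entry.reversed_next_period:
        flags.append("period_end_or_post_closing")
    # (5) round numbers
    if any(abs(amt) >= ROUND_NUMBER_UNIT and abs(amt) % ROUND_NUMBER_UNIT == 0 for amt in amounts):
        flags.append("round_amount")
    # (6) affects earnings (touches a revenue or expense account)
    if any(acct.startswith(EARNINGS_ACCOUNT_PREFIXES) for acct in accounts):
        flags.append("affects_earnings")
    return flags


def screen_entries(entries: List[JournalEntry]) -> List[Tuple[str, List[str]]]:
    """Rank entries by number of red flags (most first) so the auditor samples the riskiest."""
    scored = [(e.entry_id, red_flags(e)) for e in entries]
    scored.sort(key=lambda item: (-len(item[1]), item[0]))
    return scored


# Constructed sample population: a routine payment, a suspicious top-side entry,
# and a period-end reserve entry that merits a closer look.
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", "ap.clerk", date(2010, 6, 15), date(2010, 6, 15),
                 [("2000-Accounts Payable", 1234.56), ("1000-Cash", -1234.56)], support_docs=2),
    JournalEntry("JE-002", "cfo.office", date(2010, 6, 30), date(2010, 7, 3),
                 [("2990-Suspense", 250000.00), ("4000-Revenue", -250000.00)],
                 support_docs=0, reversed_next_period=True),
    JournalEntry("JE-003", "ar.clerk", date(2010, 6, 28), date(2010, 6, 28),
                 [("6100-Bad Debt Expense", 4000.00), ("1200-Allowance for Doubtful Accounts", -4000.00)],
                 support_docs=1),
]

if __name__ == "__main__":
    for entry_id, flags in screen_entries(SAMPLE_ENTRIES):
        print(f"{entry_id}: {len(flags)} flag(s) {flags}")
```

The score is deliberately a plain count: each characteristic is one reason to pull the entry, and the auditor decides weighting after seeing the population. Thresholds such as the round-number unit and the period-end window should be tuned to the client’s volumes before the output is used to size a sample.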

Fraudulent Disbursements: In fraudulent disbursement schemes, an employee makes a distribution of company funds for a dishonest purpose. Examples of fraudulent disbursements include forging company checks, the submission of false invoices, doctoring timecards and so forth.

Fraudulent Loan Setup/Funding Disbursement: This scheme involves booking loans that do not exist, or disbursing funds to fictitious customers. This scheme can inflate revenues, assets (loan receivables) and may also include embezzlement of funds.

Identity Theft: A crime in which an imposter obtains key pieces of personal information, such as Social Security or driver’s license numbers, in order to impersonate someone else.

Inflated Time Reporting: Employees may intentionally report hours that were not spent working. This may involve reporting hours for days the employee did not work, incrementing hours beyond those actually spent at work, and failing to report vacation or sick time.

Insider Trading: Insider trading is an illegal act that involves the use of non-public information to purchase/sell company stock. Insider trading most often involves executive management or financial reporting personnel who have access to company performance results in advance of public filings.

Intentional Misapplication of Payments: This scheme involves taking a customer payment and applying it to another customer, or another type of payable due from the customer.

Kiting: Check kiting is the act of writing checks against a bank account with insufficient funds to cover the check in hopes that funds will be available prior to the payee depositing the check.

Lapping: Lapping customer payments is one of the most common methods of concealing skimming, and it is particularly useful to employees who skim receivables. Lapping is the crediting of one account through the abstraction of money from another account. It is the fraudster’s version of “robbing Peter to pay Paul.”

Loss Allowance Manipulation: The scheme involves changing allowance calculation assumptions, changing input data, or simply changing the end result of the allowance calculation to delay the impact of impending losses. This scheme most often must be continued over time to conceal inevitable write-offs and may lead to other fraudulent journal entries (defined above).

Manipulation of Bonus/Commission Criteria/Results: This scheme is similar to embezzlement, but has distinct characteristics. Personnel responsible for submitting bonus/commission attainment (HR, department management) may modify compensation criteria or performance results to increase bonus/commission payouts to themselves or the employees that work for them. In many cases, this scheme is justified by management to reward employees that are perceived to be strong performers that are not rewarded by established performance metrics.

Manipulation of Derivative Position: This scheme involves the intentional misreporting of derivative position to conceal a poor business decision or simply increase earnings. This scheme can be accomplished in a variety of manners including the destruction or concealment of supporting documentation, falsifying documentation related to hedging activities, or modifying the actual position to one more favorable to the company.

Manipulation of Inventory: This scheme involves the modification of inventory records to overstate assets, or the failure to recognize a decline in or impairment of inventory value. This scheme may involve the falsification or destruction of records in an attempt to substantiate activity that did not occur in the period.

Manipulation or Concealment of Trigger Reporting: This scheme involves the intentional cover up or falsification of performance reports that would otherwise result in the violation of debt covenants.

Misappropriation of Customer Payments/Funds: Often accompanies embezzlement, but is a separate and distinct offense. Misapplication is the wrongful taking or conversion of another’s property, in this case customer payments, for the benefit of someone else, whether the employee or another customer.

Misappropriation of Funds: Often accompanies embezzlement, but is a separate and distinct offense. Misapplication is the wrongful taking or conversion of another’s property, in this case company funds, for the benefit of someone else.

Misappropriation of Trustee Payments/Funds: Often accompanies embezzlement, but is a separate and distinct offense. Misapplication is the wrongful taking or conversion of another’s property, in this case trustee payments, for the benefit of someone else.

Misleading Analyst Forecasts: This scheme is perpetrated by management to conceal a pending downturn or flat revenues, or to predict a significant increase in revenue despite the lack of supporting analysis.

Overstatement of Assets: Areas where assets can easily be overstated include inventory valuation, accounts receivable, business combinations, and fixed assets:

  • Inventory valuation: the failure to write down obsolete inventory, manipulation of physical inventory counts, recording “bill and hold” items as sales and including these items in inventory
  • Accounts receivable: fictitious receivables and the failure to write-off bad debts
  • Business combinations: setting up excessive merger reserves and taking the reserves into income
  • Fixed assets: capitalizing costs that should be expensed or booking an asset although the related equipment might be leased

Proprietary Information Dissemination: This scheme involves the intentional dissemination of private company information to potential customers, vendors or suppliers, giving them an unfair advantage in dealing with the company, whether applying for a loan or providing goods/services. This scheme may be coupled with other acts such as embezzlement or bid rigging (defined above).

Speculative Investing: This scheme involves company personnel, either on their own or at the direction of management, entering into derivative/hedging transactions that mitigate no specific risk. This may be an attempt to circumvent investing policies in an effort to boost earnings, or to profit individually from the transaction.

Tax Evasion: The company intentionally evades payment of taxes that are otherwise owed to a taxing authority. This conduct can include, but is not limited to, the concealment of assets or income, keeping two sets of books, manipulation of quarterly payment estimates, and the destruction of books and records.

Title Fraud: This scheme involves the use of company assets, in this case vehicle titles, to secure personal or others’ debt. This scheme is most likely to occur with Collateral or Records Management employees due to their access to such documents.

Unrecorded, Deferred, or Understated Liabilities: The most common methods used to understate liabilities include failing to record liabilities and/or expenses, failing to record warranty costs and liabilities, and failing to disclose contingent liabilities. In one high-profile case, liabilities were hidden in off-balance-sheet affiliates.

Other Fraud Schemes/Scenarios to Consider

Collusion with Dealers
Concealment or Manipulation of financial results and disclosures
Dealer buyback – Theft of Funds
Diversion of Funds/Misappropriation of Assets
Diversion/Misappropriation of Funds
Diversion/Theft of Disbursements
Electronic Payments Fraud
Failure to Record/Remit Payroll Taxes
Failure to Remit Ancillary Product Refund to Customer
False Repo Agent Invoices
Falsification of Expense Reports
Fraudulent Auction Invoices
Fraudulent Repo Agent Invoices/Auction Expenses
Fraudulent Settlement Negotiation
Improper Re-Aging Accounts to Current
Initiation of Fraudulent Check
Kickbacks
Manipulation of Assumptions Utilized by Financial Reporting
Manipulation of Bank Account Status
Manipulation of Estimates to Alter Quarterly Tax Payments
Manipulation of Payroll Records
Manipulation of Performance Forecasting
Manipulation of Performance Results
Manipulation of Significant Accounting Estimates
Manipulation or Theft of Fees
Management Circumvention/Override of Loan Setup Controls
Principal Credit Adjustments to Increase Recoveries
Principal Credit Adjustments to Reduce/Pay-Off Loans
Related Party Purchases
Related Party Transactions
Terminated Employee Payments
Theft
Unauthorized Electronic Payments
Unsupported Top-Side Entries
Use of Resources for Personal Gain
Vendor Kickbacks

Protiviti’s Sarbanes-Oxley Section 404 Compliance Initiatives Methodology

Filed under: Articles on Internal Audit — internalauditindonesia @ 12:00 am

To comply with Section 404 of the Sarbanes-Oxley Act, management needs a comprehensive internal controls evaluation approach. Section 404 is an annual assessment with an external auditor attestation required.

As part of this process companies have the opportunity to:

  • Understand, document and evaluate their internal control over financial reporting to comply with Section 404
  • Improve the efficiency and effectiveness of their business processes and internal controls
  • Build a sustainable, cost-effective assessment process

Protiviti has developed a phased approach to the execution of Sarbanes-Oxley Section 404 compliance. The approach is facilitated by project management, knowledge sharing, communication and continuous improvement. It applies the COSO Internal Control – Integrated Framework by taking both an entity-level and a process-level view of the business. This document provides a high level overview of Protiviti’s approach, which is illustrated below.

Set Foundation

In the Set Foundation stage, we establish the basis of the work. This includes project organization, developing a project plan, agreeing on the project approach and identifying existing internal controls documentation.

Organize Project

Develop Project Plan

Agree on Project Approach and Reporting Requirements


PHASE I – Assess Current State and Identify Relevant Processes

In Phase I, we conduct a risk assessment to provide the basis for selecting priority financial reporting elements and the processes feeding those elements for review. This stage also includes inventorying and reviewing existing process documentation to determine its adequacy for purposes of identifying risk and evaluating controls.

Complete Entity-Level Risk Assessment

Select Priority Financial Reporting Elements

Select Priority Processes

Inventory Existing Documentation

Develop Phase II Action Plan


PHASE II – Document Design and Evaluate Critical Processes and Controls

The focus of Phase II is on documenting the identified processes and the related risks and controls, and identifying potential control gaps. Process documentation is typically in narrative or flowchart form. Risk and control documentation will include identification of process risks and related controls, assessment of controls design effectiveness and assessment of controls operating effectiveness, which is accomplished through testing of controls.

Document Processes


Source Risks

(Note: Sourcing the risks (or “what can go wrong”) to the achievement of assertions is THE most important part of the management’s evaluation of internal control over financial reporting.)

Document Controls

Assess Design

Validate Controls Operation

Develop Phase III Action Plan


PHASE III – Design Solutions for Control Gaps

Phase III considers all of the control design and operating gaps identified in Phase II and determines the required remediation for each respective gap.

During Phase III:

Factors to consider when assessing deficiencies:


PHASE IV – Implement Solutions for Control Gaps

Phase IV entails the execution of remediation plans created in Phase III and the establishment of policies and procedures to ensure timely and accurate updating of process documentation as changes occur. This phase includes training company personnel in control gap remediation.

During Phase IV:


Critical Supporting Activities

As each phase of the SOA methodology is executed, it is important to complete certain supporting activities. These supporting activities are important to revisit throughout the process as they assist in moving SOA compliance from project to process. These activities are organized in four categories.

Project Management

Knowledge Sharing

Communication

Continuous Improvement

Fraud/Integrity Risk Methodology

Filed under: Articles on Internal Audit — internalauditindonesia @ 12:00 am

Introduction
What Is Integrity Risk?
Key Questions Answered by the Integrity Risk Management Process
Overview of the Integrity Risk Management Process

Introduction

Companies are under increasing competitive, regulatory and shareholder pressure to assess and manage their integrity risks more effectively. In the past internal auditors have investigated financial frauds and illegal acts after they have happened. While this service continues to be important, senior executives are increasingly interested in preventing such problems and avoiding serious damage to the organization’s reputation and shareholder wealth.


This methodology should not be viewed as a rigid “cookbook” of prescribed activities, which, if mechanically performed, will always produce the desired finished product. It is a flexible framework upon which internal audit teams can build, adapting their approach to their current needs and situation.

What Is Integrity Risk?

The Integrity Risk Management methodology focuses exclusively on the Integrity Risk section of the Process Risk category of the Protiviti Risk Model. The general integrity risk categories in that model are Employee Fraud, Management Fraud, Illegal Acts, Unauthorized Use and Reputation Risk. They are defined as follows:

  • Employee Fraud — employees, customers or suppliers, individually or in collusion, perpetrate fraud against the company, resulting in financial loss.
  • Management Fraud — management and/or employees issue misleading financial statements with intent to deceive the investing public and the external auditor or engage in bribes, kickbacks, influence payments and other schemes for the benefit of the organization.
  • Illegal Acts — willful violations of laws or governmental regulations. Illegal acts should be broadly construed to include, for example, violations of environmental laws or securities regulations, but should be restricted to those that are integrity related. Illegal acts committed against the organization by third parties (i.e., organized criminals) are also included. Illegal acts committed by the organization’s personnel unrelated to the company’s business activities are not relevant for our purposes, unless they create a reputation risk for the organization. See Reputation Risk below.
  • Unauthorized Use — the use of the organization’s physical, financial, information and other assets for unauthorized or unofficial purposes by employees or others (industrial espionage), resulting in loss of competitive advantage.
  • Reputation Risk — the risk that an organization may lose customers, key employees or its ability to compete or perform its business purpose, due to public perceptions that it does not deal fairly with employees, customers, suppliers and stakeholders, or know how to manage its business. (For example, a company’s lawful use of child labor to manufacture designer clothing may be damaging to its reputation with customers in some countries).

Loss of customers means the loss of future revenue streams. Loss of employees means the loss of the talent, skills and expertise needed to run and grow the business. Loss of ability to profitably compete means, ultimately, going out of business.

Reputation risk can arise as a consequence of employee fraud, management fraud, illegal acts or unauthorized use, given enough media attention and coverage. It can also arise directly from other lawful activities of the organization. It can often be mitigated by the same measures taken to manage other integrity risks.

Key Questions Answered by the Integrity Risk Management Process

Internal Auditors need to ask the right questions about integrity risks and controls in addressing the vital concerns of management. These questions include:


Overview of the Integrity Risk Management Process

The Integrity Risk Management process (see above graphic) can be applied broadly at the organization level (across many processes) or more narrowly within specific processes of an organization. There are three major components to the process, sandwiched between determining management’s expectations and communicating results.

Although the methodology is shown to be linear, the actual execution may require that certain steps be repeated or that the sequence of steps be modified.

Determine Client Expectations

The internal audit team should inquire about and document their client’s expectations. The expectations discussion is designed to:


The team inquires, during the course of its work, about the client’s expectations for the integrity risk management process, and whether expectations have been met and exceeded. Any significant changes from what was originally agreed to and the reasons underlying those changes are communicated on an ongoing basis.

Understanding expectations requires a full understanding of business operations and potential fraud concerns. The team should customize the expectations discussion to reflect that understanding. One common issue is that management may not have clearly defined the goals for the integrity risk management process, which makes it difficult to establish clear expectations for the audit team. Management may in some cases obtain input from the independent directors to ensure that their expectations in this area are known and are communicated to the audit team.

During the discussion, expectations are summarized and shared with the appropriate members of the audit team. Changes in senior management, the Audit Committee, the corporate structure or the company’s condition all can impact the process of understanding expectations from year to year. The Internal Audit team should customize its approach based on the specific situation. Regardless of the approach taken, the end result should be an understanding of client expectations and a plan to meet or exceed these expectations.

Assess Integrity Risks

An organization that wants to manage its integrity risks needs first to assess the integrity risks to which it is exposed. In our experience, most organizations do not have an up-to-date evaluation of their integrity risks. If they exist at all, they may not reflect recent developments in crime trends (e.g., caused by new technology or organized criminal gangs) or their organization’s activities (e.g., new international ventures). They often do not draw on the most effective external information sources, particularly for international locations. Risk assessments also may not reflect the full measure of losses (direct and consequential) that could arise from each potential integrity risk incident.

This component of the process has four phases that together determine the integrity risks which the organization needs to mitigate through its system of controls. The four phases are: Identify Key Integrity Risks; Source Integrity Risks; Measure Integrity Risks; and Reject, Transfer and Retain Integrity Risks.

KnowledgeLeader has several tools and resources to help you identify fraud and integrity risks. See More on Fraud.

Identify Key Integrity Risks

Objective: To focus integrity risk assessment on specific businesses or business units, risks, and processes.

Activities:
1) Understand the industry, environment, countries of operation, business objectives, etc.
2) Identify the performance measures used in the business and review the financial performance.
3) Identify the universe of integrity risks using knowledge bases, external information sources and facilitated self-assessment. Link to Self-Assessment Survey Development Tool.
4) Identify the processes wherein identified risks could occur, and the owners of those processes.
5) Filter the risks further using facilitated self-assessment by a steering committee and process owners to arrive at Preliminary Target Integrity Risks (PTIR) (to be sourced, measured and validated at a later step).
6) Obtain management agreement on Preliminary Target Integrity Risks (PTIR).

Source Integrity Risks

Objective: To determine where and how integrity risks, both external to the organization and within its business processes, manifest themselves.

Activities:
1) Understand each identified business process.
2) Note any control information offered during discussions.
3) Map the process.
4) Source the PTIRs within the business process.

Measure Integrity Risks

Objective: To develop valuable information for management to use in making informed strategic decisions about integrity risk during the next phase.

Activities:
1) Identify useful metrics.
2) Gather risk measurement information and determine whether the PTIR’s adverse consequences will be expressed qualitatively or quantitatively.
3) Measure the level of significance.
4) Assess the level of likelihood and determine integrity risk exposure.

Reject, Transfer and Retain Integrity Risks

Objective: To facilitate management in making strategic integrity risk decisions and selecting target integrity risks.

Activities:
1) Determine management’s tolerance for the risk impact areas of a PTIR.
2) Assess the gaps between the potential consequences of a PTIR and management’s risk tolerance and determine the estimated cost of implementing the integrity risk management strategy.
3) Assist management in identifying the Target Integrity Risks (i.e., the PTIRs management chooses to retain and reduce to an acceptable level.)

Evaluate and Improve Integrity Risk Controls

In the second component, “Evaluate and Improve Integrity Risk Controls,” the adequacy of the organization’s existing controls is evaluated. The idea is to mitigate the specific integrity risks which have been identified and which the organization has elected to retain. This can be done by comparing existing controls to best practices. The design and operating effectiveness of the relevant controls should also be tested. The team identifies any control gaps, proposes appropriate new or improved controls, and then assists the client in building the improved controls into their business processes.

The types of controls that can be considered in this component include both process-specific controls and environmental controls, such as ethics programs, compliance programs, anti-fraud programs and other nontraditional measures to reduce integrity risk. Environmental controls are particularly important in mitigating integrity risk because process controls may be overridden or circumvented by a determined fraudster or thief, especially if collusion is involved.

Provide Change Management Services

In the third component, “Provide Change Management Services,” the goal is to assist the organization in establishing a self-assessment process to identify and act on changes in integrity risks as they occur. The organization’s processes should allow for the identification of potentially significant integrity risks on a timely basis, along with the assessment of whether they are being adequately mitigated to an acceptable level. The result is continuous improvement of the organization’s control processes.

Communicate Results

“Communicate Results” is shown as the last step in the linear process. However, experience has shown that frequent and ongoing communication with management is crucial and should occur throughout the process. This feedback can generate valuable additional input from management to enhance and focus remaining work.
