Common Internal Audit Findings and How To Avoid Them

Presenter

2012-07-19 09:44:16
--------------------------------------------
Boyd starts

Common Internal Audit Findings and How to Avoid Them

May 2, 2011
Boyd Kumher
University Compliance Officer
Tina Griffiths
Senior Manager, Deloitte
Brian Bartos
Senior Consultant, Deloitte
Today’s Agenda
• Compliance Brown Bag Events
• Evaluation and Compliance Program Survey Tool
• Purpose of the University Compliance Program
• Need for Good Corporate Governance
• Meet the Deloitte Team
• Overview of Internal Audit
• Risk and Internal Control Basics
• The Internal Audit Process
• Common Internal Audit Observations
• Wrap Up – What Are Your Compliance Responsibilities?
Welcome to a Compliance Brown Bag Lunch Event
• Information about these events:
  • Informal (bring your lunch!) training or informative sessions that cover a variety of compliance-related topics.
  • Open to all University community members, but each event will typically have a “target audience”.
  • If you like what you hear, don’t be afraid to ask for a repeat presentation in your own department.
  • E-mail notifications of future events available – please contact boyd.kumher@case.edu to be added to the distribution list.
Presentation Evaluation and Compliance Program Survey Tool
• Presentation Evaluation
  • Give us feedback so that we may enhance our performance and better select topics to meet your needs.
  • May be completed anonymously.
• Compliance Program Survey Tool
  • Help us understand the University’s culture of compliance.
  • May be completed more than once per year.
  • May be completed anonymously.
Purpose of the University Compliance Program
• Develop and maintain an operational structure that outlines, documents and supports the University’s compliance efforts.
• Coordinate compliance efforts and assess University-wide compliance.
• Encourage compliance by providing support, training, and educational resources.
Internal Audit
• The Institute of Internal Auditors defines Internal Auditing as…
  • "An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
• Recognized need for good corporate governance.
  • 2010, Former University of Louisville dean sentenced to 5 years in prison after conviction in a $2.3 million fraud case.
  • 2011, Former La Salle University food service director sentenced to 4 to 9 years in prison after conviction in a $5.6 million fraud case.
  • 2011, Two former Southern University employees charged in alleged $157,000 shell company scheme.
Presenter
2012-07-19 09:44:20
--------------------------------------------
Brian starts

Meet the Deloitte Team


Meet the Deloitte Internal Audit Team
Core Team:
• David Stahler – Lead Engagement Partner, Deloitte & Touche LLP, Cleveland, Ohio, +1 216 589 1406
• Tina Griffiths – Engagement Senior Manager, Deloitte & Touche LLP, Cleveland, Ohio, +1 216 589 5717
• Kevin Fechter – Engagement Senior Manager, Deloitte & Touche LLP, Cleveland, Ohio, +1 216 589 1414
• Brian Bartos – Engagement Senior Consultant, Deloitte & Touche LLP, Cleveland, Ohio, +1 216 589 5814
• Theresa Cui – Engagement Consultant, Deloitte & Touche LLP, Cleveland, Ohio, +1 216 589 5018
• Joe Trela – Engagement Consultant, Deloitte & Touche LLP, Cleveland, Ohio, +1 216 830 6025

Advisory Team:
• Kathie Schwerdtfeger – Higher Education Advisory Principal, Deloitte & Touche LLP, Austin, Texas, +1 512 691 2333
• Glenn Yauch – IT Advisory Principal, Deloitte & Touche LLP, Cleveland, Ohio, +1 216 589 1432
Overview of Internal Audit
Overview of the CWRU / Deloitte Relationship

• Background Information
• Engaged with CWRU since August 2008
• Currently engaged through June 2012
• Reporting Structure
• Administratively – John Sideras, Chief Financial Officer
• Functionally – Audit Committee of the Board of Trustees
• Contact Information
• We maintain a full-time on campus presence within the
BioEnterprise Building (Corner of Cedar and MLK)
• Phone Number: 216-368-4309
• Email: internalaudit@case.edu
Overview of the CWRU / Deloitte Relationship

• Major Responsibilities
• Conduct annual enterprise-wide risk assessment
• Develop annual audit plan
• Perform reviews noted in the annual audit plan
• Follow-up on the implementation status of previously mutually agreed
upon recommendations for improvement
• Special ad-hoc projects at the request of executive management
• Assist in monitoring and facilitating the Integrity Hotline
• Communicate with executive management and the Audit Committee

Please note: Unless you are an executive or an executive administrative assistant, we do not
routinely audit your PCard / Reimbursement activity. These transactions are monitored by Kevin
Dwenger and Michael Kurutz respectively.
Presenter
2012-07-19 09:44:22
--------------------------------------------
Tina starts

Risk and Internal Controls Basics


What is Risk?

Risk* is “any event that can adversely affect the achievement of your objectives.”

* Internal Control – Integrated Framework, Committee of Sponsoring Organizations (COSO) of the Treadway Commission

Risk Types:
• Credit
• Organizational
• Position/Financial
• Operational
• Strategic
• Human
• Environmental
• Political
• Reputation
• Governance
• Technological
Techniques for Managing Risk

• Avoid: Redesign the process to avoid particular risks with the plan of
reducing overall risk.

• Diversify: Spread the risk among numerous assets or processes to reduce the
overall risk of loss or impairment.

• Share: Distribute a portion of the risk through a contract with another party, such
as insurance.

• Transfer: Distribute all of the risk through a contract with another party, such as
outsourcing.

• Accept: Allow minor risks to exist to avoid spending more on managing the
risks than the potential harm.

• Control: Design activities to prevent, detect or contain adverse events or to
promote positive outcomes.
What is Internal Control?
• Internal control means different things to different people

• Authoritative guidance defines Internal Control* as a process designed to
provide reasonable assurance regarding the achievement of business objectives.

• Internal control has three main objectives:
  • To promote effectiveness and efficiency of operations
  • To ensure reliability of financial reporting
  • To maintain compliance with applicable laws and regulations

* Internal Control – Integrated Framework, Committee of Sponsoring Organizations (COSO) of the Treadway Commission
Why is Internal Control Important?

Operations
• Promotes efficiency and effectiveness of operations through standardized processes
• Ensures the safeguarding of assets through control activities

Financial
• Promotes integrity of data used in making business decisions
• Assists in fraud prevention and detection through the creation of an auditable trail of evidence

Compliance
• Helps maintain compliance with laws and regulations through periodic monitoring
Internal Control Definitions
Control Objectives
A goal of management (i.e., management directive). Control objectives pertain to
various principal business process categories. Control objectives may be related to
compliance with laws and regulations or the effectiveness and efficiency of the
organization’s operations.
Example: Purchase orders are placed only for approved requisitions.

Control Activities
Policies and procedures designed to help ensure that management directives are
carried out. They help ensure that necessary actions are taken to address risks of
not achieving the entity’s objectives. The control activities relevant to an audit of
financial statements are those that prevent or detect, on a timely basis, material
misstatements in the financial statements or unauthorized disposition of assets or
incurrence of liabilities.
Example: Purchase orders are reviewed and approved by management prior
to mailing to the supplier.
Preventive Controls
Control activities established to prevent an error or misstatement in the financial
statements. Typically these controls will be upstream at the front-end of a process
or sub-process.
Example: The ability to create a purchase order is appropriately restricted by job
responsibility.

Detective Controls
Control activities designed to detect an error or misstatement in the financial
statements. These controls usually consist of performing reconciliations,
management review or analysis and typically occur downstream in the process.
Example: On a periodic basis, an analysis is performed to identify invoices
received without a corresponding approved purchase requisition or purchase orders
created AFTER the invoice date.
Roles and Responsibilities
Executive Management (Including the University Compliance Officer)
• Sets the standard for the control environment
• Maintains ultimate accountability for internal control and risk
management enterprise wide
• Supports control and risk management activities throughout the organization

Operating Management
• Directly responsible and accountable for business operations effectiveness
and internal control related to business objectives
• Periodically assess departmental risk management practices and
control environment
• Develops and implements action plans for improvement
Internal Audit
• Provides support for risk and control assessment activities
• Monitors exposure of the organization and makes recommendations relating to
risk and control activities
• Designs internal audit plan based on strategic risk assessment
• Tests adequacy and effectiveness of controls
• Challenges and validates management control environment assertions
• Reports independent findings and provides recommendations

Audit Committee
• Focuses board attention
• Evaluates overall risk exposure
• Reviews adequacy of overall control environment
• Provides oversight and advice
External Audit
• Evaluates the effectiveness of internal control to determine the scope of
external audit procedures
• Issues management commentary reports
• Issues an opinion on the consolidated financial statements
• Reviews control environment and uses results of risk assessments as input to
develop external audit plan
Presenter
2012-07-19 09:44:28
--------------------------------------------
Brian starts

The Internal Audit Process

Expectations for the Auditee
• Expect to be contacted prior to the commencement of a scheduled audit project

• Expect to understand the audit's purpose and objective

• Expect to provide your ideas or concerns regarding the audit

• Expect to be treated with respect and courtesy

• Expect to be asked for various financial and department documentation; some
may be confidential

• Expect confidential information to remain confidential

• Expect to answer all questions honestly

• Expect to receive a draft copy of the Final Audit Report prior to its release
How to Prepare for an Audit
• Have all requested materials/records ready when requested

• Organize files so we minimize disruption of your day

• Provide complete files

• Please make yourself available during the time of the audit and communicate
any planned absences

• Provide work space for auditors if requested


Audit Steps

• Step 1: Planning - The auditor will review any prior audits in your area and
professional literature. The auditor will also research applicable policies and
statutes and prepare a basic audit program to follow.
• Step 2: Notification - The Office of Audit Services will notify the appropriate
department or department personnel regarding the upcoming audit and its
purpose, at which time an opening meeting will be scheduled.
• Step 3: Opening Meeting - This meeting will include management and any
administrative personnel involved in the audit. The audit's purpose and objective
will be discussed as well as the audit program. The audit program may be adjusted
based on information obtained during this meeting.
• Step 4: Fieldwork - This step includes the testing to be performed as well as
interviews with appropriate department personnel.
• Step 5: Report Drafting - After the fieldwork is completed, a report is drafted. The
report includes such areas as the objective and scope of the audit, relevant
background, and the findings and recommendations for correction or improvement.
• Step 6: Management Response - A draft audit report will be submitted to the
management of the audited area for their review and responses to the
recommendations. Management responses should include their action plan
for correction.
• Step 7: Closing Meeting - This meeting is held with department management. The
audit report and management responses will be reviewed and discussed. This is the
time for questions and clarifications. Results of other audit procedures not discussed
in the final report will be communicated at this meeting.
• Step 8: Final Audit Report Distribution - After the closing meeting, the final audit
report with management responses is distributed to department personnel involved in
the audit, the Chief Financial & Administrative Officer, and our external accounting
firm.
• Step 9: Follow-up - Approximately 6-9 months after the audit report is issued, the
Office of Audit Services will perform a follow-up review. The purpose of this review
is to conclude whether or not the corrective actions were implemented.
Common Internal Audit Observations

Common Internal Audit Observations
1. Segregation of Duties
  • Ensure tasks and process flows have a check and balance. For example:
    • A person who is responsible for collecting payments should not be responsible for creating the deposit and reconciling to source documents.
2. Lack of Written Policies and Procedures (Departmental)
  • Major business transactions and related internal controls of a department's operations should be clearly documented, periodically reviewed and updated.
3. Lack of Awareness of Centralized University Policies
4. Lack of Formally Documented Approvals
  • Evidence should be maintained to document independent approvals (e.g. reconciliations, departmental financial statements, etc.)
5. Absence of Supporting Documentation
  • Transactions should be appropriately supported by documentation. For example:
    • Manual Journal Entries: Purpose, related source documents, approvals
    • Purchases: Requisition, competitive bidding, purchase order, invoice, approvals
Common Internal Audit Observations
7. Lack of Properly Safeguarding University Assets
  • In more than one department we have noted cash/checks that were not properly safeguarded.
8. Inappropriate Information Security Access
  • Critical or sensitive information should be appropriately restricted based on job duties.
9. Inaccurate Financial Reporting
  • Examples include:
    • Expenses
      • Invoices – Not recorded as a liability upon commitment
      • Overtime – Not approved timely
    • Revenue
      • Receivables – Not recorded in PeopleSoft (booked when cash is received)
      • Income – Recorded as an offset to an expense account (500000 – 599999) rather than to an income account (400000 – 499999)
Presenter
2012-07-19 09:44:32
--------------------------------------------
Boyd starts

Wrap Up
What Are Your Compliance Responsibilities?

• Understand and adhere to the laws, regulations and institutional policies that relate to your work.
• Report non-compliance or suspected non-compliance immediately.
  • Supervisor
  • Compliance Officer (216-368-0833)
  • Integrity Hotline (Can be Anonymous)
    • Web: https://www.caseintegrityhotline.com/
    • Phone: 1-866-483-9367