audit and internal control conf. univ. dr. camelia dobroţeanu prof. univ. dr. laurenţiu...
TRANSCRIPT
1
AUDIT and INTERNAL CONTROL
Conf. univ. dr. Camelia DobroţeanuProf. univ. dr. Laurenţiu Dobroţeanu
Master Aprofundat 2009-2010
2
Detailed requirements:Study materials:
Brink’s Modern Internal Auditing, R. Moeller, ed. Wiley, ediţia 6, 2005
Sawyer’s Internal Auditing, L. B. Sawyer et. al, IIA, ediţia 5, 2005
Managing the audit function: a corporate audit department procedures guide, M.P. Cangemi, T. Singleton, Ed. Wiley, ediţia 3, 2003
Audit Intern, C. L. Dobroţeanu, L. Dobroţeanu, ed. InfoMega, 2007
Audit: concepte şi practici. O abordare naţională şi internaţională, L. Dobroţeanu, C. L. Dobroţeanu, Ed. Economică, 2002
Teoria şi practica auditului intern, J. Renard, Ministerul Finanţelor, 2002
Marking:
Workshop 30%
Written examination 70%
3
Syllabus:
I. The system of internal control: conceptual
framework, principles, models (2 lectures)
II. Risk management (1 lecture)
III. Fraud: detection and prevention (1 lecture)
IV. Audit - internal control relationships (1.5 lectures)
V. Audit – internal control – corporate governance (0.5 lectures)
4
I. Internal Control System
Lecture overview:1. Importance of IC2. Fundamentals of IC3. Essential IC techniques4. COSO framework5. IC assessment: SOX
5
I.1. Importance of IC
Definition: “IC reflects any action taken by the board, management etc. to improve the risk management and to increase the likelihood that the organization meets its objectives”
Can we define a good IC?
6
I.1. Importanţa CI
Good IC if:Accomplishes its stated mission; Produces accurate and reliable data;Complies with applicable laws and organization policies;Provides for economical and efficient use of resources;Provides for appropriate safeguarding of assets.
7
I.2. Fundamentals of IC
acceleratorbrake
steering wheel
driver
8
I.2. Fundamentals of IC
Controller
Standard
Communicator
Detector/Senzor
1. Performance
Indicator
2. Benchmark
3. Signals departures
4. Transmits messages
9
I.2. Fundamentals of IC
Monitor/measure control element
Are controls within standards?
Correct CE
Monitor to make sure corrections are
working
Continue monitoring CE
NO YES
10
I.3. Essential IC techniques
1.
•Prevention controls
2.
•Detection controls
3.
•Corrective controls
11
I.3. Essential IC techniques
Steering controls
Yes/No Controls
Post-Action Controls
e.g. macro-economic trends
e.g. Authorization,
approval
e.g. after dismissal of an
employee
12
WORKSHOP
Case study: ................
13
I.4. COSO Framework
IMA
AICPA
IIA
AAA
FEI
COSO:
14
I.4. COSO Framework
Internal Control: Integrated FrameworkIC – a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives of the following categories:
Effectiveness and efficiency of operationsReliability of financial reportingCompliance with applicable laws and regulations
15
I.4. COSO Framework
Monitoring
Control activities
Risk assessment
Control environment
Comm
unicationICS
16
I.4. COSO Frameworka. Control environment:
Integrity and ethical valuesProfessional competenceBoard and audit committeeManagement philosophy and operating styleOrganizational structureAssignment of authority and responsibilityHuman resources policies and practices:
RecruitmentNew employee orientationEvaluation, promotion, compensationDisciplinary actions
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
17
I.4. COSO Framework
b. Risk assessment:3-step process:
Identification of significant risksAssess the risk likelihood or frequencyConsider the appropriate actions to manage the risk
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
18
I.4. COSO Framework
b. Risk assessment (cont.):Types of risks:
Organizational risks from external factorsOrganizational risks from internal factorsSpecific activity-level risks
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
19
I.4. COSO Framework
c. Control activitiesTypes of control activities:
top-level reviews direct functional or activity management information processing physical controls performance indicators segregation of duties
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
20
I.4. COSO Framework
c. Control activities (cont.)Integration of control activities with risk assessmentControls over information systems
general controls – applied to overall information systems application controls – applied to specific sections of the system
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
21
I.4. COSO Framework
d. CommunicationRelationship of information and ICMeans and methods of communication
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
22
I.4. COSO Framework
e. MonitoringOngoing monitor activities:
operating management normal functions communications from external parties organizational structures and supervisory activities physical inventories and asset reconciliation
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
23
I.4. COSO Framework
e. Monitoring (cont.)Separate evaluation of IC
ReviewsInternal audit: compliance, peer reviewSelf-assessmentExternal evaluationAction plan
Reporting IC deficienciesTo whom?How?
Monitorizare
Activităţi de control
Evaluarea riscurilor
Mediul de control
24
I.5. IC ASSESSMENT: SOX- TO BE PREPARED BY STUDENTS -
25
WORKSHOP
Case study: Pam-Pam or Keos
26
II. Risk Management
II.1. ERM frameworkII.2. COSO: IC framework – ERM
framework
27
II.1. ERM framework
• 2001 – PWC: developed a framework for ERM assessment – completed in 2004
28
II.1. ERM framework
ERM: A process implemented by the board, management and other staff at enterprise strategic level with a view:– To identify events that could adversely affect the
organization;– To manage the risks within the risk appetite
limits – To obtain a reasonable assurance that the
organization’s objectives are achievable.
29
II.1. ERM framework
Organization’s objectives:• Strategic
• Operational • Reporting
• Compliance
30
II.1. ERM framework
Components of ERM framework:1. Internal environment2. Setting the objectives3. Identification of events4. Risk assessment5. Risk response: AARS (avoid, accept, reduce,
share) 6. Control activities7. Information and communication8. Monitoring
31
II.1. ERM framework
Objectives – components relationships:
Internal Environment
Identification of events
Risk assessment
Risk response
Control activities
Inf.&Communic.Monitoring
Stra
tegi
cOpe
ration
al
Rapor
ting
Com
plia
nce
Org
an
izatio
nD
ivis
ion
Bu
sin
ess u
nit
Bra
nch
32
II.1. ERM framework
ERM effectiveness:a. Effective functioning of the 8
components:– There are no material deficiencies
and– Risks managed within the risk appetite
limits
33
II.1. ERM framework
Effectiveness of ERM (cont.)b. Objectives:
–governance structures know whether the objectives are achievable
34
II.1. ERM framework
Governance structures’ role:– Supervision of ERM
• Understand the risks and risk response
• Know to what extent the management has implemented an effective ERM
• Review the risk portfolio against the risk appetite
• Monitor the revision of material risk indicators
35
II.1. ERM framework
COSO responses related ERM – current financial crises:– Reconsideration of current ERM and assessment
of risk appetite
ERM is an integral component of internal control!
36
II.2. COSO: IC – ERM frameworks
• Are there any differences?– ERM: risk based assessment– COSO-CI: IC framework
• ERM – IC framework components: similar(environment, monitoring, communication and
information, etc.)• Is ERM an improved version of IC
framework?• The controversial role of internal auditors:
– ERM seem to provide assurance that risks are managed!
37
III. Fraud: detection and prevention
38
Lecture outlines:
1. The concept of fraud
2. Responsibilities for fraud
prevention&detection - DPF
2.1. Risk of fraud assessment - EFR
2.2. “Audit of fraud” and IIA requirements
39
1. The concept of fraud
Illegal actions – deception, betrayal
Does not necessarily imply the use of force or force threats
Actions done purposely:
to obtain financial benefits
to avoid the payment for or the opportunity lost of a financial/personal benefit
40
1. The concept of fraud
Benefits:
• direct – e.g.: money
• indirect – e.g.: promotion, power,
influence.
41
1. The concept of fraudFrauds committed in the organization’s
benefit: Sale of fictitious assets;
Forbidden payments: illegal financing of political campaigns, bribery, etc.;
False statement/misuses of transactions;
Incorrect assessment of transfer prices (for assets exchanged between members of the same group).
42
1. The concept of fraud
Frauds committed in the organization’s benefit (cont.):
misrecording or misreporting of transactions to
mislead users of financial reports;
Illegal commercial activities;
Tax frauds.
43
1. The concept of fraud
Frauds committed in the organization’s
detriment:
Acceptance of bribery;
Unlawful seizure of profitable transactions by an employee;
Invoicing goods or services which were actually not provided to the company.
44
1. The concept of fraud
Frauds committed in the organization’s detriment(cont.):
Misuse of resources or falsification of accounting records;
Intentional omission or misleading interpretation of events or transactions.
45
1. The concept of fraud
Indications of fraud (Simmons):
intentionally
trust
Injury
Victim
Action
46
1. The concept of fraud
Frauds (Simmons):Bribery: offering, acceptance, requesting;Theft;Conflict of interest;False statements;Swindle;Mail and internet frauds;Conspiracy;Brake of financial obligations provided by
agreements;Embezzlement.
47
2. Responsibilities for DPF
Fraud
48
2. Responsibilities for DPF
Board + AC – supervise:
antifraud programmes and controls, including identification of fraud risk and implementation of antifraud actions;
the risk of controls avoidance and inappropriate management influence;
whistle-blowing mechanisms;
49
2. Responsibilities for DPFBoard + AC – supervise (cont.):
regular reporting: nature, stage and actions taken for detected frauds;
IA plan: risk of fraud and whistle-blowing channels for IA;
involvement of independent experts in investigations of frauds.
50
2. Responsibilities for DPF
IA role – to answer to questions like:
What is the risk of fraud within the organization?
What are the programs and internal controls that have been implemented to face these risks?
What is IA doing to PDRF before it leads to corporate scandals?
51
2.1. Assessment of the risk of fraud
IA role – the process of ARF:
Organize the assessment process – integration of ARF within the current risks assessment process / setting up a separate process.
Identify the areas to be assessed - ARF at each of the following level:
organization, units, operations (accounts, etc.); complex transactions (e.g. acquisitions, mergers, combinations, etc.)
52
2.1. Assessment of the risk of fraud
IA role – the process of ARF (cont.):
Identify the possible scenarios: the organization commits frauds or suffer injuries due to other’s frauds? How? DB – specific issues;
Assess the likelihood of fraud commitment.
scale used for assessmentUS practice: three level qualitative values
Assess the relevance of the RF: Impact of RF RR = Impact X LikelihoodUS practice: RR ≥ average – considered by IA
53
2.1. Assessment of the risk of fraud
IA role – the process of ARF(cont.):Identify and assess the associated internal controls
Avoidance / ignorance of internal controls
Identify internal controls unable to mitigate the RF
Integrate the ARF results within the audit plan: a separate section dedicated to audit of fraud based on residual risk
54
2.2. Audit of fraud
G.1210-A2.2 – Responsibilities for fraud detection (FD): – FD = identification of fraud indications sufficient
to request an investigation.
IA responsibilities:To have sufficient and appropriate knowledge regarding the fraud indications:
The basic elements of a fraud, Techniques used,Types of frauds particular for the audited areas;
55
2.2. Audit of fraud
Responsabilităţile AI (cont.):să fie vigilent deficienţele SCI:
prezenţa mai multor indicii, simultan, creşte probabilitatea ca o fraudă să fi fost comisă;
să evalueze indiciile unei fraude şi să decidă dacă sunt necesare alte măsuri sau să se recomande o anchetă;să înştiinţeze autorităţile competente din cadrul entităţii.
56
G. 1210.A2-1, Fraud detection
IA responsibilities:
To investigate and assess the existence and importance of eventual associations to commit frauds;
To establish the required knowledge, abilities and other competencies to conduct an investigation;
To set up procedures to be followed in order to identify the fraud authors, the fraud scope, the reasons, impacts, and the techniques used;
2.2. Audit of fraud
57
2.2. Audit of fraud
IA responsibilities:
To coordinate its activities during the investigation with management, legal advisors, and any other expert involved;
To be aware of the rights of the supposed authors of fraud.
58
2.2. Audit of fraud
G 1210.A2-1, Fraud detection: Reporting the results of an audit of fraud engagement – issues to be considered:
Recommendations for implementation and/or strengthening the internal controls;
Design audit test that would allow future detection of similar frauds;
The need to set up a knowledge file related to the risk of fraud;
Privileged information.
59
2.2. Audit of fraud
IIAS 2400:
Immediate reporting to the executive management and the board:
If a relevant fraud has been detected – high certainty;
The fraud has had an adverse significant impact on the financial position and financial results reported for the previous years.
60
61
62
63