effective control environments:

Download Effective Control Environments:

Post on 03-Jan-2016

16 views

Category:

Documents

0 download

Embed Size (px)

DESCRIPTION

Effective Control Environments: Getting the most “bang for your buck” through segregation of duties. May 12, 2008. Presented By. Lee S. Buby, CPA Haskell & White LLP SOX 404 Practice Leader lbuby@hwcpa.com. Who We Are: - PowerPoint PPT Presentation

TRANSCRIPT

  • Effective Control Environments: Getting the most bang for your buck through segregation of duties.May 12, 2008

    The Value of Experience

  • Presented ByLee S. Buby, CPAHaskell & White LLPSOX 404 Practice Leaderlbuby@hwcpa.com

  • Haskell & White LLPWho We Are:Headquartered in Irvine, California, with a second office in San Diego, Haskell & White LLP is one of the largest independently owned accounting and business advisory firms in Southern California. For nearly two decades, we have successfully provided a full complement of tax, accounting and auditing services to the region's public and private middle-market companies.

  • Haskell & White LLPCore CompetenciesTax Consulting and Planning Audit and Business Advisory Services SEC Advisory Services Sarbanes-Oxley Compliance Mergers & Acquisitions

  • Haskell & White

    National Resources

    Squeaky Clean 2007 PCAOB Opinion

  • Segregation of Duties

    Definitions and Misconceptions

  • Definitions and Misconceptions (cont.)John Tonsicks keynote address this morning was on FRAUDStatistic referenced: The Association of Certified Fraud Examiners estimates that the average U.S. business loses 5% of its gross revenue to employee fraud and abuse; that comes to about $9 per day, per U.S. employee.

  • Definitions and Misconceptions (cont.)

    This is a big problem.

  • Definitions and Misconceptions (cont.)

    FinancialAnd Emotional Aspects

  • Definitions and Misconceptions (cont.)Hank

  • Definitions and Misconceptions (cont.)Association of Certified Fraud Examiners Stat: After examining 1,100 cases of occupational fraud in 2006, the ACFE said the average theft scheme costs a business about $159,000. About one-quarter of the theft schemes cost a business more than $1 million.

  • Definitions and Misconceptions (cont.)Sadly, by the time a fraud scheme is uncovered, its safe to assume the money has already been spent. So, a lot of businesses hesitate to expend the time and energy to recoup the money. This would be throwing good money after bad

  • Definitions and Misconceptions (cont.)Segregation of Duties (SOD)by definition, is an anti-fraud control. It is, in fact, the most effective anti-fraud control. It prevents a single employee from being able to negatively affect a company. This is the case regardless of whether an employee wishes to do so, or might otherwise do accidentally.

  • Definitions and Misconceptions (cont.)Control TypesThey come in many shapes and sizes: Manual, Automated, Entity-Level, Transaction-Level, and, of course, Preventive and Detective.

  • Definitions and Misconceptions (cont.)Auditing Standard No. 5 Defines each:Preventive controls have the objective of preventing errors or fraud that could result in a misstatement of the financial statements from occurring.Detective controls have the objective of detecting errors or fraud that has already occurred that could result in a misstatement of the financial statements.

  • Definitions and Misconceptions (cont.)My two cents worth:Detective Control An activity that identifies an accounting error, whether intentional or not, after it has been recorded. This is usually a procedure performed external to the processing of transactions, designed specifically to identify errors of a specific nature. Examples: reviews, exception reports, reconciliations, financial analysis, etc.

  • Definitions and Misconceptions (cont.)

    My two cents worth:Preventive Control An activity or environmental condition that does not allow an error, whether intentional or not, to be recorded in an accounting ledger.

  • Definitions and Misconceptions (cont.)The ability to contribute to a control environment more efficiently directly correlates to the cost/benefit effects of the ongoing operation of preventive vs. detective controls.

  • Definitions and Misconceptions (cont.)Because of the preventive nature, proper SOD is the most powerful control an organization can have for either fraud or unintentional errors.

  • Definitions and Misconceptions (cont.)Confucius Say:

  • Definitions and Misconceptions (cont.)Confucius Say:Man who run in front of car get tired.

  • Definitions and Misconceptions (cont.)Confucius Say:Man who run behind car get exhausted.

  • Definitions and Misconceptions (cont.)Moral of the Story:Make sure the Company is the one driving the car, controlling the speed and direction.

  • Definitions and Misconceptions (cont.)Segregation of DutiesNot as simple as it sounds.

  • Definitions and Misconceptions (cont.)Segregation of Duties Process Attributes: AuthorizationCustody of AssetsRecordingControl Activity

  • Definitions and Misconceptions (cont.)Segregation of Abilities Process Attributes: AuthorizationCustody of AssetsRecordingControl Activity

  • Definitions and Misconceptions (cont.)Segregation of Abilities Process Attributes: Authorization and ResponsibilityAccess to potential (personal) benefitRecordingControl Activity

  • Definitions and Misconceptions (cont.)Example of a fraud committed without actual access to an asset:Excerpt from an ACFE article: An internal investigation found [She] stole thousands of dollars a week from the hotel between April 2006 and September 2007. [She] canceled non-existent reservations and ordered refunds to seven different credit cards she opened, stealing $200 to $1,100 at a time until she had taken so much money her managers had to postpone a renovation of the hotel.

  • Definitions and Misconceptions (cont.)

    Deterring the misappropriation of assets

    Deterring the creation of liability=

  • Definitions and Misconceptions (cont.)Segregation of Abilities Process Attributes: Authorization and ResponsibilityAccess to potential (personal) benefitRecording**Control Activity

  • Definitions and Misconceptions (cont.)How many organizations have appropriate segregation of duties?

  • Definitions and Misconceptions (cont.)0

  • Definitions and Misconceptions (cont.)

    In business, ignorance is not bliss.

  • Segregation of Duties

    Control Objectives Taking the prevention of fraud and mistakes seriously.

  • Control Objectives

    How much of your time is spent fixing mistakes?

  • Control Objectives

    NO company grows well in these back-end functions.

  • Control ObjectivesEffective controls help gain efficiencies that allow a company to cut costs and/or position its existing resources to handle foreseeable growth without increasing costs.- The ability to grow WELL -

  • Control ObjectivesThrough the Auditors Goggles

  • Control ObjectivesCompanies seem to think that a formal SOD assessment is not necessary because the concept is so elementary or futile.

  • Control Objectives2. If attempted, done so using very poor assessment tools pulled from national firms rusty, generic template arsenals.

  • Control Objectives3. Management and consultants tend to come to the conclusion that there are few, or no significant SOD issues out of thin air.

  • Control Objectives4. Only the most obvious SOD issues are called out as a result of a walkthrough/process document and are often discounted as unavoidable due to the size of the organization.

  • Control ObjectivesParticularly in 404 implementations: a large portion of controls identified as key are, in effect, a segregation of duties control.As much as 75%, if viewed through our goggles of Segregation of Abilities

  • Control ObjectivesThe Paradigm Shift:Performing an appropriate SOD assessment will actually define and formally identify each of the existing issues and allow management to address them one by one. If the risk of loss (or potential liability) is small, management may choose to accept it, or it may be satisfied that an already existing, detective control is sufficient.

  • Control ObjectivesRemember:The potential for FRAUD is at risk, so identifying ALL possibilities and permutations and then deciding what is or isnt a severe issue is more prudent than presupposing that theres no way a particular process/area could result in a significant occurrence.

  • Segregation of Duties

    Assessment Methods

  • Assessment MethodsFrom:

    To:

  • Assessment Process:Identify all significant accounting-related processes (or, cycles) Break these processes down into sub-process components, both transaction-level and general (i.e. steps in performing a check run vs. vendor creation)

  • Assessment Process:In a two-dimensional manner (one-to-one), compare each step to identify whether an individual performing both processes would have the ability to both obtain personal value and affect the recording of it and highlight the intersection of these functions. This is an area of ideal SOD.

  • Assessment Process:Identify which of these steps requires access, either physical or electronic, to perform. For those steps that require neither, assume anyone can do them.

  • Assessment Process:For those steps that require eitherDetermine who has access to perform each of these stepsWork with IT personnel to determine:Who has write access to these functions (not read-only)

  • Assessment Process:Summarize all of your potential issues (I guarantee there will be many) and identify the reasons why, if any, each issue is effectively mitigated.

  • Assessment Process:For High-Risk Areas:Again, FRAUD is at risk, so identifying significant

View more