AUDIT and INTERNAL CONTROL Conf. univ. dr. Camelia Dobroţeanu Prof. univ. dr. Laurenţiu...

1

AUDIT and INTERNAL CONTROL

Conf. univ. dr. Camelia DobroţeanuProf. univ. dr. Laurenţiu Dobroţeanu

Master Aprofundat 2009-2010

2

Detailed requirements:Study materials:

Brink’s Modern Internal Auditing, R. Moeller, ed. Wiley, ediţia 6, 2005

Sawyer’s Internal Auditing, L. B. Sawyer et. al, IIA, ediţia 5, 2005

Managing the audit function: a corporate audit department procedures guide, M.P. Cangemi, T. Singleton, Ed. Wiley, ediţia 3, 2003

Audit Intern, C. L. Dobroţeanu, L. Dobroţeanu, ed. InfoMega, 2007

Audit: concepte şi practici. O abordare naţională şi internaţională, L. Dobroţeanu, C. L. Dobroţeanu, Ed. Economică, 2002

Teoria şi practica auditului intern, J. Renard, Ministerul Finanţelor, 2002

Marking:

Workshop 30%

Written examination 70%

3

Syllabus:

I. The system of internal control: conceptual

framework, principles, models (2 lectures)

II. Risk management (1 lecture)

III. Fraud: detection and prevention (1 lecture)

IV. Audit - internal control relationships (1.5 lectures)

V. Audit – internal control – corporate governance (0.5 lectures)

4

I. Internal Control System

Lecture overview:1. Importance of IC2. Fundamentals of IC3. Essential IC techniques4. COSO framework5. IC assessment: SOX

5

I.1. Importance of IC

Definition: “IC reflects any action taken by the board, management etc. to improve the risk management and to increase the likelihood that the organization meets its objectives”

Can we define a good IC?

6

I.1. Importanţa CI

Good IC if:Accomplishes its stated mission; Produces accurate and reliable data;Complies with applicable laws and organization policies;Provides for economical and efficient use of resources;Provides for appropriate safeguarding of assets.

7

I.2. Fundamentals of IC

acceleratorbrake

steering wheel

driver

8


Controller

Standard

Communicator

Detector/Senzor

1. Performance

Indicator

2. Benchmark

3. Signals departures

4. Transmits messages

9


Monitor/measure control element

Are controls within standards?

Correct CE

Monitor to make sure corrections are

working

Continue monitoring CE

NO YES

10

I.3. Essential IC techniques

1.

•Prevention controls

2.

•Detection controls

3.

•Corrective controls

11

I.3. Essential IC techniques

Steering controls

Yes/No Controls

Post-Action Controls

e.g. macro-economic trends

e.g. Authorization,

approval

e.g. after dismissal of an

employee

12

WORKSHOP

Case study: ................

13

I.4. COSO Framework

IMA

AICPA

IIA

AAA

FEI

COSO:

14

I.4. COSO Framework

Internal Control: Integrated FrameworkIC – a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives of the following categories:

Effectiveness and efficiency of operationsReliability of financial reportingCompliance with applicable laws and regulations

15

I.4. COSO Framework

Monitoring

Control activities

Risk assessment

Control environment

Comm

unicationICS

16

I.4. COSO Frameworka. Control environment:

Integrity and ethical valuesProfessional competenceBoard and audit committeeManagement philosophy and operating styleOrganizational structureAssignment of authority and responsibilityHuman resources policies and practices:

RecruitmentNew employee orientationEvaluation, promotion, compensationDisciplinary actions

Monitorizare

Activităţi de control

Evaluarea riscurilor

Mediul de control

17

I.4. COSO Framework

b. Risk assessment:3-step process:

Identification of significant risksAssess the risk likelihood or frequencyConsider the appropriate actions to manage the risk

Monitorizare



Mediul de control

18

I.4. COSO Framework

b. Risk assessment (cont.):Types of risks:

Organizational risks from external factorsOrganizational risks from internal factorsSpecific activity-level risks

Monitorizare



Mediul de control

19

I.4. COSO Framework

c. Control activitiesTypes of control activities:

top-level reviews direct functional or activity management information processing physical controls performance indicators segregation of duties

Monitorizare



Mediul de control

20

I.4. COSO Framework

c. Control activities (cont.)Integration of control activities with risk assessmentControls over information systems

general controls – applied to overall information systems application controls – applied to specific sections of the system

Monitorizare



Mediul de control

21

I.4. COSO Framework

d. CommunicationRelationship of information and ICMeans and methods of communication

Monitorizare



Mediul de control

22

I.4. COSO Framework

e. MonitoringOngoing monitor activities:

operating management normal functions communications from external parties organizational structures and supervisory activities physical inventories and asset reconciliation

Monitorizare



Mediul de control

23

I.4. COSO Framework

e. Monitoring (cont.)Separate evaluation of IC

ReviewsInternal audit: compliance, peer reviewSelf-assessmentExternal evaluationAction plan

Reporting IC deficienciesTo whom?How?

Monitorizare



Mediul de control

24

I.5. IC ASSESSMENT: SOX- TO BE PREPARED BY STUDENTS -

25

WORKSHOP

Case study: Pam-Pam or Keos

26

II. Risk Management

II.1. ERM frameworkII.2. COSO: IC framework – ERM

framework

27

II.1. ERM framework

• 2001 – PWC: developed a framework for ERM assessment – completed in 2004

28

II.1. ERM framework

ERM: A process implemented by the board, management and other staff at enterprise strategic level with a view:– To identify events that could adversely affect the

organization;– To manage the risks within the risk appetite

limits – To obtain a reasonable assurance that the

organization’s objectives are achievable.

29

II.1. ERM framework

Organization’s objectives:• Strategic

• Operational • Reporting

• Compliance

30

II.1. ERM framework

Components of ERM framework:1. Internal environment2. Setting the objectives3. Identification of events4. Risk assessment5. Risk response: AARS (avoid, accept, reduce,

share) 6. Control activities7. Information and communication8. Monitoring

31

II.1. ERM framework

Objectives – components relationships:

Internal Environment

Identification of events

Risk assessment

Risk response

Control activities

Inf.&Communic.Monitoring

Stra

tegi

cOpe

ration

al

Rapor

ting

Com

plia

nce

Org

an

izatio

nD

ivis

ion

Bu

sin

ess u

nit

Bra

nch

32

II.1. ERM framework

ERM effectiveness:a. Effective functioning of the 8

components:– There are no material deficiencies

and– Risks managed within the risk appetite

limits

33

II.1. ERM framework

Effectiveness of ERM (cont.)b. Objectives:

–governance structures know whether the objectives are achievable

34

II.1. ERM framework

Governance structures’ role:– Supervision of ERM

• Understand the risks and risk response

• Know to what extent the management has implemented an effective ERM

• Review the risk portfolio against the risk appetite

• Monitor the revision of material risk indicators

35

II.1. ERM framework

COSO responses related ERM – current financial crises:– Reconsideration of current ERM and assessment

of risk appetite

ERM is an integral component of internal control!

36

II.2. COSO: IC – ERM frameworks

• Are there any differences?– ERM: risk based assessment– COSO-CI: IC framework

• ERM – IC framework components: similar(environment, monitoring, communication and

information, etc.)• Is ERM an improved version of IC

framework?• The controversial role of internal auditors:

– ERM seem to provide assurance that risks are managed!

37

III. Fraud: detection and prevention

38

Lecture outlines:

1. The concept of fraud

2. Responsibilities for fraud

prevention&detection - DPF

2.1. Risk of fraud assessment - EFR

2.2. “Audit of fraud” and IIA requirements

39


Illegal actions – deception, betrayal

Does not necessarily imply the use of force or force threats

Actions done purposely:

to obtain financial benefits

to avoid the payment for or the opportunity lost of a financial/personal benefit

40


Benefits:

• direct – e.g.: money

• indirect – e.g.: promotion, power,

influence.

41

1. The concept of fraudFrauds committed in the organization’s

benefit: Sale of fictitious assets;

Forbidden payments: illegal financing of political campaigns, bribery, etc.;

False statement/misuses of transactions;

Incorrect assessment of transfer prices (for assets exchanged between members of the same group).

42


Frauds committed in the organization’s benefit (cont.):

misrecording or misreporting of transactions to

mislead users of financial reports;

Illegal commercial activities;

Tax frauds.

43


Frauds committed in the organization’s

detriment:

Acceptance of bribery;

Unlawful seizure of profitable transactions by an employee;

Invoicing goods or services which were actually not provided to the company.

44


Frauds committed in the organization’s detriment(cont.):

Misuse of resources or falsification of accounting records;

Intentional omission or misleading interpretation of events or transactions.

45


Indications of fraud (Simmons):

intentionally

trust

Injury

Victim

Action

46


Frauds (Simmons):Bribery: offering, acceptance, requesting;Theft;Conflict of interest;False statements;Swindle;Mail and internet frauds;Conspiracy;Brake of financial obligations provided by

agreements;Embezzlement.

47

2. Responsibilities for DPF

Fraud

48


Board + AC – supervise:

antifraud programmes and controls, including identification of fraud risk and implementation of antifraud actions;

the risk of controls avoidance and inappropriate management influence;

whistle-blowing mechanisms;

49

2. Responsibilities for DPFBoard + AC – supervise (cont.):

regular reporting: nature, stage and actions taken for detected frauds;

IA plan: risk of fraud and whistle-blowing channels for IA;

involvement of independent experts in investigations of frauds.

50


IA role – to answer to questions like:

What is the risk of fraud within the organization?

What are the programs and internal controls that have been implemented to face these risks?

What is IA doing to PDRF before it leads to corporate scandals?

51

2.1. Assessment of the risk of fraud

IA role – the process of ARF:

Organize the assessment process – integration of ARF within the current risks assessment process / setting up a separate process.

Identify the areas to be assessed - ARF at each of the following level:

organization, units, operations (accounts, etc.); complex transactions (e.g. acquisitions, mergers, combinations, etc.)

52


IA role – the process of ARF (cont.):

Identify the possible scenarios: the organization commits frauds or suffer injuries due to other’s frauds? How? DB – specific issues;

Assess the likelihood of fraud commitment.

scale used for assessmentUS practice: three level qualitative values

Assess the relevance of the RF: Impact of RF RR = Impact X LikelihoodUS practice: RR ≥ average – considered by IA

53


IA role – the process of ARF(cont.):Identify and assess the associated internal controls

Avoidance / ignorance of internal controls

Identify internal controls unable to mitigate the RF

Integrate the ARF results within the audit plan: a separate section dedicated to audit of fraud based on residual risk

54

2.2. Audit of fraud

G.1210-A2.2 – Responsibilities for fraud detection (FD): – FD = identification of fraud indications sufficient

to request an investigation.

IA responsibilities:To have sufficient and appropriate knowledge regarding the fraud indications:

The basic elements of a fraud, Techniques used,Types of frauds particular for the audited areas;

55

2.2. Audit of fraud

Responsabilităţile AI (cont.):să fie vigilent deficienţele SCI:

prezenţa mai multor indicii, simultan, creşte probabilitatea ca o fraudă să fi fost comisă;

să evalueze indiciile unei fraude şi să decidă dacă sunt necesare alte măsuri sau să se recomande o anchetă;să înştiinţeze autorităţile competente din cadrul entităţii.

56

G. 1210.A2-1, Fraud detection

IA responsibilities:

To investigate and assess the existence and importance of eventual associations to commit frauds;

To establish the required knowledge, abilities and other competencies to conduct an investigation;

To set up procedures to be followed in order to identify the fraud authors, the fraud scope, the reasons, impacts, and the techniques used;

2.2. Audit of fraud

57

2.2. Audit of fraud

IA responsibilities:

To coordinate its activities during the investigation with management, legal advisors, and any other expert involved;

To be aware of the rights of the supposed authors of fraud.

58

2.2. Audit of fraud

G 1210.A2-1, Fraud detection: Reporting the results of an audit of fraud engagement – issues to be considered:

Recommendations for implementation and/or strengthening the internal controls;

Design audit test that would allow future detection of similar frauds;

The need to set up a knowledge file related to the risk of fraud;

Privileged information.

59

2.2. Audit of fraud

IIAS 2400:

Immediate reporting to the executive management and the board:

If a relevant fraud has been detected – high certainty;

The fraud has had an adverse significant impact on the financial position and financial results reported for the previous years.

AUDIT and INTERNAL CONTROL Conf. univ. dr. Camelia Dobroţeanu Prof. univ. dr. Laurenţiu...

Documents

Transcript of AUDIT and INTERNAL CONTROL Conf. univ. dr. Camelia Dobroţeanu Prof. univ. dr. Laurenţiu...