Common internal audit findings & how to avoid them

Common Internal Audit Findings & How to Avoid Them April 6, 2016, 10:00 am – 12:00 pm Workshop Conducted by: Surajit Datta



Page 2: Common internal audit findings & how to avoid them

Topics

1. Internal Audit
2. Internal Controls
3. Elements of Internal Controls
4. Audit Findings
5. Common Internal Audit Findings
6. Fraud Indicators
7. How to Avoid Audit Findings

IAD Workshop - 2016

Page 3: Common internal audit findings & how to avoid them

Internal Audit

The Institute of Internal Auditors defines Internal Auditing as…

"An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."


Page 4: Common internal audit findings & how to avoid them

Effects of Internal Control Failures

• 2002 – Enron
Billions of dollars of market value erased. Thousands of jobs lost. Savings wiped out. The Enron failure demonstrated a failure of corporate governance, in which internal control mechanisms were short-circuited by conflicts of interest that enriched certain managers at the expense of the shareholders.

• 2008 – $500 million loss by Merrill Lynch
“several mitigating internal controls were not operating effectively and therefore failed to identify the intercompany difference that resulted in the huge loss” - Deloitte.

Page 5: Common internal audit findings & how to avoid them

What are Internal Controls

A process designed to provide reasonable assurance about the achievement of an entity’s objectives concerning:

• Financial reporting
• Effectiveness of operations
• Compliance with laws and regulations

Page 6: Common internal audit findings & how to avoid them

What are Internal Controls

FINANCIAL
1. Promotes integrity of data used in making business decisions
2. Assists in fraud prevention and detection through the creation of an auditable trail of evidence

COMPLIANCE
Helps maintain compliance with laws and regulations through periodic monitoring

OPERATIONAL
1. Promotes efficiency and effectiveness of operations through standardized processes
2. Ensures the safeguarding of assets through control activities

Effective internal controls prevent fraud, waste, and abuse

Develop internal controls to address the risks identified during your “risk assessment process”

Review and adjust your control activities to ensure they are working

Page 7: Common internal audit findings & how to avoid them

5 Elements of Internal Controls

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

Page 8: Common internal audit findings & how to avoid them

Control Environment

• Tone at the Top
• Commitment to Competence
• Management’s Philosophy/Integrity
• Management’s Direction/Assignment of Responsibility
• Human Resources Policies and Procedures

Page 9: Common internal audit findings & how to avoid them

Risk Assessment

Identify the Risks to Achievement of aswaaq’s Objectives in relation to:

• Reporting
• Financial (Cash Management)
• Operational
• Compliance (with laws and regulations)

Prioritize them (Probability X Impact)

Develop a plan to manage them (Risk Response / Mitigation Action plans or BCPs)

Page 10: Common internal audit findings & how to avoid them

Control Activities

Specific to the company’s operation and may include the following:

• Policies and procedures to protect against fraud, waste, and abuse
• Authorizations and approvals (DOA)
• Verifications (Internal Checks, Checklists, etc.)
• Reconciliations
• Segregation of duties
• Review operational performance

Page 11: Common internal audit findings & how to avoid them

Information & Communication

• Financial Reporting
• Operational Reporting
• Accounting Manual
• Compliance Reporting
• Codes of Conduct
• Keep the communication lines open

Page 12: Common internal audit findings & how to avoid them

Monitoring

• Budget to Actual
• Internal Audits
• Reconciliations to General Ledger
• Management review of controls
• Review of exception reports
• External Audit
• Audit Committee

Page 13: Common internal audit findings & how to avoid them

Result of Audits

Audit Findings Risk assessment

Corrective action required Audit recommendation

A management opportunity Risk response / risk mitigation action plans

Page 14: Common internal audit findings & how to avoid them

Audit findings – What are they?

• Financial misstatement
• Control weakness
• Policy or other rule violations
• Other issues identified during the audit

Page 15: Common internal audit findings & how to avoid them

Internal Control failure profile

• Error: 4%
• Weak Monitoring & Control: 25%
• Non-compliance: 31%
• Others: 27%
• Process design: 10%
• SOD: 3%

weaknesses which may put some of the company objectives at risk that are primarily due to compliance inconsistencies with established policies and procedures, ineffective process design, and weak monitoring

Page 16: Common internal audit findings & how to avoid them

Common Internal Audit Findings

1. Non-compliance of established company policy or statutes

2. Process execution not following the established DOA

3. Segregation of Duties (SOD) Conflict

Ensure tasks and process flows have a check and balance. For example: A person who is responsible for collecting payments should not be responsible for creating the deposit and reconciling to source documents.

4. Lack of sufficient supervision / monitoring

5. Lack of Awareness of Company Policies

Page 17: Common internal audit findings & how to avoid them

Common Internal Audit Findings

6. Lack of Written Policies and Procedures (Departmental)

Major business transactions and related internal controls of a department's operations should be clearly documented, periodically reviewed and updated.

7. Lack of Formally Documented Approvals

Evidence should be maintained to document independent approvals (e.g. reconciliations, departmental financial statements, etc.)

8. Unbudgeted expense

9. Absence of Supporting Documentation

Transactions should be appropriately supported by documentation. For example:

• Journal Entries: Purpose, related source documents, approvals
• Purchases: Requisition, competitive bidding, purchase order, invoice, approvals

Page 18: Common internal audit findings & how to avoid them

Common Internal Audit Findings

10. Lack of Proper Safeguarding of Assets

11. Inappropriate Information Security Access

Critical or sensitive information should be appropriately restricted based on job duties.

12. Inaccurate Financial Reporting

Examples include:

Expenses:
• Invoices: Not recorded as a liability upon commitment
• Overtime: Not approved timely

Revenues:
• Receivables: Not recorded in books (booked when cash is received)
• Income: Recorded as an offset to an expense account rather than to an income account

Page 19: Common internal audit findings & how to avoid them

Fraud Indicators

1. One person in control
2. No separation of duties
3. High turnover of personnel
4. Unexplained entries in records
5. Unusually large amounts of payments for cash
6. Inadequate or missing documentation
7. Altered records (white-out, copies of documents, etc.)
8. Non-serial number transactions
9. Inventories and financial records not reconciled

Page 20: Common internal audit findings & how to avoid them

Fraud Indicators

10. Lack of internal controls/ignoring controls
11. Repeat audit findings
12. Unauthorized transactions
13. Ability to get around internal controls that prevent or detect fraud
14. Inability to judge quality of performance
15. Lack of an audit trail
16. Failure to discipline prior fraud perpetrators

Page 21: Common internal audit findings & how to avoid them

How to Avoid Audit Findings

Internal Audit Report

• Read it and discuss with IAD
• Understand the problem
• Understand the recommended corrective action
• Plan the corrective action steps

• Develop the overall corrective action plan
• Assign overall responsibility
• Assign specific action step responsibilities
• Establish a time line
• Follow up – sustained attention
• Verify completion and effectiveness
• Report to management

Page 22: Common internal audit findings & how to avoid them

How to Avoid Audit Findings

Establish Policies and Procedures

• Write them
• Follow them
• Review and update them as needed

Establish Internal Controls

• Financial
• Operational
• Compliance
• Cash Management