Creating an effective Internal Control Framework. Marcus Guenther CA, MBA

Transcription

1 Creating an effective Internal Control Framework Marcus Guenther CA, MBA

2 Agenda Use of a top-down risk-based approach Understanding internal control design and implementation Understanding the impact of the new CASs Creating a sustainable ICFR framework

3 Is SOX working? Certified fraud examiners 65% say SOX has been "somewhat /very effective" in identifying incidences of financial-statement fraud. 19% say not effective 17% skeptical of any sustained shift to corporate integrity 39% believe interest that exists now for raising corporate integrity/fraud prevention will diminish in next five years. 32% think that stated commitments to adhere to SOX guidelines has already begun to subside. 12% see no change among business leaders.

4 Could Enron happen again? What happened? Madoff Investments Preliminary investigation reveals that $50B fund may never have executed a single trade brokerage statements falsified. Where were the regulators? SEC chairman Christopher Cox admitted that the agency had failed to thoroughly investigate multiple "credible and specific allegations regarding Mr. Madoff's financial wrongdoing Where were the auditors? Audited F/S with auditor s responsibility to detect fraud. How could major firms have missed red flags for years. Fallout Class action lawsuit against Ascot Partners LP which had a $1.8B investment in Madoff and it s auditors-fund

5 Compliance versus continual improvement Compliance overload Regulatory: SOX, Bill 198, continuous and capital disclosure requirements, Basel 2 etc. Accounting: Financial instruments, upcoming IFRS, NFP. A compliance mindset: Focus on reducing costs since little perceived benefits Static; no focus on improving the process Hard to get additional resources or management s interest Competing against value-added projects.

6 Extracts from New Auditors Report Management is responsible for the preparation and fair presentation of these financial statements.and for such internal control as management determines is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity s internal control. 6

7 Why Evaluate Internal Control? CAS The overall objectives of the auditor are to: obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, report on the financial statements, and communicate as required by the CASs, in accordance with the auditor's findings.

8 Clarified Auditing Standards Italics to shalls New structure for auditing standards 1. Introduction 2. Objectives 3. Definitions 4. Requirements (the auditor shall ) 5. Application and Other Explanatory Material Current Italics Change in number of paragraphs (not content) "Shalls" 282 A 100% increase in requirements 532

9 Impact of Clarified Standards Plus Structure makes them easier to read/use Framework provides a consistent approach Shalls make very clear what is required Minus Shalls make very clear what is required Standards are more prescriptive Methodology and systems changes New terminology to learn

10 The Basic Structure of a CAS Risk Response Risk Assessment Plan the audit Perform risk assessment procedures Implement responses to assessed RMM Reporting Evaluate the audit evidence obtained Prepare the auditor s report

11 CASs with 10+ new shalls CAS CAS Title Italics Shalls New Old HB CAS 600 Audits of group financial statements CAS 700 Forming an opinion/reporting on F/S CAS 250 Consideration of laws and regulations CAS 540 Estimates CAS 570 Going concern N/A CAS 550 Related Parties CAS 705 Modifications to the opinion CSQC1 CANADIAN STANDARD ON QUALITY CONTROL GSF 1 CAS 210 Agreeing the terms of audit engagements CAS 710 Comparative information CAS 530 audit sampling N/A

12 CASs with 5-10 new shalls CAS CAS Title Italics Shalls New Old HB CAS 510 Initial audit engagements opening balances various CAS 560 Subsequent events CAS 240 Fraud in an audit of financial statements CAS 450 Evaluation of misstatements identified CAS 260 Communication with those charged with governance CAS 505 External Confirmations CAS 330 The auditor's responses to assessed risks CAS 580 Written representations

13 5305 Estimates CAS540 Current Italics Subject matter "Shalls" Risk Assessment Procedures 2 Identifying and Assessing RMM 2 Responses to the Assessed Risks 3 Further Substantive Procedures 3 Evaluating Reasonableness of Estimates 1 Disclosures 2 Indicators of Possible Management Bias 1 Written Representations 1 1 Documentation 1 1 Totals 16

14 Reporting Risk Assessment Risk Response Estimates What estimates are required? How were the estimates prepared? How significant are the estimates? Is an expert required? How accurate were prior years estimates? Any evidence of management bias? Extent of estimation uncertainty involved? Have estimates been prepared properly using consistent methodology? Is the supporting evidence reliable? Any evidence of fraud? Are financial statements disclosures of accounting estimates in accordance with the financial reporting framework? If a significant risk, has disclosure been made of the estimation uncertainty? Obtain management representations

15 Going Concern CAS 570 Current Italics Going concern CAS 570 Subject matter "Shalls" Risk Assessment Procedures 2 Evaluating Management's Assessment 4 Additional Audit Procedures when events identified 1 Audit Conclusions and Reporting 1 Material Uncertainty Exists 3 Going Concern Assumption Inappropriate 1 Management Unwilling to Extend Its Assessment 1 Communication with Those Charged with Governance 1 Significant Delay in Approval of Financial Statements 1 0 Totals 15

16 Going concern

17 Nature of Control

18 Inherent Risks Pervasive Scope of Risk Assessment Entity Objectives Financial Statements & Assertions Governance Leadership/management Information Systems Pervasive (entity level) Controls Revenue Processes Purchasing Processes Payroll Processes Other Processes Transactions

19 Risk Identification Risk Response Evaluating ICFR 1. Define Risk Materiality Appetite (for entity) Design & implement: 2. Understand/update mandate and nature of operations 5. Entity level & IT General Controls 3. Identify/Assess internal/external Risk Factors 6. Business Process Controls 4. Classify/report on events that require monitoring and/or mitigation 7. Test operating effectiveness & remediate as necessary 8. Ongoing Risk Monitoring FocusROI 2008

20 Why Identify Risk? Understand the entity and types of events that could cause a material misstatement in the F/S NOTE: We cannot assess risks that have not been identified

21 How? CAS Enquiries of management and others Observation & Inspection Analytical Procedures Identify and assess the risks of material misstatement through understanding the entity and its environment

22 Identifying risk Sources of Risk Scope of required risk assessment CAS Key Point Identify sources of risks not just effects on the F/S Absence of relevant Internal controls Risks from accounting policies used Risks resulting from entity objectives & strategies Map sources of risk to possible errors/fraud in the Financial Statements Risks identified from use of Industry performance indicators External risk factors Internal risk factors (nature of entity) * RMM = Risks of material misstatement

23 Focus on causes of risks not the effects The effect Water coming through cieling The cause Hole in the roof Inventory is overvalued Cut off errors found Estimates are conservative Slowdown in economy Bookkeeper prone to mistakes Owner wants to minimize taxes

24 CAS 240 Fraud The objectives of the auditor are: (a) To identify and assess the risks of material misstatement of the financial statements due to fraud; (b) To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and (c) To respond appropriately to fraud or suspected fraud identified during the audit.

25 Significant Risks: An identified and assessed risk of material misstatement that, in the auditor s judgment, requires special audit consideration. Presumed Fraud risks : Management override Revenue Recognition Related parties Journal entries Estimate bias NOTE: These risks are assessed BEFORE considering any element of internal control

26 Fraud All about Patterns - Exceptions - Oddities Keep fraud risks separate from business risks Ignore past experience of peoples good behaviour Don t ignore something that does not make sense or is tiny in relation to materiality Management is in the best position to perpetrate fraud

27 Fraud Scenarios 1. Manipulation of F/S Bias in Estimates Judgements Journal Entries Revenue Recognition 2. Non-Selfish Fraud Account classification Disclosure F/S Fraud Inappropriate Accounting Policies False records Related party/complex transactions Ommission transactions events

28 Fraud Scenarios 2. Misappropriation of assets Inflated expense accounts. Getting paid for goods/services not supplied The art of the steal Frank Abagnale Embezzling cash Physical asset theft or destruction Asset Fraud Personal use of Corporate Assets Related party transactions Unauthorized trading False records to cover losses

29 Documenting Risk Factors Pervasive Source of risk Result of risk Risk Assessment

30 Assessing Risk.. Use two attributes: Likelihood of event happening (chance or probability) Low (1) Moderate (2-3) High (4) Impact (magnitude) of event in $ (relate to materiality) Low (1) Moderate (2-3) High (4)

31 Specific Risks Transactional 31

32 Managements Response to Risk ICFR

33 Internal Control defined (CAS 315.4(c)) The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity s objectives with regard to: reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term controls refers to any aspects of one or more of the components of internal control. 33

34 Scope of ICFR 4 6 Operational and compliance objectives Entity Level Controls IT General Controls Application/ Business Process Controls Application/ Business Process Controls Application/ Business Process Controls Application/ Business Process Controls

35 The Five Components. Financial Reporting Objectives Control Environment Risk Assessment Monitoring Control Activities Information Systems 35

36 Control Environment Control Environment Communication of Entity values and commitment to competence Human Resources Policies and procedures 36

37 General IT Controls: Entity Level Control environment Culture, Assignment of authority and responsibility, people, plans, budgets, organization, risk assessment etc. IT Operations Day to day management, Security of infrastructure Data integrity, hardware maintenance, virus control User support & service levels etc Application Management Program selection, acquisition implementation Program development procedures Program change controls Application/data Access Management Application access controls, (local and remote) User authorizations, password control, Wireless and internet assess, use and security 37

38 The Key Control Tone at the Top or Culture Refers to the ethical atmosphere that is created in the workplace by the organization's leadership. Whatever tone management sets will have a trickle-down effect on employees of the company 38

39 Gomery.. Poor Culture administrative/political culture surrounding the Sponsorship initiatives tolerated and even encouraged the contracting practices that led to abuse. No one came forward to accept responsibility for management of Sponsorship initiatives Doctrine of mutual deniability Public servants reluctant to raise questions A breakdown of ethical standards occurred, Source. Gomery commission report V

40 Risk Assessment Risk Assessment How does management Identify business/fraud risks relevant to F/S Assess risk significance & likelihood of occurence Decide on actions required to manage assessed risks 40

41 Business Processes Accounting systems Information Systems Outputs Financial Statements (including disclosures) Transfer information from transaction processing to G/L Capture information for other events/conditions (amortization, valuation of inventory, receivables etc.) Accumulate, record, process, summarize information required to be disclosed in the financial statements. Use of standard and other journal entries to record transactions, estimates and adjustments Initiate, record, process, and report transactions and maintain accountability (safeguard, classify, measure etc.) for related assets, liabilities, and equity Information Systems Process and account for system overrides 41 Inputs Transactions, events and conditions

42 Control Activities Policies and procedures that help ensure that management directives are carried out. Authorization of transactions; Performance reviews; Information processing; Physical controls; Segregation of duties. Control Activities 42

43 Monitoring Monitoring of controls is a process to assess the effectiveness of internal control performance over time. Monitoring Monitoring provides feedback to management on whether the internal control system is: Effective in addressing stated control objectives; Properly implemented and understood by employees; Being used and complied with on a day-to-day basis; and In need of modification or improvement to reflect changes in conditions. 43

44 Ongoing Monitoring Identify key controls to be monitored ELCs Transaction controls Design creative monitoring controls

45 Internal Control Pervasive are often called entity level controls Specific are often called business process or application controls

46 Nature of Control

47 Control Risk Two Approaches Top Down Approach Bottom up Approach Risk Identification What risks require mitigation by control? Control Documentation Document internal controls (cradle to grave) Control Design What controls in place to prevent or detect/correct misstatements from occurring? Control Implementation Perform a walkthrough Control Implementation Are controls actually operating Risk Identification What risks require mitigation by control? Control Documentation Document the operation of relevant internal controls Control Design What controls in place to prevent or detect/correct misstatements from occurring? Conclusion on Control Risk Has management mitigated the RMM in the F/S Conclusion on Control Risk Has management mitigated the RMM in the F/S You only need to evaluate controls relevant to the audit

48 Control Design CAS 315. A66 Evaluating the design of a control involves considering: whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. 48

49 Assessing Control Design Two most common methodologies in use one risk factor to many controls One risk factor (control objective) linked to many controls many controls to many risks Now accepted as a best practice Helps to identify key and missing controls Approach taken in CPEM to entity level controls Approach taken in CPEM to transactional controls 49

50 One Risk to Many Controls RISK OR CONTROL OBJECTIVE 1Incompetent employees may be hired or retained Relevant Controls/procedures A. Job descriptions exist and are effectively used. B. Management provides personnel with access to training programs on relevant topics. C. Adequate staffing levels are maintained to effectively perform required tasks. D. Initial and ongoing matching of staff skills to their job descriptions. Do controls/procedures identified mitigate the risk YES / NO 50

51 Forms

52 Many Risks to Many Controls Process xyz Risk A Risk B Risk C Risk D Assertion C E A A C A Control IC Com Control Procedure 1 CA P P Control Procedure 2 IS D Control Procedure 3 CA P P P Control Procedure 4 M D Control Procedure 5 CA P Control Procedure 6 IS D Control Procedure 7 IS D D Note the P s and Ds where control intersects with risk Can you quickly identify the control weaknesses, control strengths & key controls? 52

53 Control Design Matrix Entity Period ended Objective: To evaluate control design (i.e. do controls mitigate the risks identified?) and control implementation (i.e. do controls exist and are they in u Instructions: 1. First identify the relevant risk factors and assertions. 2. Ask management what controls (if any) exist to mitigate each risk factor (one at a time). 3. Indicate the type of control (P or D) in the box where the control and risk intersect 4. Conclude whether the controls identified are sufficient to prevent or detect/correct the risk event (control design). 5. Determine (through inquiry, observation, inspection and reperformance) whether the control exists and is in use (control implementation). (See Form 582 for a listing of typical control procedures). Risk factors: (What events could result in a material misstatement in the F/S?) Assertions C = Completeness E = Existence A = Accuracy V = Valuation Type of control P = Prevent D = Detect and correct Relevant control procedures Assertion risks C CA CEAV CEA E V CEA 1 2 Do the control procedures mitigate the risk factor? Y = Risk mitigated S = Some mitigation No = Significant deficiency exists (Form 575) 53 Prepared by Date Reviewed by

54 Identifying Controls 1. Identify risks that require mitigation Where controls are required to prevent a material misstatement) 2. Ask what controls exist to mitigate each risk factor In larger organization this information may be obtained from talking to a number of people or reviewing system documentation that identifies controls 3. Use Control design matrix (full or condensed) to record the control procedures identified. Indicate whether the control prevents (P) or detects (D) the potential misstatement. 3. Then repeat steps 2and 3 for each risk factor from step 1. Note that some controls may well prevent or detect a number of the risk factors. 54 This process will immediately alert entity to risk factors that have not been mitigated.

55 Control Implementation 315. A66 Implementation of a control means that the control exists and that the entity is using it. There is little point in assessing the implementation of a control that is not effective, and so the design of a control is considered first. An improperly designed control may represent a significant deficiency in internal control.. 55

56 Control Implementation 315 A67 Involves Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls. This includes: Inquiring of entity personnel. Observing the application of specific controls. Inspecting documents and reports. Tracing transactions through the information system relevant to financial reporting. 56

57 Control Implementation SHOW ME Does control exist and is it in operation? Did the control change at all during the period or were new risks identified that need to be controlled? Who performs control and how often? Review the evidence that demonstrates that the control was performed? Re-perform the control where necessary to support operation Ask about what happens when things went wrong? Observation & Inspection Enquiries Analytical Review 57

58 CPEM Form 565 larger entities 58

59 Document relevant controls Document operation of relevant controls Place identified controls in context From inception to financial reporting The traditional starting point now comes last!! Why CAS requirement is only to document relevant controls Relevant controls can best be identified using the control design matrix Documentation only required to provide additional information about the operation of relevant controls (such as for evaluating control implementation) especially in larger entities 59

60 Control Documentation Methods: Memos Flowcharts Combinations of memos and charts Re-performable W/P s Key Principle Keep documentation as simple as possible. ONLY document relevant controls that mitigate risks relevant to financial reporting 60

61 Significant Control Deficiencies CAS 265 The objective of the auditor is to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor's professional judgment, are of sufficient importance to merit their respective attentions. 61

62 Control Deficiencies CAS If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies. 9. The auditor shall communicate in writing significant deficiencies in internal control identified during the audit to those charged with governance on a timely basis. Significant deficiency in internal control A deficiency or combination of deficiencies in internal control that, in the auditor s professional judgment, is of sufficient importance to merit the attention of those charged with governance. 62

63 Emerging Control Design Deficiencies Entity level and general IT Controls Anti fraud Controls Management override Spending authority Changes to Controls over: New product or service launches Acquisitions New system implementations 63

64 Control Deficiencies (Form 582) 1. Consider any compensating controls 2. Classify severity Inconsequential or Significant 3. If significant - record on Risk Assessment form (520/522) To develop an appropriate audit response 4. Agree on action plan New control design or remediation of existing controls Report to management/audit committee? 64

65 Recording Deficiencies CPEM Form

66 Testing IC Focus on Relevant Controls Test annually (unless reliance on work in previous years is possible) Consider doing this work to an interim time period 66

67 Typical Sample Sizes Control Frequency Many Times / Day Daily Weekly Suggested Number of Items to Test Monthly 2-4 Quarterly 2 67

68 Testing ELCs Top to Bottom approach Design What documentation exists? Code of Conduct, Whistle-blowing Board Composition, IT Governance, etc Does documentation address essential elements Implementation - Have policies/procedures/ management philosophy been communicated to everybody?

69 The Top to Bottom approach Effectiveness Select a sample of junior employees Are employees aware of P&P? Orientation training Do employees actually understand the P&P? Are employees actions consistent with P&P?

70 ELC Testing Tools Employee focus groups or surveys Review of self assessments Interviews and questionnaires Observations Review of employee records Employee communications Testing compliance with P&P Re-performance of controls Exception handling reports

71 Extent and timing Extent Professional judgement required Most ELC s do not lend themselves to statistical sampling Timing Can conduct tests earlier in year and then rely on change management controls for policy changes/new personnel/procedures etc

72 Summary The 4 Step Top Down Approach Identify what risks require mitigation Assess control design Assess control implementation Document relevant controls A Risk Assessment Procedure What risks if unmitigated by controls would result in a material misstatement? Identify/assess controls to mitigate risks Address each of the 5 IC components Do material control weaknesses exist? A Risk Assessment Procedure Ensure identified (relevan)t controls are actually operating as designed Document operation of relevant controls Place identified controls in context From inception to financial reporting 72

73 Introducing C-PEM Volume 1 Core concepts Audits, reviews and compilations Volume 2 Practical Guidance Includes 2 integrated case studies Part A Audits Part B Reviews Part C Compilations Part D Practice Aids (forms, etc. on a CD)

74 Questions Please 74