Effective Internal Controls (Annotated) by @EricPesik


Instilling good governance and ensuring full compliance with an effective internal control program. Presented at Corruption and Compliance South & South East Asia Summit, September 2012, Hilton Hotel, Singapore.

Published in: Business, Technology

  1. effective internal controls
  2. Presented by Eric Roring Pesik at Corruption and Compliance South & South East Asia Summit, September 2012, Hilton Hotel, Singapore
  3. “These slides cannot replace the full live presentation, so I have added quotes and narration from my live presentation to supplement the visuals.”
  4. effective internal controls
  5. “I am here to talk about instilling good governance and ensuring full compliance with an effective internal controls program.”
  6. “There are two main topics: First, what are internal controls? And second, how do you ensure they are effective?”
  7. internal controls
  8. finance & accounting procedures
  9. “When we envision internal controls in modern organizations, the typical things one thinks about are finance and accounting procedures, such as revenue recognition rules, balance sheets, and cash flow statements.” finance & accounting procedures
  10. corporate IT systems
  11. “Or you might also think about your corporate IT systems, such as ORACLE, SAP, and the databases and programs that keep track of corporate transactions.” corporate IT systems
  12. company policies & procedures
  13. “Or you might think about general company policies & procedures, such as the rules we all follow to get our expense reports approved.” company policies & procedures
  14. humanize internal controls
  15. “These are typical examples of internal controls. But they can be obscure or esoteric. Internal controls should make sense to the people that have to comply with them.” humanize internal controls
  16. simplify internal controls
  17. “Instead of the typical corporate internal controls, I offer you a simple internal control...”
  18. restaurant guest check
  19. “Everyone has seen a restaurant guest check. You know what it is and how it works. But how many people think of this as an internal control?” restaurant guest check
  20. restaurant procedures
  21. “We recognize restaurant procedures, and we participate without question or thought.” restaurant procedures
  22. take your order
  23. “When the waitress takes your order, the first internal control comes into play when you tell the waitress what you want. She writes it down. This simple data entry drives restaurant operations.” take your order
  24. “The waitress repeats your order as an additional control to verify the data, and correct it if it is incorrect.” take your order
  25. prepare your order
  26. “The segregation of duties is another internal control because the kitchen must translate the written data into an allowed order on the menu.” prepare your order
  27. “The kitchen uses the order to manage production, preparing the meal as described in the guest check, and pulling raw materials from inventory.” prepare your order
  28. “The segregation of duties is also a fraud prevention control. The kitchen operates to the written order, preventing the waitress from recording an inexpensive item but delivering an expensive item.” prepare your order
  29. serve your order
  30. “When your order is ready the waitress uses the order to verify customer requirements against kitchen production output.” serve your order
  31. “There is a final verification when your meal arrives. If you dispute the order, the wait staff can compare your dispute against the written order.” serve your order
  32. pay for your order
  33. “After you eat, you must pay. The cashier reviews the guest check to calculate sales price and record the sales revenue from your meal.” pay for your order
  34. receipt for order
  35. “The restaurant keeps the order for records retention. The manager can audit these records to monitor the business operations.” receipt for order
  36. “Total sales as shown in the guest checks should match the revenue in the cash register.” receipt for order
  37. “Production orders as shown in the guest checks should match the changes in inventory.” receipt for order
  38. “The guest check allows top level review of restaurant operations. If there are discrepancies, management can investigate.” receipt for order
  39. restaurant guest check
  40. “It doesn’t feel like an internal control. It’s not bureaucratic. It helps restaurant employees do their job more effectively, so they use it effectively.” restaurant guest check
  41. human scale controls
  42. “The restaurant guest check is a human scale control. It is easy to understand and requires no special skill or technical knowledge.”
  43. 1. simple, 2. effective, 3. efficient
  44. “It is simple because it only requires a small piece of paper passed from user to user without special tools or equipment.”
  45. “It is effective because one item drives nearly every aspect of the business: sales, customer services, operations, production, inventory, revenue, accounting, planning, management oversight...”
  46. “It is an efficient control because it does not interfere with how each employee does his or her job. This internal control helps employees do their job more efficiently.”
  47. organic controls
  48. “This internal control was developed organically. It wasn’t implemented by legal or finance or compliance. It was developed over time by the users themselves to make their job easier.”
  49. “There are probably similar internal controls in your company developed by the users themselves.”
  50. internal control integrated framework
  51. “Let’s look at the opposite end of the spectrum. The Internal Control - Integrated Framework was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission.”
  52. “This is a formal framework for internal control systems that is employed by a majority of multinational companies.”
  53. “There are four key concepts in the Internal Controls - Integrated Framework.”
  54. internal control is a process
  55. “Internal control is a means to an end, not an end in itself.” internal control is a process
  56. affected by people
  57. “Internal controls are not just things, they are people at every level of an organization. Internal controls rely on people for their effectiveness and are affected by the inherent faults of people.” affected by people
  58. reasonable assurance
  59. “Internal controls cannot provide absolute assurances. There are no fool-proof internal controls.” reasonable assurance
  60. achieve objectives
  61. “Internal control should be directed at achieving company objectives. An internal control that is not tied to a corporate objective is not an effective internal control.” achieve objectives
  62. 1. process, 2. people, 3. assurances, 4. objectives
  63. “Internal controls are processes effected by people that provide reasonable assurances that you are meeting or achieving your corporate objectives.”
  64. integrated framework
  65. human framework
  66. human laziness
  67. “Internal controls protect against the human desire to skip steps and take shortcuts.” human laziness
  68. human carelessness
  69. “Internal controls need to protect against mistakes and human carelessness.” human carelessness
  70. human dishonesty
  71. “Internal controls need to protect against human dishonesty.” human dishonesty
  72. 1. laziness, 2. carelessness, 3. dishonesty
  73. human framework
  74. “Internal controls protect against the inherent risk of having humans participate in your business.”
  75. internal controls methods
  76. “The integrated framework describes methods we put in place to protect against the human framework.”
  77. segregation of duties
  78. “Separating authorization, custody, and record keeping roles helps prevent fraud or error by one person.” segregation of duties
  79. retention of records
  80. “Maintaining documentation allows us to document and substantiate transactions.” retention of records
  81. supervision or monitoring
  82. “Supervision or monitoring allows us to observe and review ongoing operational activity.” supervision or monitoring
  83. information processing
  84. “Information processing allows us to verify data entry, compare file totals with control accounts, and control access to data, files, and programs.” information processing
  85. authorization of transactions
  86. “Authorization of transactions ensures that transactions are reviewed and approved by an appropriate person.” authorization of transactions
  87. top-level reviews
  88. “Top level reviews allow reporting and analysis of actual results versus organizational goals and key performance indicators.” top-level reviews
  89. electronic security
  90. “Electronic security provides passwords and access logs to protect data and programs from unauthorized access.” electronic security
  91. physical security
  92. “Physical security provides cameras, locks, and physical barriers to protect cash, property, and inventory.” physical security
  93. 1. segregation of duties, 2. retention of records, 3. supervision or monitoring, 4. information processing, 5. authorization of transactions, 6. top-level reviews, 7. electronic security, 8. physical security
  94. internal controls methods
  95. “The eight categories of internal control methods are overlapping and nonexclusive.”
  96. “How do you make them effective?”
  97. effective internal controls
  98. risk focused
  99. “Internal controls must be risk focused. They must be tailored to actual risks your company faces.”
  100. risk assessment
  101. “To implement risk-focused internal controls, you have to do a formal risk assessment. This is something everyone talks about, but rarely does.” risk assessment
  102. “Everyone has seen a typical risk matrix. It is a tool to compare two dimensions of data, the probability of risk and the magnitude of harm, to help you measure threats.”
  103. risk matrix (2x2 grid; vertical axis Magnitude of Loss, horizontal axis Probability of Risk): top row High Magnitude / Low Probability, High Magnitude / High Probability; bottom row Low Magnitude / Low Probability, Low Magnitude / High Probability
  104. “How many people have actually plotted out risks their company faces? This should not be merely a thought experiment, but a formal risk assessment.”
  105. who determines risk?
  106. “Most companies’ risk profiles are determined by the personal opinions of a small number of individuals.” who determines risk?
  107. risk experts
  108. “Lawyers, accountants, risk officers, experienced business professionals are all risk experts. Their job is to understand the risks our companies face based on their professional experience, training, and individual expertise.” risk experts
  109. subjective opinions
  110. “But individual opinions are too subjective, especially when risk assessments are made by limited individuals insulated from day-to-day operations.” subjective opinions
  111. objective data
  112. “Relying on risk experts is not enough. To develop effective internal controls, you need to supplement subjective individual opinions with objective risk data.” objective data
  113. “Without objective risk data, you cannot have a risk-focused program. And you cannot demonstrate to regulatory authorities that you have appropriate controls in place.” objective data
  114. sources of data
  115. “The data in this presentation is derived from reports from the Association of Certified Fraud Examiners. This presentation was delivered in Asia, and uses Asia data. But global data is similar.”
  116. categories of risk
  117. “Probability is the frequency of fraud in each category. The percentages exceed 100% because any event may involve more than one risk category.”
  118. probability of the risk: Corruption 51%; Billing 19%; Non-Cash 19%; Expense Account 14%; Skimming 13%; Cash on Hand 11%; Cash Larceny 9%; Check Tampering 7%; Financial Statement 7%; Payroll 4%; Cash Register 2%
  119. “Corruption is the most frequent risk, occurring in more than half of all events.”
  120. “The magnitude of loss is the median loss for each event, in thousands of US dollars.”
  121. magnitude of the loss (median, in $ thousands): Financial Statement $1,730; Corruption $175; Check Tampering $131; Billing $128; Cash Larceny $100; Non-Cash $90; Payroll $72; Skimming $60; Expense Account $33; Cash on Hand $23; Cash Register $23
  122. “Financial statement fraud is infrequent, but it is the most costly form of fraud when it occurs.”
  123. “The adjusted risk profile combines the probability and magnitude together and then scales the result from 1-10, lowest to the highest.”
  124. adjusted risk profile: Financial Statement 10.0; Corruption 7.4; Billing 2.0; Non-Cash 1.3; Check Tampering 0.7; Cash Larceny 0.7; Skimming 0.6; Expense Account 0.4; Payroll 0.2; Cash on Hand 0.2; Cash Register 0.0
  125. “Financial statement risk and corruption risks are both high risk because of the high occurrence and high cost. Corruption is a current hot topic, but the data shows financial statement fraud is a greater risk.”
  126. perpetrators of risk
  127. probability of the risk (by department): Sales 21.0%; Operations 15.4%; Accounting 15.1%; Exec/Upper Mgmt 14.0%; Purchasing 10.7%; Warehousing/Inventory 4.0%; Finance 4.0%; Customer Service 3.3%; Marketing/Pub Relations 2.9%; Board of Directors 2.9%; Mfg and Production 2.2%; Human Resources 2.2%; Information Technology 1.5%; Internal Audit 0.4%; Research and Dev 0.4%; Legal 0.0%
  128. “The sales department is the most frequent source of risk, probably because corruption is the most frequent category of risk. But the top 5 overall departments are similar, all with double digit risks.”
  129. magnitude of the loss (by department, median in $ thousands): Exec/Upper Mgmt $829; Board of Directors $800; Legal $566; Purchasing $500; Finance $450; Marketing/Pub Relations $248; Warehousing/Inventory $239; Human Resources $200; Accounting $180; Mfg and Production $150; Operations $105; Research and Dev $100; Sales $95; Information Technology $71; Customer Service $46; Internal Audit $13
  130. “Upper management and the board of directors are the source of the greatest median loss per event, probably because financial statement fraud is the most costly form of fraud.”
  131. adjusted risk profile (by department): Exec/Upper Mgmt 10.0; Accounting 3.5; Purchasing 2.8; Operations 1.7; Finance 1.7; Sales 1.1; Warehousing/Inventory 1.0; Board of Directors 1.0; Marketing/Pub Relations 0.4; Customer Service 0.3; Legal 0.2; Human Resources 0.2; Mfg and Production 0.2; Information Technology 0.2; Research and Dev 0.0; Internal Audit 0.0
  132. “The adjusted risk profile shows upper and executive management is the greatest source of risk to the company.”
  133. external data
  134. “External data is not enough. It helps you benchmark your risk analysis, but the key to developing risk-focused controls is collecting your own internal data.”
  135. internal data
  136. company constituents
  137. “When you need unfiltered data about your company, you cannot rely on risk experts, because they don’t know what is happening with manager-level and line-level employees.” company constituents
  138. “You need to discover open secrets that everyone knows on the shop floor but that never reach management.” company constituents
  139. human laziness
  140. “Employees know who is lazy in their organization. They might not turn in their co-workers, but they will tell you the steps people skip.” human laziness
  141. human carelessness
  142. “Employees know who is careless in their organization. They might not turn in their co-workers, but they will tell you the mistakes people make.” human carelessness
  143. human dishonesty
  144. “Employees know who is dishonest in their organization. They might not turn in their co-workers, but they will tell you how people steal from the company.” human dishonesty
  145. risk experts
  146. ordinary employees
  147. “Ordinary employees are the real risk experts in your company.” ordinary employees
  148. formal risk assessment
  149. “A formal risk assessment is time consuming. It requires putting all your constituents in a room and having each of them teach you about the risks they see every day.” formal risk assessment
  150. risk inventory
  151. “Your risk assessment will produce a risk inventory - a list of every risk your employees identify.” risk inventory
  152. “Analyze the probability and magnitude of each item in your risk inventory to develop your company’s risk matrix.” risk inventory
  153. probability of occurrence
  154. magnitude of loss
  155. risk matrix
  156. “Once you develop your company’s matrix, you must select appropriate internal control methods to mitigate the risks.”
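An added example (not from the slides) that carries the slide 152 step through in code: it takes a risk inventory with a probability and a median loss per item, computes the adjusted risk profile of slides 123-124 on the category data of slides 118 and 121, and places each item in the 2x2 risk matrix of slide 103. The slides do not say how probability and magnitude are combined, so the code assumes the product of the two, min-max scaled so the largest risk scores 10.0 and the smallest 0.0 (the narration says 1-10, but the slide's own table bottoms out at 0.0); the median split used for the matrix axes is likewise an assumption.

```python
"""Adjusted risk profile and risk-matrix placement for a risk inventory.

Assumed scoring (not stated on the slides): raw score = probability x median
loss, then min-max scaled to 0..10. Input figures are the category data shown
on the slides (probability in percent, median loss in thousands of USD).
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    name: str
    probability_pct: float   # frequency of the risk, percent of events
    median_loss_k: float     # median loss per event, thousands of USD


# Category data as reproduced on the slides (probability % / median loss $k).
CATEGORY_RISKS = [
    RiskItem("Financial Statement", 7, 1730),
    RiskItem("Corruption", 51, 175),
    RiskItem("Check Tampering", 7, 131),
    RiskItem("Billing", 19, 128),
    RiskItem("Cash Larceny", 9, 100),
    RiskItem("Non-Cash", 19, 90),
    RiskItem("Payroll", 4, 72),
    RiskItem("Skimming", 13, 60),
    RiskItem("Expense Account", 14, 33),
    RiskItem("Cash on Hand", 11, 23),
    RiskItem("Cash Register", 2, 23),
]


def raw_score(item):
    """Assumed combination of the two matrix axes: probability x magnitude."""
    return item.probability_pct * item.median_loss_k


def adjusted_risk_profile(items, scale_max=10.0):
    """Return [(name, score)] sorted highest risk first, scores rounded to 0.1.

    Min-max scaling: the largest raw score maps to scale_max, the smallest to 0.
    Edge case: if every raw score is identical there is no spread to scale, so
    every item gets scale_max rather than dividing by zero (nothing is 'zero
    risk' just because the inventory is uniform).
    """
    if not items:
        return []
    raw = {item.name: raw_score(item) for item in items}
    lo, hi = min(raw.values()), max(raw.values())
    spread = hi - lo
    profile = []
    for name, value in raw.items():
        scaled = scale_max if spread == 0 else (value - lo) / spread * scale_max
        profile.append((name, round(scaled, 1)))
    # Ties are ordered by name so the ranking is deterministic.
    profile.sort(key=lambda pair: (-pair[1], pair[0]))
    return profile


def risk_matrix_quadrant(item, inventory):
    """Place one item in the 2x2 matrix (Magnitude of Loss vs Probability of Risk).

    Assumption: the low/high split on each axis is the inventory median; the
    slides show the four quadrants but do not define where the split lies.
    """
    prob_split = statistics.median(i.probability_pct for i in inventory)
    loss_split = statistics.median(i.median_loss_k for i in inventory)
    prob = "High Probability" if item.probability_pct >= prob_split else "Low Probability"
    mag = "High Magnitude" if item.median_loss_k >= loss_split else "Low Magnitude"
    return f"{mag} / {prob}"


if __name__ == "__main__":
    for name, score in adjusted_risk_profile(CATEGORY_RISKS):
        item = next(i for i in CATEGORY_RISKS if i.name == name)
        print(f"{name:20s} {score:4.1f}  {risk_matrix_quadrant(item, CATEGORY_RISKS)}")
```

With these assumptions nine of the eleven category scores match slide 124 to one decimal; Non-Cash comes out 1.4 and Expense Account 0.3 where the slide shows 1.3 and 0.4, a difference within the rounding of the percentage inputs. The department profile on slide 131 is not reproduced by this combination (Purchasing would score well above Accounting), so the department scoring on the slides evidently used a different method.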
  157. internal controls methods
  158. 1. segregation of duties, 2. retention of records, 3. supervision or monitoring, 4. information processing, 5. authorization of transactions, 6. top-level reviews, 7. electronic security, 8. physical security
  159. “But your work is not done. You also have to assess the effectiveness of your proposed controls.”
  160. effectiveness of controls
  161. cost of mitigating or avoiding
  162. “Every internal control has a price. It may be the financial cost to implement, or the loss of operational efficiencies due to burdensome process steps or procedures.” cost of mitigating or avoiding
  163. “Do not allow the cost of mitigation to exceed the value of the risk. You need to know the effectiveness of each internal control.” cost of mitigating or avoiding
  164. follow the money
  165. “Effectiveness is measured by the reduction in median losses of organizations with an internal control versus organizations without the same internal control.”
  166. effective loss reduction: Hotline 59.2%; Employee Support Programs 59.0%; Surprise Audits 51.5%; Fraud Training for Managers/Execs 50.0%; Fraud Training for Employees 50.0%; Job Rotation/Mandatory Vacation 46.8%; Code of Conduct 46.6%; Management Review 40.0%; Anti-Fraud Policy 40.0%; External Audit of ICOFR 34.9%; Internal Audit Department 30.6%; Independent Audit Committee 30.0%; External Audit of F/S 25.0%; Management Certification of F/S 25.0%; Rewards for Whistleblowers 23.2%
  167. “Hotlines were the most effective, but the top 5 internal controls yielded 50% or greater median loss reduction.”
  168. benefit of loss reduction (median loss per event in $ thousands, with control / without control): Hotline $100 / $245; Employee Support Programs $100 / $244; Surprise Audits $97 / $200; Fraud Training for Managers/Execs $100 / $200; Fraud Training for Employees $100 / $200; Job Rotation/Mandatory Vacation $100 / $188; Code of Conduct $140 / $262; Management Review $120 / $200; Anti-Fraud Policy $120 / $200; External Audit of ICOFR $140 / $215; Internal Audit Department $145 / $209; Independent Audit Committee $140 / $200; External Audit of F/S $150 / $200; Management Certification of F/S $150 / $200; Rewards for Whistleblowers $119 / $155
  169. “Companies without hotlines suffered median losses of $245k per event. Companies with hotlines suffered only $100k median losses per event.”
  170. “Since hotlines have the greatest effective loss reduction, let’s do a quick case study to examine hotlines further and compare them with other sources of risk detection.”
  171. risk detection
  172. detection method: Tip 42.3%; Internal Audit 14.3%; Management Review 11.3%; By Accident 8.9%; External Audit 5.8%; Account Reconciliation 5.5%; Document Examination 4.4%; Surveillance/Monitoring 2.7%; Confession 2.4%; Notified by Police 1.7%; IT Controls 0.7%
  173. “Tips are the source of 42.3% of risk detection. They are the greatest detection source.”
  174. source of tips: Employee 49.2%; Customer 17.8%; Anonymous 13.4%; Vendor 12.1%; Shareholder/Owner 3.7%; Competitor 2.5%; Perpetrator's Acquaintance 1.8%
  175. “Employees are the greatest source of tips. But about half of all tips come from sources other than employees.”
  176. companies with hotlines (tips as share of detections): With Hotline 47.1%; Tips Overall 42.3%; No Hotline 33.8%
  177. companies without hotlines (tips as share of detections): With Hotline 47.1%; Tips Overall 42.3%; No Hotline 33.8%; difference 13.3%
  178. “Companies with hotlines receive 13% more tips than companies without.”
  179. importance of hotlines
  180. “Hotlines are the most effective internal control, reducing median losses by almost 60%. Tips are the number one source for detecting risk, and hotlines result in 13% more tips.” “Why is this important?” importance of hotlines
  181. whistleblower bounties
  182. “Regulators are paying whistleblower bounties to get tips. If you don’t have a hotline, you are telling 13% of people with tips to take them somewhere else.” whistleblower bounties
  183. “They will follow the money.” whistleblower bounties
  184. follow the money
  185. “Follow the money, follow the risk.”
  186. recap
  187. effective internal controls
  188. 1. simple, 2. effective, 3. efficient
  189. 1. process, 2. people, 3. assurances, 4. objectives
  190. 1. laziness, 2. carelessness, 3. dishonesty
  191. 1. segregation of duties, 2. retention of records, 3. supervision or monitoring, 4. information processing, 5. authorization of transactions, 6. top-level reviews, 7. electronic security, 8. physical security
  192. risk focused
  193. objective data
  194. follow the money
  195. “Follow the money, follow the risk.”
  196. questions?
  197. get more from http://www.slideshare.net/ericpesik/
  198. License and Credits
       This presentation, excluding the images, is provided under the Creative Commons Attribution license: http://creativecommons.org/licenses/by/3.0/ You are free to share, copy, distribute, and transmit this work; to remix and adapt this work; and to make commercial use of the work; under the condition that you attribute this work to me by including the following attribution, “Effective Internal Controls by Eric Pesik. Used with permission,” and URL link: http://www.slideshare.net/ericpesik/
       Microsoft Office Online: Except as noted below, all images in this presentation are from Microsoft Office Online. Used with permission from Microsoft: http://office.microsoft.com/en-us/images/
       Flickr Creative Commons: The following images are from Flickr Creative Commons and are licensed and used under the Creative Commons Attribution license: http://creativecommons.org/licenses/by/2.0/deed.en
       Art Coffee House Waitress by Wonderlane http://www.flickr.com/photos/wonderlane/293137892/
       Waitress by Adikos http://www.flickr.com/photos/adikos/4319818916/
       Rutherford Grill by Neeta Lind http://www.flickr.com/photos/neeta_lind/2517034517/
       Serving Food by Adrian Nier http://www.flickr.com/photos/adriannier/4004167201/
       Donut Shop Owner by Robert Couse-Baker http://www.flickr.com/photos/29233640@N07/7104455917/
       Two chorizo burritos with cheese and sour cream by Rick http://www.flickr.com/photos/spine/1994814081/
       Waiter by Hans Van Den Berg http://www.flickr.com/photos/myimage/4353456304/
       Blue Telephone by UggBoy♥UggGirl http://www.flickr.com/photos/uggboy/5345135964/
       Association of Certified Fraud Examiners: All data is from the Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2010 Global Fraud Study, based on 1,843 cases of occupational fraud that were reported by the Certified Fraud Examiners who investigated them. http://www.acfe.com
       Committee on Sponsoring Organizations of the Treadway Commission: The Internal Control - Integrated Framework was commissioned by the Committee on Sponsoring Organizations of the Treadway Commission. It establishes a common definition of internal control that serves the needs of different parties for assessing and improving their control systems. http://www.coso.org