Effective Internal Controls (Annotated) by @EricPesik

Instilling good governance and ensuring full compliance with an effective internal control program. Presented at Corruption and Compliance South & South East Asia Summit, September 2012, Hilton Hotel, Singapore.

Published in: Business, Technology
Transcript

  • 1. effective internal controls
  • 2. Presented by Eric Roring Pesik at Corruption and Compliance South & South East Asia Summit, September 2012, Hilton Hotel, Singapore
  • 3. “These slides cannot replace the full live presentation, so I have added quotes and narration from my live presentation to supplement the visuals.”
  • 4. effective internal controls
  • 5. “I am here to talk about instilling good governance and ensuring full compliance with an effective internal controls program.”
  • 6. “There are two main topics: First, what are internal controls? And second, how do you ensure they are effective?”
  • 7. internal controls
  • 8. finance & accounting procedures
  • 9. “When we envision internal controls in modern organizations, the typical things one thinks about are finance and accounting procedures, such as revenue recognition rules, balance sheets, and cash flow statements.” finance & accounting procedures
  • 10. corporate IT systems
  • 11. “Or you might also think about your corporate IT systems, such as ORACLE, SAP, and the databases and programs that keep track of corporate transactions.” corporate IT systems
  • 12. company policies & procedures
  • 13. “Or you might think about general company policies & procedures, such as the rules we all follow to get our expense reports approved.” company policies & procedures
  • 14. humanize internal controls
  • 15. “These are typical examples of internal controls. But they can be obscure or esoteric. Internal controls should make sense to the people that have to comply with them.” humanize internal controls
  • 16. simplify internal controls
  • 17. “Instead of the typical corporate internal controls, I offer you a simple internal control...”
  • 18. restaurant guest check
  • 19. “Everyone has seen a restaurant guest check. You know what it is and how it works. But how many people think of this as an internal control?” restaurant guest check
  • 20. restaurant procedures
  • 21. “We recognize restaurant procedures, and we participate without question or thought.” restaurant procedures
  • 22. take your order
  • 23. “When the waitress takes your order, the first internal control comes into play when you tell the waitress what you want. She writes it down. This simple data entry drives restaurant operations.” take your order
  • 24. “The waitress repeats your order as an additional control to verify the data, and correct it if it is incorrect.” take your order
  • 25. prepare your order
  • 26. “The segregation of duties is another internal control because the kitchen must translate the written data into an allowed order on the menu.” prepare your order
  • 27. “The kitchen uses the order to manage production, preparing the meal as described in the guest check, and pulling raw materials from inventory.” prepare your order
  • 28. “The segregation of duties is also a fraud prevention control. The kitchen operates to the written order, preventing the waitress from recording an inexpensive item but delivering an expensive item.” prepare your order
  • 29. serve your order
  • 30. “When your order is ready the waitress uses the order to verify customer requirements against kitchen production output.” serve your order
  • 31. “There is a final verification when your meal arrives. If you dispute the order, the wait staff can compare your dispute against the written order.” serve your order
  • 32. pay for your order
  • 33. “After you eat, you must pay. The cashier reviews the guest check to calculate sales price and record the sales revenue from your meal.” pay for your order
  • 34. receipt for order
  • 35. “The restaurant keeps the order for records retention. The manager can audit these records to monitor the business operations.” receipt for order
  • 36. “Total sales as shown in the guest checks should match the revenue in the cash register.” receipt for order
  • 37. “Production orders as shown in the guest checks should match the changes in inventory.” receipt for order
  • 38. “The guest check allows top level review of restaurant operations. If there are discrepancies, management can investigate.” receipt for order
  • 39. restaurant guest check
  • 40. “It doesn’t feel like an internal control. It’s not bureaucratic. It helps restaurant employees do their job more effectively, so they use it effectively.” restaurant guest check
  • 41. human scale controls
  • 42. “The restaurant guest check is a human scale control. It is easy to understand and requires no special skill or technical knowledge.”
  • 43. 1. simple 2. effective 3. efficient
  • 44. “It is simple because it only requires a small piece of paper passed from user to user without special tools or equipment.”
  • 45. “It is effective because one item drives nearly every aspect of the business: sales, customer services, operations, production, inventory, revenue, accounting, planning, management oversight...”
  • 46. “It is an efficient control because it does not interfere with how each employee does his or her job. This internal control helps employees do their job more efficiently.”
  • 47. organic controls
  • 48. “This internal control was developed organically. It wasn’t implemented by legal or finance or compliance. It was developed over time by the users themselves to make their job easier.”
  • 49. “There are probably similar internal controls in your company developed by the users themselves.”
  • 50. internal control integrated framework
  • 51. “Let’s look at the opposite end of the spectrum. The Internal Control - Integrated Framework was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission.”
  • 52. “This is a formal framework for internal control systems that is employed by a majority of multinational companies.”
  • 53. “There are four key concepts in the Internal Controls - Integrated Framework.”
  • 54. internal control is a process
  • 55. “Internal control is a means to an end, not an end in itself.” internal control is a process
  • 56. affected by people
  • 57. “Internal controls are not just things, they are people at every level of an organization. Internal controls rely on people for their effectiveness and are affected by the inherent faults of people.” affected by people
  • 58. reasonable assurance
  • 59. “Internal controls cannot provide absolute assurances. There are no fool-proof internal controls.” reasonable assurance
  • 60. achieve objectives
  • 61. “Internal control should be directed at achieving company objectives. An internal control that is not tied to a corporate objective is not an effective internal control.” achieve objectives
  • 62. 1. process 2. people 3. assurances 4. objectives
  • 63. “Internal controls are processes effected by people that provide reasonable assurances that you are meeting or achieving your corporate objectives.”
  • 64. integrated framework
  • 65. human framework
  • 66. human laziness
  • 67. “Internal controls protect against the human desire to skip steps and take shortcuts.” human laziness
  • 68. human carelessness
  • 69. “Internal controls need to protect against mistakes and human carelessness.” human carelessness
  • 70. human dishonesty
  • 71. “Human controls need to protect against human dishonesty.” human dishonesty
  • 72. 1. laziness 2. carelessness 3. dishonesty
  • 73. human framework
  • 74. “Internal controls protect against the inherent risk of having humans participate in your business.”
  • 75. internal controls methods
  • 76. “The integrated framework describes methods we put in place to protect against the human framework.”
  • 77. segregation of duties
  • 78. “Separating authorization, custody, and record keeping roles helps prevent fraud or error by one person.” segregation of duties
  • 79. retention of records
  • 80. “Maintaining documentation allows us to document and substantiate transactions.” retention of records
  • 81. supervision or monitoring
  • 82. “Supervision or monitoring allows us to observe and review ongoing operational activity.” supervision or monitoring
  • 83. information processing
  • 84. “Information processing allows us to verify data entry, comparing file totals with control accounts, and control access to data, files, and programs.” information processing
  • 85. authorization of transactions
  • 86. “Authorization of transactions ensures that transactions are reviewed and approved by an appropriate person.” authorization of transactions
  • 87. top-level reviews
  • 88. “Top level reviews allow reporting and analysis of actual results versus organizational goals and key performance indicators.” top-level reviews
  • 89. electronic security
  • 90. “Electronic security provides passwords and access logs to protect data and programs from unauthorized access.” electronic security
  • 91. physical security
  • 92. “Physical security provides cameras, locks, and physical barriers to protect cash, property, and inventory.” physical security
  • 93. 1. segregation of duties 2. retention of records 3. supervision or monitoring 4. information processing 5. authorization of transactions 6. top-level reviews 7. electronic security 8. physical security
  • 94. internal controls methods
  • 95. “The eight categories of internal control methods are overlapping and nonexclusive.”
  • 96. “How do you make them effective?”
  • 97. effective internal controls
  • 98. risk focused
  • 99. “Internal controls must be risk focused. They must be tailored to actual risks your company faces.”
  • 100. risk assessment
  • 101. “To implement risk-focused internal controls, you have to do a formal risk assessment. This is something everyone talks about, but rarely does.” risk assessment
  • 102. “Everyone has seen a typical risk matrix. It is a tool to compare two dimensions of data, the probability of risk and the magnitude of harm, to help you measure threats.”
  • 103. risk matrix (vertical axis: Magnitude of Loss; horizontal axis: Probability of Risk)
      High Magnitude / Low Probability | High Magnitude / High Probability
      Low Magnitude / Low Probability | Low Magnitude / High Probability
  • 104. “How many people have actually plotted out risks their company faces? This should not be merely a thought experiment, but a formal risk assessment.”
  • 105. who determines risk?
  • 106. “Most companies’ risk profiles are determined by the personal opinions of a small number of individuals.” who determines risk?
  • 107. risk experts
  • 108. “Lawyers, accountants, risk officers, experienced business professionals are all risk experts. Their job is to understand the risks our companies face based on their professional experience, training, and individual expertise.” risk experts
  • 109. subjective opinions
  • 110. “But individual opinions are too subjective, especially when risk assessments are made by limited individuals insulated from day-to-day operations.” subjective opinions
  • 111. objective data
  • 112. “Relying on risk experts is not enough. To develop effective internal controls, you need to supplement subjective individual opinions with objective risk data.” objective data
  • 113. “Without objective risk data, you cannot have a risk-focused program. And you cannot demonstrate to regulatory authorities that you have appropriate controls in place.” objective data
  • 114. sources of data
  • 115. “The data in this presentation is derived from reports from the Association of Certified Fraud Examiners. This presentation was delivered in Asia, and uses Asia data. But global data is similar.”
  • 116. categories of risk
  • 117. “Probability is the frequency of fraud in each category. The percentages exceed 100% because any event may involve more than one risk category.”
  • 118. probability of the risk (by fraud category)
      Corruption 51%
      Billing 19%
      Non-Cash 19%
      Expense Account 14%
      Skimming 13%
      Cash on Hand 11%
      Cash Larceny 9%
      Check Tampering 7%
      Financial Statement 7%
      Payroll 4%
      Cash Register 2%
  • 119. “Corruption is the most frequent risk, occurring in more than half of all events.”
  • 120. “The magnitude of loss is the median loss for each event, in thousands of US dollars.”
  • 121. magnitude of the loss (median loss per event, thousands of US dollars)
      Financial Statement $1,730
      Corruption $175
      Check Tampering $131
      Billing $128
      Cash Larceny $100
      Non-Cash $90
      Payroll $72
      Skimming $60
      Expense Account $33
      Cash on Hand $23
      Cash Register $23
  • 122. “Financial statement fraud is infrequent, but it is the most costly form of fraud when it occurs.”
  • 123. “The adjusted risk profile combines the probability and magnitude together and then scales the result from 1-10, lowest to the highest.”
  • 124. adjusted risk profile (by fraud category)
      Financial Statement 10.0
      Corruption 7.4
      Billing 2.0
      Non-Cash 1.3
      Check Tampering 0.7
      Cash Larceny 0.7
      Skimming 0.6
      Expense Account 0.4
      Payroll 0.2
      Cash on Hand 0.2
      Cash Register 0.0
  • 125. “Financial statement risk and corruption risks are both high risk because of the high occurrence and high cost. Corruption is a current hot topic, but the data shows financial statement fraud is a greater risk.”
  • 126. perpetrators of risk
  • 127. probability of the risk (by perpetrator’s department)
      Sales 21.0%
      Operations 15.4%
      Accounting 15.1%
      Exec/Upper Mgmt 14.0%
      Purchasing 10.7%
      Warehousing/Inventory 4.0%
      Finance 4.0%
      Customer Service 3.3%
      Marketing/Pub Relations 2.9%
      Board of Directors 2.9%
      Mfg and Production 2.2%
      Human Resources 2.2%
      Information Technology 1.5%
      Internal Audit 0.4%
      Research and Dev 0.4%
      Legal 0.0%
  • 128. “The sales department is the most frequent source of risk, probably because corruption is the most frequent category of risk. But the top 5 overall departments are similar, all with double digit risks.”
  • 129. magnitude of the loss (median loss per event, thousands of US dollars, by perpetrator’s department)
      Exec/Upper Mgmt $829
      Board of Directors $800
      Legal $566
      Purchasing $500
      Finance $450
      Marketing/Pub Relations $248
      Warehousing/Inventory $239
      Human Resources $200
      Accounting $180
      Mfg and Production $150
      Operations $105
      Research and Dev $100
      Sales $95
      Information Technology $71
      Customer Service $46
      Internal Audit $13
  • 130. “Upper management and the board of directors are the source of the greatest median loss per event, probably because financial statement fraud is the most costly form of fraud.”
  • 131. adjusted risk profile (by perpetrator’s department)
      Exec/Upper Mgmt 10.0
      Accounting 3.5
      Purchasing 2.8
      Operations 1.7
      Finance 1.7
      Sales 1.1
      Warehousing/Inventory 1.0
      Board of Directors 1.0
      Marketing/Pub Relations 0.4
      Customer Service 0.3
      Legal 0.2
      Human Resources 0.2
      Mfg and Production 0.2
      Information Technology 0.2
      Research and Dev 0.0
      Internal Audit 0.0
  • 132. “The adjusted risk profile shows upper and executive management is the greatest source of risk to the company.”
  • 133. external data
  • 134. “External data is not enough. It helps you benchmark your risk analysis, but the key to developing risk-focused controls is collecting your own internal data.”
  • 135. internal data
  • 136. company constituents
  • 137. “When you need unfiltered data about your company, you cannot rely on risk experts, because they don’t know what is happening with manager-level and line-level employees.” company constituents
  • 138. “You need to discover open secrets that everyone knows on the shop floor but that never reach management.” company constituents
  • 139. human laziness
  • 140. “Employees know who is lazy in their organization. They might not turn in their co-workers, but they will tell you the steps people skip.” human laziness
  • 141. human carelessness
  • 142. “Employees know who is careless in their organization. They might not turn in their co-workers, but they will tell you the mistakes people make.” human carelessness
  • 143. human dishonesty
  • 144. “Employees know who is dishonest in their organization. They might not turn in their co-workers, but they will tell you how people steal from the company.” human dishonesty
  • 145. risk experts
  • 146. ordinary employees
  • 147. “Ordinary employees are the real risk experts in your company.” ordinary employees
  • 148. formal risk assessment
  • 149. “A formal risk assessment is time consuming. It requires putting all your constituents in a room and having each of them teach you about the risks they see every day.” formal risk assessment
  • 150. risk inventory
  • 151. “Your risk assessment will produce a risk inventory - a list of every risk your employees identify.” risk inventory
  • 152. “Analyze the probability and magnitude of each item in your risk inventory to develop your company’s risk matrix.” risk inventory
  • 153. probability of occurrence
  • 154. magnitude of loss
  • 155. risk matrix
  • 156. “Once you develop your company’s matrix, you must select appropriate internal control methods to mitigate the risks.”
  • 157. internal controls methods
  • 158. 1. segregation of duties 2. retention of records 3. supervision or monitoring 4. information processing 5. authorization of transactions 6. top-level reviews 7. electronic security 8. physical security
  • 159. “But your work is not done. You also have to assess the effectiveness of your proposed controls.”
  • 160. effectiveness of controls
  • 161. cost of mitigating or avoiding
  • 162. “Every internal control has a price. It may be the financial cost to implement, or the loss of operational efficiencies due to burdensome process steps or procedures.” cost of mitigating or avoiding
  • 163. “Do not allow the cost of mitigation to exceed the value of the risk. You need to know the effectiveness of each internal control.” cost of mitigating or avoiding
  • 164. follow the money
  • 165. “Effectiveness is measured by the reduction in median losses of organizations with an internal control versus organizations without the same internal control.”
  • 166. effective loss reduction (reduction in median loss, organizations with the control versus without)
      Hotline 59.2%
      Employee Support Programs 59.0%
      Surprise Audits 51.5%
      Fraud Training for Managers/Execs 50.0%
      Fraud Training for Employees 50.0%
      Job Rotation/Mandatory Vacation 46.8%
      Code of Conduct 46.6%
      Management Review 40.0%
      Anti-Fraud Policy 40.0%
      External Audit of ICOFR 34.9%
      Internal Audit Department 30.6%
      Independent Audit Committee 30.0%
      External Audit of F/S 25.0%
      Management Certification of F/S 25.0%
      Rewards for Whistleblowers 23.2%
  • 167. “Hotlines were the most effective, but the top 5 internal controls yielded 50% or greater median loss reduction.”
  • 168. benefit of loss reduction (median loss per event, thousands of US dollars: with the control / without the control)
      Hotline $100 / $245
      Employee Support Programs $100 / $244
      Surprise Audits $97 / $200
      Fraud Training for Managers/Execs $100 / $200
      Fraud Training for Employees $100 / $200
      Job Rotation/Mandatory Vacation $100 / $188
      Code of Conduct $140 / $262
      Management Review $120 / $200
      Anti-Fraud Policy $120 / $200
      External Audit of ICOFR $140 / $215
      Internal Audit Department $145 / $209
      Independent Audit Committee $140 / $200
      External Audit of F/S $150 / $200
      Management Certification of F/S $150 / $200
      Rewards for Whistleblowers $119 / $155
  • 169. “Companies without hotlines suffered median losses of $245k per event. Companies with hotlines suffered only $100k median losses per event.”
  • 170. “Since hotlines have the greatest effective loss reduction, let’s do a quick case study to examine hotlines further and compare them with other sources of risk detection.”
  • 171. risk detection
  • 172. detection method (share of cases detected by each method)
      Tip 42.3%
      Internal Audit 14.3%
      Management Review 11.3%
      By Accident 8.9%
      External Audit 5.8%
      Account Reconciliation 5.5%
      Document Examination 4.4%
      Surveillance/Monitoring 2.7%
      Confession 2.4%
      Notified by Police 1.7%
      IT Controls 0.7%
  • 173. “Tips are the source of 42.3% of risk detection. They are the greatest detection source.”
  • 174. source of tips
      Employee 49.2%
      Customer 17.8%
      Anonymous 13.4%
      Vendor 12.1%
      Shareholder/Owner 3.7%
      Competitor 2.5%
      Perpetrator’s Acquaintance 1.8%
  • 175. “Employees are the greatest source of tips. But about half of all tips come from sources other than employees.”
  • 176. companies with hotlines (share of cases detected by tip)
      With Hotline 47.1%
      Tips Overall 42.3%
      No Hotline 33.8%
  • 177. companies without hotlines (share of cases detected by tip)
      With Hotline 47.1%
      Tips Overall 42.3%
      No Hotline 33.8%
      Difference, with hotline versus no hotline: 13.3%
  • 178. “Companies with hotlines receive 13% more tips than companies without.”
  • 179. importance of hotlines
  • 180. “Hotlines are the most effective internal control, reducing median losses by almost 60%. Tips are the number one source for detecting risk, resulting in 13% more tips.” “Why is this important?” importance of hotlines
  • 181. whistleblower bounties
  • 182. “Regulators are paying whistleblower bounties to get tips. If you don’t have a hotline, you are telling 13% of people with tips to take them somewhere else.” whistleblower bounties
  • 183. “They will follow the money.” whistleblower bounties
  • 184. follow the money
  • 185. “Follow the money, follow the risk.”
  • 186. recap
  • 187. effective internal controls
  • 188. 1. simple 2. effective 3. efficient
  • 189. 1. process 2. people 3. assurances 4. objectives
  • 190. 1. laziness 2. carelessness 3. dishonesty
  • 191. 1. segregation of duties 2. retention of records 3. supervision or monitoring 4. information processing 5. authorization of transactions 6. top-level reviews 7. electronic security 8. physical security
  • 192. risk focused
  • 193. objective data
  • 194. follow the money
  • 195. “Follow the money, follow the risk.”
  • 196. questions?
  • 197. get more from http://www.slideshare.net/ericpesik/
  • 198. License and Credits
      This presentation, excluding the images, is provided under creative commons attribution license. http://creativecommons.org/licenses/by/3.0/
      You are free to share, copy, distribute, and transmit this work; to remix, adapt this work; and to make commercial use of the work; under the condition that you attribute this work to me by including the following attribution “Effective Internal Controls by Eric Pesik. Used with permission,” and URL Link: http://www.slideshare.net/ericpesik/
      Microsoft Office Online: Except as noted below, all images in this presentation are from Microsoft Office Online. Used with permission from Microsoft: http://office.microsoft.com/en-us/images/
      Flickr Creative Commons: The following images are from flickr creative commons and are licensed and used under creative commons attribution license: http://creativecommons.org/licenses/by/2.0/deed.en
      Art Coffee House Waitress by Wonderlane http://www.flickr.com/photos/wonderlane/293137892/
      Waitress by Adikos http://www.flickr.com/photos/adikos/4319818916/
      Rutherford Grill by Neeta Lind http://www.flickr.com/photos/neeta_lind/2517034517/
      Serving Food by Adrian Nier http://www.flickr.com/photos/adriannier/4004167201/
      Donut Shop Owner by Robert Couse-Baker http://www.flickr.com/photos/29233640@N07/7104455917/
      Two chorizo burritos with cheese and sour cream by Rick http://www.flickr.com/photos/spine/1994814081/
      Waiter by Hans Van Den Berg http://www.flickr.com/photos/myimage/4353456304/
      Blue Telephone by UggBoy♥UggGirl http://www.flickr.com/photos/uggboy/5345135964/
      Association of Certified Fraud Examiners: All data is from the Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2010 Global Fraud Study based on 1,843 cases of occupational fraud that were reported by the Certified Fraud Examiners who investigated them. http://www.acfe.com
      Committee on Sponsoring Organizations of the Treadway Commission: The Internal Control — Integrated Framework was commissioned by the Committee on Sponsoring Organizations of the Treadway Commission. It establishes a common definition of internal control that serves the needs of different parties for assessing and improving their control systems. http://www.coso.org
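As an added example, not part of Eric Pesik's slides, the Python below reproduces the two calculations the deck describes from the figures printed on the slides: the adjusted risk profile of slides 117-124 (probability and magnitude combined and scaled to 10) and the effectiveness measure of slides 165-169 (reduction in median loss with a control versus without it). The combination rule, probability times median loss with the largest category scaled to 10.0, is an assumption because the deck does not state it; with that rule two categories (Non-Cash and Check Tampering) land 0.1 away from the slide values, presumably because the slide's percentages are rounded.

```python
# Added example (not from the slides). Input tables are transcribed from the
# deck's ACFE Asia figures; the scoring rule is an assumption, see comments.
from typing import Dict, List, Tuple

# Slide 118: frequency of each fraud category, percent of cases.
PROBABILITY_PCT: Dict[str, int] = {
    "Financial Statement": 7, "Corruption": 51, "Billing": 19, "Non-Cash": 19,
    "Check Tampering": 7, "Cash Larceny": 9, "Skimming": 13, "Expense Account": 14,
    "Payroll": 4, "Cash on Hand": 11, "Cash Register": 2,
}

# Slide 121: median loss per event, thousands of US dollars.
MEDIAN_LOSS_K: Dict[str, int] = {
    "Financial Statement": 1730, "Corruption": 175, "Check Tampering": 131,
    "Billing": 128, "Cash Larceny": 100, "Non-Cash": 90, "Payroll": 72,
    "Skimming": 60, "Expense Account": 33, "Cash on Hand": 23, "Cash Register": 23,
}

# Slide 168 (subset): median loss per event, thousands USD, (with, without) control.
CONTROL_LOSS_K: Dict[str, Tuple[int, int]] = {
    "Hotline": (100, 245),
    "Employee Support Programs": (100, 244),
    "Surprise Audits": (97, 200),
    "Code of Conduct": (140, 262),
    "Internal Audit Department": (145, 209),
    "Rewards for Whistleblowers": (119, 155),
}


def adjusted_risk_profile(prob_pct: Dict[str, int],
                          loss_k: Dict[str, int]) -> List[Tuple[str, float]]:
    """Score each category 0-10, highest risk first.

    ASSUMED rule: raw = probability * median loss (an expected loss per event),
    then raw / max(raw) * 10, rounded to one decimal. Integer percent and
    dollar inputs keep the products exact before the single division.
    """
    raw = {c: prob_pct[c] * loss_k[c] for c in prob_pct}
    top = max(raw.values())
    scored = [(c, round(v / top * 10, 1)) for c, v in raw.items()]
    return sorted(scored, key=lambda cv: cv[1], reverse=True)


def loss_reduction(with_k: int, without_k: int) -> float:
    """Slide 165: percent reduction in median loss attributable to a control."""
    if without_k <= 0:
        raise ValueError("median loss without the control must be positive")
    return round((without_k - with_k) / without_k * 100, 1)


def rank_controls(table: Dict[str, Tuple[int, int]]) -> List[Tuple[str, float]]:
    """Controls ordered by effective loss reduction, most effective first."""
    ranked = [(name, loss_reduction(w, wo)) for name, (w, wo) in table.items()]
    return sorted(ranked, key=lambda nv: nv[1], reverse=True)


if __name__ == "__main__":
    print("adjusted risk profile")
    for category, score in adjusted_risk_profile(PROBABILITY_PCT, MEDIAN_LOSS_K):
        print(f"  {category:20s} {score:5.1f}")
    print("effective loss reduction")
    for name, pct in rank_controls(CONTROL_LOSS_K):
        print(f"  {name:28s} {pct:5.1f}%")
```

The same two functions apply unchanged to a company's own risk inventory (slide 151) once probability and magnitude have been estimated per item, which is where the deck says the matrix should actually be built.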