Common internal audit findings & how to avoid them
1. Common Internal Audit Findings & How to Avoid Them
April 6, 2016, 10:00 am – 12:00 pm
Workshop Conducted by: Surajit Datta
2. 1. Internal Audit
2. Internal Controls
3. Elements of Internal Controls
4. Audit Findings
5. Common Internal Audit Findings
6. Fraud Indicators
7. How to Avoid Audit Findings
Topics
IAD Workshop - 2016
3. Internal Audit
The Institute of Internal Auditors defines Internal Auditing as…
"An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
4. • 2002 – Enron
• Billions of dollars of market value erased. Thousands of jobs lost. Savings wiped out. The Enron failure demonstrated a failure of corporate governance, in which internal control mechanisms were short-circuited by conflicts of interest that enriched certain managers at the expense of the shareholders.
• 2008 - $500 million loss by Merrill Lynch
“several mitigating internal controls were not operating effectively and therefore failed to identify the intercompany difference that resulted in the huge loss” - Deloitte.
Effects of Internal Control Failures
5. A process designed to provide reasonable assurance about the achievement of an entity’s
objectives concerning:
Financial reporting
Effectiveness of operations
Compliance with laws and regulations
What are Internal Controls
6. What are Internal Controls
FINANCIAL
1. Promotes integrity of data used in making business decisions
2. Assists in fraud prevention and detection through the creation of an auditable trail of evidence
COMPLIANCE
Helps maintain compliance with laws and regulations through periodic monitoring
OPERATIONAL
1. Promotes efficiency and effectiveness of operations through standardized processes
2. Ensures the safeguarding of assets through control activities
Effective internal controls prevent fraud, waste, and abuse
Develop internal controls to address the risks identified during your “risk assessment process”
Review and adjust your control activities to ensure they are working
7. Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
5 Elements of Internal Controls
8. Tone at the Top
Commitment to Competence
Management’s Philosophy/Integrity
Management’s Direction/Assignment of Responsibility
Human Resources Policies and Procedures
Control Environment
9. Identify the Risks to Achievement of aswaaq’s Objectives in relation to:
Reporting
Financial (Cash Management)
Operational
Compliance (with laws and regulations)
Prioritize them (Probability X Impact)
Develop a plan to manage them (Risk Response / Mitigation Action plans or BCPs)
Risk Assessment
10. Specific to the company’s operation and may include the following:
Policies and procedures to protect against fraud, waste, and abuse
Authorizations and approvals (DOA)
Verifications (Internal Checks, Checklists, etc.)
Reconciliations
Segregation of duties
Review operational performance
Control Activities
11. Financial Reporting
Operational Reporting
Accounting Manual
Compliance Reporting
Codes of Conduct
Keep the communication lines open
Information & Communication
12. Budget to Actual
Internal Audits
Reconciliations to General Ledger
Management review of controls
Review of exception reports
External Audit
Audit Committee
Monitoring
13. Audit Findings
Risk assessment
Corrective action required
Audit recommendation
A management opportunity
Risk response / risk mitigation action plans
Result of Audits
14. Financial misstatement
Control weakness
Policy or other rule violations
Other issues identified during the audit
Audit findings – What are they?
15. Internal Control failure profile
Error: 4%
Weak Monitoring & Control: 25%
Non-compliance: 31%
Others: 27%
Process design: 10%
SOD: 3%
weaknesses which may put some of the company objectives at risk that are primarily due to-
compliance inconsistencies with established policies and procedures
ineffective process design, and
weak monitoring
16. 1. Non-compliance with established company policy or statutes
2. Process execution not following the established DOA
3. Segregation of Duties (SOD) Conflict
Ensure tasks and process flows have a check and balance.
For example: A person who is responsible for collecting payments should not be responsible for creating
the deposit and reconciling to source documents.
4. Lack of sufficient supervision / monitoring
5. Lack of Awareness of Company Policies
Common Internal Audit Findings
17. 6. Lack of Written Policies and Procedures (Departmental)
Major business transactions and related internal controls of a department's operations should be clearly
documented, periodically reviewed and updated.
7. Lack of Formally Documented Approvals
Evidence should be maintained to document independent approvals (e.g. reconciliations,
departmental financial statements, etc.)
8. Unbudgeted expense
9. Absence of Supporting Documentation
Transactions should be appropriately supported by documentation.
For example:
Journal Entries: Purpose, related source documents, approvals
Purchases: Requisition, competitive bidding, purchase order, invoice, approvals
Common Internal Audit Findings
18. 10. Lack of Proper Safeguarding of Assets
11. Inappropriate Information Security Access
Critical or sensitive information should be appropriately restricted based on job duties.
12. Inaccurate Financial Reporting
Examples include:
Expenses:
Invoices: Not recorded as a liability upon commitment
Overtime: Not approved timely
Revenues:
Receivables: Not recorded in books (booked when cash is received)
Income: Recorded as an offset to an expense account rather than to an income account
Common Internal Audit Findings
19. 1. One person in control
2. No separation of duties
3. High turnover of personnel
4. Unexplained entries in records
5. Unusually large amounts of payments for cash
6. Inadequate or missing documentation
7. Altered records (white-out, copies of documents, etc.)
8. Non-serial number transactions
9. Inventories and financial records not reconciled
Fraud Indicators
20. Fraud Indicators
10. Lack of internal controls/ignoring controls
11. Repeat audit findings
12. Unauthorized transactions
13. Ability to get around internal controls that prevent or detect fraud
14. Inability to judge quality of performance
15. Lack of an audit trail
16. Failure to discipline prior fraud perpetrators
21. Internal Audit Report
Read it and discuss with IAD
Understand the problem
Understand the recommended corrective action
Plan the corrective action steps
Develop the overall corrective action plan
Assign overall responsibility
Assign specific action step responsibilities
Establish a time line
Follow up – sustained attention
Verify completion and effectiveness
Report to management
How to Avoid Audit Findings
22. Establish Policies and Procedures
• Write them
• Follow them
• Review and update them as needed
Establish Internal Controls
• Financial
• Operational
• Compliance
• Cash Management
How to Avoid Audit Findings