
Internal Controls and Audit Training Guide

The document outlines the importance of internal controls and internal audits at Bio-Xin Cosmeceuticals, detailing their definitions, frameworks, and types. It emphasizes the role of internal controls in risk management, compliance, and the reliability of financial reporting, while also addressing common myths and facts about internal controls. Additionally, it discusses the components of an effective internal control framework and the significance of audits in enhancing organizational efficiency and preventing fraud.

Uploaded by

Kamrul Rumi
Copyright
© All Rights Reserved

INTERNAL CONTROLS AND INTERNAL AUDIT TRAINING
Bio-Xin Cosmeceuticals
By Kamrul Islam
Manager - Internal Audit
INTERNAL CONTROLS

What do you think of when someone mentions Internal Controls?

• Fraud / Error
• Internal Audits
• Separation of duties
• Payment Mechanism
• SOPs
• SOA (Statement of Accounts) Reconciliation
INTERNAL CONTROL DEFINITION
Internal Control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:

1. Effectiveness and Efficiency of Operations
Processes are doing what they are intended to do (i.e., achieving their objectives), and doing so in an efficient manner, i.e., making good use of available resources.
Example: Underutilized Inventory or Slow Moving Inventories.

2. Compliance with Laws and Regulations
Actions are consistent with all applicable laws and regulations.
Example: VAT, TAX, Regulatory Requirements

3. Reliability of Financial Reporting
Accuracy and reliability of Financial Statements.
Example: Statement of Activity
INTERNAL CONTROL FRAMEWORK

Central Financial Processes
• Reviewed annually by external auditors
• Reviewed periodically by internal audit

Unit Financial Functions
• Highly decentralized process with individual control processes
• Relies heavily on institutional knowledge and often undocumented processes
• Oversight may rely on functional managers and other non-financial leadership

Optimized Control Environment
• Ongoing integrated process to connect central process owners with Units
Internal Controls Myths and Facts

MYTH: Internal control starts with a strong set of policies and procedures.
FACT: Internal control starts with a strong control environment.

MYTH: Internal control: That’s why we have internal auditors!
FACT: While internal auditors play a key role in the system of control, management is the primary owner of internal control.

MYTH: Internal control is a finance thing.
FACT: Internal control is integral to every aspect of business.

MYTH: Internal controls are essentially negative, like a list of “thou-shalt-nots.”
FACT: Internal control makes the right things happen the first time.

MYTH: Internal controls take time away from our core activities of research, instruction, and patient care.
FACT: Internal controls should be built “into,” not “onto” business processes.

Source: Institute of Internal Auditors, 2003


RISK AND INTERNAL CONTROLS

What are risks?


A risk is anything that could jeopardize:
• Achieving our goals
• Operating effectively and efficiently
• Protecting the Company’s assets from loss
• Providing reliable financial data
• Complying with applicable laws, policies, and procedures
RISK AND INTERNAL CONTROLS

Questions to ask yourself:


• What can go wrong?
• How could someone steal from us?
• What policies are we most affected by?
• What types of transactions in our area provide the
greatest risk?
• How can someone bypass the internal controls?
• What potential risk areas could cause adverse publicity?
RISK AND INTERNAL CONTROLS

• Assess risks
• What is likelihood of occurrence?
• What is potential impact?
[Figure: chart with axes "Likelihood of Occurrence" and "Impact"]
RISK AND INTERNAL CONTROLS

What could go wrong in your unit?


• Fire breaks out in research lab / branch
• Key system/application goes down
• Key employee calls in sick
• Media becomes aware of incident during treatment
• Safety or security incident with branch/clients/staff member
• Cash missing from departmental funds
• Employee serves known person inappropriately
KEY RISK AREAS
• Regulatory Compliance – All types
• Information Technology – Security, privacy, access
• Internal Operations – All types
• Client/Employment Safety – Stress, counseling, other workplace harassment
• Customer Satisfaction – Managing / Communication
TYPES OF INTERNAL CONTROLS

Controls can be either automated or manual
• Automated Controls – Incorporated into application logic / algorithms
• Example: System automatically searches for a matching PO before paying an invoice
• Manual Controls – Performed by individuals outside of the system or application
• Example: Supervisor’s signature on P-Card statement
TYPES OF INTERNAL CONTROLS
Controls can be either preventive or detective
Preventive Controls – Built into the process or system to avoid or minimize risk. They help make processes more efficient and can reduce the cost of corrective actions.
Example: Access Controls
• Only individuals with an approved ID can access SAP.
• Only approved individuals have access to the cash vault.
Detective Controls – Provide a process assessment to identify potential issues for further review.
• Example: Conduct bank reconciliation to identify timing gap or other issue with transactions.
• Example: Monthly stocktaking to confirm completeness and existence of the stock.
TYPES OF INTERNAL CONTROLS
While Automated Controls are generally more effective, Preventive Controls are typically more efficient.

[Figure: 2x2 grid. Vertical axis: Level of Reliability (Effective). Horizontal axis: Level of Economic Value (Efficient). Top row: Automated Detective, Automated Preventive. Bottom row: Manual Detective, Manual Preventive.]


TYPES OF INTERNAL CONTROLS

Controls - particularly related to information processing - support the following objectives or assertions:

• Completeness: All transactions are processed (once and only once)
• Accuracy: All transactions are processed correctly
• Validity: All transactions are authorized or approved by appropriate person
• Restrictiveness: Access to certain functions is restricted to appropriate persons
CAVR AND YOUR CHECKBOOK

When you reconcile your checkbook every month, you are going through the CAVR steps:

• Completeness: Did the bank process all the checks that I wrote this month?
• Accuracy: Did the bank process all the checks correctly - the right amount?
• Validity: Were all the checks processed by the bank written by me?
• Restrictiveness: Did someone else have access to my checkbook?
CAVR AND THE GROSS PAY REGISTER

• Completeness: All employees that should be in a unit, are in the unit
• Accuracy: The pay for a new hire starting in the middle of a month is correct
• Validity: Additional pay was approved by appropriate person
• Restrictiveness: Person processing changes in pay is not reconciling GPR
TYPES OF INTERNAL CONTROLS

[Table with columns Automated Controls (Preventive, Detective) and Manual Controls (Preventive, Detective), and rows Completeness, Accuracy, Validity, Restrictiveness; cells are empty]
BRANCH AUDIT COMMON CONTROL ISSUES

Cash Handling
• Petty cash management and reconciliation
• Credit card processing Payment mode
• Cash depositing – timely deposits

Purchasing
• Review of statements and expenses, authorization, personal expenditures
• Purchases over $5,000

Payroll / Timekeeping
• Returning signed timesheets
• Proper timesheet approval

Review / Approval of Expenses
• Travel and hosting – business purpose
• Proper review and approval by higher level
• Statement of Activity review / managerial or departmental review of expenses
THE FIVE COMPONENTS OF A STRONG INTERNAL CONTROL FRAMEWORK

Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.

Control Environment
• Sets tone of organization, influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

All five components must be in place for internal control to be effective.


Internal Control Framework

Control Environment
• General description: Sets tone of organization
• Examples of UM activity: Standard Practice Guides; Statement on Stewardship; Finance, Audit and Investment Committee

Risk Assessment
• General description: Identification and analysis of relevant risks
• Examples of UM activity: Internal Audit Risk Assessment; Risk Management, Compliance Offices

Control Activities
• General description: Policies and procedures that govern day-to-day activity
• Examples of UM activity: Purchase Approvals, Bank reconciliations, separation of duties, written procedures, access controls

Information and Communication
• General description: Flow of timely, accessible and pertinent information
• Examples of UM activity: Foundations of Supervision, metric reporting, management reviews, websites, annual performance reviews

Monitoring
• General description: Assessment of controls
• Examples of UM activity: Internal Audit, annual gap analysis, M-Reports, Oversight reports
WHAT IS FRAUD?

Fraud - Typically requires 3 key elements:
1) Did something bad/wrong - misrepresentation of facts
2) Done intentionally
3) Resulted in unauthorized personal gain
WHO COMMITS FRAUD?
Those having:
• Pressure - Usually caused by financial need or desire for lavish lifestyle
• Ability to rationalize – Make excuses and do not think of crime as stealing
• Opportunity – Typically arises from weak controls or too much independence/control given to someone
WHO COMMITS FRAUD?

Sometimes the best personnel;

Per the ACFE (Association of Certified Fraud Examiners) study:
• Majority of perpetrators were long-serving, middle-aged, male executives and managers
• Positive correlation exists between size of loss and perpetrator’s authority level, tenure, education level, age, and male gender
Source: 2006 ACFE Report to Nation on Occupational Fraud & Abuse - study of 1134 fraud cases
HOW DOES FRAUD OCCUR?
• Billing – Employee submits invoice for payment to bogus vendor or for personal expenses
• Non-cash – Employee steals office supplies, treatment or services, etc.
• Expense reimbursement – Employee files expense report claiming personal travel, nonexistent meals, etc.
• Skimming – Employee accepts payment from customer but does not record.
• Payroll – Employee takes unreported annual/sick leave, claims overtime for hours not worked, adds ghost employee to payroll.

Source: 2006 ACFE Report to Nation on Occupational Fraud & Abuse - study of 1134 fraud cases
HOW IS FRAUD DETECTED?

Tip - Testimony, Information, and Privileged Communication.

The sum of percentages in this chart exceeds 100% because in some cases respondents identified more than one detection method.

Source: 2008 ACFE Report to Nation on Occupational Fraud & Abuse - study of 959 fraud cases

INTERNAL CONTROLS AND EFFICIENCY

It’s not always about fraud:


• Controls help prevent/detect human error
• System input errors
• Automation can eliminate risk and increase efficiency
• Direct time entry eliminating hardcopy timesheets
• Redundant or unnecessary steps
• Reconciling GPR to SOA (Gross Pay Register (GPR) to a Statement of Account (SOA))
INTERNAL CONTROL VS INTERNAL AUDIT
• Internal Audit functions are considered to be a valuable element of Internal control, which provides assurance to the audit committee and management.
• As an organization grows it becomes more challenging to conduct frequent and economical first-hand monitoring of controls by management.
WE’RE HERE TO HELP!

• Identify Risks
• Find Better Ways and Best Practices
• Partner With You to Find Solutions
• Prevent Problems
AUDITABLE ENTITIES

WE DO AUDIT
• Operations and compliance
• Departments
• Branches/Factories
• Programs, Contracts
• Information Technology Systems
• Company-wide Processes

WE DO NOT AUDIT
• Specific individuals
PREVENTIVE MEASURES

• Make sure your controls are working


• Review and reconcile
• Check the work of your subordinates
• Don’t give in to the temptation to skip controls because you are busy!
WHAT IS INCLUDED IN THE AUDIT REPORT?

• What was found


• Why it happened
• What is required
• What effect it has
• Recommendation for improvement
• Response – who, when and how
WHAT HAPPENS AFTER THE AUDIT?

• FOLLOW-UP
• REVIEW CORRECTIVE ACTION
• REPORT TO AUDIT COMMITTEE
WHO AUDITS THE AUDITORS?

• We must have a peer review at least once every years


• Audit Committee
• Our Standards are set by the Institute of Internal Auditors and IFAC.
WE ARE HERE TO HELP

• We provide training
• Respond to policy and technical accounting questions
• Offer suggestions for improvement
• Advisory role
WE WANT TO KNOW HOW WE ARE DOING
• At the completion of each audit we will send an after-audit survey
• We want you to rate our performance
• Were we professional, helpful, timely and did we add value?
• Please take the time to give us your feedback.
THANK YOU
