Why internal controls matter?

Transcription

1 Why internal controls matter? Vienna, 18 November, 2014 Kalina Sukarova, Senior Financial Management Specialist, and Carla Loum, Consultant, Centre for Financial Reporting Reform, World Bank

2 Open discussion: Some of your comments When it comes to SMEs, the controls are not well organized / components are not so clear. Typical issues within SMEs: The owner is also the manager and he is taking everything under his own control Lack of segregation of duties when the number of accounting or admin staff is very small (risk that some procedures are not followed and fraud risk as well); Owner is requesting information daily but systems may not be in place to perform real time capture of data; Significant amounts of payments are made in cash, which increases risk of proper and complete recording 2

3 Open discussion: Some of your comments (continued) Internal control is fundamental to every business organization, however there is a need to scale down internal control to fit company size and avoid time-consuming and costly compliance efforts. Effective internal control also creates a competitive advantage as an organization with effective controls can take on additional risk Some examples when internal controls failed in state owned companies: Failure to check if consolidation information is complete due to using simple excel spreadsheet without sufficient completeness checks; Employees lack the qualifications and training to fulfill their assigned functions (lack of training) 3

4 Open discussion: Some of your comments (continued) Proper internal controls will provide management with reliable source of information based on which adequate business decisions will be made Real life example of internal control deficiency leading to fraud: cash paid loans to non existing customers (wrong customer names and IDs used). The treasurer and loan approval officer colluded in the fraud together. There was lack of back up controls as the loan approval officer both approved and kept supporting documentation of the loan files. Also, all loans paid where cash transactions. Finally there was low capacity in the internal audit function. The fact remains that from the auditors perspective in smaller entities, reliable controls may not exist (or their performance is not documented). In these cases a primarily substantive approach may be the only acceptable alternative. 4

5 Open discussion: Some of your comments (continued) We have observed cases in practice when no evidence of review of activities has been available and the auditor is not able to use this control activity to plan and design audit procedures. IT controls and password protection need to be observed Good internal controls can prevent fraud more effectively then any external audit can A good system of internal control can help auditors also to perform an efficient and effective audit and reduce costs Very often the employees are not aware of the benefits linked to internal controls and therefore in practice the individual controls are not implemented consistently or properly 5

6 Open discussion: Some of your comments (continued) Lack of internal control very often leads to fraud, however event in best companies fraud often appears due to management override of controls Positive example: front office gave a go ahead suggestion to management to acquire shares of a foreign issuer; compliance control gave an opinion not to proceed with the suggestion as statutory investment limits would be breached. Management followed the regulatory limits. Thank you for your inputs! 6

7 Presentation on a real life lesson from a $8 million fraud The presentation has been developed using the following source : «Lessons from an $8 million fraud» from Journal of Accountancy of the American Institute of Certified Public Accountants Nathan J. Mueller was a former employee in ING s reinsurance division who embezzled nearly $ 8.5 million from ING over four years and three months. His fraud is noteworthy because of : the millions of dollars involved and the length of time the scheme went undetected. And his scheme was made possible by a breach of controls. 7

8 Short presentation of the scenario Mueller was the accounting manager in his division He requested 99 checks for pseudo companies with names similar to ING clients. He kept his fraud concealed by posting the debits to a ledger accounts of his choosing (accounts that had a lot of reconciliation activity). Evidence that he was living far beyond his means didn t voiced any concerns for years. He was finally caught because of suspicions of fraud. 8

9 How this fraud was made possible 9

10 How to prevent and detect similar schemes Fraud prevention activities involve: Maintaining an organizational culture of honesty and high ethical standards Assessing fraud risk Reducing the opportunities to commit fraud Organization s hiring policy Authentication controls : identify the person accessing the accounting system and ensure that only legitimate users can access it Authorization controls : restrict the access to certain classes of information and capabilities 10

11 How to prevent and detect similar schemes Processing controls : ensure that data is processed correctly and that obvious errors are not processed Physical safeguards : ensure that employees who can request or approve payments can not access the printed checks Segregation of duties : separates operational responsibility from recordkeeping responsibilities Fraud awareness training : reminds employees that fraud is real and that it could be happening in their departments Anonymous fraud reporting channel such as third-party hot line 11

12 Thank you Q&A 12