Day in the Life of an Internal Auditor - Alka Abbi Tomar
Post on 21-Dec-2015
Day in the life of an Internal Auditor
Alka Abbi Tomar
Agenda
My journey…
Internal Audit
Sarbanes Oxley
Journey thus far…
Remote Audits
On-site Audits
INDEPENDENT FUNCTION
Responsibilities include:
  Assist management with SOX 404 compliance
  Conduct Internal Audits
  Investigations
My role
Director Internal Audit/SOX
VP Finance, Corporate Controller
Audit Committee(BoD)
COSO Framework (New)
Source: sox-online.com
COSO Framework (old)
MONITORING
INFORMATION AND COMMUNICATION
CONTROL ACTIVITIES
RISK ASSESSMENT
CONTROL ENVIRONMENT
[Figure: COSO cube. Top face: OPERATIONS, FINANCIAL REPORTING, COMPLIANCE. Side face: UNIT A, UNIT B, ACTIVITY 1, ACTIVITY 2, ACTIVITY 3. Axis labels: Span of Internal Control; Components of Internal Control.]
Foundation - Discipline and Structure
Identification and Analysis of Risks
Policies and Procedures
Oversight of Entity / Process
SOX
Internal Audit
Internal Audit
Thoughts about IA profession
Not the police
Based on LOGIC and COMMON SENSE
Global profession
Foundation is Ethics & Integrity
Duty to the Company & its stakeholders
Part of an Organization Partnership - No longer the ‘gotcha approach’ but still INDEPENDENT
Spans all areas of the organization:
  Finance & Accounting
  Operations
  HR
  Sales and Marketing
  Compliance
  IT
What is Internal Audit
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.
Internal Audit Functioning
Internal Audit Department Charter
  Approved by Audit Committee
Annual Process
  Internal Audit Risk Assessment
  Selection of Audits
  Conduct Audits
  Conduct investigations
  Assist with compliance efforts such as SOX
Internal Audit Risk Assessment
Get inputs from key members of the management team
Review financial results, business and process documentation, corporate strategic initiatives during current and prior years
Consider industry best practices
Inherent risk of business activity
Current and anticipated business changes
Financial/transaction significance and trends
Current control environment: staffing, policies, culture, changes
Degree of legal/regulatory compliance requirements
Summarize results of business activity risk assessments based on Significance and Likelihood
Test conclusions with the Audit Committee
Finalize internal audit plan for the year
[Figure labels: Assess Business; Consider Risks; Develop Plan]
Audit Methodology
1. Planning
  Objective
  Background
  Scope
  Design Audit Plan
  Resources & timing
2. Fieldwork
  Execute Audit Plan
  Discuss findings with process owner
  Obtain management remediation action
3. Reporting
  Top Management
  Audit Committee
Examples of audits
Finance and Accounting
  Expense Audits
  Revenue Recognition
  Vendor Audit
Operations
  Inventory
  Reverse Logistics
Sales and Marketing
  Channel Partner Audit
  Marketing Fund Audit
Compliance Audit
  Environment Audits
Country Audit
IT Security Audit
Human Resources
  Overtime laws
  Health Committee
  Free medical check-ups
Audit Techniques
Interviews
Analytical
Email reviews / other forensic tools
Substantive sample testing
Continuous monitoring
Example 1: Country Audit
Audit Objective: Based on understanding of the location’s business activities, the country Audit will include the following areas:
1. Revenue
  Ensure orders were supported and booked properly, and revenue was recognized appropriately
2. Operating Expenses and Expense Reimbursement
  To ensure company expenditures incurred were legitimate expenses, and were processed according to company policies and appropriate documentation maintained.
  Accounts Payable
  Vendors
  Payroll
3. Balance Sheet Accounts and Reconciliations
  To ensure that balance sheet accounts have been properly reconciled with adequate supports and to search for unrecorded liabilities
  Cash
  Accounts Receivable
  Fixed Assets
  Liabilities
4. Segregation of Duties
5. Channel Sales Review
6. Compliance Review
Example 2: Country Audit
Key Audit Steps taken:
  Interviewed key process owners to understand the processes
  Obtain process documents and policies
  Data Analytics to identify areas of focus
  Sample testing of areas identified
  Separate steps for each area
Example 2: Country Audits
Revenue
Objective
  Ensure orders were supported and booked properly, and revenue was recognized appropriately
Audit Procedures
1. Review P&L and customer reports
  Revenue composition
  Major customers
  Unusual fluctuations
2. Local Order to collection process
3. Detailed sample testing for
  Supporting documents (customer PO, shipping docs, etc) – booking accuracy
  Proper cut-off
  Shipping terms
  Compliance with revenue recognition criteria – Based on Corporate (US)
    Fees are fixed and determinable
    Persuasive evidence of agreement
    Delivery of goods
    Collectability reasonably assured
Example 2: Country Audit
Channel Partner Review
Objective
  Channel stuffing
  Related party transactions
  FCPA compliance
  Sales Returns
Audit Procedures
  Review list of channel partners and sales reports
    Volume
    Discount
    Growth
    Rebates
    Sales returns
  Review agreements with Channel Partners
  Interview with Channel partners
Example 2: Country Audit
Key Findings:
Revenue
  Cut-off: evidence of shipment not available; revenue recognized in the wrong period
  Segregation of duties: AR Accountant – applies cash; credits; collection calls
Channel Partner
  Related party transactions
  Channel stuffing
Operating Expenses and Expense Reimbursement
  Accounts Payable
    Potential misappropriation of funds - petrol cards
    Non-compliance with Spending policy
    Leased property was subleased – not properly accounted for
  Payroll
    Terminated employees were paid
    Segregation of duties
    Payroll vs GL reconciliation not performed
    Payroll consultant handled competitor payroll
Balance Sheet Accounts and Reconciliations
  Bank: Segregation of duties
  Fixed Assets:
    No confirmation of offsite assets
    No confirmations of demos, etc
Example 2: Reverse Logistics Audit
In simple language… goods returned
Audit Objective:
  To verify that goods returned are accounted for appropriately
Key Audit Steps taken:
  Interviewed key process owners to understand the process
    Where are returns received?
    Who receives them?
    How is it supposed to be captured in the system?
    Are items scrapped or refurbished?
    How are both scrap and refurbished items documented and traced?
    Are there any known issues or areas of improvement?
  Obtained list of assets returned in the books of accounts
  Surprise visit of the warehouse for physical count
  Compared actual inventory with books of accounts
  Observed security of warehouse
Example 2: Reverse Logistics Audit
Key Findings
  Management had a project team to reconcile differences between goods that were scheduled to be received/ received and goods actually received – had been in place for a few years
  Physical count of goods returned was never conducted
  Access to goods returned area was not restricted
  Physical count observations
    Goods indicated as received were not in the warehouse
    Goods not on the list were in the warehouse
    Goods of a different Company were mistakenly received by the Company
    Items which were scrapped in the books were still in warehouse
    Items sent for internal use (for R&D) could not be traced to location
    Goods received had not been entered in the system for up to a week as research was ongoing on the order, etc
Example 2: Reverse Logistics Audit
Management Remediation
  Warehouse area was redesigned
  Full physical count of goods returned was conducted and differences written off
  Access to goods returned area was restricted to responsible personnel
  Formal process was established to track
    Scrap
    Items circulated internally
  Items received were recorded in the system on the date of receipt
  Goods received but not identified were recorded in the system
  Once identified to a specific sales order, it was transacted out of this ‘suspense’ account
  Bar coding/ scan was being established
Fraud
Not a part of an Internal Audit
Helps with prevention
Sometimes with detection
Investigations
  Revenue Recognition
  Check fraud
  Related party transactions
  Petrol card fraud
  FCPA (Foreign Corrupt Practices Act)
Fraud Triangle
Pressure/Incentive
Opportunity
Rationalization
Sarbanes Oxley Compliance
What is Sarbanes-Oxley or SOX?
Sarbanes-Oxley Act was passed in 2002
Section 301: Whistleblower policy
Section 302: Quarterly Disclosure of control effectiveness
Section 404: Annual Internal Control over Financial reporting (ICFR) report
Section 906: Criminal penalties
SOX 404 Objective
Improve Corporate Governance
Increase Transparency
Enhance Internal control over financial reporting (ICFR)
Management requirement
  Document processes and controls
  Evaluate design and operation of controls
  Report on the effectiveness of its ICFR
Reliability on Financial Reporting (10-K)
How does SOX404 impact a Company?
[Figure labels: Annual 10-K; SEC Reporting; Management Reporting; External Audit; Share Price; SOX 404 Compliance]
SOX 404 Methodology
Planning
Internal Control over Financial Reporting Assessment
Reporting
Risk Assessment
Significant Accounts Scoping (identify processes in scope)
Location Scoping
Materiality
Assess current state
Evaluate design of controls
Validate and update critical process documentation
Narratives
Risk and Control Matrices
Test Plans
Walkthroughs
Tests of key controls
Design solutions for control gaps
Implementation of solutions for control gaps by management
Retesting of remediated controls
Self Assessment
Assessment of deficiencies
SOX 404 - Management Certification
Jan - Mar 2011; Apr - June 2011; June - Oct 2011; July - Dec 2011; Jan - Feb 2012
Questions?