Day in the life of an Internal Auditor

Alka Abbi Tomar

Agenda

My journey… Internal Audit Sarbanes Oxley

Journey thus far…

Remote AuditsOn-site Audits

INDEPENDENT FUNCTION

Responsibilities include Assist management with SOX 404 compliance Conduct Internal Audits Investigations

My role

Director Internal Audit/SOX

VP Finance, Corporate Controller

Audit Committee(BoD)

COSO Framework (New)

Source: sox-online.com

COSO Framework (old)

MONITORING

INFORMATION AND COMMUNICATION

CONTROL ACTIVITIES

RISK ASSESSMENT

CONTROL ENVIRONMENT

OPERATIONS

FINANCIA

L

REPORTING

COMPLIA

NCE

UN

IT A

UN

IT B

AC

TIV

ITY

1A

CT

IVIT

Y 2

AC

TIV

ITY

3

Span of Internal Control

Co

mp

on

en

ts o

f In

tern

al

Co

ntr

ol

Foundation - Discipline and Structure

Identification and Analysis of Risks

Policies and Procedures

Oversight of Entity / Process

SOX

Internal Audit

Internal Audit

Thoughts about IA profession

Not the police

Based on LOGIC and COMMON SENSE

Global profession

Foundation is Ethics & Integrity

Duty to the Company & its stake holders

Part of an Organization Partnership - No longer the ‘gottcha approach’

but still INDEPENDENT

Spans all areas of the organization Finance & Accounting

Operations

HR

Sales and Marketing

Compliance

IT

What is Internal Audit

Internal auditing is an independent, objective assurance and consulting activity

designed to add value and improve an organization's operations. It helps an

organization accomplish its objectives by bringing a systematic, disciplined

approach to evaluate and improve the effectiveness of risk management, control,

and governance processes.

Internal Audit Functioning

Internal Audit Department Charter Approved by Audit Committee

Annual Process Internal Audit Risk Assessment Selection of Audits Conduct Audits Conduct investigations Assist with compliance efforts such as SOX

Internal Audit Risk Assessment

Get inputs key members of the management team Review financial results, business and process

documentation, corporate strategic initiatives during current and prior years

Consider industry best practices

Inherent risk of business activity Current and anticipated business changes Financial/transaction significance and trends Current control environment: staffing, policies, culture,

changes Degree of legal/regulatory compliance requirements

Summarize results of business activity risk assessments based on Significance and Likelihood

Test conclusions with the Audit Committee Finalize internal audit plan for the year

AssessBusiness

Develop

Plan

ConsiderRisks

Audit Methodology

1. Planning Objective Background Scope Design Audit Plan Resources & timing

2. Fieldwork Execute Audit Plan Discuss findings with process owner Obtain management remediation action

3. Reporting Top Management Audit Committee

Examples of audits

Finance and Accounting Expense Audits Revenue Recognition Vendor Audit

Operations Inventory Reverse Logistics

Sales and Marketing Channel Partner Audit Marketing Fund Audit

Compliance Audit Environment Audits

Country Audit IT Security Audit   Human Resources

Overtime laws Health Committee Free medical check-ups

Audit Techniques

Interviews Analytical Email reviews / other forensic tools Substantive sample testing Continuous monitoring

Example 1: Country Audit

Audit Objective: Based on understanding of the location’s business activities, the country

Audit will include the following areas:

1. Revenue Ensure orders were supported and booked properly, and revenue was recognized appropriately

2. Operating Expenses and Expense Reimbursement To ensure company expenditures incurred were legitimate expenses, and were processed

according to company policies and appropriate documentation maintained. Accounts Payable Vendors Payroll

3. Balance Sheet Accounts and Reconciliations To ensure that balance sheet accounts have been properly reconciled with adequate supports

and to search for unrecorded liabilities Cash Accounts Receivable Fixed Assets Liabilities

4. Segregation of Duties

5. Channel Sales Review

6. Compliance Review

Example 2: Country Audit

Key Audit Steps taken: Interviewed key process owners to understand the processes Obtain process documents and policies Data Analytics to identify areas of focus Sample testing of areas identified Separate steps for each area

Example 2: Country Audits

Revenue Objective

Ensure orders were supported and booked properly, and revenue was recognized appropriately

Audit Procedures1. Review P&L and customer reports

Revenue composition Major customers Unusual fluctuations

2. Local Order to collection process3. Detailed sample testing for

Supporting documents (customer PO, shipping docs, etc) – booking accuracy Proper cut-off

Shipping terms Compliance with revenue recognition criteria – Based on Corporate (US)

Fees are fixed and determinable Persuasive evidence of agreement Delivery of goods Collectability reasonably assured

Example 2: Country Audit

Channel Partner Review Objective

Channel stuffing Related party transactions FCPA compliance Sales Returns

Audit Procedures Review list of channel partners and sales reports

Volume Discount Growth Rebates Sales returns

Review agreements with Channel Partners Interview with Channel partners

Example 2: Country Audit

Key Findings: Revenue

Cut-off evidence of shipment not available; revenue recognized in the wrong period

Segregation of duties: AR Accountant – applies cash; credits; collection calls Channel Partner

Related party transactions Channel stuffing

Operating Expenses and Expense Reimbursement Accounts Payable

Potential misappropriation funds -petrol cards Non compliance with Spending policy Leased property was subleased – not properly accounted for

Payroll Terminated employees were paid Segregation of duties Payroll vs GL reconciliation not performed Payroll consultant handled competitor payroll

Balance Sheet Accounts and Reconciliations Bank: Segregation of duties Fixed Assets:

No confirmation of offsite assets No confirmations of demos, etc

Example 2: Reverse Logistics Audit

In simple language…goods returned Audit Objective:

To verify that goods returned are accounted for appropriately Key Audit Steps taken:

Interviewed key process owners to understand the process Where are returns received? Who receives them? How is it supposed to be captured in the system Are items scrapped or refurbished? How are both scrap and refurbished items documented and traced Are there any known issues or areas of improvement

Obtained list of assets returned in the books of accounts Surprise visit of the warehouse for physical count Compared actual inventory with books of accounts Observe security of warehouse

Example 2: Reverse Logistics Audit

Key Findings Management had a project team to reconcile differences between goods

that were scheduled to be received/ received and goods actually received – had been in place for a few years

Physical count of goods returned was never conducted Access to goods returned area was not restricted Physical count observations

Goods indicated as received were not in the warehouse Goods not on the list were in the warehouse Goods of a different Company were mistakenly received by the Company Items which were scrapped in the books were still in warehouse Items sent for internal use (for R&D) could not be traced to location Goods received had not been entered in the system for upto a week as

research was ongoing on the order, etc

Example 2: Reverse Logistics Audit

Management Remediation Warehouse area was redesigned Full physical count of goods returned was conducted and differences written off Access to goods returned area was restricted to responsible personnel Formal process was established to track

Scrap Items circulated internally

Items received were recorded in the system the date of receipt Goods received but not identified were recorded in the system Once identified to a specific sales order, it was transacted out of this ‘suspense’ account Bar coding/ scan was being established

Fraud

Fraud

Not a part of an Internal Audit Helps with prevention Sometime with detection

Investigations Revenue Recognition Check fraud Related party transactions Petrol card fraud FCPA (foreign corrupt practices act)

Fraud Triangle

Pressure/IncentivePressure/Incentive

OpportunityOpportunity RationalizationRationalization

Sarbanes Oxley Compliance

What is Sarbanes-Oxley or SOX?

Sarbanes-Oxley Act was passed in 2002

Section 301: Whistleblower policy

Section 302: Quarterly Disclosure of control effectiveness

Section 404: Annual Internal Control over Financial reporting (ICFR) reportSection 404: Annual Internal Control over Financial reporting (ICFR) report

Section 906: Criminal penalties

SOX 404 Objective

Improve Corporate Governance Increase Transparency Enhance Internal control over financial reporting (ICFR)

Management requirement Document processes and controls Evaluate design and operation of controls Report on the effectiveness of its ICFR

Reliability on Financial Reporting (10-K)Reliability on Financial Reporting (10-K)

How does SOX404 impact a Company?

Annual

10-K

SEC ReportingSEC Reporting

Management ReportingManagement Reporting

External AuditExternal Audit

Share PriceShare PriceSOX 404 Compliance

External AuditExternal Audit

SOX 404 Methodology

PlanningPlanning Internal Control over Financial Reporting AssessmentInternal Control over Financial Reporting Assessment ReportingReporting

Risk Assessment

Significant Accounts Scoping (identify processes in scope)

Location Scoping

Materiality

Assess current state

Evaluate design of controls

Validate and update critical process documentation

Narratives

Risk and Control Matrices

Test Plans

Walkthroughs

Tests of key controls

Design solutions for control gaps

Implementation of solutions for control gaps by management

Retesting of remediated controls

Self Assessment

Assessment of deficiencies

SOX 404 - Management Certification

Jan-Mar 2011 Apr- June 2011 June – Oct 2011 July – Dec 2011 Jan – Feb 2012

Questions?