Seminar Financial management risks and financial controls An update for internal auditors 20 May 2015

Upload: hakiet

Post on 05-May-2018



Chairman’s Welcome

Agenda

09.15-09.45 Registration and coffee

09.45-10.00 Welcome and opening remarks

10.00-10.45 Identifying and managing your financial risk
Kantilal Pithia, Senior Manager, Finance and Risk, Grant Thornton

10:30-11:15 Financial risks and financial control – the latest initiatives and developments
Martin Robinson, Training Development Adviser, Chartered Institute of Internal Auditors

11.30-11.45 Coffee

11.45-12.30 Focusing on the importance of accounting reconciliations, suspense accounts and journal voucher processing
Michel Schurer, Director Internal Audit, EMEA AP, Crawford and Company Claims Management

12.30-13.15 Managing fraud in accounting systems and accounting manipulation fraud
Alex Plavsic, Partner – Forensic, KPMG

13.15-14.00 Lunch

14.00-14.40 Internal audit and external audit – managing the organisation’s expectations
Chris Baker, Technical Development Manager, Chartered Institute of Internal Auditors

14.45-15.30 Benchmarking workshop – a roundtable discussion on current practice on auditing financial systems
Martin Robinson, Training Development Adviser, Chartered Institute of Internal Auditors

15.30-15.45 Summary feedback and close

Identifying and managing your financial risk

© 2015 Grant Thornton UK LLP. All rights reserved.

Agenda

Financial risk landscape
• Financial risk balance
• Trilogy of risk, effect and response
• Risks across the landscape
• Key effects and response
• Influences on risk management

Managing financial risk
• Risk management governance
• Strategy, risk principles and objectives
• Risk culture, appetite and tolerance
• Risk management cycle

Financial Performance
• Achieving financial performance

Three lines of defence
• Three Lines of Defence in risk management

Summary
• Summary

Financial risk balance

How is equilibrium achieved?

[Figure labels: Shareholder Value; Financial results; Financial Risk]

Increasing demand from investors, shareholders, analysts and regulators for greater transparency of financial risk embedded in the organisation and results of risk assessments

Management of financial risk has been heavily influenced by the financial crisis in 2007/08

• Board of directors and senior executives are required to fully understand all financial risk within their organisation
• Link business model / strategy with financial risk and financial performance

A web of complex regulations, standards, policies and initiatives aimed at addressing the impact brought about by the crisis and requiring organisations to consider and manage financial risk

"EU to probe popular US sites over data use and search" (FT, April 2015)

"Healthy liquidity diet needed to survive future financial shocks" (FT, April 2015)

"CME suspends two gold futures traders" (FT, May 2015)

"Tesco takes first steps on long road to recovery" (FT, April 2015)

Trilogy of risk, effect and response

“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair”

Douglas Adams

Risks across the landscape

[Figure: risks across the landscape. Axis labels: internal risks; external risks; ability to influence and control. Groups: non-financial risks; financial risks; sector/macro risk. Risks shown: compliance risk; credit risk; operational risk; technology including cyber risk; legal and tax risk; business risk; reputational/brand risk; sovereign/country risk; market risk; liquidity and funding risk; pension risk.]

Key effects and response

Effect

Non-financial
• Brand tarnished
• Customer loss
• Control weaknesses / failures

Financial
• Insolvency / administration
• Large losses
• No dividend payments
• Balance sheet reductions
• Stagnation in business growth
• Inaccurate accounting and reporting

Organisation

Response
• Granular and new regulatory requirements
• Enhanced reporting and disclosures
• Enhanced board and executive governance
• New / revised accounting standards
• Compliance
• Risk framework and risk appetite
• Greater scrutiny
• Accountability and transparency
• Conduct / customer detriment
• Transaction reporting
• Volcker rule / Dodd Frank Act
• Recovery and resolution plans

Influences on risk management

[Figure: influences on risk management. Labels: sector / macro risks; non-financial risks; financial risks; enhanced board governance; risk management and framework; improved systems and controls; current external drivers; internal management; annual reports; strategic report; principal risk; capital and liquidity risk management; growing / future external impact; enhanced and more granular public disclosures; developed MI / reporting; emerging risk; strategic, holistic and forward looking views; new accounting standards / IFRS 9, 14 and 15; European directives; conduct and compliance; MiFID2; transaction reporting.]

Risk management governance

[Figure labels: Business Strategy / Model; Business Outcomes; Risk Framework; Risk Appetite; Risk Culture; Risk Tolerance; Risk Cycle (Identification, Monitoring, Assessment, Reporting, Management); Governance; Risk objectives; Risk principles]

The Board should be firmly committed to sound and prudent risk management practices that are aligned to achieving the organisation's strategic objectives.

The Board needs to consider the principal risks and uncertainties facing the organisation.

Strategy, risk principles and objectives

Risk Management Objectives
• All key risks to the achievement of strategic objectives are identified, assessed, managed and monitored across the organisation
• Key stakeholders have assurance that a framework is in place

Business Strategy is a long term plan of action designed to achieve a set of goals or objectives, "roadmap"

The Board is responsible for embedding a governance and policy framework designed to provide for appropriate control and monitoring consistent with the risk principles and objectives.

Risk Management Principles
• Responsibility clearly assigned and accepted
• Fully independent system of risk management established and maintained
• Effective escalation and incident management processes

Risk culture, appetite and tolerance

Risk appetite
• The risk appetite statement should be directly linked to the organisation's short and long term strategic plans
• Addresses the firm's material risk and establishes clear quantitative limits (measures of loss or negative outcomes) and qualitative statements for risk that are difficult to measure

Implementing an effective risk management framework requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives

Risk culture
• Risk culture is critical to successful risk management
• Defines values and behaviours that shape risk decisions
• Reinforces a clear and well communicated risk strategy and risk appetite
• Stresses the philosophy that all employees are responsible for the management of risk

Risk tolerance
• Allocation of the firm's aggregated risk appetite statement down the organisation: business line, legal entity, specific risk categories, concentrations and other levels
• Risk limits should be specific, measurable, frequency-based, reportable and based on forward looking assumptions

Risk management cycle

Risk Management
• Risk management or risk mitigation process requires identification of a range of options around managing individual risks
• Mitigation planning includes: mitigation, sharing, avoidance, transfer or acceptance

Risk management is the process of minimizing or mitigating the risk. It starts with the identification and evaluation of risk followed by optimal use of resources to monitor and minimize the risk

Risk Identification
• Identification of all risks which could have a material impact on the operation of the business and/or the achievement of the business’s strategy and objectives.
• Assess risks, both present now and potential future risks, that are both internal and external to the firm
• Regular internal business meetings assist in risk identification, and new risks may be identified through analysis of root causes of other (related) risks

Risk Assessment
• Develop an understanding of each risk, including cause, potential likelihood of occurrence and the impact
• Use an impact v likelihood matrix (probability) to quantify and prioritise the risk

Risk management cycle

Risk Monitoring
• Monitoring involves the on-going review of risks and mitigation strategies, and is key to ensuring risk mitigation priorities remain relevant as the business structure and strategy change.
• Risks are monitored through the reporting of KRI, through local business reporting and submissions to Risk Management, incident tracking and through maintenance of risk registers.

Risk reporting needs to provide actionable intelligence to decision makers and risk managers

Risk Reporting / Board MI
• Risk reporting to Board and senior executives incorporates Key Risk Indicators (KRI) that bring benefits to the organization
• Provide an indication of actual risk against the organisation's risk appetite and risk tolerance
• Provide a backward looking view on risk events, so lessons can be learned from the past
• Provide an early warning for potential emerging / horizon risk so proactive action can take place to mitigate / manage
• Balanced selection of risk indicators, covering performance indicators, lead indicators and trends
• Selected indicators should drill down to the root cause of the events

Achieving financial performance

Board and senior management
• Risk assessment begins and ends with specific strategic and business objectives
• Set defined performance targets and principal risks to delivery
• Evaluate risk-adjusted returns to the organisation

[Figure labels: Business strategy and model; Risk framework and risk appetite; Identify, assess and manage risk; Report and monitor; Budget; Actual v budgets; Actions taken; Forecasting; Business, division, legal entity and product]

The Three Lines of Defence in risk management

Summary

• Historically organisations viewed risk as a necessary evil to achieve higher returns and meet shareholder value
• In the current economic and regulatory environment, identifying, managing and exploiting risk across an organisation has become increasingly important to its financial success
• Regulators, shareholders, investors and analysts now scrutinize firms to understand the governance, controls and processes in place to identify and manage risk to an appropriate level for the organisation
• An effective risk assessment provides a clear view of variables to which the firm may be exposed, whether internal or external, retrospective or prospective

"Not everything that can be counted counts. Not everything that counts can be counted".

Albert Einstein

Kantilal Pithia

Telephone +44 (0)20 7865 2688

Mobile +44 (0)7500 761 351

Email [email protected]

Financial risks and financial control - the latest initiatives and developments

Martin Robinson

Topics to be covered

• Financial control
• Financial reporting
• COSO requirements
• Impact of Sarbanes Oxley
• Financial Reporting Council
• Accounting Standards
• International Accounting Standards Board
• Authorisation, segregation of duties and management review

Crawford & Company

Michel Schurer
Director Internal Audit EMEA AP

Financial Controls
Balance Sheet Reconciliations / Journal Vouchers / Suspense Accounts / Other

AGENDA

1. Overview - Control framework: Core vs. Non Core
2. Journal Vouchers
3. Suspense Accounts
4. Balance Sheet Reconciliations
5. Other

Career Summary: 25 years’ experience combining Internal Audit (15), Finance (5) and External Audit (5)

Crawford and Company, London, UK: Director Internal Audit, EMEA A/P
Koch Industries, London, UK: Director Internal Audit, Europe
Eisai Europe Ltd, London, UK: Director Internal Audit Europe
Russell Reynolds, London: International Financial Controller - Germany/Sweden
Unilever / Bestfoods, Germany / UK: Financial Controller / Audit Manager
Eaton Ltd, London, UK: International Internal Auditor
Deloitte & Touche, Gothenburg, Sweden: External Auditor

Education & Qualifications
CMIIA – Certified Oct 2007 (Institute of Internal Audit)
ACCA / FCCA – Qualified 2003. Elected Fellow – May 2008 (Chartered accountant)
University of Gothenburg / Sweden - Bachelor of Science in Business Administration, Options in Accounting and Finance

Personal
French / German dual nationality; Married – 3 children; Passionate Tennis player

Strategy - diversified claims services

History - founded 1941

Head office - Atlanta, USA

Employees - 8,700

Locations - 700 locations across 70 countries

Revenues - US$ 1.2b

Listed - NYSE

Crawford & Company WORLDWIDE

Unprecedented global catastrophes

27.02.10 – Chile: Earthquake

20.04.10 – Deepwater Horizon: Oil Spill

21.12.10 – Australia: Severe Flooding

02.02.11 – Australia: Cyclone Yasi

04.02.11 – Australia: Severe Flooding

05.02.11 – Australia: Bushfires

22.02.11 – New Zealand: Earthquake

11.03.11 – Japan: Earthquake & Tsunami

06.08.11 – UK Riots

--.10.11 -- Thailand: Floods

29.10.12 – Sandy

09.07.13 – Canada Floods

Overview Core vs Non Core

[Diagram labels: Subledgers: "Core" (Receivables, Payables ..); Journal Entries: "Non Core"; Suspense Accounts; GL; Adjustments (GAAP, IFRS, Tax ..); Final]

SEGREGATION OF DUTIES

• Segregation of duties (SOD) is one of the key concepts of internal controls.
• Contributes to an organization’s system of checks.
• The concept of segregation of duties is to separate the following responsibilities in each business process (CAR):
  • Custody of assets
  • Authorization
  • Record keeping
  • Reconciliation
• Ideally, no individual employee should handle more than one of the above-noted functions in a process. If not, compensating controls (preventative, detective or monitoring controls) should be considered, carried out by an independent, supervisory-level employee who does not have CAR responsibilities.

Journal Vouchers (JV)

Background
• Process entries that do not go through the “Core” underlying systems (which should have strong controls)
• JV = Draft voucher awaiting approval and posting.
• JE (Journal Entry) = Posted entry.
• Manual vs Automated Journal Entries.
• Think “CAR” and “SOD”.
• Custody of relevant accounts, Authorisation, Record keeping.

Step back
• What behaviours could be driven by the current situation?
  • Good year - understate assets / overstate liabilities.
  • Bad year – overstate assets / understate liabilities.
• What controls are in place and are they applied?
• How could controls be circumvented and is this tested?

Use common sense!!

Journal Vouchers (JV)

Characteristics of irregular entries
1. Not posted in GL (adjustment to final outside of books);
2. Made to unrelated, unusual or seldom-used accounts;
3. Made by individuals who typically do not make journal entries;
4. Recorded at the end of the period or as post-closing entries that have little or no explanation or description;
5. Made either before or during the preparation of the financial statements that do not have account numbers;
6. Round numbers or a consistent ending number;
7. To accounts containing complex / unusual items;
8. Contain significant estimates and period-end adjustments;
9. Prone to errors in the past;
10. Not reconciled timely or contain unreconciled differences;
11. Contain intercompany transactions;
12. Associated with an identified risk of material misstatement due to fraud.
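An added example, not part of the seminar slides: a Python screen over a journal population for characteristics 2, 3, 4 and 6 above, plus a preparer-equals-approver test for the SOD point. The field names, thresholds, usual-poster list and sample entries are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    posted_on: date
    period_end: date
    account: str
    amount: Decimal
    description: str
    prepared_by: str
    approved_by: str


# Assumed thresholds; an audit team would tune these to the ledger under review.
ROUND_UNIT = Decimal("1000")   # amounts that are exact multiples count as "round"
SELDOM_USED_MAX = 1            # account hit this many times or fewer in the population
CLOSE_WINDOW_DAYS = 2          # days before period end that count as "end of period"
MIN_DESCRIPTION_CHARS = 10     # shorter than this is "little or no explanation"
REPEATED_ENDING_MIN = 3        # same non-zero ending seen this often is "consistent"


def flag_entries(entries, usual_posters):
    """Return {je_id: [flags]} for flagged entries, most-flagged first."""
    account_use = Counter(e.account for e in entries)
    endings = Counter(abs(e.amount) % ROUND_UNIT for e in entries)
    findings = {}
    for e in entries:
        flags = []
        if account_use[e.account] <= SELDOM_USED_MAX:            # characteristic 2
            flags.append("seldom_used_account")
        if e.prepared_by not in usual_posters:                   # characteristic 3
            flags.append("unusual_poster")
        # Posted in the closing window or after period end (post-closing entry).
        near_close = (e.posted_on - e.period_end).days >= -CLOSE_WINDOW_DAYS
        if near_close and len(e.description.strip()) < MIN_DESCRIPTION_CHARS:
            flags.append("period_end_weak_description")          # characteristic 4
        ending = abs(e.amount) % ROUND_UNIT
        if ending == 0:                                          # characteristic 6
            flags.append("round_amount")
        elif endings[ending] >= REPEATED_ENDING_MIN:
            flags.append("repeated_ending")
        if e.prepared_by == e.approved_by:                       # SOD: no second pair of eyes
            flags.append("self_approved")
        if flags:
            findings[e.je_id] = flags
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


# Constructed sample population for the period ending 31 March 2015.
PE = date(2015, 3, 31)
USUAL_POSTERS = {"alice", "bob"}
SAMPLE = [
    JournalEntry("JE-001", date(2015, 3, 10), PE, "6100", Decimal("1842.17"),
                 "Monthly rent accrual March", "alice", "carol"),
    JournalEntry("JE-002", date(2015, 3, 12), PE, "6100", Decimal("2210.40"),
                 "Utilities accrual March", "alice", "carol"),
    JournalEntry("JE-003", date(2015, 3, 17), PE, "2300", Decimal("415.73"),
                 "Payroll tax true-up February", "bob", "carol"),
    JournalEntry("JE-004", date(2015, 3, 20), PE, "2300", Decimal("990.05"),
                 "Payroll tax true-up March", "bob", "carol"),
    JournalEntry("JE-005", date(2015, 3, 31), PE, "9990", Decimal("250000.00"),
                 "adj", "dave", "dave"),
    JournalEntry("JE-006", date(2015, 4, 2), PE, "6100", Decimal("4318.62"),
                 "", "alice", "carol"),
    JournalEntry("JE-007", date(2015, 3, 14), PE, "2300", Decimal("4999.00"),
                 "Supplier rebate reclass A", "bob", "carol"),
    JournalEntry("JE-008", date(2015, 3, 15), PE, "2300", Decimal("7999.00"),
                 "Supplier rebate reclass B", "bob", "carol"),
    JournalEntry("JE-009", date(2015, 3, 16), PE, "6100", Decimal("2999.00"),
                 "Supplier rebate reclass C", "alice", "carol"),
]

if __name__ == "__main__":
    for je_id, flags in flag_entries(SAMPLE, USUAL_POSTERS).items():
        print(je_id, ", ".join(flags))
```

A flag is a prompt to pull the voucher and its support, not a finding in itself; characteristics such as entries kept outside the GL cannot be seen from the GL extract at all.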

Suspense Accounts

Double-entry bookkeeping implies that all transactions appear in at least two accounts or more and must balance each other. You receive goods, a supplier invoice, a payment from a customer but not sure…

Definition
A temporary resting place for an entry that will end up somewhere else once its final destination is determined:
- Manually: Not sure where to book it for now.
- Systems: Transactions not properly coded.

Multiple suspense accounts prevent unknown transactions from being placed into the wrong areas of the general ledger. For example, payroll, tax, inventory, clients, suppliers.

Don’t forget to understand whether suspense account bookings bypass other normal controls such as matching goods received (GR) against PO and matching GR against supplier invoices or SOD (CAR).

Clear out suspense accounts on a monthly or cyclical basis, which should give a zero balance.

Was it properly cleared?

Balance Sheet Account Reconciliations

Basics
• Each account is assigned a preparer
• Compare GL and sub-ledger or other “source”.
• Reconciled regularly & timely, typically monthly / quarterly.
• Must identify differences & explain.
• Un-reconciled items must be promptly resolved.
• Reconciliations must be reviewed, challenged & approved

Sources of Back up

Acceptable
• External: Bank statement, Contracts, Supplier statements
• Sub ledgers: Debtors, Payroll, Fixed Assets, Inventory, Vendors
• Other: Analysis of: Reserves, Accruals, Warranty, Bad Debt, Def Tax

Not acceptable
- Copies of Journal entries
- Balance roll forwards.
- Employee emails "the account is correct"
- List of details with no source

How good is this?
• Validate the Balance Sheet – Is it accurate?
• Not best way to catch irregularities / frauds etc.
• What is the reconciliation worth?
• It may reconcile to the GL, but was the GL adjusted before the reconciliation to make it match!
• Need to understand integrity in the process controls

JV, BS Recs and Suspense accounts are areas to assess to gain an understanding whether the company is well controlled.

This nevertheless indicates that there is a certain level of control but don’t forget that it could be “worse” and bad controls / practices could be hidden further:

Some other risk areas

1. Booking unusual transactions well hidden in the P&L under large volumes of transactions.
2. Not recording
   1. Liabilities:
      • Are all supplier invoices / customer rebates recorded.
   2. Assets
      • I sell to you but the money does not go to the company. (Selling production scrap, pallets in distribution, delivering more but not billing)
      • Net-net deals (discounts, rebates, promotional activities) - Tesco.
      • Suppliers not passing on savings from sub suppliers
3. Overpaying.
   • I choose you as a supplier and you give me something in return. (Kick backs). Bidding!
   • You choose me as a supplier and I pay you off through hidden invoices such as agency commissions. (*)
4. Recording expenses on the basis of ambivalent invoices. (*)
   • Net-net deals (discounts, rebates, promotional activities) - Tesco.
   • Suppliers not passing on savings.

(*) Transparent invoices, matching service / goods received against invoices.

©2012 Association of Certified Fraud Examiners, Inc.

ACFE – Global Fraud Survey

Closing Note

To find issues it helps to:
• Understand the business & the environment. (So you scrap production rest metals)
• Identify and explore what does not get talked about. (So we control inventory but not the pallets that ship it around)
• Compare and contrast across industries.
• Refer to other subject matter bodies like ACFE, IIA.

Whether in commerce & industry or service or other -

IIA Managing fraud in accounting systems and accounting manipulation fraud

Forensic

19 May 2015

© 2015 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

Agenda

■ Latest fraud examples

■ Opportunities for fraud in financial systems

■ Financial red flags

■ Effective accounting fraud risk management

What we are seeing on the ground

Payment Diversion
Technology enabled
Accounting misstatement
Procurement fraud

Financial red flags

Payment Diversion
Technology enabled
Accounting misstatement
Procurement fraud

• Pre-payment analytics
• Verification process
• Systems not forcing ‘four eyes’
• Third party due diligence
• Non-experts – VFM
• Transactional analytics
• Weak access controls
• Portal access not restricted
• Sharing of passwords
• Reconcile to cash
• Hit the balance sheet
• Anomalous accounting entries

Red flag indicators of possible earnings management

■ Financial (or other) results that seem “too good to be true” or significantly better than competitors
■ Consistently close or exact match between reported and forecast results
■ Unusual balance sheet changes or trends: for example receivables/WIP growing faster than cash
■ Unusual accounting policy: revenue before shipping, deferral of costs
■ Accounting principles at variance with industry norm
■ The pattern of shipping: most of quarter’s sales in last week or day of period
■ Use of reserves/provisions to smooth out earnings: for example large additions to reserves that get reversed in a later period
■ Frequent and significant changes in estimates for no apparent reason
■ Complex or unique business arrangements not well understood or appearing to serve little practical purpose

Warning signs - accounts manipulation / fraudulent financial reporting

■ Remote operations
■ Multiple banking arrangements
■ Related party arrangements
■ Complex corporate structures
■ Profit warnings / credit warnings
■ High management turnover
■ Results exceed market trend
■ Cash / funding gap
■ Unique products – unique risks
■ Aggressive accounting policies
■ Highly-leveraged rewards
■ Aggressive forecasts
■ High hope value
■ Declining industry / earnings
■ High analyst or other pressures
■ Significant director share sales
■ Illegal unethical practices
■ Undue secrecy
■ Dominance / lifestyle issues
■ Lack of trust / poor internal or external auditor relationships

Fraud Triangle

“Whatever it takes” to hit targets
Personal debts
Greed
Addiction
Fear of job loss if targets not achieved

Hidden in complex transactions
Abuse of authority
Exploiting errors
Lack of segregation of duties
Policies/procedures are easy to bypass
Lack of confidence that reporting will result in action

“It’s a victimless crime”
“I deserve it”
Lack of understanding of the standards
Code of conduct not taken seriously
Results are rewarded, not conduct

Understanding the fraudster

Integrity and ethical standards

Source: KPMG Integrity Survey

■ 73% of US company employees have observed violations of law or their company standards – “misconduct” in the past year;
■ 56% of those employees said that what they observed could cause “a significant loss of public trust” if discovered;
■ 47% of employees across all sectors lacked confidence in reporting misconduct to company hotlines;
■ 33% lacked confidence that appropriate action would be taken if they reported a violation;
■ 48% lacked confidence that they would be protected from retaliation;
■ 52% lacked confidence that senior management knew what type of behaviour really went on inside the business.

Fraud risk management

Understand the environment & relationships

■ CEO & CFO

■ CFO & Financial Controller

■ General Counsel

■ Auditors

■ Divisional management

Searching for a ‘bad environment in the extreme’

Ground we have covered

■ The explosion of payment diversion fraud: from outside, from inside and collusively
■ Fraud triangle properly based model (both academically and anecdotally) to anchor awareness training, an anti-fraud strategy and investigations
■ Employees across all sectors lacked confidence in reporting misconduct (US survey)
■ Most companies still lurch from one fraud (broadly defined) to another because they do not strategically address all elements of the motivations for fraud
■ Assess the environment: it is your biggest risk and biggest defence

© 2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Alex Plavsic

Partner - Forensic

Direct Line: +44 (0) 20 7311 3862

Mobile: +447710808969

Email [email protected]

Internal audit’s relationship with external audit

Chris Baker

CIIA Technical Manager

20 May 2015

It’s all ‘audit’ isn’t it?

• Complementary functions in the assurance framework.

• Both are essential for effective governance.

• Both use risk management as a starting point.

• Independent, professional code of ethics and standards

• Both provide assurance around financial management, including preventing errors and fraud.

INTERNAL AUDIT

EXTERNAL AUDIT

Differences between IA & EA

INTERNAL AUDIT

Employed by board & senior executives

Discretionary

All objectives and risks

Reports are not publicly available

Continuous

EXTERNAL AUDIT

Appointed by owners & shareholders

Legal requirement

Financial reporting risks

Reports are publicly available

Financial cycle

https://www.iia.org.uk/policy/policy-position-papers/internal-audits-relationship-with-external-audit/

INTERNAL AUDIT
Independent and objective assurance and consulting... to evaluate & improve governance, risk management & control.

EXTERNAL AUDIT
To obtain reasonable assurance financial statements are free from misstatement, error & fraud in accordance with accounting principles

Blurred lines ?

Governance & culture

Risk management

Project & change programmes

Value for money

Financial systems

IT infrastructure

Cybersecurity

Fraud prevention

IA & financial management?

Questions

Priority?

Frequency?

Focus?

Timing?

Response

Understand change & risk

Understand expectations

Explain & justify choices

Coordinate with EA

Objectives

Change

Risk

What does good coordination look like?

• Regular communication.

• Aligned planning.

• Possible co-sourcing or one-off joint working

• Exchange of information.

• Learning & development

Case study example

Quarterly meeting timetable linked to audit committee meeting dates:
• Feb – planning discussions & progress update.
• May – Onsite EA progress meeting, exchange of audit reports
• Sept - finalising IA annual reports and EA management letter. IT audit work terms of reference
• Dec – IA plan progress review, update of strategic risk register. IT audit report finalisation.

Thank you

[email protected]

Benchmarking and round table discussion on current practice on auditing financial systems

Martin Robinson

Discussion Points

• How do you focus on strategic financial risks?
• Do you try to incorporate a review of financial risks in all audits you carry out?
• How do you relate and communicate with senior finance management?
• What challenges do you face in auditing financial risk and financial control?
• What are some of the key issues you have raised in the past?