Internal Audit
Best Practices Workshop
12th November 2013
Presented by:
Kellie Hart, CPA, CA, CIA, Manager, Internal Audit
Michael Brown, CIA, Senior Internal Auditor
Overview
• Introduction to Internal Audit
• Internal Control 101
• Hot Topics
• Fraud 101
INTRODUCTION TO
INTERNAL AUDIT
Queen’s Internal Audit Team
Name
Position
Degrees/
Professional
Designations
Joseph Choi
Director
CPA, CA
Kellie Hart
Manager
CPA, CA, CIA
Jonathan Nicholls
Senior Auditor
CPFA, Part 3 CIA
Michael Brown
Senior Auditor
CIA, CISA
Internal Audit’s Mandate
Internal Audit “provides independent, objective
assurance and consulting services designed to add
value and improve the organization’s operations...[and]
effectiveness of governance, risk management and
control processes.”
(Source: Institute of Internal Auditors)
What is an Internal Auditor?
Our Role:
• Monitor/Audit Queen’s
• Make recommendations
• Drive continuous improvement and VALUE!
What we do
–Governance, Risk, and Compliance
–Operational
–Financial
–Forensic (fraud related investigations/
reviews)
–IT Systems
How We Select University Audits
• Internal Audit Plan:
–Risk-based approach
–Professional judgment
–Best use of our time
–Various types of audits
–Approved by the University’s Audit and Risk
Committee of the Board of Trustees
INTERNAL CONTROL
101
Agenda
• Definition
• Internal Control at Home and Work
• Risk
• Roles and Responsibilities
• SOAPSPAM - Applying the Theory
Definition of Internal Control
“Any action taken by management, the board,
and other parties to manage risk and increase
the likelihood that established objectives and
goals will be achieved.”
Simple Definition
Internal control - trying to make the things
we want to happen, happen …

And the things we don’t want to happen,
not happen.
Internal Control at Home
• Lock your home and vehicle.
• Turn off the stove / iron
• Keep your ATM/debit card pin number
separate from your card
• Review bills and credit card statements
before paying them
Internal Control at Home..Cont’d
• Reconcile your bank statement
• Don’t leave blank cheques or cash just lying
around
• Expect your children to ask permission before
they can do certain things
Internal Control at Work
• Computer passwords are
periodically changed and aren’t
written down
• PCard transactions are checked
against source documents.
• Financial transactions are
checked.
• Authorizations required for
certain activities.
What is ‘Risk’?
The possibility of an event
occurring that will have an impact
on the achievement of objectives.
Risk is measured in terms of
consequence and likelihood
What is ‘Risk’?
Success is the reward for taking risks
(“I miss 100% of the shots I don’t take”)
Risk
External Risk Drivers
 Economic changes
 Changing student & community needs
 New/changed legislation & regulations
 Technological developments
 Natural catastrophes
 Competitive conditions
Risk
Internal Risk Drivers







New Personnel / High Turnover of Staff
Low Morale
New policy / internal control system
New or Revamped Information Systems
Complexity of Activities
Dispersion of Operations
Changes in Management
Risk Example
• Example: Risk of not sleeping through the night..
• External Factors
• Internal Factors
• Consequence
• Likelihood
• Internal Controls…?
Risk
Tolerate
Treat
Transfer
Terminate
Risk Management
Internal controls are one way to manage risk..
But..
‘risk vs. reward’
• Are there any risks that have no / few controls?
• Are there risks that may have too many controls?
• Are there controls that do not mitigate any risks?
• What are the COSTS of control – is it worth it?
QUIZ: 1
Internal Controls exist solely for the
detection of fraud
a. True
b. False
Who Is Responsible?
• Board of Trustees
• Principal
• Management
• Frontline Personnel
• University policies assign responsibility for the
internal control system to all University
employees.
Internal Controls & Internal Audit
• Internal auditors are not responsible for
establishing or maintaining controls
• Instead we are responsible for:
Examining the adequacy and effectiveness of
the University’s internal controls,
Making recommendations where control
improvements are needed
Contributing to the effectiveness of the control
environment
QUIZ: 2
Internal control can do which of the following?
I. Ensure organizational success
II. Ensure organizational survival
III. Ensure the reliability of financial reporting
IV. Ensure absolute compliance with laws and
regulations
A.
B.
C.
D.
I, II, and III only
II, III, and IV only
All of the above
None of the above
Controls 101 – ‘SOAPSPAM’
S - Segregation of Duties
O - Organisational
A - Authorisation
P - Physical
S - Supervision
P - Personnel
A - Arithmetic/Accounting
M - Managerial
SOAPSPAM – PCard Example
S- Segregate payment and review and approval of
reconciliation
O- Review and understand PCard Policy
A- Ensure that transactions, claims and statements
are authorised
P- Keep the card secure when not in use. Do you
know where it is right now?
SOAPSPAM – PCard Example
S –Review and supervision
P – Training and support
A – Arithmetic - Reconcile PCard statement to
backup in accordance with timetable
M - Know who is accountable, reporting lines
PCard – What can go wrong?
PCard fraud, misuse found at Florida universities
• A Florida International University professor used a
school credit card to buy at least $5,000 worth of personal
items, including an MP3 player, a wireless reading device
and a membership with United Airlines' Red Carpet club.
• An administrative assistant in University of Florida's oral
history program submitted receipts for books for a
“ WWII project." But the books weren't about a world war.
They were from Weight Watchers.
WARNING SIGNS
If you hear this..
Then…?
‘I didn’t know that!’
Inadequate knowledge of policies or
governing regulations
‘We trust ‘A’ who does all those things.’
Inadequate segregation of duties
‘We share a password, it’s easier.’
‘You mean I’m supposed to do something
besides initial/sign it?’
‘I know that’s the policy, but we do it this
way.’ ‘Just get it done; I don’t care how!’
Inappropriate access to assets
Form over Substance
Control override
BE ALERT TO THESE RESPONSES – THEY USUALLY INDICATE
POOR CONTROLS OR INEFFECTIVE PRACTICES…
Myths and Facts
MYTH
If a policy doesn’t exist, we
don’t have to do it
FACT
A lack of formal policies
does NOT preclude good
business practices
Myths and Facts
MYTH
FACT
If controls are strong
enough, we can be sure that
errors, fraud and
irregularities will always be
detected
Internal controls are our best
defence against errors..but
DO NOT guarantee this
Myths and Facts
MYTH
Internal controls are
just about finance and
accounting
FACT
Internal controls are
integral to every aspect of
university systems and
processes
Myths and Facts
MYTH
Internal controls are
negative. They take
time away from our
core responsibilities
FACT
Internal controls are
designed to IMPROVE
processes and make them
more efficient!
Final Thoughts…
•
Internal control is a process; it is a means to an end, not
an end itself.
•
Everyone has a role in regard to internal controls
•
Controls are there for you!
Avoid mistakes and re-work
Protect yourself
Save time
Avoid uncomfortable questions
Provide a framework
Clarity and confidence






ANY QUESTIONS SO FAR…?
HOT TOPICS
HOT TOPICS
• Procurement / BPS
–Hospitality Policy
–Travel and Related Expenses Policy
–Procurement Policy
–Procurement Card Policy
• PeopleSoft HR
• Revenue
BPS
In 2011 the Ontario government established
new directives for open, fair and transparent
financial practices at all Broader Public Sector
(BPS) organizations, including Queen’s. All
BPS organizations must comply.
..the whole policy is not just a Queen’s
thing, it’s the law!
BPS Cont’d…
Hospitality Policy Highlights:
• Pre-approval requirements have been instituted
for expenses incurred for internal meetings
• Alcohol purchases for employee/student only
meals or events must be pre-approved in writing
by the Dean, Vice-Principal or Principal
• Personal University Club memberships will not
be reimbursed
BPS Cont’d…
Travel Meal Highlights:
• Meal per diems are no longer allowable for
travel claims
• Itemized receipts are required for meals, as they
are for all expenses (Even Hotel Meals!)
• Maximum daily meal reimbursement = $71.80
BPS Cont’d…
Procurement Policy Highlights:
• Three quotes must be obtained and submitted with
a PeopleSoft Purchase Requisition for:
– all consulting services of any value
– goods and services over $10k
• Purchase orders are required for purchasing goods
and services over $5,000; and,
• Hospitality expenses cannot be included in or paid
under a consulting contract
Procurement Card Policy
• The Procurement Card can be used for the
purchase of goods and services up to a
transaction limit of $5,000.
• Monthly credit limit standard is $20,000
Travel and Related Expenses – Best Practices
• Meal / Meeting Claims:
Need to indicate who is/isn’t an employee/student
(important indicator of pre-approval requirement)
Always attach pre-approval (when required)
List the business purpose of the meeting / event
Travel and Related Expense and
Hospitality Policies - Best Practices
• Always explain variances between total claims and
total receipts
• Submit proof of payment (itemized receipts,
boarding passes)
• Use the right form (i.e. Travel Claim on a Cheque
Requisition Form)
• Submit claims with a signature in ‘Approved by’ or
‘Manager’ section (e.g. ‘visitor’ claims)
• Check tax calculation
Procurement Card Policy – Best Practices
• Ensure procurement card activity statements
are signed by the cardholder and one-over
approver
• Don’t split transactions
• Remind yourself of policy and only purchase
allowable items (i.e., not computers and hotels)
Travel and Related Expenses Policy- FAQ
Q: I lost the receipt for my lunch. How can I
claim this as an expense?
A: If original receipts are lost, destroyed, or
stolen, a written explanation of the
circumstances must be provided by the
claimant and approved by the approver before
the claim will be processed.
Travel and Related Expenses Policy - FAQ
Q: The Approver is responsible to ensure expenses are
in accordance with applicable granting agency
guidelines or with the terms of the specific award.
How can an approver be expected to have sufficient
knowledge of the terms of every grant?
A: If the Approver is not familiar with specific terms of
an award funding travel, he or she should ask
appropriate questions to assure themselves that the
individual submitting the claim has complied with the
applicable requirements.
Travel and Related Expenses Policy - FAQ
Q: I want to keep my original receipts, can I just
send in photocopies with my claim?
A: No. Credit card receipts/statements and
photocopies are not eligible as proof of expense. If
you require your original receipts back please
indicate this and they will be stamped (“spoiled”),
dated, and initialed and sent back to you after your
claim has been reviewed.
Travel and Related Expenses Policy - FAQ
Q: I have receipts from travel two years ago; can
I be reimbursed for them?
A: No. Travel expense claims must be submitted
within sixty days following completion of each
trip. It would be unreasonable to expect
reimbursement more than one year after related
expenses have been incurred.
Procurement - FAQ
Q: For purchases over $10,000 it says I need three
quotes. Can these be emails?
A: Yes. The new legislation allows for an informal
process for requesting quotes when the total value of
the contract is less than $100K. You may seek
quotations by inviting selected suppliers to provide
you with a quote. This invitation may be sent via email.
Procurement - FAQ
Q:If I place an order with a preferred supplier
and the amount is over $10K do I still need to
obtain three quotes?
A: No. Preferred suppliers have been the subject
of a competitive tendering exercise already and
as such you do not need to obtain three quotes.
Procurement Cards - FAQ
Q: Can the Procurement Card be used to
purchase Gift Certificates/Cards or gifts for
employees?
A: No. The Procurement Card cannot be used.
Please refer to Financial Services website,
Policies, University Restricted Expenditures.
Procurement Cards - FAQ
Q: If I have a purchase of over $5,000 can I split the
transaction in order to be able to charge the purchase to
my card?
A: No. Any transaction totaling over $5,000 must be
entered on a Purchase Order. Splitting a transaction will
be deemed as a serious offence by the University which
will result in the cardholder’s card being cancelled.
(remember, purchasing thresholds do NOT
include taxes…)
Procurement Cards - FAQ
Q: If someone else reconciles my card am I still
responsible for it?
A: Yes. The cardholder may appoint another person to
do the monthly reconciliation process for them, but it is
up to the cardholder to assure that the reconciliation
process is completed on time and accurately as per the
Procurement Card Policy
Summary – BPS and Procurement
• If unsure when considering procurement of any
goods and services call Strategic Procurement
Services first at 613 533 2626
• Please refer to the Procurement Policy and to the
Strategic Procurement Services
website.http://queensu.ca/procurement/contact.html
• Refer also to FAQs:
http://www.queensu.ca/procurement/policies/Procur
ement_Policy_FAQ.pdf
HR/PeopleSoft – Best Practices PWC Report
– Timesheets should always be reviewed/approved by
manager before being processed in PeopleSoft
– Casual employees should submit timesheets..time
was occasionally still entered in PeopleSoft based on
regular hours (rather than actual hours..)
– Timekeepers should double check that records are
calculated correctly
– Care is required to ensure time is posted to the correct
code in the Time and Labour module
Revenue Recognition – Best
Practices
• A contract is required:
– if selling services like labwork or consulting
– to comply with Queen’s Contract Signing
Authority Policy and Matrix
• Record & Invoice when revenue earned
• Regular Invoice Tracking & Follow Up
• Charging HST/GST
• Segregation of Duties
Summary
• When there is change, ask:
–What am I doing that I didn’t do before ?
–What am I NOT doing that I used to do?
–Do you see any gaps? (think: SOAPSPAM)
–Do you feel uncomfortable?
• Speak up
15 minute break…
FRAUD 101
Agenda
• Fraud Definition
• Causes and Effects of Fraud – ‘Fraud Triangle’
• Examples / Statistics
• Red Flags / Case Study
• What can be done?
• Quiz
• Final Thoughts / Questions
What is Fraud?
• Any illegal act characterized by deceit, concealment,
or violation of trust. These acts are not dependent
upon the threat of violence or physical force.
• Frauds are perpetrated by parties and organizations
to obtain money, property, or services; to avoid
payment or loss of services; or to secure personal or
business advantage. – Per IIA IPPF
• An intentional act, not a mistake.
Theft or Fraud?
• Fraud = there is an attempt to CONCEAL the act
• Theft comes to light at the time of the act…
“Now as through the world I ramble,
I see lots of funny men,
Some rob you with a six gun,
And some with a fountain pen.”
- Woody Guthrie – 1939
Impact of Fraud
•
•
•
•
•
•
Reputational damage
Loss of funding – ability to fund raise
More oversight / monitoring / inspection
Low morale
Loss of assets / capacity or functionality
Prosecution / restriction on ways of doing business in
future (e.g. no cash)
• Personal liberty!
Video
http://www.deloitte.com/view/en_us/us/5efd1350a8efd110
VgnVCM100000ba42f00aRCRD.htm
Internal Audit Fraud Survey Results
Has your organization identified instances of suspected or actual
fraud within the last 24 months, if so, how many?
a.
No instances?
b.
1 instance?
c.
2-5 instances?
d.
More than 5?
2
8
15
6
Myths About Fraud
MYTH
Small frauds aren’t
important enough for
management to worry
about
FACT
There is no such thing as a
small fraud, just a big one
caught early
Myths About Fraud
MYTH
Fraud will be detected
by our auditors
FACT
Auditors may detect
indicators of fraud, but
management has primary
responsibility
Myths About Fraud
MYTH
Most people are honest
and won’t commit fraud
FACT
•20% are truly honest
•60% will try, in certain
circumstances
•20% will actively seek
opportunities to commit
fraud
The Fraud Triangle
Pressure to Commit Fraud
• Living beyond ones means
• Greed
• Poor credit
• Achievement of performance targets
• Family (conflict of interest)
• Personal financial pressures (health, divorce)
• Unexpected financial needs (gambling losses, investments)
The Fraud Triangle - Pressure
Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009
The Fraud Triangle - Opportunity
• Poor internal controls
–Lack of proper authorisation
–No separation of authorisation, custody, record
keeping
–No independent checks on performance
–Lack of clear lines of authority
–Inadequate documentation
• System change, leadership change
The Fraud Triangle - Rationalization
• “It’s only a loan. I’ll pay it back as soon as I
can."
• “They didn’t give me the pay raise I
deserve.”
• “Nobody will get hurt. It’s only a company
not a person.”
Who’s Doing it?
• Age?
• Gender?
• Years of Service?
• Role/Job?
Who’s Doing it?
Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009
Who’s Doing it?
Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009
Who’s Doing it?
Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009
Who’s Doing it?
Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009
Common Frauds at Universities
• Misuse of procurement cards (“P-Cards”) –
Asset Misappropriation
• Padding expense accounts
• Inappropriate Research Costs
• Listing fictitious vendors
• Rigging vendor bids
• Taking kickbacks
Common Frauds at Universities
• Abusing payroll and overtime by fraudulent
reporting of work hours
• Paying family members from the
university’s payroll account
• Selling university computer assets on eBay
and “pocketing” the proceeds
Non-Financial Frauds
–Academic Fraud
–Diploma Fraud
–Performance Fraud (Targets/Achievements)
–Resume Fraud
CAUBO Fraud Survey - Findings
• Total Fraud Loss reported for 2010 was $2.2M, $353k in
2011
• Range of Fraud Losses $ 35 to $1.2M
• Administrative employee most frequent perpetrator
• Lack of Segregation of Duties & Supervision
reported as most frequent control weakness
• Process with most frequently reported frauds were
PCards, Point of Sales and Payables (payroll/travel)
• Tip-offs reported as greatest source for fraud detection
York University $1.2M Construction Fraud
• Police are focusing attention on the school’s maintenance,
construction and parking operations.
• Involved consulting contracts and billings for goods and
services, such as surveillance cameras, personal computers,
shrubs and flooring.
• “Lets just say there were materials on the loading dock that
never ended up at York,” said one senior manager, who
requested anonymity, about missing goods, “I just told them I
wasn’t signing for stuff that I hadn’t seen here.”
University of Waterloo
• University of Waterloo copy
centre supervisor was charged
with one count of theft over $5,000
and one count of fraud over
$5,000, involving a total amount
of approximately $955,000
Other Recent Examples of Fraud
• An audit at the University of Missouri’s
athletic department uncovered dozens of
questionable personal charges made to
university credit cards, including two totaling
more than $7,600 at a Las Vegas ‘gentlemen’s
establishment’
• A biomedical engineer from Keele University
and his personal assistant were jailed for
attempting to defraud $256k earmarked for
research.
Red Flags - Definition
• A red flag is a set of circumstances that are unusual
in nature or vary from the normal activity.
• It is a signal that something is out of the ordinary
and may need to be investigated further.
• Remember that red flags do not indicate guilt or
innocence but merely provide possible warning
signs of fraud.
CASE STUDY
Red Flags
• Overspending against budget;
• Unexplained items in suspense accounts;
• Altered petty cash vouchers and receipts;
• Goods invoiced that are not normally purchased;
• Employees who never take annual leave; also staff
who regularly work outside normal working hours;
• Employees' personal financial problems;
More Red Flags
• Someone who often breaks the rules and
regulations - cutting corners may be a way of
concealing fraud;
• Complaints about a member of staff from
customers or employees;
• People who rule their subordinates with a 'rod of
iron' and unnecessary anger, sarcasm or
criticism..too frightened to question anything;
• Lack of effective internal controls, e.g., segregation
of duties;
More Red Flags
• Failure of management information systems;
• Undocumented procedures;
• Sole responsibility for a system;
• Employees whose lifestyle is more extravagant
than their salary would warrant;
• Unusual concerns about visits by auditors.
What you can do to help prevent
Fraud..
• Set the tone - lead by example – promote
awareness of fraud!
• Be aware of red flags!
• Consider how to improve internal
controls!
–(think what a fraudster could do)
If you DO suspect fraud..DON’T
• DON’T Investigate the matter yourself
• DON’T Accuse anyone you suspect directly
• DON’T Do nothing…
What you SHOULD do!
• If fraud is suspected:
–Act quickly
–Record your concerns- the more
detail the better
–Tell an appropriate person - for
example, line manager, internal
audit
Safe Disclosure Policy
www.queensu.ca/secretariat/policies/senateandtrustees/Safe_
Disclosure_Policy.pdf
What is it?
• A mechanism to disclose concerns without fear of retaliation
and reflects the University’s commitment to accountability and
ethical conduct
• A discloser should contact the Safe Disclosure Officer in the
University Secretariat to make a confidential report of an
alleged improper act. 613-533-2030 or at drm@queensu.ca.
• ConfidenceLine www.queensuniversity.confidenceline.net or
1-800-661-9675
Quiz 1!
1. The main kinds of occupational fraud committed by
an employee against the employer are: corruption,
financial reporting fraud, and theft of assets. Which
of these three is the most frequent?
A) Corruption
B) Financial Reporting Fraud
C) Asset Misappropriation
Quiz 2!
2. Three factors, often referred to as the “fraud triangle”
are generally present when a fraud occurs. Which of the
following is NOT a part of the fraud triangle?
A) Pressure or an incentive to commit fraud
B) Perceived opportunity
C) Prior history of fraudulent activity
D) Ability to rationalize or justify fraudulent behavior
Quiz 3!
3. Who has the primary responsibility for the deterrence
and detection of financial reporting fraud?
A) Internal Audit
B) Board and Audit Committee
C) Management
D) External Auditor
Quiz 4!
4. What factor(s) effectively mitigate fraud risk
A) Strong ethical culture from the top down
B) Board and management skepticism
C) Robust communication about fraud risk among all
players in the control environment – management,
frontline staff, the audit committee, internal audit, and
the external auditors
D) All of the above
Quiz 5!
5. Most individuals who engage in fraud have a prior
history of fraud or other criminal misconduct?
A) True
B) False
Quiz 6!
6. Fraud risk can be eliminated by:
A) Increasing security and strengthening controls
B) Segregation of duties
C) Fraud awareness training
D) All of the above
E) None of the above
Workshop Conclusion
Internal Audit
• Who we are, what we do and how
Internal Control
• Definitions, uses, techniques, ‘SOAPSPAM’
Fraud
• Definitions, typical frauds, red flags, what to
do
QUESTIONS?
http://www.queensu.ca/auditservices/index.html