Lafleur - Financial Accounting Internal Auditing - Aga

1
FINANCIAL ACCOUNTING
& INTERNAL AUDITS
How financial accounting and internal audits
can benefit government agencies.
Lydia Lafleur, CIA
LSU Center for Internal Auditing
2
Agenda
• Accounting and Auditing Standards
• Internal Auditing
• Internal Controls
• Governance
• Fraud
• Management Responsibilities
3
Financial Accounting
Financial accounting is an information and measurement system that identifies, records, and communicates business activities to decision makers.
External users: investors, creditors, suppliers, etc.
Internal users: managers, supervisors, directors, etc.
FASB: Financial Accounting Standards Board
4
Governmental Accounting
GASB: Governmental Accounting Standards Board
GASB Concept Statement No. 1, Objectives of Financial Reporting:
“…financial reporting should provide information to assist users in assessing
the service efforts, costs, and accomplishments of the governmental entity.”
Stakeholders
• Citizens and taxpayers
• Legislative and oversight bodies
• Creditors and investors
Accountability
• Fiscal
• Operational
Characteristics of Financial Reports
• Understandability
• Reliability
• Relevance
• Timeliness
• Consistency
• Comparability
5
Auditing Standards
• Institute of Internal Auditors Professional
Practices Framework
• Generally Accepted Government Auditing
Standards (GAGAS) (The Yellow Book)
• Other Guidance
• Standards for Internal Control in the Federal Government (The
Green Book)
• Internal Control Management and Evaluation Tool
• Structured approach to assessing the internal control structure
6
Accountability
• Management and officials are responsible for:
• Carrying out public functions
• Providing service to the public effectively, efficiently, economically,
ethically, and equitably
• Providing reliable, useful, and timely information
• Users need to know whether:
1. Management and officials manage government resources and
use their authority properly and in compliance with laws
2. Programs are achieving the objectives and desired outcomes
3. Services are provided efficiently, economically, ethically and
equitably
Generally Accepted Government Auditing Standards Introduction
7
Internal Auditing Definition
• Internal auditing is an independent and
objective assurance and consulting activity
that is guided by a philosophy of adding value to
improve the operations of the organization. It
assists an organization in accomplishing its
objectives by bringing a systematic and
disciplined approach to evaluate and improve the
effectiveness of the organization’s risk
management, control, and governance
processes.
Institute of Internal Auditors
8
Internal Auditing
Audit planning: internal audit adds value to the organization by providing assurance and consulting on corporate governance, risks, and controls, delivered through the audit plan.
• Triple Bottom Line
- Environmental
- Social
- Economic
Types of Audits:
1. Financial Audits
2. Attestation Engagements
3. Performance Audits
9
Internal Controls
Adequate controls give reasonable assurance that the goals and objectives (G&O) set when planning and organizing will be achieved. The relationship between risk and controls is
R x C = r
where
G = Goals
O = Objectives
R = Risk
L = Likelihood
I = Impact
C = Controls
r = Residual Risk
Separating risk into its likelihood and impact components, and controls into those that reduce likelihood (CL) and those that reduce impact (CI):
RLI x CL x CI = rLI
10
Internal Controls
Continuous Improvement Model (CoCo: Purpose, Commitment, Capability, Monitor & Learn)
"Purpose": Goals & Objectives, which should be:
• Specific
• Measurable
• Attainable
• Relevant
• Timely
Controls serving those objectives are Preventive, Detective, or Directive, and may be Hard or Soft.
"Commitment": the Control Environment.
"Capability": the management functions (Plan: tactical and strategic; Organize; Staff; Direct; Monitor) and the Control Activities:
• Selection (alternatives)
• Segregation (access, accountability, authority)
• Reconcile (completeness)
• Authority
• Transactions (manage)
• Accountability
• Safeguard
Controls must be designed, in place, and functioning (compliance).
"Monitoring & Learning": results feed back into the Goals & Objectives.
11
COSO
Committee of Sponsoring Organizations of the Treadway Commission: a methodology used for assessing the quality of internal controls.
Objectives:
• Financial
• Compliance
• Operations
• Systems
Components:
Control Environment (soft controls):
• Corporate Culture
• Tone at the Top
Risk Analysis: common factors used in identifying and assessing the materiality of risks.
Control Activities (hard controls):
• Segregation of Duties (AAA)
• Safeguarding of assets
• Transactions recorded
• Accountability
• Periodic Reconciliation
Monitoring:
• Communication and information
• Analytics and Analysis
• Change management
Management Controls:
• Planning: to achieve goals; tactical and strategic
• Organizing: delegation
• Staffing: the right people
• Directing: policies and procedures
• Monitoring
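Segregation of duties is the first hard control listed above, and it is the one most often checked programmatically: a person who can both set up a payee and approve payment to it has defeated the control no matter how many roles it took to get there. The following is an added example (not from the deck or its author) of a segregation-of-duties check over an exported user-to-role assignment; the duty names, conflict pairs, roles and users are constructed sample data, and each conflict is tagged with the AAA dimension (access, accountability, authority) it protects.

```python
"""Segregation-of-duties (SoD) check for the "hard controls" on the COSO slide.
A user whose combined roles grant two duties that must be kept apart (for
example creating a vendor and approving payments to it) is a control finding.
Added illustrative code; the duty names, conflict pairs and user/role
assignments below are constructed sample data, not taken from the deck."""

# Duties that a single person must not hold together (constructed).
# Each pair is tagged with the AAA dimension it protects:
# access, accountability, or authority.
CONFLICTS = {
    ("create_vendor", "approve_payment"): "authority",
    ("enter_invoice", "approve_payment"): "authority",
    ("release_payment", "reconcile_bank"): "accountability",
    ("edit_user_roles", "approve_payment"): "access",
}

# Roles and the duties they grant (constructed).
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "treasury": {"release_payment"},
    "reconciler": {"reconcile_bank"},
    "iam_admin": {"edit_user_roles"},
}

# User-to-role assignments as exported from an IAM system (constructed).
USERS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],
    "carol": ["treasury"],
    "dave": ["treasury", "reconciler"],
    "erin": ["iam_admin", "ap_manager"],
}


def effective_duties(user_roles, roles):
    """Union of duties over all of a user's roles. Unknown role names are
    returned separately rather than silently dropped, so a typo in an
    export cannot hide a conflict."""
    duties, unknown = set(), []
    for role in user_roles:
        if role in roles:
            duties |= roles[role]
        else:
            unknown.append(role)
    return duties, unknown


def sod_findings(users, roles, conflicts):
    """Return sorted findings (user, duty_a, duty_b, dimension) for every
    user whose effective duties contain a conflicting pair. The check is on
    the union of duties, so a toxic combination assembled from several
    individually harmless roles is still reported."""
    findings = []
    for user, user_roles in users.items():
        duties, _unknown = effective_duties(user_roles, roles)
        for (duty_a, duty_b), dimension in conflicts.items():
            if duty_a in duties and duty_b in duties:
                findings.append((user, duty_a, duty_b, dimension))
    return sorted(findings)


if __name__ == "__main__":
    for finding in sod_findings(USERS, ROLES, CONFLICTS):
        print("SoD conflict: user=%s duties=%s+%s (%s)" % finding)
```

On the sample data the check reports bob twice (both clerk duties conflict with his approval right), dave once (releases payments and reconciles the bank account that would reveal a bad release), and erin once (can grant herself any role and also approve payments); alice and carol are clean. In practice the conflict table is the auditor's criteria and the export is the condition, and each finding is a candidate for either a role redesign or a documented, risk-accepted compensating control.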
12
COSO Control (Addressing Governance)
Challenge: evolving from Control Activities to the Control Environment.
The five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) apply at every level of the organization and aggregate upward: Activity 1, Activity 2, ... roll up to a Process, processes to Unit A, ..., and units to the Entity.
Control Environment: Tone at the Top; Tone at the Middle.
“Systemic cultural problem” Mark Emmert, NCAA President
“Management should periodically check the batteries in their moral compass.” GES
13
Update Formalizes Fundamental Concepts Embedded in the Original Framework as Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant changes
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and / or separate evaluations
17. Evaluates and communicates deficiencies
Source: COSO, “Internal Control – Integrated Framework”, September 2012
14
Quality Drift (Cascading Process)
Quality cascades from the Control Environment (subjective), through the Management Controls (P-O-S-D-M), down to the Control Activities (objective).
15
Controls
Challenges (subjectivity and complexity):
• Hard to Soft
• Objective to Subjective
• Simple to Complex
• Evolution to Revolution
Parkinson’s Law: Complexity leads to decay
16
Criteria of Control: CoCo
• Purpose
• Commitment
• Capability
• Action
• Monitoring
17
Internal Auditing: Adding Value
Evolution of the profession: from an embryonic, objective focus on Control Activities, through the Management Controls, to a mature, subjective focus on the Control Environment, Risks, and Governance (Integration: GRC).
The audit radar scans for both Opportunities and Threats.
Scope levels: Process, Unit, Entity, External.
Evaluation: Board; Audit Committee (charter); Internal Audit (charter). Check the box versus reality.
Quality is subjective.
Question: Can you be in 100% compliance and go out of business? (Evaluation Audit). Does compliance equal quality?
18
Governance
The Big Risk: SOD
Board (selection process; shareholder input) and its sub-committees:
• Audit Committee: reporting line of the CAE
• Risk Committee: reporting line of the CRO (CRMA); global and strategic
• Compensation Committee: stock options, bonus plans
- Counterproductive
- Salaries
- Up, up, up, and away
- The Bear
- Charley Mac
CEO and COB
Subjective and Objective; AAA
Issues:
• Accountability – Governance, Risks, and Controls
• King III
• Transparency
• Sustainability
Personal Opinion:
The CEO and CFO should not be involved in selecting members of the Board, Audit Committee, Risk Committee,
or Compensation Committee
19
Organizational Governance (Roles and Responsibilities)
Control Environment: Board & Sub-Committees: Plan – Organize – Staff – Direct – Monitor (P-O-S-D-M)
Executive Management: P-O-S-D-M
Process Owners (each): P-O-S-D-M
Control Activities: Employees, with specific job descriptions
Organizations should be organized: delineation of Goals & Objectives (integration & linkage) from the board down to each employee.
20
COSO Risk
Focus:
• Internal Environment
• Strategies
• Integration
ERM – Conceptual Framework: eight components, applied across the entity's objectives and divisions:
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Info. & Communication
• Monitoring
21
Governance Infrastructure (Integration & Linkage)
Governance (oversight): the Audit Committee of the Board of Directors and the CEO.
Enterprise Risk Management (ERM): oversight is the responsibility of the Audit Committee; execution belongs to the Chief Risk Officer (CRO). Risk priorities are input to the audit plan, and audit results are fed back to ERM.
Audit: the Chief Audit Executive (CAE) owns the risk-driven Audit Plan (macro: resource allocation); the Auditor in Charge (AIC) performs risk-driven engagement planning (micro). Results are reported to the Audit Committee as a comprehensive report.
22
The Reporting Model (Risks and Controls)
Elements of a finding:
• Criteria (the way it should be): policy, law, best practices, benchmarking; general or specific; internal or external. Criteria can be inappropriately included or inappropriately excluded.
• Condition (the way it is): performance drift away from the criteria.
• Cause (how we got to where we are?)
• Effect (what difference does it make?): revenue, cost, effectiveness, efficiency, goals.
• Recommendation
Risks:
• Threats (reactive; review): controllable or partially controllable.
• Opportunities (proactive; preview): reengineering (evolution or revolution); CSA.
Internal audit's role: assurance (objective) and consulting (subjective); agent of change.
Management (Plan – Organize – Staff – Direct – Monitor); the plan covers tactical, strategic, implementation, monitoring, and analysis.
Recommendation: persuasion, negotiation, meeting. Management response:
• Issue addressed
• Recommendation implemented
• Management solution
• Risk accepted
Follow-up
23
The Fraud Risk Triangle
Incentive/Pressure
Opportunity
Attitude/Rationalization
The Fraud Risk Triangle (FRT) consists of three key elements
which are generally correlated with fraud. The FRT was
developed by a criminologist, Donald R. Cressey, in 1973.
How do you address the Fraud Triangle?
24
The Fraud Risk Triangle
Elements: Opportunity (O), Incentive/Pressure (P), Attitude/Rationalization (R). Management over-ride of controls (OR) cuts across all three.
The Fraud Diamond adds a fourth element, Ability:
• Opportunity
• Pressure
• Rationalization
• Ability
Kennesaw State
25
Management Responsibility
Pre-control (inherent) risk: RLFIF, risk with its likelihood and impact factors (L and I as defined on the Internal Controls slide).
Controls: CLF, which prevent or detect (both supported by analytics).
Post-control (residual) risk: rLFIF, compared against risk tolerance, risk appetite, and affordable risk.
Control override or control failure defeats the control and returns residual risk rLFIF to the pre-control level RLFIF.
Management Functions
• Plan: tactical, strategic
• Organize: delegation, accountability
• Staff: competencies, training
• Direct: policies, procedures
• Monitor: supervision, oversight, change management
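The residual-risk relation from the Internal Controls slide (R x C = r, expanded to RLI x CL x CI = rLI) and the override/failure path on this slide can be carried through numerically. The following is an added example (not the deck's or its author's code) that applies likelihood-reducing and impact-reducing controls to an inherent risk, compares the residual against a risk appetite, and models control failure or management override as a probability that the control does not operate. The scales, effectiveness figures, failure probabilities and the sample risk are constructed assumptions.

```python
"""Worked example of the residual-risk relation on the Internal Controls and
Management Responsibility slides: inherent risk R = likelihood x impact is
reduced by controls that act on likelihood (C_L) and on impact (C_I) to a
residual risk r = R x C_L x C_I, which is then compared with the risk
appetite. The control-failure / override path is modelled as a probability
that a control does not operate, which pulls r back toward R. Added
illustrative code; the scales, effectiveness figures and the sample risk
are constructed assumptions, not figures from the deck."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    acts_on: str          # "likelihood" (preventive) or "impact" (detective / corrective)
    effectiveness: float  # fraction of L or I removed when the control operates (0..1)
    failure_prob: float = 0.0  # P(control fails or is overridden); constructed assumption

    def expected_reduction(self) -> float:
        # A failed or overridden control removes nothing, so the expected
        # reduction is the effectiveness weighted by P(control operates).
        return self.effectiveness * (1.0 - self.failure_prob)


@dataclass
class Risk:
    name: str
    likelihood: float     # L, probability of the event per year (0..1)
    impact: float         # I, loss in currency units if the event occurs
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """R_LI: pre-control risk."""
        return self.likelihood * self.impact

    def control_factors(self, assume_override: bool = False):
        """(C_L, C_I): the multiplicative factors left after controls.
        assume_override=True models the slide's override / failure path in
        which every control is defeated, so both factors return to 1."""
        c_l = c_i = 1.0
        if assume_override:
            return c_l, c_i
        for control in self.controls:
            reduction = control.expected_reduction()
            if control.acts_on == "likelihood":
                c_l *= 1.0 - reduction
            elif control.acts_on == "impact":
                c_i *= 1.0 - reduction
            else:
                raise ValueError("acts_on must be 'likelihood' or 'impact': %r" % control.acts_on)
        return c_l, c_i

    def residual(self, assume_override: bool = False) -> float:
        """r_LI = R_LI x C_L x C_I."""
        c_l, c_i = self.control_factors(assume_override)
        return self.inherent() * c_l * c_i


def within_appetite(risk: Risk, appetite: float, assume_override: bool = False) -> bool:
    """Management's decision point: is the residual risk at or below the
    amount the organization is willing to carry?"""
    return risk.residual(assume_override) <= appetite


# Constructed sample risk: an unauthorized change to the vendor master file.
VENDOR_CHANGE = Risk(
    name="vendor master changed without approval",
    likelihood=0.25,
    impact=400_000.0,
    controls=[
        # Preventive control with a 10% chance of being bypassed or overridden.
        Control("dual approval of vendor changes", "likelihood", 0.9, failure_prob=0.1),
        # Detective control that halves the loss by catching it within the month.
        Control("monthly vendor-change reconciliation", "impact", 0.5),
    ],
)
APPETITE = 10_000.0  # constructed risk appetite for this risk


if __name__ == "__main__":
    risk = VENDOR_CHANGE
    print("inherent R        = %.0f" % risk.inherent())
    print("residual r        = %.0f (within appetite: %s)"
          % (risk.residual(), within_appetite(risk, APPETITE)))
    print("if overridden, r  = %.0f (within appetite: %s)"
          % (risk.residual(True), within_appetite(risk, APPETITE, True)))
```

With the sample figures the inherent risk is 100,000; the approval control is expected to remove 81% of the likelihood (90% effectiveness times a 90% chance of operating) and the reconciliation halves the impact, so the residual is 9,500 and sits inside the 10,000 appetite. Setting assume_override shows why the slide treats override as the management responsibility: with the controls defeated the residual returns to the full 100,000 and the appetite is exceeded by an order of magnitude.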
26
Management Responsibility
• Setting policies and strategic direction
• Directing employees in performance of routine activities
• Custody of entity’s assets
• Reporting to those in charge of governance
• Implementation of audit recommendations
• Design, implement, and maintain internal controls
• Develop performance measurement system
27
Questions?