Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internal Audit Best Practices Workshop

Similar presentations

Presentation on theme: "Internal Audit Best Practices Workshop"— Presentation transcript:

1 Internal Audit Best Practices Workshop
12th November 2013 Presented by: Kellie Hart, CPA, CA, CIA, Manager, Internal Audit Michael Brown, CIA, Senior Internal Auditor

2 Overview Introduction to Internal Audit Internal Control 101
Hot Topics Fraud 101


4 Queen’s Internal Audit Team
Name Position Degrees/ Professional Designations Joseph Choi Director CPA, CA Kellie Hart Manager CPA, CA, CIA Jonathan Nicholls Senior Auditor CPFA, Part 3 CIA Michael Brown CIA, CISA

5 Internal Audit’s Mandate
Internal Audit “provides independent, objective assurance and consulting services designed to add value and improve the organization’s operations...[and] effectiveness of governance, risk management and control processes.” (Source: Institute of Internal Auditors)

6 What is an Internal Auditor?
Our Role: Monitor/Audit Queen’s Make recommendations Drive continuous improvement and VALUE!

7 What we do Governance, Risk, and Compliance Operational Financial
Forensic (fraud related investigations/ reviews) IT Systems

8 How We Select University Audits
Internal Audit Plan: Risk-based approach Professional judgment Best use of our time Various types of audits Approved by the University’s Audit and Risk Committee of the Board of Trustees


10 Agenda Definition Internal Control at Home and Work Risk Roles and Responsibilities SOAPSPAM - Applying the Theory

11 Definition of Internal Control
“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.”

12 Simple Definition Internal control - trying to make the things we want to happen, happen … And the things we don’t want to happen, not happen.

13 Internal Control at Home
Lock your home and vehicle. Turn off the stove / iron Keep your ATM/debit card pin number separate from your card Review bills and credit card statements before paying them

14 Internal Control at Home..Cont’d
Reconcile your bank statement Don’t leave blank cheques or cash just lying around Expect your children to ask permission before they can do certain things

15 Internal Control at Work
Computer passwords are periodically changed and aren’t written down PCard transactions are checked against source documents. Financial transactions are checked. Authorizations required for certain activities.

16 What is ‘Risk’? The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of consequence and likelihood

17 Success is the reward for taking risks
What is ‘Risk’? Success is the reward for taking risks (“I miss 100% of the shots I don’t take”)

18 External Risk Drivers Economic changes
Changing student & community needs New/changed legislation & regulations Technological developments Natural catastrophes Competitive conditions

19 Risk Internal Risk Drivers New Personnel / High Turnover of Staff
Low Morale New policy / internal control system New or Revamped Information Systems Complexity of Activities Dispersion of Operations Changes in Management

20 Risk Example Example: Risk of not sleeping through the night..
External Factors Internal Factors Consequence Likelihood Internal Controls…?

21 Tolerate Treat Transfer Terminate
Risk Tolerate Treat Transfer Terminate

22 Internal controls are one way to manage risk..
Risk Management Internal controls are one way to manage risk.. But.. ‘risk vs. reward’ Are there any risks that have no / few controls? Are there risks that may have too many controls? Are there controls that do not mitigate any risks? What are the COSTS of control – is it worth it?

23 QUIZ: 1 Internal Controls exist solely for the detection of fraud a. True b. False

24 Board of Trustees Principal Management Frontline Personnel
Who Is Responsible? Board of Trustees Principal Management Frontline Personnel University policies assign responsibility for the internal control system to all University employees.

25 Internal Controls & Internal Audit
Internal auditors are not responsible for establishing or maintaining controls Instead we are responsible for: Examining the adequacy and effectiveness of the University’s internal controls, Making recommendations where control improvements are needed Contributing to the effectiveness of the control environment

26 QUIZ: 2 Internal control can do which of the following?
I. Ensure organizational success II. Ensure organizational survival III. Ensure the reliability of financial reporting IV. Ensure absolute compliance with laws and regulations I, II, and III only II, III, and IV only All of the above None of the above

27 Controls 101 – ‘SOAPSPAM’ S - Segregation of Duties O - Organisational
A - Authorisation P - Physical S - Supervision P - Personnel A - Arithmetic/Accounting M - Managerial

28 SOAPSPAM – PCard Example
S- Segregate payment and review and approval of reconciliation O- Review and understand PCard Policy A- Ensure that transactions, claims and statements are authorised P- Keep the card secure when not in use. Do you know where it is right now?

29 SOAPSPAM – PCard Example
S –Review and supervision P – Training and support A – Arithmetic - Reconcile PCard statement to backup in accordance with timetable M - Know who is accountable, reporting lines

30 PCard – What can go wrong?
PCard fraud, misuse found at Florida universities A Florida International University professor used a school credit card to buy at least $5,000 worth of personal items, including an MP3 player, a wireless reading device and a membership with United Airlines' Red Carpet club. An administrative assistant in University of Florida's oral history program submitted receipts for books for a “ WWII project." But the books weren't about a world war. They were from Weight Watchers.

31 WARNING SIGNS If you hear this.. Then…? ‘I didn’t know that!’ Inadequate knowledge of policies or governing regulations ‘We trust ‘A’ who does all those things.’ Inadequate segregation of duties ‘We share a password, it’s easier.’ Inappropriate access to assets ‘You mean I’m supposed to do something besides initial/sign it?’ Form over Substance ‘I know that’s the policy, but we do it this way.’ ‘Just get it done; I don’t care how!’ Control override Be alert to these responses – they usually INDICATE poor controls OR ineffective practices…

32 Myths and Facts MYTH FACT
If a policy doesn’t exist, we don’t have to do it FACT A lack of formal policies does NOT preclude good business practices

33 Myths and Facts MYTH FACT
If controls are strong enough, we can be sure that errors, fraud and irregularities will always be detected FACT Internal controls are our best defence against errors..but DO NOT guarantee this

34 Myths and Facts MYTH FACT
Internal controls are just about finance and accounting FACT Internal controls are integral to every aspect of university systems and processes

35 Myths and Facts MYTH FACT
Internal controls are negative. They take time away from our core responsibilities FACT Internal controls are designed to IMPROVE processes and make them more efficient!

36 Final Thoughts… Internal control is a process; it is a means to an end, not an end itself. Everyone has a role in regard to internal controls Controls are there for you! Avoid mistakes and re-work Protect yourself Save time Avoid uncomfortable questions Provide a framework Clarity and confidence



39 HOT TOPICS Procurement / BPS Hospitality Policy
Travel and Related Expenses Policy Procurement Policy Procurement Card Policy PeopleSoft HR Revenue

40 BPS ..the whole policy is not just a Queen’s thing, it’s the law!
In 2011 the Ontario government established new directives for open, fair and transparent financial practices at all Broader Public Sector (BPS) organizations, including Queen’s. All BPS organizations must comply. ..the whole policy is not just a Queen’s thing, it’s the law!

41 BPS Cont’d… Hospitality Policy Highlights:
Pre-approval requirements have been instituted for expenses incurred for internal meetings Alcohol purchases for employee/student only meals or events must be pre-approved in writing by the Dean, Vice-Principal or Principal Personal University Club memberships will not be reimbursed

42 BPS Cont’d… Travel Meal Highlights:
Meal per diems are no longer allowable for travel claims Itemized receipts are required for meals, as they are for all expenses (Even Hotel Meals!) Maximum daily meal reimbursement = $71.80

43 BPS Cont’d… Procurement Policy Highlights:
Three quotes must be obtained and submitted with a PeopleSoft Purchase Requisition for: all consulting services of any value goods and services over $10k Purchase orders are required for purchasing goods and services over $5,000; and, Hospitality expenses cannot be included in or paid under a consulting contract

44 Procurement Card Policy
The Procurement Card can be used for the purchase of goods and services up to a transaction limit of $5,000. Monthly credit limit standard is $20,000

45 Travel and Related Expenses – Best Practices
Meal / Meeting Claims: Need to indicate who is/isn’t an employee/student (important indicator of pre-approval requirement) Always attach pre-approval (when required) List the business purpose of the meeting / event

46 Travel and Related Expense and Hospitality Policies - Best Practices
Always explain variances between total claims and total receipts Submit proof of payment (itemized receipts, boarding passes) Use the right form (i.e. Travel Claim on a Cheque Requisition Form) Submit claims with a signature in ‘Approved by’ or ‘Manager’ section (e.g. ‘visitor’ claims) Check tax calculation

47 Procurement Card Policy – Best Practices
Ensure procurement card activity statements are signed by the cardholder and one-over approver Don’t split transactions Remind yourself of policy and only purchase allowable items (i.e., not computers and hotels)

48 Travel and Related Expenses Policy- FAQ
Q: I lost the receipt for my lunch. How can I claim this as an expense? A: If original receipts are lost, destroyed, or stolen, a written explanation of the circumstances must be provided by the claimant and approved by the approver before the claim will be processed.

49 Travel and Related Expenses Policy - FAQ
Q: The Approver is responsible to ensure expenses are in accordance with applicable granting agency guidelines or with the terms of the specific award. How can an approver be expected to have sufficient knowledge of the terms of every grant? A: If the Approver is not familiar with specific terms of an award funding travel, he or she should ask appropriate questions to assure themselves that the individual submitting the claim has complied with the applicable requirements.

50 Travel and Related Expenses Policy - FAQ
Q: I want to keep my original receipts, can I just send in photocopies with my claim? A: No. Credit card receipts/statements and photocopies are not eligible as proof of expense. If you require your original receipts back please indicate this and they will be stamped (“spoiled”), dated, and initialed and sent back to you after your claim has been reviewed.

51 Travel and Related Expenses Policy - FAQ
Q: I have receipts from travel two years ago; can I be reimbursed for them? A: No. Travel expense claims must be submitted within sixty days following completion of each trip. It would be unreasonable to expect reimbursement more than one year after related expenses have been incurred.

52 Procurement - FAQ Q: For purchases over $10,000 it says I need three quotes. Can these be s? A: Yes. The new legislation allows for an informal process for requesting quotes when the total value of the contract is less than $100K. You may seek quotations by inviting selected suppliers to provide you with a quote. This invitation may be sent via .

53 Procurement - FAQ Q:If I place an order with a preferred supplier and the amount is over $10K do I still need to obtain three quotes? A: No. Preferred suppliers have been the subject of a competitive tendering exercise already and as such you do not need to obtain three quotes.

54 Procurement Cards - FAQ
Q: Can the Procurement Card be used to purchase Gift Certificates/Cards or gifts for employees? A: No. The Procurement Card cannot be used. Please refer to Financial Services website, Policies, University Restricted Expenditures.

55 Procurement Cards - FAQ
Q: If I have a purchase of over $5,000 can I split the transaction in order to be able to charge the purchase to my card? A: No. Any transaction totaling over $5,000 must be entered on a Purchase Order. Splitting a transaction will be deemed as a serious offence by the University which will result in the cardholder’s card being cancelled. (remember, purchasing thresholds do NOT include taxes…)

56 Procurement Cards - FAQ
Q: If someone else reconciles my card am I still responsible for it? A: Yes. The cardholder may appoint another person to do the monthly reconciliation process for them, but it is up to the cardholder to assure that the reconciliation process is completed on time and accurately as per the Procurement Card Policy

57 Summary – BPS and Procurement
If unsure when considering procurement of any goods and services call Strategic Procurement Services first at Please refer to the Procurement Policy and to the Strategic Procurement Services website. Refer also to FAQs:

58 HR/PeopleSoft – Best Practices PWC Report
Timesheets should always be reviewed/approved by manager before being processed in PeopleSoft Casual employees should submit timesheets..time was occasionally still entered in PeopleSoft based on regular hours (rather than actual hours..) Timekeepers should double check that records are calculated correctly Care is required to ensure time is posted to the correct code in the Time and Labour module

59 Revenue Recognition – Best Practices
A contract is required: if selling services like labwork or consulting to comply with Queen’s Contract Signing Authority Policy and Matrix Record & Invoice when revenue earned Regular Invoice Tracking & Follow Up Charging HST/GST Segregation of Duties

60 When there is change, ask:
Summary When there is change, ask: What am I doing that I didn’t do before ? What am I NOT doing that I used to do? Do you see any gaps? (think: SOAPSPAM) Do you feel uncomfortable? Speak up

61 15 minute break…

62 FRAUD 101

63 Agenda Fraud Definition Causes and Effects of Fraud – ‘Fraud Triangle’
Examples / Statistics Red Flags / Case Study What can be done? Quiz Final Thoughts / Questions

64 What is Fraud? Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. – Per IIA IPPF An intentional act, not a mistake.

65 Theft or Fraud? Fraud = there is an attempt to CONCEAL the act
Theft comes to light at the time of the act… “Now as through the world I ramble, I see lots of funny men, Some rob you with a six gun, And some with a fountain pen.” Woody Guthrie – 1939

66 Impact of Fraud Reputational damage
Loss of funding – ability to fund raise More oversight / monitoring / inspection Low morale Loss of assets / capacity or functionality Prosecution / restriction on ways of doing business in future (e.g. no cash) Personal liberty!

67 Video

68 Internal Audit Fraud Survey Results
Has your organization identified instances of suspected or actual fraud within the last 24 months, if so, how many? a.      No instances? 2 b.      1 instance? 8 c.      2-5 instances? 15 d.      More than 5? 6

69 Myths About Fraud MYTH FACT
Small frauds aren’t important enough for management to worry about FACT There is no such thing as a small fraud, just a big one caught early

70 Myths About Fraud MYTH FACT Fraud will be detected by our auditors
Auditors may detect indicators of fraud, but management has primary responsibility

71 Myths About Fraud MYTH FACT
Most people are honest and won’t commit fraud FACT 20% are truly honest 60% will try, in certain circumstances 20% will actively seek opportunities to commit fraud

72 The Fraud Triangle

73 Pressure to Commit Fraud
Living beyond ones means Greed Poor credit Achievement of performance targets Family (conflict of interest) Personal financial pressures (health, divorce) Unexpected financial needs (gambling losses, investments)

74 The Fraud Triangle - Pressure
Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009

75 The Fraud Triangle - Opportunity
Poor internal controls Lack of proper authorisation No separation of authorisation, custody, record keeping No independent checks on performance Lack of clear lines of authority Inadequate documentation System change, leadership change

76 The Fraud Triangle - Rationalization
“It’s only a loan. I’ll pay it back as soon as I can." “They didn’t give me the pay raise I deserve.” “Nobody will get hurt. It’s only a company not a person.”

77 Who’s Doing it? Age? Gender? Years of Service? Role/Job?

78 Who’s Doing it? Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009

79 Who’s Doing it? Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009

80 Who’s Doing it? Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009

81 Who’s Doing it? Source: KPMG Profile of a Canadian Fraudster- Survey Report 2009

82 Common Frauds at Universities
Misuse of procurement cards (“P-Cards”) – Asset Misappropriation Padding expense accounts Inappropriate Research Costs Listing fictitious vendors Rigging vendor bids Taking kickbacks

83 Common Frauds at Universities
Abusing payroll and overtime by fraudulent reporting of work hours Paying family members from the university’s payroll account Selling university computer assets on eBay and “pocketing” the proceeds

84 Non-Financial Frauds Academic Fraud Diploma Fraud Performance Fraud (Targets/Achievements) Resume Fraud

85 CAUBO Fraud Survey - Findings
Total Fraud Loss reported for 2010 was $2.2M, $353k in 2011 Range of Fraud Losses $ 35 to $1.2M Administrative employee most frequent perpetrator Lack of Segregation of Duties & Supervision reported as most frequent control weakness Process with most frequently reported frauds were PCards, Point of Sales and Payables (payroll/travel) Tip-offs reported as greatest source for fraud detection

86 York University $1.2M Construction Fraud
Police are focusing attention on the school’s maintenance, construction and parking operations. Involved consulting contracts and billings for goods and services, such as surveillance cameras, personal computers, shrubs and flooring. “Lets just say there were materials on the loading dock that never ended up at York,” said one senior manager, who requested anonymity, about missing goods, “I just told them I wasn’t signing for stuff that I hadn’t seen here.”

87 University of Waterloo
University of Waterloo copy centre supervisor was charged with one count of theft over $5,000 and one count of fraud over $5,000, involving a total amount of approximately $955,000

88 Other Recent Examples of Fraud
An audit at the University of Missouri’s athletic department uncovered dozens of questionable personal charges made to university credit cards, including two totaling more than $7,600 at a Las Vegas ‘gentlemen’s establishment’ A biomedical engineer from Keele University and his personal assistant were jailed for attempting to defraud $256k earmarked for research.

89 Red Flags - Definition A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Remember that red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.


91 Red Flags Overspending against budget;
Unexplained items in suspense accounts; Altered petty cash vouchers and receipts; Goods invoiced that are not normally purchased; Employees who never take annual leave; also staff who regularly work outside normal working hours; Employees' personal financial problems;

92 More Red Flags Someone who often breaks the rules and regulations - cutting corners may be a way of concealing fraud; Complaints about a member of staff from customers or employees; People who rule their subordinates with a 'rod of iron' and unnecessary anger, sarcasm or criticism..too frightened to question anything; Lack of effective internal controls, e.g., segregation of duties;

93 More Red Flags Failure of management information systems;
Undocumented procedures; Sole responsibility for a system; Employees whose lifestyle is more extravagant than their salary would warrant; Unusual concerns about visits by auditors.

94 What you can do to help prevent Fraud..
Set the tone - lead by example – promote awareness of fraud! Be aware of red flags! Consider how to improve internal controls! (think what a fraudster could do)

95 If you DO suspect fraud..DON’T
DON’T Investigate the matter yourself DON’T Accuse anyone you suspect directly DON’T Do nothing…

96 Record your concerns- the more detail the better
What you SHOULD do! If fraud is suspected: Act quickly Record your concerns- the more detail the better Tell an appropriate person - for example, line manager, internal audit

97 Safe Disclosure Policy
What is it? A mechanism to disclose concerns without fear of retaliation and reflects the University’s commitment to accountability and ethical conduct A discloser should contact the Safe Disclosure Officer in the University Secretariat to make a confidential report of an alleged improper act or at ConfidenceLine or

98 Quiz 1! The main kinds of occupational fraud committed by an employee against the employer are: corruption, financial reporting fraud, and theft of assets. Which of these three is the most frequent? A) Corruption B) Financial Reporting Fraud C) Asset Misappropriation

99 Quiz 2! 2. Three factors, often referred to as the “fraud triangle” are generally present when a fraud occurs. Which of the following is NOT a part of the fraud triangle? A) Pressure or an incentive to commit fraud B) Perceived opportunity C) Prior history of fraudulent activity D) Ability to rationalize or justify fraudulent behavior

100 Quiz 3! 3. Who has the primary responsibility for the deterrence and detection of financial reporting fraud? A) Internal Audit B) Board and Audit Committee C) Management D) External Auditor

101 Quiz 4! 4. What factor(s) effectively mitigate fraud risk
A) Strong ethical culture from the top down B) Board and management skepticism C) Robust communication about fraud risk among all players in the control environment – management, frontline staff, the audit committee, internal audit, and the external auditors D) All of the above

102 Quiz 5! 5. Most individuals who engage in fraud have a prior history of fraud or other criminal misconduct? A) True B) False

103 Quiz 6! 6. Fraud risk can be eliminated by:
A) Increasing security and strengthening controls B) Segregation of duties C) Fraud awareness training D) All of the above E) None of the above

104 Workshop Conclusion Internal Audit Who we are, what we do and how
Internal Control Definitions, uses, techniques, ‘SOAPSPAM’ Fraud Definitions, typical frauds, red flags, what to do


Download ppt "Internal Audit Best Practices Workshop"

Similar presentations

Ads by Google