4. Queen’s Internal Audit Team
Name | Position | Degrees / Professional Designations
Joseph Choi | Director | CPA, CA
Kellie Hart | Manager | CPA, CA, CIA
Jonathan Nicholls | Senior Auditor | CPFA, Part 3 CIA
Michael Brown | | CIA, CISA
5. Internal Audit’s Mandate
Internal Audit “provides independent, objective assurance and consulting services designed to add value and improve the organization’s operations...[and] effectiveness of governance, risk management and control processes.” (Source: Institute of Internal Auditors)
6. What is an Internal Auditor?
Our Role:
- Monitor/Audit Queen’s
- Make recommendations
- Drive continuous improvement and VALUE!
7. What we do
- Governance, Risk, and Compliance
- Operational
- Financial
- Forensic (fraud related investigations/reviews)
- IT Systems
8. How We Select University Audits
Internal Audit Plan:
- Risk-based approach
- Professional judgment
- Best use of our time
- Various types of audits
- Approved by the University’s Audit and Risk Committee of the Board of Trustees
10. Agenda
- Definition
- Internal Control at Home and Work
- Risk
- Roles and Responsibilities
- SOAPSPAM - Applying the Theory
11. Definition of Internal Control
“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.”
12. Simple Definition
Internal control - trying to make the things we want to happen, happen … And the things we don’t want to happen, not happen.
13. Internal Control at Home
- Lock your home and vehicle.
- Turn off the stove / iron
- Keep your ATM/debit card pin number separate from your card
- Review bills and credit card statements before paying them
14. Internal Control at Home..Cont’d
- Reconcile your bank statement
- Don’t leave blank cheques or cash just lying around
- Expect your children to ask permission before they can do certain things
15. Internal Control at Work
- Computer passwords are periodically changed and aren’t written down
- PCard transactions are checked against source documents.
- Financial transactions are checked.
- Authorizations required for certain activities.
16. What is ‘Risk’?
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of consequence and likelihood.
17. What is ‘Risk’?
Success is the reward for taking risks (“I miss 100% of the shots I don’t take”)
19. Risk: Internal Risk Drivers
- New Personnel / High Turnover of Staff
- Low Morale
- New policy / internal control system
- New or Revamped Information Systems
- Complexity of Activities
- Dispersion of Operations
- Changes in Management
20. Risk Example
Example: Risk of not sleeping through the night..
- External Factors
- Internal Factors
- Consequence
- Likelihood
- Internal Controls…?
21. Risk
- Tolerate
- Treat
- Transfer
- Terminate
22. Risk Management
Internal controls are one way to manage risk.. But.. ‘risk vs. reward’
- Are there any risks that have no / few controls?
- Are there risks that may have too many controls?
- Are there controls that do not mitigate any risks?
- What are the COSTS of control – is it worth it?
23. QUIZ: 1
Internal Controls exist solely for the detection of fraud
a. True
b. False
24. Who Is Responsible?
- Board of Trustees
- Principal
- Management
- Frontline Personnel
University policies assign responsibility for the internal control system to all University employees.
25. Internal Controls & Internal Audit
Internal auditors are not responsible for establishing or maintaining controls. Instead we are responsible for:
- Examining the adequacy and effectiveness of the University’s internal controls
- Making recommendations where control improvements are needed
- Contributing to the effectiveness of the control environment
26. QUIZ: 2
Internal control can do which of the following?
I. Ensure organizational success
II. Ensure organizational survival
III. Ensure the reliability of financial reporting
IV. Ensure absolute compliance with laws and regulations
- I, II, and III only
- II, III, and IV only
- All of the above
- None of the above
27. Controls 101 – ‘SOAPSPAM’
S - Segregation of Duties
O - Organisational
A - Authorisation
P - Physical
S - Supervision
P - Personnel
A - Arithmetic/Accounting
M - Managerial
28. SOAPSPAM – PCard Example
S - Segregate payment and review and approval of reconciliation
O - Review and understand PCard Policy
A - Ensure that transactions, claims and statements are authorised
P - Keep the card secure when not in use. Do you know where it is right now?
29. SOAPSPAM – PCard Example
S - Review and supervision
P - Training and support
A - Arithmetic - Reconcile PCard statement to backup in accordance with timetable
M - Know who is accountable, reporting lines
30. PCard – What can go wrong?
PCard fraud, misuse found at Florida universities
- A Florida International University professor used a school credit card to buy at least $5,000 worth of personal items, including an MP3 player, a wireless reading device and a membership with United Airlines' Red Carpet club.
- An administrative assistant in University of Florida's oral history program submitted receipts for books for a "WWII project." But the books weren't about a world war. They were from Weight Watchers.
31. WARNING SIGNS
If you hear this.. | Then…?
‘I didn’t know that!’ | Inadequate knowledge of policies or governing regulations
‘We trust ‘A’ who does all those things.’ | Inadequate segregation of duties
‘We share a password, it’s easier.’ | Inappropriate access to assets
‘You mean I’m supposed to do something besides initial/sign it?’ | Form over Substance
‘I know that’s the policy, but we do it this way.’ ‘Just get it done; I don’t care how!’ | Control override
Be alert to these responses – they usually INDICATE poor controls OR ineffective practices…
32. Myths and Facts
MYTH: If a policy doesn’t exist, we don’t have to do it
FACT: A lack of formal policies does NOT preclude good business practices
33. Myths and Facts
MYTH: If controls are strong enough, we can be sure that errors, fraud and irregularities will always be detected
FACT: Internal controls are our best defence against errors..but DO NOT guarantee this
34. Myths and Facts
MYTH: Internal controls are just about finance and accounting
FACT: Internal controls are integral to every aspect of university systems and processes
35. Myths and Facts
MYTH: Internal controls are negative. They take time away from our core responsibilities
FACT: Internal controls are designed to IMPROVE processes and make them more efficient!
36. Final Thoughts…
- Internal control is a process; it is a means to an end, not an end itself.
- Everyone has a role in regard to internal controls
- Controls are there for you!
  - Avoid mistakes and re-work
  - Protect yourself
  - Save time
  - Avoid uncomfortable questions
  - Provide a framework
  - Clarity and confidence
39. HOT TOPICS
- Procurement / BPS
- Hospitality Policy
- Travel and Related Expenses Policy
- Procurement Policy
- Procurement Card Policy
- PeopleSoft HR
- Revenue
40. BPS
In 2011 the Ontario government established new directives for open, fair and transparent financial practices at all Broader Public Sector (BPS) organizations, including Queen’s. All BPS organizations must comply.
..the whole policy is not just a Queen’s thing, it’s the law!
41. BPS Cont’d…
Hospitality Policy Highlights:
- Pre-approval requirements have been instituted for expenses incurred for internal meetings
- Alcohol purchases for employee/student only meals or events must be pre-approved in writing by the Dean, Vice-Principal or Principal
- Personal University Club memberships will not be reimbursed
42. BPS Cont’d…
Travel Meal Highlights:
- Meal per diems are no longer allowable for travel claims
- Itemized receipts are required for meals, as they are for all expenses (Even Hotel Meals!)
- Maximum daily meal reimbursement = $71.80
43. BPS Cont’d…
Procurement Policy Highlights:
- Three quotes must be obtained and submitted with a PeopleSoft Purchase Requisition for:
  - all consulting services of any value
  - goods and services over $10k
- Purchase orders are required for purchasing goods and services over $5,000; and,
- Hospitality expenses cannot be included in or paid under a consulting contract
44. Procurement Card Policy
- The Procurement Card can be used for the purchase of goods and services up to a transaction limit of $5,000.
- Monthly credit limit standard is $20,000
45. Travel and Related Expenses – Best Practices
Meal / Meeting Claims:
- Need to indicate who is/isn’t an employee/student (important indicator of pre-approval requirement)
- Always attach pre-approval (when required)
- List the business purpose of the meeting / event
46. Travel and Related Expense and Hospitality Policies - Best Practices
- Always explain variances between total claims and total receipts
- Submit proof of payment (itemized receipts, boarding passes)
- Use the right form (i.e. Travel Claim on a Cheque Requisition Form)
- Submit claims with a signature in ‘Approved by’ or ‘Manager’ section (e.g. ‘visitor’ claims)
- Check tax calculation
47. Procurement Card Policy – Best Practices
- Ensure procurement card activity statements are signed by the cardholder and one-over approver
- Don’t split transactions
- Remind yourself of policy and only purchase allowable items (i.e., not computers and hotels)
48. Travel and Related Expenses Policy - FAQ
Q: I lost the receipt for my lunch. How can I claim this as an expense?
A: If original receipts are lost, destroyed, or stolen, a written explanation of the circumstances must be provided by the claimant and approved by the approver before the claim will be processed.
49. Travel and Related Expenses Policy - FAQ
Q: The Approver is responsible to ensure expenses are in accordance with applicable granting agency guidelines or with the terms of the specific award. How can an approver be expected to have sufficient knowledge of the terms of every grant?
A: If the Approver is not familiar with specific terms of an award funding travel, he or she should ask appropriate questions to assure themselves that the individual submitting the claim has complied with the applicable requirements.
50. Travel and Related Expenses Policy - FAQ
Q: I want to keep my original receipts, can I just send in photocopies with my claim?
A: No. Credit card receipts/statements and photocopies are not eligible as proof of expense. If you require your original receipts back please indicate this and they will be stamped (“spoiled”), dated, and initialed and sent back to you after your claim has been reviewed.
51. Travel and Related Expenses Policy - FAQ
Q: I have receipts from travel two years ago; can I be reimbursed for them?
A: No. Travel expense claims must be submitted within sixty days following completion of each trip. It would be unreasonable to expect reimbursement more than one year after related expenses have been incurred.
52. Procurement - FAQ
Q: For purchases over $10,000 it says I need three quotes. Can these be s?
A: Yes. The new legislation allows for an informal process for requesting quotes when the total value of the contract is less than $100K. You may seek quotations by inviting selected suppliers to provide you with a quote. This invitation may be sent via .
53. Procurement - FAQ
Q: If I place an order with a preferred supplier and the amount is over $10K do I still need to obtain three quotes?
A: No. Preferred suppliers have been the subject of a competitive tendering exercise already and as such you do not need to obtain three quotes.
54. Procurement Cards - FAQ
Q: Can the Procurement Card be used to purchase Gift Certificates/Cards or gifts for employees?
A: No. The Procurement Card cannot be used. Please refer to Financial Services website, Policies, University Restricted Expenditures.
55. Procurement Cards - FAQ
Q: If I have a purchase of over $5,000 can I split the transaction in order to be able to charge the purchase to my card?
A: No. Any transaction totaling over $5,000 must be entered on a Purchase Order. Splitting a transaction will be deemed as a serious offence by the University which will result in the cardholder’s card being cancelled. (remember, purchasing thresholds do NOT include taxes…)
56. Procurement Cards - FAQ
Q: If someone else reconciles my card am I still responsible for it?
A: Yes. The cardholder may appoint another person to do the monthly reconciliation process for them, but it is up to the cardholder to assure that the reconciliation process is completed on time and accurately as per the Procurement Card Policy
57. Summary – BPS and Procurement
- If unsure when considering procurement of any goods and services call Strategic Procurement Services first at
- Please refer to the Procurement Policy and to the Strategic Procurement Services website. http://queensu.ca/procurement/contact.html
- Refer also to FAQs:
58. HR/PeopleSoft – Best Practices
PWC Report
- Timesheets should always be reviewed/approved by manager before being processed in PeopleSoft
- Casual employees should submit timesheets..time was occasionally still entered in PeopleSoft based on regular hours (rather than actual hours..)
- Timekeepers should double check that records are calculated correctly
- Care is required to ensure time is posted to the correct code in the Time and Labour module
59. Revenue Recognition – Best Practices
- A contract is required:
  - if selling services like labwork or consulting
  - to comply with Queen’s Contract Signing Authority Policy and Matrix
- Record & Invoice when revenue earned
- Regular Invoice Tracking & Follow Up
- Charging HST/GST
- Segregation of Duties
60. Summary
When there is change, ask:
- What am I doing that I didn’t do before?
- What am I NOT doing that I used to do?
- Do you see any gaps? (think: SOAPSPAM)
- Do you feel uncomfortable?
- Speak up
63. Agenda
- Fraud Definition
- Causes and Effects of Fraud – ‘Fraud Triangle’
- Examples / Statistics
- Red Flags / Case Study
- What can be done?
- Quiz
- Final Thoughts / Questions
64. What is Fraud?
- Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force.
- Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. – Per IIA IPPF
- An intentional act, not a mistake.
65. Theft or Fraud?
- Fraud = there is an attempt to CONCEAL the act
- Theft comes to light at the time of the act…
“Now as through the world I ramble,
I see lots of funny men,
Some rob you with a six gun,
And some with a fountain pen.”
Woody Guthrie – 1939
66. Impact of Fraud
- Reputational damage
- Loss of funding – ability to fund raise
- More oversight / monitoring / inspection
- Low morale
- Loss of assets / capacity or functionality
- Prosecution / restriction on ways of doing business in future (e.g. no cash)
- Personal liberty!
68. Internal Audit Fraud Survey Results
Has your organization identified instances of suspected or actual fraud within the last 24 months, if so, how many?
a. No instances? 2
b. 1 instance? 8
c. 2-5 instances? 15
d. More than 5? 6
69. Myths About Fraud
MYTH: Small frauds aren’t important enough for management to worry about
FACT: There is no such thing as a small fraud, just a big one caught early
70. Myths About Fraud
MYTH: Fraud will be detected by our auditors
FACT: Auditors may detect indicators of fraud, but management has primary responsibility
71. Myths About Fraud
MYTH: Most people are honest and won’t commit fraud
FACT:
- 20% are truly honest
- 60% will try, in certain circumstances
- 20% will actively seek opportunities to commit fraud
73. Pressure to Commit Fraud
- Living beyond one's means
- Greed
- Poor credit
- Achievement of performance targets
- Family (conflict of interest)
- Personal financial pressures (health, divorce)
- Unexpected financial needs (gambling losses, investments)
74. The Fraud Triangle - Pressure
Source: KPMG Profile of a Canadian Fraudster - Survey Report 2009
75. The Fraud Triangle - Opportunity
- Poor internal controls
- Lack of proper authorisation
- No separation of authorisation, custody, record keeping
- No independent checks on performance
- Lack of clear lines of authority
- Inadequate documentation
- System change, leadership change
76. The Fraud Triangle - Rationalization
- “It’s only a loan. I’ll pay it back as soon as I can.”
- “They didn’t give me the pay raise I deserve.”
- “Nobody will get hurt. It’s only a company not a person.”
77. Who’s Doing it?
- Age?
- Gender?
- Years of Service?
- Role/Job?
78. Who’s Doing it?
Source: KPMG Profile of a Canadian Fraudster - Survey Report 2009
79. Who’s Doing it?
Source: KPMG Profile of a Canadian Fraudster - Survey Report 2009
80. Who’s Doing it?
Source: KPMG Profile of a Canadian Fraudster - Survey Report 2009
81. Who’s Doing it?
Source: KPMG Profile of a Canadian Fraudster - Survey Report 2009
82. Common Frauds at Universities
- Misuse of procurement cards (“P-Cards”) – Asset Misappropriation
- Padding expense accounts
- Inappropriate Research Costs
- Listing fictitious vendors
- Rigging vendor bids
- Taking kickbacks
83. Common Frauds at Universities
- Abusing payroll and overtime by fraudulent reporting of work hours
- Paying family members from the university’s payroll account
- Selling university computer assets on eBay and “pocketing” the proceeds
85. CAUBO Fraud Survey - Findings
- Total Fraud Loss reported for 2010 was $2.2M, $353k in 2011
- Range of Fraud Losses $35 to $1.2M
- Administrative employee most frequent perpetrator
- Lack of Segregation of Duties & Supervision reported as most frequent control weakness
- Process with most frequently reported frauds were PCards, Point of Sales and Payables (payroll/travel)
- Tip-offs reported as greatest source for fraud detection
86. York University $1.2M Construction Fraud
- Police are focusing attention on the school’s maintenance, construction and parking operations.
- Involved consulting contracts and billings for goods and services, such as surveillance cameras, personal computers, shrubs and flooring.
- “Let’s just say there were materials on the loading dock that never ended up at York,” said one senior manager, who requested anonymity, about missing goods. “I just told them I wasn’t signing for stuff that I hadn’t seen here.”
87. University of Waterloo
University of Waterloo copy centre supervisor was charged with one count of theft over $5,000 and one count of fraud over $5,000, involving a total amount of approximately $955,000
88. Other Recent Examples of Fraud
- An audit at the University of Missouri’s athletic department uncovered dozens of questionable personal charges made to university credit cards, including two totaling more than $7,600 at a Las Vegas ‘gentlemen’s establishment’
- A biomedical engineer from Keele University and his personal assistant were jailed for attempting to defraud $256k earmarked for research.
89. Red Flags - Definition
- A red flag is a set of circumstances that are unusual in nature or vary from the normal activity.
- It is a signal that something is out of the ordinary and may need to be investigated further.
- Remember that red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.
91. Red Flags
- Overspending against budget;
- Unexplained items in suspense accounts;
- Altered petty cash vouchers and receipts;
- Goods invoiced that are not normally purchased;
- Employees who never take annual leave; also staff who regularly work outside normal working hours;
- Employees' personal financial problems;
92. More Red Flags
- Someone who often breaks the rules and regulations - cutting corners may be a way of concealing fraud;
- Complaints about a member of staff from customers or employees;
- People who rule their subordinates with a 'rod of iron' and unnecessary anger, sarcasm or criticism..too frightened to question anything;
- Lack of effective internal controls, e.g., segregation of duties;
93. More Red Flags
- Failure of management information systems;
- Undocumented procedures;
- Sole responsibility for a system;
- Employees whose lifestyle is more extravagant than their salary would warrant;
- Unusual concerns about visits by auditors.
94. What you can do to help prevent Fraud..
- Set the tone - lead by example – promote awareness of fraud!
- Be aware of red flags!
- Consider how to improve internal controls! (think what a fraudster could do)
95. If you DO suspect fraud.. DON’T
- DON’T Investigate the matter yourself
- DON’T Accuse anyone you suspect directly
- DON’T Do nothing…
96. What you SHOULD do!
If fraud is suspected:
- Act quickly
- Record your concerns - the more detail the better
- Tell an appropriate person - for example, line manager, internal audit
97. Safe Disclosure Policy
What is it?
- A mechanism to disclose concerns without fear of retaliation and reflects the University’s commitment to accountability and ethical conduct
- A discloser should contact the Safe Disclosure Officer in the University Secretariat to make a confidential report of an alleged improper act or at ConfidenceLine or
98. Quiz 1!
The main kinds of occupational fraud committed by an employee against the employer are: corruption, financial reporting fraud, and theft of assets. Which of these three is the most frequent?
A) Corruption
B) Financial Reporting Fraud
C) Asset Misappropriation
99. Quiz 2!
2. Three factors, often referred to as the “fraud triangle” are generally present when a fraud occurs. Which of the following is NOT a part of the fraud triangle?
A) Pressure or an incentive to commit fraud
B) Perceived opportunity
C) Prior history of fraudulent activity
D) Ability to rationalize or justify fraudulent behavior
100. Quiz 3!
3. Who has the primary responsibility for the deterrence and detection of financial reporting fraud?
A) Internal Audit
B) Board and Audit Committee
C) Management
D) External Auditor
101. Quiz 4!
4. What factor(s) effectively mitigate fraud risk?
A) Strong ethical culture from the top down
B) Board and management skepticism
C) Robust communication about fraud risk among all players in the control environment – management, frontline staff, the audit committee, internal audit, and the external auditors
D) All of the above
102. Quiz 5!
5. Most individuals who engage in fraud have a prior history of fraud or other criminal misconduct?
A) True
B) False
103. Quiz 6!
6. Fraud risk can be eliminated by:
A) Increasing security and strengthening controls
B) Segregation of duties
C) Fraud awareness training
D) All of the above
E) None of the above
104. Workshop Conclusion
- Internal Audit: Who we are, what we do and how
- Internal Control: Definitions, uses, techniques, ‘SOAPSPAM’
- Fraud: Definitions, typical frauds, red flags, what to do