Internal Audit Best Practices Workshop
29th May 2018 Presented by: Michael Brown, CIA, CISA, Senior Internal Auditor
Overview
Introduction to Internal Audit
Internal Control 101
Fraud 101
Current Events
MIKE
Perceptions of Internal Audit
INTRODUCTION TO INTERNAL AUDIT
Queen’s Internal Audit Team
Name - Position - Degrees/Professional Designations
Joseph Choi - Director - CPA, CA
Michael Brown - Senior Internal Auditor - CIA, CISA
Kathryn Kyle - Senior Auditor - CPA-CA
Sanjiv Sandhu - Internal Controls Manager - CPA-CGA
Internal Audit’s Mandate
Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of Queen’s University. The Office of Internal Audit assists the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s governance, risk management and controls. (Source: Internal Audit Activity Charter)
What is an Internal Auditor?
Our Role:
Monitor/Audit Queen’s
Make recommendations
Drive continuous improvement and VALUE!
What we do
Operational
Financial
Forensic (fraud related investigations/reviews)
IT Systems
How We Select University Audits
Internal Audit Plan:
Risk-based approach
Professional judgment
Best use of our time
Various types of audits
Approved by the University’s Audit and Risk Committee of the Board of Trustees
The Audit Process
INTERNAL CONTROL 101
Agenda
What is Risk
What is Internal Control
Roles and Responsibilities
SOAPSPAM - Applying the Theory
What is ‘Risk’?
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
External Risk Drivers
Economic changes
Changing student & community needs
New/changed legislation & regulations
Technological developments
Natural catastrophes
Competitive conditions
Internal Risk Drivers
New Personnel / High Turnover of Staff
What other internal drivers can you think of?
Risk Management
Tolerate
Transfer
Treat
Terminate
Definition of Internal Control
“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.” (Source: IIA International Professional Practice Framework)
Simple Definition of Internal Control
Trying to make the things we want to happen, happen… and the things we don’t want to happen, not happen.
Internal Controls at Home
Lock your home and vehicle.
Turn off the stove / iron.
Keep your ATM/debit card PIN number separate from your card.
Review bills and credit card statements before paying them.
Exercise 1: Your Objective: Arrive to work on time.
DEBRA
Think back to our list of external and internal drivers. Try to find 10 examples of risk that would affect us getting to work on time.
Internal Control at Work
Computer passwords are periodically changed and aren’t written down.
PCard transactions are checked against source documents.
Financial transactions are checked.
Authorizations required for certain activities.
Ask the crowd
Who Is Responsible?
Board of Trustees
Principal
Management
Frontline Personnel
University policies assign responsibility for the internal control system to all University employees.
Internal Controls & Internal Audit
Internal auditors are not responsible for establishing or maintaining controls. Instead we are responsible for:
Examining the adequacy and effectiveness of the University’s internal controls
Making recommendations where control improvements are needed
Contributing to the effectiveness of the control environment
Controls 101 – ‘SOAPSPAM’
S - Segregation of Duties
O - Organizational
A - Authorization
P - Physical
S - Supervision
P - Personnel
A - Arithmetic/Accounting
M - Managerial
SOAPSPAM – PCard Example
S - Segregate payment, review and approval of reconciliation
O - Review and understand PCard Policy
A - Ensure that transactions, claims and statements are authorized
P - Keep the card secure when not in use. Do you know where it is right now?
SOAPSPAM – PCard Example (continued)
S - Review and supervision
P - Training and support
A - Arithmetic: reconcile PCard statement to backup in accordance with timetable
M - Know who is accountable, reporting lines
SOAPSPAM Exercise: Expense Reimbursement
PCard – What can go wrong?
PCard fraud, misuse found at Florida universities
A Florida International University professor used a school credit card to buy at least $5,000 worth of personal items, including an MP3 player, a wireless reading device and a membership with United Airlines' Red Carpet club.
An administrative assistant in University of Florida's oral history program submitted receipts for books for a “WWII project.” But the books weren't about a world war. They were from Weight Watchers.
WARNING SIGNS
If you hear this… then…?
‘I didn’t know that!’ → Inadequate knowledge of policies or governing regulations
‘We trust ‘A’ who does all those things.’ → Inadequate segregation of duties
‘We share a password, it’s easier.’ → Inappropriate access to assets
‘You mean I’m supposed to do something besides initial/sign it?’ → Form over substance
‘I know that’s the policy, but we do it this way.’ / ‘Just get it done; I don’t care how!’ → Control override
Be alert to these responses – they usually INDICATE poor controls OR ineffective practices…
QUIZ 1: Internal Controls exist solely for the detection of fraud.
a. True
b. False
QUIZ 2: If a policy doesn’t exist, we don’t have to do it.
a. True
b. False
QUIZ 3: If controls are strong enough, we can be sure that errors, fraud and irregularities will always be detected.
a. True
b. False
QUIZ 4: Internal controls are integral to every aspect of university systems and processes.
a. True
b. False
Final Thoughts…
Internal control is a process; it is a means to an end, not an end in itself.
Everyone has a role in regard to internal controls.
Controls are there for you!
Avoid mistakes and re-work
Protect yourself
Save time
Avoid uncomfortable questions
Provide a framework
Clarity and confidence
FRAUD 101
Agenda
Fraud Definition
Causes and Effects of Fraud – ‘Fraud Triangle’
Examples / Statistics
Red Flags
What can be done?
Quiz
Final Thoughts / Questions
What is Fraud?
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. – Per IIA IPPF
An intentional act, not a mistake.
Theft or Fraud?
Fraud = there is an attempt to CONCEAL the act.
Theft comes to light at the time of the act…
“Now as through the world I ramble, I see lots of funny men, Some rob you with a six gun, And some with a fountain pen.” Woody Guthrie – 1939
Impact of Fraud
Reputational damage
Loss of funding – ability to fundraise
More oversight / monitoring / inspection
Low morale
Loss of assets / capacity or functionality
Prosecution / restriction on ways of doing business in future (e.g. no cash)
Personal liberty!
The Fraud Triangle
The Fraud Triangle
Opportunity:
Poor Controls or lack of oversight
Exploiting errors
Lack of Segregation of Duties
Abuse of Authority
Poor governance
Complex Transactions
Pressure:
Revenge
Debts, Gambling
Chemical addictions
Illness or family pressures
Coercion/blackmail
Results at any Cost
Rationalization:
“They do not pay me enough”
“Everyone Does It”
“I’ll never get caught”
“It is only a small amount”
“No one gets hurt. The school has the money”
Go through Opportunity, Ask for Pressure and Rationalization
Who’s Doing it? Age? Gender? Years of Service? Role/Job?
Profile of a Fraudster Source: ACFE Report to the Nation 2014
Common Frauds at Universities
Misuse of procurement cards (“P-Cards”) – Asset Misappropriation
Padding expense accounts
Inappropriate Research Costs
Listing fictitious vendors
Rigging vendor bids
Taking kickbacks
Common Frauds at Universities (continued)
Abusing payroll and overtime by fraudulent reporting of work hours
Paying family members from the university’s payroll account
Selling university computer assets on eBay and “pocketing” the proceeds
Non-Financial Frauds
Academic Fraud
Diploma Fraud
Performance Fraud (Targets/Achievements)
Resumé Fraud
CAUBO Fraud Survey - Findings
Education is the 9th most frequent victim of fraud
Median loss for education: $208,000
Areas of highest losses from fraud – Travel, Point of Sale Terminals, Payables
Administrative employee most frequent perpetrator
Lack of Segregation of Duties & Supervision reported as most frequent control weakness
Tip-offs reported as greatest source for fraud detection
Source: 2016 CAUBO Fraud Survey
York University $1.2M Construction Fraud
Police focused their attention on the school’s maintenance, construction and parking operations. The case involved consulting contracts and billings for goods and services, such as surveillance cameras, personal computers, shrubs and flooring.
“Let’s just say there were materials on the loading dock that never ended up at York,” said one senior manager, who requested anonymity, about missing goods. “I just told them I wasn’t signing for stuff that I hadn’t seen here.”
University of Waterloo
A University of Waterloo copy centre supervisor was charged with one count of theft over $5,000 and one count of fraud over $5,000, involving a total amount of approximately $955,000.
Other Recent Examples of Fraud
A researcher has been charged with scientific fraud related to data falsification and fabrication about the benefits of red wine. His grants of nearly $1,000,000 have been returned.
An accounts receivable clerk at the University of Nipissing has been charged with fraud over $5,000 related to the sale of equipment totalling more than $200,000.
Other Recent Examples of Fraud
A former vice president of finance at a college in New York pleaded guilty to embezzling more than $850,000 by issuing college cheques for her own use, using a college credit card for personal purchases and making false expense claims. A Catholic nun also known as Sister Susie, she committed the thefts over a period of 10 years.
Other Recent Examples of Fraud
An employee who worked in the Residence Life office at the University of Montana pleaded guilty to embezzling more than $300,000 over a period of seven years. She had been stealing student rent payments that had been made in cash.
Red Flags - Definition
A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Remember that red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.
Red Flags Source: 2018 ACFE Report to the Nations
Other Red Flags Source: ACFE Report to the Nation 2014
What you can do to help prevent Fraud…
Set the tone - lead by example – promote awareness of fraud!
Be aware of red flags!
Consider how to improve internal controls! (think what a fraudster could do)
If you DO suspect fraud… DON’T
DON’T investigate the matter yourself
DON’T accuse anyone you suspect directly
DON’T do nothing…
What you SHOULD do! If fraud is suspected:
Act quickly
Record your concerns - the more detail the better
Tell an appropriate person - for example, line manager, internal audit
Safe Disclosure Policy
What is it?
A mechanism to disclose concerns without fear of retaliation; it reflects the University’s commitment to accountability and ethical conduct.
A discloser should contact the Safe Disclosure Officer in the University Secretariat to make a confidential report of an alleged improper act, or at ConfidenceLine or
Quiz 1: The main kinds of occupational fraud committed by an employee against the employer are: corruption, financial reporting fraud, and theft of assets. Which of these three is the most frequent?
A) Corruption
B) Financial Reporting Fraud
C) Asset Misappropriation
Quiz 2: Three factors, often referred to as the “fraud triangle”, are generally present when a fraud occurs. Which of the following is NOT a part of the fraud triangle?
A) Pressure or an incentive to commit fraud
B) Perceived opportunity
C) Prior history of fraudulent activity
D) Ability to rationalize or justify fraudulent behavior
Quiz 3: Who has the primary responsibility for the deterrence and detection of financial reporting fraud?
A) Internal Audit
B) Board and Audit Committee
C) Management
D) External Auditor
Quiz 4: What factor(s) effectively mitigate fraud risk?
A) Strong ethical culture from the top down
B) Board and management skepticism
C) Robust communication about fraud risk among all players in the control environment – management, frontline staff, the audit committee, internal audit, and the external auditors
D) All of the above
Quiz 5: Most individuals who engage in fraud have a prior history of fraud or other criminal misconduct.
A) True
B) False
Quiz 6: Fraud risk can be eliminated by:
A) Increasing security and strengthening controls
B) Segregation of duties
C) Fraud awareness training
D) All of the above
E) None of the above
CURRENT EVENTS
Current Events: Access and Privacy
Queen’s University is subject to Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA).
ACCESS requirement: respond to access-to-information requests within 30 days
114 FIPPA requests completed to date with 14 appeals (2006 to 2015)
$5,000 penalty for altering, concealing or destroying a record with the intention of denying access
PRIVACY requirement: collect, use, disclose, retain and dispose of personal information appropriately
$5,000 penalty for willfully disclosing personal information in contravention of the Act
Privacy breaches may be caused by external threats and cybercrime, but more often result from poor information handling practices within the University.
Current Events: Access and Privacy – Personal Health Information Protection Act (PHIPA)
There are many laws that govern how a health information custodian (HIC) must manage care to patients and their information.
The primary Act that deals with protection of personal health information (PHI) is PHIPA, the Personal Health Information Protection Act, 2004.
PHIPA was created to establish rules for the collection, use and disclosure of PHI that protect its confidentiality and the privacy of individuals, while facilitating the effective provision of health care.
Current Events: PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory requirements, set by the banking and credit card industry, designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
81% of businesses store credit card information
73% store expiry dates
71% store verification codes
More information:
Current Events: Ransomware
A type of computer virus that uses encryption to effectively hold files hostage in exchange for payment.
On November 29, 2016, Carleton University experienced a ransomware attack which affected their IT network.
Phishing emails
Sending emails purporting to be from a reputable sender in order to induce individuals to reveal personal information such as passwords and credit card numbers.
Tax time is high time for hackers targeting payroll and HR depts. asking for T4s and employee lists.
Current Events Discussion: What current events are part of your daily tasks?
Workshop Conclusion
Internal Audit: who we are, what we do and how
Internal Control: definitions, uses, techniques, ‘SOAPSPAM’
Fraud: definitions, typical frauds, red flags, what to do
QUESTIONS?