1. Internal Audit Best Practices Workshop
29th May 2018
Presented by:
Michael Brown, CIA, CISA, Senior Internal Auditor

2. Overview Introduction to Internal Audit Internal Control 101 Fraud 101
Current Events
MIKE

3. Perceptions of Internal Audit

4. INTRODUCTION TO INTERNAL AUDIT

5. Queen’s Internal Audit Team
Name
Position
Degrees/ Professional Designations
Joseph Choi
Director
CPA, CA
Michael Brown
Senior Internal Auditor
CIA, CISA
Kathryn Kyle
Senior Auditor
CPA-CA
Sanjiv Sandhu
Internal Controls Manager
CPA-CGA

6. Internal Audit’s Mandate
Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of Queen’s University. The Office of Internal Audit assists the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s governance, risk management and controls. (Source: Internal Audit Activity Charter)

7. What is an Internal Auditor?
Our Role:
Monitor/Audit Queen’s
Make recommendations
Drive continuous improvement and VALUE!

8. What we do Operational Financial
Forensic (fraud related investigations/ reviews)
IT Systems

9. How We Select University Audits
Internal Audit Plan:
Risk-based approach
Professional judgment
Best use of our time
Various types of audits
Approved by the University’s Audit and Risk Committee of the Board of Trustees

10. The Audit Process

11. INTERNAL CONTROL 101

12. Agenda
What is Risk
What is Internal Control
Roles and Responsibilities
SOAPSPAM - Applying the Theory

13. What is ‘Risk’?
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood

14. External Risk Drivers Economic changes
Changing student & community needs
New/changed legislation & regulations
Technological developments
Natural catastrophes
Competitive conditions

15. Risk Internal Risk Drivers New Personnel / High Turnover of Staff
What other internal drivers can you think of?

16. Tolerate Transfer Treat Terminate
Risk Management
Tolerate Transfer Treat Terminate

17. Definition of Internal Control
“Any action taken by management, the board,
and other parties to manage risk and increase
the likelihood that established objectives and
goals will be achieved.”
(Source: IIA International Professional Practice Framework)

18. Simple Definition Internal control
Trying to make the things we want to happen, happen …
And the things we don’t want to happen, not happen.

19. Internal Controls at Home
Lock your home and vehicle.
Turn off the stove / iron
Keep your ATM/debit card pin number separate from your card
Review bills and credit card statements before paying them

20. Your Objective: Arrive to work on time.
Exercise 1:
Your Objective: Arrive to work on time.
DEBRA
Think back to our list of external and internal drivers.
Try to find 10 examples of risk that would affect us getting to work on time.

21. Internal Control at Work
Computer passwords are periodically changed and aren’t written down
PCard transactions are checked against source documents.
Financial transactions are checked.
Authorizations required for certain activities.
Ask the crowd

23. Board of Trustees Principal Management Frontline Personnel
Who Is Responsible?
Board of Trustees
Principal
Management
Frontline Personnel
University policies assign responsibility for the internal control system to all University employees.

24. Internal Controls & Internal Audit
Internal auditors are not responsible for establishing or maintaining controls
Instead we are responsible for:
Examining the adequacy and effectiveness of the University’s internal controls,
Making recommendations where control improvements are needed
Contributing to the effectiveness of the control environment

25. Controls 101 – ‘SOAPSPAM’ S - Segregation of Duties O - Organizational
A - Authorization
P - Physical
S - Supervision
P - Personnel
A - Arithmetic/Accounting
M - Managerial

26. SOAPSPAM – PCard Example
S- Segregate payment, review and approval of reconciliation
O- Review and understand PCard Policy
A- Ensure that transactions, claims and statements are authorized
P- Keep the card secure when not in use. Do you know where it is right now?

27. SOAPSPAM – PCard Example
S –Review and supervision
P – Training and support
A – Arithmetic - Reconcile PCard statement to backup in accordance with timetable
M - Know who is accountable, reporting lines

28. Exercise: Expense Reimbursement
SOAPSPAM
Exercise: Expense Reimbursement

29. PCard – What can go wrong?
PCard fraud, misuse found at Florida universities
A Florida International University professor used a school credit card to buy at least $5,000 worth of personal items, including an MP3 player, a wireless reading device and a membership with United Airlines' Red Carpet club.
An administrative assistant in University of Florida's oral history program submitted receipts for books for a
“ WWII project." But the books weren't about a world war. They were from Weight Watchers.

30. WARNING SIGNS
If you hear this..
Then…?
‘I didn’t know that!’
Inadequate knowledge of policies or governing regulations
‘We trust ‘A’ who does all those things.’
Inadequate segregation of duties
‘We share a password, it’s easier.’
Inappropriate access to assets
‘You mean I’m supposed to do something besides initial/sign it?’
Form over Substance
‘I know that’s the policy, but we do it this way.’ ‘Just get it done; I don’t care how!’
Control override
Be alert to these responses – they usually INDICATE poor controls OR ineffective practices…

31. QUIZ: 1
Internal Controls exist solely for the detection of fraud a. True b. False

32. QUIZ: 2
If a policy doesn’t exist, we don’t have to do it a. True b. False

33. QUIZ: 3
If controls are strong enough, we can be sure that errors, fraud and irregularities will always be detected a. True b. False

34. QUIZ: 4
Internal controls are integral to every aspect of university systems and processes a. True b. False

35. Final Thoughts…
Internal control is a process; it is a means to an end, not an end itself.
Everyone has a role in regard to internal controls
Controls are there for you!
Avoid mistakes and re-work
Protect yourself
Save time
Avoid uncomfortable questions
Provide a framework
Clarity and confidence

36. FRAUD 101

37. Agenda Fraud Definition Causes and Effects of Fraud – ‘Fraud Triangle’
Examples / Statistics
Red Flags
What can be done?
Quiz
Final Thoughts / Questions

38. What is Fraud?
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force.
Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. – Per IIA IPPF
An intentional act, not a mistake.

39. Theft or Fraud? Fraud = there is an attempt to CONCEAL the act
Theft comes to light at the time of the act…
“Now as through the world I ramble,
I see lots of funny men,
Some rob you with a six gun,
And some with a fountain pen.”
Woody Guthrie – 1939

40. Impact of Fraud Reputational damage
Loss of funding – ability to fund raise
More oversight / monitoring / inspection
Low morale
Loss of assets / capacity or functionality
Prosecution / restriction on ways of doing business in future (e.g. no cash)
Personal liberty!

41. The Fraud Triangle

42. The Fraud Triangle Poor Controls or lack of oversight
Exploiting errors
Lack of Segregation of Duties
Abuse of Authority
Poor governance
Complex Transactions
Revenge
Debts, Gambling
Chemical addictions
Illness or family pressures
Coercion/blackmail
Results at any Cost
“They do not pay me enough”
“Everyone Does It”
“I’ll never get caught”
“It is only a small amount”
“No one gets hurt. The school has the money”
Go through Opportunity,
Ask for Pressure and Rationalization

43. Who’s Doing it?
Age?
Gender?
Years of Service?
Role/Job?

44. Profile of a Fraudster
Source: ACFE Report to the Nation 2014

45. Common Frauds at Universities
Misuse of procurement cards (“P-Cards”) – Asset Misappropriation
Padding expense accounts
Inappropriate Research Costs
Listing fictitious vendors
Rigging vendor bids
Taking kickbacks

46. Common Frauds at Universities
Abusing payroll and overtime by fraudulent reporting of work hours
Paying family members from the university’s payroll account
Selling university computer assets on eBay and “pocketing” the proceeds

47. Non-Financial Frauds
Academic Fraud
Diploma Fraud
Performance Fraud (Targets/Achievements)
Resumé Fraud

48. CAUBO Fraud Survey - Findings
Education is the 9th most frequent victim of fraud
Median loss for education $208,000
Areas of highest losses from fraud – Travel, Point of Sale Terminals, Payables
Administrative employee most frequent perpetrator
Lack of Segregation of Duties & Supervision
reported as most frequent control weakness
Tip-offs reported as greatest source for fraud detection
Source: 2016 CAUBO Fraud Survey

49. York University $1.2M Construction Fraud
Police focused their attention on the school’s maintenance, construction and parking operations.
Involved consulting contracts and billings for goods and services, such as surveillance cameras, personal computers, shrubs and flooring.
“Lets just say there were materials on the loading dock that never ended up at York,” said one senior manager, who requested anonymity, about missing goods, “I just told them I wasn’t signing for stuff that I hadn’t seen here.”

50. University of Waterloo
University of Waterloo copy centre supervisor was charged with one count of theft over $5,000 and one count of fraud over $5,000, involving a total amount of approximately $955,000

51. Other Recent Examples of Fraud
A researcher has been charged with scientific fraud related to data falsification and fabrication about the benefits of red wine. His grants of nearly $1,000,000 have been returned.
An accounts receivable clerk at the University of Nipissing has been charged with fraud over $5,000 related to the sale of equipment totally more than $200,000.

52. Other Recent Examples of Fraud
Former vice president of finance at a college in New York, pleaded guilty to embezzling more than $850,000 by issuing college cheques for her own use, using a college credit card for personal purchases and making false expenses claims. A catholic nun also known as Sister Susie, she committed the thefts over a period of 10 years.

53. Other Recent Examples of Fraud
An Employee who worked in the Residence Life office at the University of Montana, pleaded guilty to embezzling more than $300,000 over a period of seven years.
She had been stealing student rent payments that had been made in cash.

54. Red Flags - Definition
A red flag is a set of circumstances that are unusual in nature or vary from the normal activity.
It is a signal that something is out of the ordinary and may need to be investigated further.
Remember that red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.

55. Red Flags
Source: 2018 ACFE Report to the Nations

56. Other Red Flags
Source: ACFE Report to the Nation 2014

57. What you can do to help prevent Fraud..
Set the tone - lead by example – promote awareness of fraud!
Be aware of red flags!
Consider how to improve internal controls!
(think what a fraudster could do)

58. If you DO suspect fraud..DON’T
DON’T Investigate the matter yourself
DON’T Accuse anyone you suspect directly
DON’T Do nothing…

59. Record your concerns- the more detail the better
What you SHOULD do!
If fraud is suspected:
Act quickly
Record your concerns- the more detail the better
Tell an appropriate person - for example, line manager, internal audit

60. Safe Disclosure Policy
What is it?
A mechanism to disclose concerns without fear of retaliation and reflects the University’s commitment to accountability and ethical conduct
A discloser should contact the Safe Disclosure Officer in the University Secretariat to make a confidential report of an alleged improper act or at
ConfidenceLine or

61. Quiz: 1
The main kinds of occupational fraud committed by an employee against the employer are: corruption, financial reporting fraud, and theft of assets. Which of these three is the most frequent?
A) Corruption
B) Financial Reporting Fraud
C) Asset Misappropriation

62. Quiz: 2
2. Three factors, often referred to as the “fraud triangle” are generally present when a fraud occurs. Which of the following is NOT a part of the fraud triangle?
A) Pressure or an incentive to commit fraud
B) Perceived opportunity
C) Prior history of fraudulent activity
D) Ability to rationalize or justify fraudulent behavior

63. Quiz: 3
3. Who has the primary responsibility for the deterrence and detection of financial reporting fraud?
A) Internal Audit
B) Board and Audit Committee
C) Management
D) External Auditor

64. Quiz: 4 4. What factor(s) effectively mitigate fraud risk
A) Strong ethical culture from the top down
B) Board and management skepticism
C) Robust communication about fraud risk among all players in the control environment – management, frontline staff, the audit committee, internal audit, and the external auditors
D) All of the above

65. Quiz: 5
5. Most individuals who engage in fraud have a prior history of fraud or other criminal misconduct?
A) True
B) False

66. Quiz: 6 6. Fraud risk can be eliminated by:
A) Increasing security and strengthening controls
B) Segregation of duties
C) Fraud awareness training
D) All of the above
E) None of the above

67. CURRENT EVENTS

68. Current Events Access and Privacy Privacy Access
Queen’s University is subject to Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA)
ACCESS requirement
respond to access-to-information requests within 30 days
114 FIPPA requests completed to date with 14 appeals (2006 to 2015)
$5,000 penalty for altering, concealing or destroying a record with the intention of denying access
PRIVACY requirement
collect, use, disclose, retain and dispose of personal information appropriately
$5,000 penalty for willfully disclosing personal information in contravention of the Act
privacy breaches may be caused by external threats and cybercrime, but more often result from poor information handling practices within the University
Privacy
Access

69. Personal Health Information Protection Act (PHIPA)
Current Events
Access and Privacy
Personal Health Information Protection Act (PHIPA)
There are many laws that govern how a health information custodian (HIC) must manage care to patients and their information
The primary Act that deals with protection personal health information (PHI) – PHIPA - Personal health Information Protection Act, 2004
PHIPA was created to establish rules for the collection, use and disclosure of PHI, that protect its confidentiality and the privacy of individuals, while facilitating the effective provision of health care

70. Current Events
PCI Compliance - The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory requirements, set by the banking and credit card industry, designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
81% of businesses store credit card information
73% store expiry dates
71% store verification codes
More information:

71. Current Events
Ransomware
A type of computer virus that uses encryption to effectively hold files hostage in exchange for payment.
On November 29, 2016, Carleton University experienced a ransomware attack which affected their IT network.
Phishing s
Sending s purporting to be from a reputable sender in order to induce individuals to reveal personal information such as passwords and credit card numbers
Tax time is high time for hackers targeting payroll and HR depts. asking for T4s and employee lists.

72. Current Events
Discussion: What current events are part of your daily tasks?

73. Workshop Conclusion Internal Audit Who we are, what we do and how
Internal Control
Definitions, uses, techniques, ‘SOAPSPAM’
Fraud
Definitions, typical frauds, red flags, what to do

74. QUESTIONS?