SSA 240 Auditors’ Responsibilities Relating to Fraud

This SSA concerns auditor’s responsibilities relating to fraud in an audit of FS.

Misstatements can be either due to error or fraud. If it’s fraud, there are 2 kinds, namely, fraudulent financial reporting or misappropriation of assets.

Management and those charged with governance are responsible for the prevention and detection of fraud. There should be a strong culture of honesty and ethical behaviour.

The auditor is responsible for providing reasonable assurance that the FS as a whole is free of material misstatement, whether caused by fraud or error. Frauds are often concealed and hence, the inherent limitations are larger. It is difficult to determine whether misstatements are due to fraud or error. Management fraud is even harder to detect due to management override of controls.

Auditor needs to assess ROMM due to fraud and also to respond to fraud/suspected fraud during the audit. Auditors need to be aware of the fraud risk factors that can be perpetuated by management. They need to maintain professional scepticism throughout the audit.

There needs to be a discussion among engagement team on how the FS can be susceptible to ROMM due to fraud, and how fraud might occur.

The auditor should question the management on what is management’s assessment of fraud risks. They should understand management’s fraud risk assessment, and the escalation process. Auditor should ask whether management has knowledge about any suspected fraud etc. It is also possible to ask the IA team about it. It is also good to understand how those charged with governance maintain oversight of fraud risk management.

Unusual relationships using analytical procedures for revenue accounts should be identified and assessed. The auditor should also examine fraud risk indicators as these are potential ROMM.

There is a presumed risk of fraud in revenue recognition and the auditor needs to investigate further. The auditor should incorporate elements of unpredictability in the testing (use different sampling methods etc, surprise audit etc) and see whether the accounting policies are subject to subjective measurements etc.

There is also a presumed risk of management override of controls. As such, the auditor needs to test appropriateness of the journal entries in the GL and adjustments made. They need to select JE near the end of the reporting period and may test JE/adjustments throughout the audit period. There is a need to review estimates for biases and determine whether they are reasonable.

Analytical procedures should be performed and an assessment must be made on whether it is in line with normal business practices/trends.

If auditor is unable to carry on the engagement, he may withdraw or report to the relevant authorities.

The auditor needs to obtain written representations from management that they acknowledge the responsibility for the design, implementation and maintenance of internal controls to prevent and detect fraud. They also need to disclose potential fraud cases and management’s assessment of the risk of fraud.

If auditor suspects fraud, this must be disclosed to those charged with governance. The auditor can also consider reporting it to the regulatory authorities.

Auditor needs to keep documentation on the understanding of entity’s environment and assessment of ROMM.

The fraud triangle: incentive (eg earning management so that can get more bonus. The auditor should analyse incentives that relate to the entity’s environment); opportunity (poor internal controls); rationalisation (sufficient pressure, poor character etc)

The SSA also goes into detail about how fraud may be perpetuated in relation to financial reporting and misappropriation of assets.

Management is often in the best position to perpetuate fraud.  

There is a need to understand oversight exercised by those charged with governance. Fraud risks cannot be ranked easily.

It is possible to rebut the risk of fraud in revenue recognition if the revenue stream is simple and straightforward.

Management may not implement every control to combat fraud due to the cost-benefit analysis. Therefore, it is important for the auditor to understand which such controls are.

For accounting estimates, auditor needs to perform a retrospective review of management judgments and assumptions related to significant accounting estimates in the prior year. This is also required under SSA540. The auditor needs to look out and question complex transactions.

The SSA describes many other procedures the auditor can perform.

IIA Magazine Feb 2016 Issue

This is the 75^th year of the anniversary of the IIA.

Capturing the Moment. Experts from around the globe provide a snapshot of the profession, discussing key issues impacting IA. In the past, IA was more focused on hindsight, it is now more about foresight too. Often, some IA staff may want to move to other departments. It is critical to find a clear path ahead for IA. Some of them might just want to stay in the profession forever. There has a clear shift from compliance to risk based audits. It is also good to volunteer for the profession. Combined assurance is also becoming more widely used. Students should try to contact the industries and ask for challenging assignments on IA. IA should set aside a portion of their paycheck every month to attend training etc. Work objectives should be clear and there must be clear communication. IA can also provide assurance on the management of strategy risks. IA can also add value to process effectiveness.

A Career on Point. There are many more women in this profession. IA has matured and many have viewed this function more positively now. To some, IA seems interesting and challenging. It is good as it helps you prepare for a leadership role.

Expanding the Foundation. Required audit competencies have changed considerably over the years, placing more and more emphasis on technology, business acumen and soft skills. IA is now a very respected profession. Effectiveness and efficiency are the hallmarks now. Information has increased over time and data analytics is being used more frequently nowadays. Soft skills and business acumen are very important too. Nowadays, it is good for IA to possess leadership capabilities and strategic thinking capabilities. There is a need for long-term adaptability, continuous learning etc.

Changing with the Profession. The IPPF has a history of adapting to meet stakeholder and member needs. They often listen to the needs of the profession. Now, the framework is more broad and flexible in its approach. The Standards are separated into attribute, performance and implementation types.

Twenty-first Century Milestones. Over the last 15 years, several watershed events helped define the practice of IA. IA is never dull. The first is flagrant financial reporting fraud, with cases like Enron etc. IA cannot ignore controls over financial reporting. The next is financial markets meltdown. The dotcom crash and the subprime crisis wreaked chaos throughout. ERM grew in stature as a result of all these meltdowns. The 3 lines of defence is all the more important in recent times. The next 2 big issues were cybersecurity and bribery and corruption.

The Perception of Value. A comparison of 2 IIA studies suggest internal audit may still have a long way to go in delivering stakeholder insight. Most IA are not meeting stakeholders’ expectations. Sometimes, there might be a lack of general management or operating insights within IA. Sometimes, IA also does not consult departments when developing audit plans.

Where We Are. Today’s IA enjoy greater stature within the organization and are working to meet ever-increasing expectations.

A Steady Progression. Audit professionals are in demand. IA needs to shape management’s expectations of them. IA should market themselves more. Cross-training and gaining exposure from other departments is the key. Auditors must be well-rounded and learn to take personal responsibility.

Conformance to the Standards. The top 10 non-conformance issues are: 1) Internal assessments; 2) reporting on the QAIP; 3) recognition of the definition of IA, code of ethics, standards in the IA charter; 4) external assessments; 5) QAIP; 6) requirements of the QAIP; 7) Engagement work program; 8) purpose, authority and responsibility; 9) co-ordination; 10) communication and approval

The ‘Anti-Fraud Moment’. Fighting fraud demands more than just awareness. There needs to be meaningful training when it comes to learning of skills. There is little training on red flag indicators. Create simple articles to share with employees. Record 5 minute training videos. Take advantage of live formal and informal skills training opportunities.

How Much Do Risks Really Change? The risk landscape shifts radically from 1 year to the next. It can changed a lot in 75 years. Global events can rock the market and commodity prices etc. Tech breakthroughs happen fast and world events disrupt things. Regulations change as well.

Internal Audit Fundamentals. The most basic skills remain largely unchanged. Critical thinking and communication are the key. Co-sourcing is an option when IA lacks certain technical skill sets.

Around the Globe. IA around the world are providing value to their organizations in a wide variety of ways and at different levels of complexity and sophistication. The role of IA may not be well-understood. Value demonstration is the key. Different auditors will be at different levels of proficiency and maturity.

Industry Roundup. The challenges IA face today are many and vary by sector. Public sector audit has moved beyond compliance or financial audits into performance auditing. There is also emphasis on effectiveness. There are sophisticated products in banking and safeguarding information is one of the key objectives. Money laundering is also a key area to watch. As for health care, there are issues like quality of service, compliance, data security are all big challenges.

A Different Perspective. IA’s business partners offer their views of the profession. Audit can identify opportunities for improvement throughout the organization. It is important to have a sharing environment. Technical skills matter a lot nowadays. IA should look at areas that management struggle with. IA should not hide or mask problems from management. Being able to understand IT etc would make IA more valuable.

Educating Auditors. Determining what IA students need to know now is a constant challenge. Being skilled in IA is a unique skill that is useful. It is possible to simulate real-world IA case studies for students. IA needs to be intellectually curious to learn more. One cannot speed up experience as time is required.

IA Future. IA allows one to understand the business. Do not miss the change to meet senior leaders.

‘I realized the role of IA aligned with many of my interests. I wanted to add value and bring a positive impact to a business while understanding how it operates, and IA presents opportunities not found in other roles within the company.’

IT Audit Trends and Foresight. Technology will continue to bring new risks for organizations. IA need to address the IOTs. We need to understand the inventory of devices and the type of data that is collected. One needs to understand the value of digital strategy.

The Changing Business World. Auditors can anticipate future developments by looking beyond their organization’s current business situation. Africa is going to grow fast in future. Businesses need to create space to think. IA needs to be able to anticipate new risks. IA can follow current affairs. Talk to customers to see how their needs are changing. IA is really looking to delight people.

Five Trends. Top global IA thinkers take a broad look at key issues that will shape the profession. The world is changing fast and risk are interdisciplinary. New risks must be understood and evaluated. IA can learn new ways of analysing and also develop strategic foresight. The compliance scope is continually expanding and making things more difficult. IA needs to link compliance activities to upstream processes and control improvements. It will be a challenge for lower the cost of compliance. Stakeholders are more demanding nowadays. IA must have knowledge of the various industries and any new business lines. Technology risk is getting more complicated. Data is becoming more prevalent and data analytics is getting more useful than ever before.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

IIA Magazine Apr 2016 issue

Soft skills seem to be lacking in some of the IA teams. There is the art of interviewing that must be executed properly. IA can set aside time to work with other parts of the business. Audit reports are not the only communication channel.

Time to Shift the Mindset. Pulse report urges IA to focus on culture and cybersecurity response. Board members should discuss with management to ensure that there is a common understanding. There is a risk of poor vendors and that firms could suffer from reputational damage. There needs to be strong third party risk practices.

Fraud Prevention. An effective control environment can deter or minimize the occurrence of fraudulent activities. Internal controls may not always be designed to prevent fraud. There must be a strong control environment for fraud prevention. Background checks and fraud related training can be useful indeed. Whistle-blowing hotlines can be set up. A certain level of anonymity must be ensured. No one person should complete control over a whole particular process, from start to end. Monitoring activities should take place on a frequent basis.

The Call no CAE wants to receive. A strong working relationship between IA and the CIO is essential to responding quickly to a cyber incident. This is important as cyber attacks can lead to reputational damage. One can verify the controls at the vendor and get them to fill up a data security risk assessment questionnaire. IA can be the trusted advisor that an organization needs.

Collaborative Risk Management. As organizations consolidate their risk processes, IA may not be able to continue to stand alone. Risk collaboration and organizing risks are more important nowadays. There is a need to be efficient about going about this. Risk needs to be organized neatly. ERM is one way to link everything together. Auditors should be open to other ideas on organizing and mitigating risk.

The Ticking Ethical Time Bomb. The financial loss from theft was secondary to the effect on company culture. Sometimes, the most obvious issue is no the more important one. Small frauds can lead to large ones. Reinforcing identity is also very smart sometimes, as it can help with ethical reinforcement. Increasing controls should not be done as a knee-jerk reaction sort of thing.

A Matter of Trust. Attention to detail and focused effort can help IA build the relationships required to be perceived as valued advisers. IA should be given time to innovate, gain an understanding of evolving challenges and talk to people in the business regularly about the issues they face. You help to build trust if you know what the regulators or other people are doing. Sometimes, top management might even tell CAE the problems that are upcoming. Relationship building and being part of the management team is crucial. However, there is still a need to be independent even if IA is like a trusted advisor. Try to leverage on technology.

‘IA can often be forgotten if it is not part of the core team, because it is less visible than those functions that meet and talk regularly.’

‘Auditors are there to make organizations better – it is a key part of the way they can add value. Not commenting when they see a better way to do something could show a certain lack of moral courage.’

Proactive Fraud Analysis. Integrating advanced forensic data analytics capabilities can help auditors mitigate fraud risks and demonstrate returns. IA can invest in such tools as it can help in the monitoring of risk. IA should ask ‘What are the high risk accounts?’; ‘When?’; ‘Where?’ etc. IA should focus on the low-hanging fruit first. The first project undertaken should be easy. Learn to go beyond the descriptive analytics. Learn to embrace both structured and unstructured data. Communication is the key. It would be good to automate the tests and involve the end-users. Also, learn to set a realistic timetable. Keep analytics simple and intuitive – don’t include too much information in one report so it isn’t easy to understand.

Getting More from Interviews. Instead of emphasizing formalities, IA should approach each interview like a conversation. You can gain insight into the way operations work and identify gaps etc. Plan your questions beforehand and be prepared. However, the less formal it is, the more information you can find out from the interview. Try to make it a conversation. Learning about the auditees’ life can help to build rapport and build the bond. Talk to others within the auditees’ same department. The interview’s purpose should be specific, attainable and outcome oriented. Preparing for the interview helps a lot. The location matters as well. Try to open in a way that makes the auditee at ease. Try to explain the purpose and the outcome of the interview. Learn to practise effective listening. One can ask thought provoking questions that will help to elicit information. Learn to practise active listening and show positive body language such as being attentive. You can prepare questions but there is no need to follow to a list strictly. It can be difficult to build rapport. Do not try to tell the interviewee that the interview must be done to complete the audit. Have lunch with auditees once in a while. People love to hear about themselves.

‘Auditors should be curious about the way processes work, the way the organization works, and perhaps most importantly, the people who make it work. Curiosity will lead to a better understanding of the organization, better ideas for improving the organization, and a better rapport with the individuals within the organization.’

On the Hunt for Payroll Fraud. Taking a close look at payroll risks can enable IA to help their organizations save money and identify wrongdoing. Payroll fraud is more common if there is irregular workforce patterns. Payroll is usually shrouded in secrecy. Overpayment is more common than underpayment. IA can also examine to seek actual cost savings/ productivity gains. IA can adopt a helicopter overview of payroll data and the payroll process. One can compare payroll costs with other organizations. Rosters should be designed to optimize the allocation of employees to operational needs. Management welcomes findings that reveal specific wrongdoing because they provide hard-to-dispute evidence. IA can look out for certain insights and then drill further. There are many common findings. The audit fieldwork needs to be well-researched and planned.

Guardians of Integrity. IA can provide insight into corporate identity and people-related risks. For instance, IA can evaluate the ethics and organizational integrity. IA must communicate with the board and management and be the corporate conscience. Testing the effectiveness of the ethics programs can be tough. It is important to understand how an organization defines success. It is important to uphold the code of ethics: integrity; objectivity; confidentiality; competence. IA should examine incident reports too. IA must be as wise as the board, as savvy as management, and as shrews as attorneys. Stakeholder surveys could be used to understand the management and employee ethics. IIA needs to exercise fair and ethical decision making.

audit financial company tax investigation process business accounting

IIA Magazine Aug 2017 issue

The Technology Issue

 A technology revolution. Tech is moving at a fast pace and some businesses may not be able to reap the benefits. IA needs to understand the evolving risk landscape related to the business. Tech will continue to disrupt the landscape and IA needs to reassess what data means to them going forward. Auditors help organizations avoid getting into trouble by identifying issues early and avoid them being surfaced by regulators or the media.

The Cyber Readiness Gap. Organizations may not be prepared for the attacks they are expecting. Ransomware is a big issue and thinks will get worse. Only half the organizations surveyed have a plan to address ransomware attacks. IA can help to scrutinize cybersecurity practices and plans. IT security governance needs to include the human factor in corporate risk analysis and assessment. IA can move from a supportive to front-seat role when building crisis-resilient culture.

More than Compliance with ‘A’. Transforming a compliance program into a value-adding activity starts with IA. Compliance with AML regulations are important. However, many managers do not see value in compliance work. IA needs to ensure compliance can provide real assurance. It is important to do the right thing and do things correctly. Ask yourself why there is a compliance requirement in the first place. IA needs to work with the first and second line of defence to ensure all risks are being addressed. IA should also question the need for, existence of, and adequacy of compliance with A. Sometimes, the original risks may not be present and hence the compliance requirement should not be relevant. One needs to examine the adequacy and effectiveness of the mitigating control. The audit needs to maximize the use of resources and analytics. One can use trend analysis to understand whether risk is increasing or decreasing. Effectiveness of controls can be tested with analytics.

‘But it should not be compliance simply for compliance sake. Internal audit should consider the overarching business objective and the controls that help mitigate risk to the achievement of the objective – even when examining compliance-related controls.’

Stop Clicking, Start Coding. SQL queries can enable internal auditors to uncover greater insights from organizational data. Data needs to be analysed etc. Some auditors are required to learn SQL. It is a language for managing data held in databases. To be good, logical thinking and reasoning are important and necessary for coding. SQL can be tailored for auditing needs and for ad-hoc queries. SQL and other audit software can form a powerful set of analytical tools.

Internal Audit needs risk management too. Managing its own risks can improve the audit function’s performance and demonstrate that it practices what it preaches. One key risk of IA is whether the department is strategically positioned within the organization its objectives. Other risks are whether the department has enough staff, on assurance etc. Reputation risks are important too, and so is compliance risks. Operational risks are like the resourcing problems, annual audit plan etc. If audits are behind schedule by about a month, it needs to be highlighted as a red flag. IA can also do a risk control self-assessment to evaluate internal controls in place.

The Cashier Cash Thief. Mounting family pressures and opportunity cause a trusted warranty clerk to pocket payments from customers. IA must emphasize the importance of SOD and monitor any exceptions. Trend analysis would allow organization to detect fraud more timely. Routine audits are vital for all cash processes. Mandatory vacations and rotation of duties should have prevented fraud from happening.

In Safe Hands. Organizations must grapple with a host of issues when determining how to best protect their data and manage the way it’s used. In Europe, there is a General Data Protection Regulation that goes into effect in spring 2018. It is a stricter regulation than ever before. Firms need to obtain consent for data collected from individuals. IA needs to go back to the drawing board to strike a balance. Respecting someone’s privacy rights is actually a soft skill and needs a soft approach. Privacy controls need to be engineered into business processes. Businesses must be clear about what they need the data for. Many companies do not know where their data comes from and how it is used. IA can be a role model in innovation etc.

Great tech expectations. As technology becomes more integrated with business processes, auditors must raise their IT skills. New auditors usually have better skills than older ones. People with expertise in IT will be in demand. Those with experience in DA will have an advantage over those who don’t. Experience with audit-specific software is also a plus. Auditors need to have an understanding of the infrastructure and applications being used. New authors are not usually well versed in soft skills. IA needs to have a good understanding of flow, controls and governance. Determine the specialty skills needed. Maintaining the right mix of generalists and specialists is a key IT challenge. IA needs to have a training plan for the IT risk and controls. Training hours need to be tracked and there needs to be information sharing at every meeting.

Building a data analytics program. Six strategies can facilitate progress when starting or furthering an analytics program. Many functions suffer from pitfalls/ setbacks. The six strategies are (1) create awareness rather than a silo; (2) understand the data before investing in a tool; (3) plan sufficiently; (4) think big picture; (5) Partner with IT; (6) Take advantage of visualization tools for inspired reporting.

#PurposeServiceImpact. The IIA’s 2017-2018 Global Chairman of the Board J Michael Peppers encourages IA to unify around the three concepts in his powerful hashtag. Purpose, Service and Impact are important words for our profession. It is about the why we do things. We should help enhance shareholder value through our work. Service is basically walking the talk. It is important to establish credibility with clients. We are both change agents and educators and need to do the right thing. Volunteering is important and internal auditors should strive to give back to the society. Always try to make a positive difference. We need to understand the purpose of the organization.

‘The best and most successful internal auditors I know understand that internal auditing is more than just a job: it is a sincere effort to improve the lot of others, whether organizations or individuals.’

The Root of the Matter. Performing root-cause analysis requires that auditors recognize common myths associated with the process. Addressing root cause will prevent the issue from recurring. Complex problems may be due a variety of factors. There may not be a single root cause at times. Use the 5 Why techniques. Sometimes, two root causes can lead to one problem. Some brainstorming is required to address all the root causes. One can use the fishbone diagram and identify problems in different categories like: Man, Machine, Measurements, Method, Materials, and Mother Nature. One can also use scatter diagrams to pair cause and effect and look for relationships. Good recommendations in the audit report should address the root causes of a problem. However, IA should understand that RCA requires time and resources and the organization must weigh the pros and cons of doing it.

Seven Steps to Transformation. IA can assist management throughout the many stages of business change. The first is pre-implementation review. It helps management to identify problems at the planning stage. Ask yourself what is the best ERP project model for ERP packages? The other steps are process/controls analysis, In-flight reviews, IT and User Acceptance Testing and Output/Results testing. The last 2 steps are post-implementation reviews and comparison to project management reviews.

It’s only one word. Excessive audit report wordsmithing is often a disservice to the client – and the audit function. Let those who did the work have a say in the changes. Never make a change unless you can explain why that change is necessary. Otherwise, you are just changing for personal preference. Always explain the reasons for any change to the person who wrote the original drafts. Do not be too anal about phrasing as this will result in rewriting and delays and frustrations.

‘Far too often, the lead, manager, chief audit executive doesn’t like what is written and starts editing the audit report. The process often results in a report the auditor no longer recognizes and, in the worst situations, it says something the auditor never intended it to say.’

The Data Analytics Strategy. Adding analytics to the audit methodology requires careful change management. Funding and resources needs to be provided. Integrate data analytics requirements into the audit methodology. Look for quick wins if possible. Use a champion to lead the strategy. CAE must emphasize that analytics is good as it improves audit efficiency. Analytics can add value not just to fieldwork, but also risk assessment and planning. Data is also evidence and that’s what sells well.

From ratings to Recommendations. Behavioural psychology suggests internal auditors’ approach could benefit from more carrot and less stick. Audit gradings are hated by auditees as it sends a signal that they did something wrong and that things are really bad. The SDT (self-determination theory) shows that human motivation is optimized when the following 3 are present: developing one’s skills (competency); exercising free will (autonomy); feeling connected with others (relatedness). Give your auditee the chance by sharing about common goals and building good relationships with them.

IIA Magazine Jun 2016 issue

A toxic culture is present when your work negatively affects your health – physically and emotionally. An example of such could be a change in management or management through fear and intimidation. The two options are to leave or to name the problem and discuss to make it better. Payroll should have continuous checks and balances. It is not good to report risks on an ad-hoc basis. Talent issues and development need to be addressed. There is a strong need to fight corruption. However, whistle-blowing hotlines might be underutilized, as employees fear retaliation after reporting. There are some companies which do not trust enterprise cloud deployments still.

The Fire Drill. Auditors can learn to deliver a focused message that results in management action. Effective planning of our work is the key. For instance, we can look at past audit findings. Next, one should compensate with competence, meaning backing up observation with data and experience. Sell with the passion of a champion. Findings should be sold to address a control weakness that is causing an unacceptable risk. One needs to communicate the big risks well. In the end, we need to deliver a focused message that can result in management action.

The Tech-Savvy Auditor. Effective use of audit technology can enable audit departments to provide valuable insights. Most IA staff are not familiar with IT or have weak IT backgrounds. This is not acceptable. Technology can lead to a more efficient audit and also might cut fraud losses. There is a need to improve the audit software. There should be a data analytics centre in-house. There is a need to review software usage.

Integrating Key Risks and Performance Indicators. IA can leverage its risk knowledge to improve operational performance and reduce risks exposures. IA can provide assurance on the achievement of objectives. IA can encourage the formalization of KPIs and KRIs. KRIs can serve as an early signal of increasing risk exposure. There needs to be a formal project charter. There needs to be a KPI framework with proper planning, reporting, monitoring etc. The key metrics need to be identified and a dashboard can help to present graphically the results. The KRI should be closely linked to the KPI.

Toxic Leaders, Toxic Culture. IA can identify unhealthy behaviors that may undermine the organization. Culture will affect an organization’s success. Therefore, identifying the toxic leader is important. Toxic leaders want power and control. These tend to be autocratic leaders. They could have a strong sense of entitlement and focus on themselves and not the organization. Exerting power through fear can undermine morale. They do not like to be challenged and seek to manipulate others. Closed-minded leaders think of ‘My way or the highway’. There is no need to confront the toxic leader. IA can refer the person to compliance or legal counsel. One can use behavioural psychology to analyse. For a more objective method, one can look at the reasons for turnover and examine turnover rates. One can also look at employee engagement survey results. One needs to use experience and facts as much as possible.

Analytics and the small audit department. No matter the size of an audit function, analytics can be implemented for big gains. How to go about using analytics? Some simple ones to consider are benchmarking, variance analysis, ROA, turnover etc. The analytics must have goals and performance measures. Selecting the right data source is the key and there is a need to verify the accuracy of the source. Brainstorming can help to identify key data. It is crucial to have a plan that will allow IA to continue to improve its analytics capability. It is important to attain small wins in analytics.

Business Risk. Keynote speakers for this year’s IIA International Conference identify emerging risks facing organizations. Cyber risks is at the top of the priority list for many. Ransomware is a big threat to hospitals nowadays. Other threats include politics, the economy and terrorism. Social media risks sometimes aren’t within an organization’s control. Auditors should use corporate culture to work in their favour. An organization must monitor the external environment closely. There should be a common understanding of what the risk appetite and risk cultures are. Audit needs to adjust fast and invest continually in education. IA now also needs to learn to be innovative.

An Anti-corruption Check-up. Capability maturity models can help organizations assess the effectiveness of the anti-corruption programs. This model was developed at Carnegie Mellon University. One can use the model to identify strengths and weaknesses. There are basically 4 levels of maturity. There are 7 components that form the basis of anti-corruption maturity model. There is a need to tally the scorecard too.

Craft Our Role. IA should create the role for themselves that is best for both the organization and their own personal development. IA needs to be ingenious, use creativity and resourcefulness when developing their role. Do not limit the scope to be too small. It is important to be familiar with the business in order to value add properly. The control environment needs to be evaluated properly. One can develop business acumen. It is crucial to ask the right questions. IA should network more with the other departments to build rapport and also to get a feel about the management style in the department. Learn to practise combined assurance. One can work with another dept for a joint review. This is the way to maximize external resources.

Fraud and related-party transactions. IA can identify red flags and reduce the risk and impact of related-party fraud. IA need to be able to recognize related-party fraud risks. Providing loans at below market rates is a red flag. Failing to disclose the related-party nature of the loan is a red flag. IA should try to identify related party transactions. Try to identify whether employees have link to companies that transact with the organization itself. It is also possible to compare cost variations among vendors to see how they differ from the average cost. The organization should not pay costs significantly above market prices.

Communicating Results. Sharing audit observations is one of the most important tasks auditors perform. Communicating properly can help enhance rapport. Make sure the observations are correct and are not challenged by management. Plan the timing of issue dissemination, which is as soon as possible. Try not to surprise management at the end of the audit. Write clearly. Exercise diplomacy.

‘One of the quickest ways to lose management’s respect is to make it clear that IA does not understand what is has been auditing. The answer is to take the time to learn the business, processes, and risk associated with the audited area.’

Care and Feeding of The Company’s Culture. How can IA help to ensure a healthy organizational culture? Auditing culture is certainly work examining. Healthy organizations should have guidance on norms and expectations and a healthy tone at the top. Transparency is important. Management should think long term and have a sound strategy. Ask yourself whether the root cause is behavioural or cultural in nature. The problem with culture is that it is not clear cut and might be hard to evaluate. Those who are toxic in nature might be held accountable and be responsible.

 

IIA Magazine Oct 2016 issue

There needs to be reporting beyond just financial type. There is a need for a risk-based approach and to look at the major objectives of the organization. It is important to have a policy for conflict of interests. Do not simply give customers what we think we can deliver, but ask them what they need. Company culture is crucial in the employee rating of their CEO. Those CEOs who are the founders, have lower pay, have good profitability usually have better ratings. Some FIs are concerned by the staffing of their AML team and the adjustment needed for new regulations. The US is the most cyber aware country. However, there are some countries which are lacking in cybersecurity preparedness and that is a concern. Brexit might have the effect of changing the impact of globalization over time.

The Art of Recommending. Internal Auditors walk a fine line when presenting recommendations to management. IA needs to show how the recommendations fix gaps and mitigate risk. There needs to be a cost vs benefit analysis too. Recommendation can either be to address a gap or as a suggestion for improvement. There needs to be both internal and external sources of information. One needs to spend time documentation down potential recommendations. It should address the root cause. Avoid addressing a person. Indicate a repeat finding. Explain how the recommendation will mitigate the risk. For areas for improvement, list them separately from the gaps. Some external info could be ‘IIA research materials, professional literature, networking, procedures from other organizations.’

‘It is a good practice to jot down recommendation ideas as soon as they come to mind, even though they may not find a place in the final report. Even if internal audit testing does not result does not result in a finding, the auditor may still recommend improvements to the current process.’

‘It is internal audit’s prerogative to provide recommendations, regardless of whether management agrees with them. Persuasive and open-minded discussions with process owners are important to achieving agreeable and implementable recommendations.’

Big Data and IA. Today’s data analytics expand auditors’ ability to tap into all types of info generated by the organization. Auditors can mine data and analyse them. IA can use statistics or visualization tools to help them too. One can test all the transactions now. There is also a great variety of data available. Velocity of data now makes it possible for IA to perform continuous auditing. Learn to understand the data and acquire the analytics tools. It is also important to develop a road map too. Big data can be harnessed in a meaningful way.

Is IA in your Audit Universe? IA should seek to enhance and protect organizational value. IA should be audited via a QAR (quality assurance review). One can evaluate the IA’s conformance to the standards, code of ethics, efficiency and effectiveness of the IA activity. It must be conducted by someone who is objective in nature. An external assessment needs to be conducted once every 5 years.

Blurred Lines. Internal auditors need to have the skills and perspective to deal with frauds that don’t match the standard villain story. One needs to look for the motivations and benefits. IA needs a clear perspective on how to approach fraud. One needs to analyse why did the fraudster want to commit the crime.

Taking the Lead on Nonfinancial Reporting. Internal audit is well-positioned to examine how its organization reports on nonfinancial issues. European companies now need to disclose in the annual report how they are discharging social, environmental and ethical issues. Non-financial info is important to gauge the society’s impact. Management needs to be concerned over non-financial reporting. Sustainability reports should disclose how the company performs in some specific areas. You need good non-financial reporting systems. In the US, sustainability reporting is not mandated and not practiced by many companies. Non-financial data are often over-looked by IA. IA needs to have the right process competencies for effective non-financial reporting. There needs to decisions on materiality over nonfinancial reporting. Strong communication skills are the key. It is possible to create a multidisciplinary team that can provide combined assurance. IA needs to engage the first line of defense first.

Audit processes take flight. The updated COSO Internal Control-Integrated Framework is at the heart of Boeing’s internal audit work. The new COSO framework has 17 guiding principles across the 5 control components. The principles-based approach is being used. It is important to give weight to all of the COSO components. Keep the focus on inherent risks. Every audit requires a detailed process flowchart.

Privacy in the workplace. Organizations must find ways to accommodate employees’ personal technology use while also meeting regulatory and other requirements. Digital technology has changed a lot of things. Privacy issues are becoming more important. Employees tend to violate privacy risks more. IA should be able to understand where the risks lie. A lot of data is being collected and analysed. Some form of employee monitoring is necessary, but not excessively. Who is responsible for lost data on a cloud? In the US and Europe, there are a lot of acts that company must comply in relation to global privacy laws and regulations. In Europe or Japan, the privacy laws are more absolute. There needs to be a strong governance/ privacy framework in place. A risk assessment should be performed on a frequent basis to evaluate the impact of changes to regulation. If an organization expands, IA should make sure controls are in place to manage privacy. Training and awareness needs to be made at every level. Trust must be built between employers and employees.

A Unified Approach to Compliance. Failure to comply with regulation could lead to fines and reputational damage. There needs to be a co-ordination between IA and compliance function. IA needs to understand the business goals and how the compliance team plans to assist the business in achieving them. One can examine from both a macro and a micro level. The IA charter should clearly document the role of the IA team in compliance. We should focus on the foundations of the assessment. IA should sound out levels of residual risks that are greater than risk appetite. How does the organization ensure completeness in the assessment? IA can rely on the compliance team to update them on the regulations. Key compliance decisions must be documented. IA and compliance teams should meet to discuss once in a while. IA can share audit reports with the compliance teams. IA can leverage and use the compliance risk assessment. However, IA should check whether it is complete. To achieve the IA mission, IA needs to include compliance too.

The Power of Rhetoric. Understanding the powers of persuasion and applying key rhetorical skills can improve the work of any IA. IA needs to possess rhetoric to persuade the auditee to accept the recommendations. The key elements are speech, audience, text. The author is usually the engagement lead. All members and groups of audience needs to be considered. The audit report is the written text. The team selected must be capable and know how to perform the engagement. Logos appears to one’s logic and the supporting documents. Pathos focuses on the audience’s irrational modes of response and is an appeal to emotions. Design of slides must be beautiful and also simple to read. Word selection is important and IA should give a balanced view.

The Red Flags of Fraud. Internal auditors’ knowledge of the business makes them ideal candidates to detect unethical behaviour. Fraud affects the bottom line and active measures to detect it are better. Red flags are signs that it could occur. IA can do a red flag analysis. There are different types of fraud, financial statement fraud, employee fraud, tech fraud etc. For FS fraud, personal enrichment is common. IA can scan the GL to look out for unusual trends etc. Analytical procedures can be used too. Employee theft of cash is possible. Other types of fraud are employee expense reimbursement fraud, payroll fraud and kickback scheme. Most frauds usually happen only after a year of service, because the employee needs to learn of the internal controls first. The chance of fraud is greater if the person is in financial difficulty. Data analytics can help to review red flags. Anti-fraud training must be conducted. Early detection is the key as if the fraud persists, the loss will be even greater.

‘Ethos is established when the audience determines that the author is qualified, trustworthy, and believable.’

Anticipating Information Security Regulation. As threats and data breaches become more common, so will regulatory oversight. Data breaches are more common and the risk to consumers are growing. One needs to establish a security risk assessment process. IA can adopt ISO 270001 to enhance their information security program. An employee security awareness program is very important too. IA needs to validate and assess the control environment too.

IIA Magazine Feb 2017 issue

IIA Feb 2017 Issue

Internal Auditors need to provide maximum return on investment and audit the right things. They need to understand the company’s strategic mission, objectives and KPIs. More auditors need to base their work on the International Standards for the Professional Practice of Internal Auditing.

The 5 emerging threats are (i) global economic uncertainty; (ii) increased regulatory burden; (iii) significant industry changes; (iv) business model disruption; (v) cybersecurity threats. Global economic uncertainty seems to a bigger risk in 2017 as compared to previous years. In the compliance space, with the new US administration, enforcement areas could see some change. Trump could change the legislative, regulatory and executive actions under Obama’s reign.

Although most companies feel that they could detect a sophisticated cyberattack, many of them do not have an adequate communication strategy in the event of a significant attack. Also, some of the BCP might be lacking. The continuous monitoring of cyberattacks is also a challenge.

Data Mining. By leveraging data, internal auditors can address issues beyond the reach of traditional analysis techniques. It involves making use of data which had previously no formulated relationships, patterns. Artificial intelligence, machine learning, statistics and database systems all come into play. Some of the techniques auditors can use are predictive modeling (IF), data segmentation (data clustering), neural networks (artificial intelligence), link analysis (links between records), deviation detection (red flags). The use of email mining can identify red flags in fraud etc. Social network analysis is also possible. IA should continue to look for ways to innovate their audit testing.

Intelligent Assessments. Use cognitive technology to help identify high-risk areas. These are intelligent computer systems that can aid in the performance of risk assessments. For instance, this tool can extract and analyze text from audit reports and analyze trends and high-risk areas. Natural language processing (NLP) has the power to tap into every sentence of every report to churn out more information. The machine will convert text to a certain structure and add meaning to the text and teach the computer to understand audit concepts. Words like ‘fraud’, ‘finding’, ‘auditee’ can be flagged out.

Turning Up the Heat on Fraud. A fraud risk assessment can help auditors take the organization’s ethical temperature. There are many ways to do it, example, through surveys, focus groups, workshops etc. The focus is mainly on fraud risk. It works best in small brainstorming sessions with operational management. Using the ACFE’s Fraud Risk Assessment Tool can be useful as it provides a structured approach. Risk assessment is about identifying where fraud might occur and the potential perpetrators. IA can do surveys to measure the ethical climate and voting can be anonymous. The results of the survey can be discussed with management. If there are high risk areas with fraud risks, IA can pay more attention to them.

The Accidental Discovery. Small or remote locations can be more susceptible to embezzlement, especially when they are not audited regularly. Confront someone after the facts have been reviewed. Look at the big picture. Controls that aren’t operating effectively are as good as them not being there.

Auditing what matters. Add value by selecting audits that contribute to achievement of strategic objectives. Auditors now should start looking at this area. Look at where the company spends the most money, what their main programmes are etc. Find out who is responsible for the strategy and make them IA’s stakeholders. Traditional audit activities can move towards strategy too. IA should use the COSO ERM framework in its entirety. The aim is for IA to a strategic partner to management. Don’t fear failure and find out more from the auditee by talking to them. The trick is to engage with processor owners easy and evaluate control design. IA should do the following: (i) Identify and define the risks; (ii) rate the risks; (iii) address risks in detail. Getting management buy-in is also important. The CAE must convince the AC to highlight the need for a strategic approach. Most IA wants to be a trusted advisor.

Core Principles and the QAIP. The new IPPF in 2015 can be incorporated into the QAIP to show that the IA is aligned with the mandatory IPPF elements. Learn to develop a concept and approach that is easy to understand. Core principles are a mandatory element of the IPPF. IA need to have general conformance with the Code of Ethics and Standards. The 5 steps are (i) establish a maturity framework (ineffective, partially effective, effective, sustainable, world class); (ii) map core principles with the standards and code of ethics; (iii) Define characteristics of maturity in 3 aspects of standards and QAIP characteristics, infrastructure and process characteristics, core principles and specific characteristics; (iv) perform internal and external assessment consistent with requirements of QAIP; (v) Evaluate and report maturity levels for core principles.

Champion of Trust. By modelling high standards of ethical behaviour, IA can help shore up faith in the organizations they serve. How can IA be a trusted advisor that is well respected? One way is via ethical commitment. IA needs to model ethical conduct in everything they do. IA must have the courage to sound off before things get in trouble. Ethical commitment is the key to a well-functioning IA. Ethics should come naturally to all. We also need to build ethical resilience (integrity, courage, honesty, accountability, trustworthiness).

Infusing IT Auditing into Engagements via a three-phase approach. The tech sector is growing at a rapid rate. Internal auditors also need to develop IT-related capabilities. IA needs to think about the future of integrated auditing. For a start, IA can incorporate IT perspectives into current audit engagements. This can involve documenting down what are the IT automated controls. One can also read IT policies or those on change management. One should also identify resources and pinpoint where they are stored (example: servers). Map core IT resources and data to key business objectives. Respond to IT risks and identify audit objectives that can add value. An integrated audit can help in this. In the middle term, IA can build an IT audit team, understand the IT framework like COBIT, perform IT audits and also foster relationships with IT and management. In the long term, IA can leverage on data analytics and obtain professional certifications (like IIA and CISA).

Breaking Down The Standards. With the right strategy, practitioners can divide conformance into bite-size, easily digested portions. The standards consist of attribute standards (series 1000 to 1322) and performance standards (series 2000 to 2600). Some IA may neglect the attribute standards and focus on the performance standards instead. However, both are very important. IA should perform an assessment of how well they are conforming to the Standards. An external assessment must be conducted once every 5 years. The audit work program needs to be reviewed and approved by the CAE before engagement commencement. Ultimately, conforming and understanding the principles behind the Standards are important.

Auditing Organizational Governance. IA has an integral role to play in improving the organization’s strategic performance. This area is becoming increasingly important in recent years. Governance reviews can help prevent governance failures. Less than 1 in 6 IAs conduct reviews for their organization’s strategy. Sometimes, it might be difficult to conduct a separate governance review. Rather, it might be easier to incorporate it as part of routine audits. One can focus on both the governance structures as well as the organizational culture. Some of the soft controls can include management competence/style; mutual trust and openness; strong leadership; high performance and quality expectations; shared values and understanding; high ethical standards. However, for some of these measures, there are no hard data to analyse. Hence, it is important for IA to read the signs. IA can also provide a more advisory role, which is educating board about developments and trends in the industry and governance best practices. In terms of strategic reviews, IA has much to work on. There is a tendency to focus on weaknesses in financial reporting etc.

Good Governance is All About Quality. The 5 quality rules are (i) customer focus; (ii) management leadership; (iii) Teamwork; (iv) Measurement; (v) Total commitment to continuous improvement.

 

IIA Magazine April 2017 issue

Business Resiliency is about the organization’s ability to quickly adapt to risk events such as these while maintaining continuous operations and safeguarding its employees, assets, and brand equity.

Malware, Ransomware and man-in-the-middle attacks are common security issues for organizations

Some organizations lack a clear risk management program and that is a problem. Lack of resources, complexity and inability to get started are some of the reasons cited.

1. Communication errors/ misinformation over company performance through channels other than financial reports; 2. Environment, health and safety is an area which is high risk, but not many IA covers this.

Cyber risks are also a main area where IA needs to be concerned about.

Learn to work smart and not harder. Employers should 1) acknowledge the problem; 2) appreciate the employee; 3) identify the root cause; 4) define the roadblock; 5) Devise a solution (training, resource allocation, process improvements); 6) Circle back. Guiding an employee well will result in an increase in productivity and morale.

The Data Museum. IA can compile organizational data in structured exhibits. Auditors need to use data warehousing principles to clean the data and structure it once that it is ready for analysis. Before storing data, consider the following: relevance, reliability; reusability; rarity. For instance, SQL can be used to extract, transform and load the data. Learn to run SQL statements. As for audit tools, auditors can use data visualization and advanced reporting techniques. Use a relational database and start small. Ensure that there are audit trails and logs.

The Many Facets of Risk. Risk is always multi-faceted. Look at the product and market research life cycle. It is important to do the strategy and competitive analysis like via SWOT, Porters’ 5 forces etc. Financial Management like NPV calculations aid in project-making decisions. Operations Management is about maintaining the optimum amount of inventory, like the EOQ method. Forecasting sales and demand is also a risk. Human resource risks and quality management risks are also possible. IA can act to cross-pollinate risks via mathematical or management methods.

Life of Luxury (Embezzlement). When too much power, accounting and budgeting etc, resides with the head, too much risks exists and there is potential fraud risk. There were too many over budgeted accounts in this case. Also, a person spending excessively or leading a lavish lifestyle will arouse suspicion. There are many lessons that the IA can learn: include riskier businesses in the IA plan; question how beneficial is the whistle-blowing hotline; an audit on payroll can detect payment to ficitious persons/ other people; review the acceptable use policy for all corporate-issued credit cards.

Resilience Through Crisis. Organizations all need to overcome crises and emerge stronger. The BP oil-spill PR was handled badly. IA can audit the crisis management plan. A crisis team should be cross-functional and with each goal clearly defined. IA should also be part of the team to ensure that the team is addressing the appropriate issues. The team should identify potential crises and IA can chip in. Next, a comprehensive crisis plan should be developed. Effective communication is the key and there must be a plan to inform stakeholders quickly. It is also important to have a spokesperson to handle the media etc. General templates can be used for media statements. Experts can be used as well. Crisis simulations should be conducted, like table-top exercises etc. IA should be the observer in all simulations. After the crisis, the crisis management team should evaluate the effectiveness and the performance of the plan.

Hit the Ground Running. The trend is to convert interns in IA into the permanent establishment as they already understand some of the company’s operations. One option is to transfer existing staff to IA. Interns who perform well stand to be converted. Interns are also less costly and can be used during peal-periods. There needs to be a significant investment in developing a good internship programme. There needs to be a plan all along. When you plan, it is important to prepare a job description, program budget, hiring plan and schedule. Provide guidelines for the interns to do work and make the audit project interesting for them. Teach them soft skills in the audit. Give them real assignments. Stretch them and ensure that they can contribute and make their internship meaningful.

Climbing the Scale. Turn to maturity models. Maturity models can rank from 1 to 5. They can be expanded into many business areas nowadays. Maturity models can be more meaningful than a simple pass/fail. Using this can convey a more positive collaborative tone too. Acknowledge what the client is doing already to improve processes and controls. A maturity model also focuses more on processes than people and seems more non-threatening. The models you can use are CMMI, C2M2, COBIT, P3M3, RMM, TMMi etc. Develop a dynamic risk assessment approach. IA should provide both assurance and insight. One can use the ISO standardized frameworks to compare the organization’s maturity level against. At times, the highest level of maturity might not be required as a lot of resources will be required. Maturity models can be very judgemental indeed. To succeed, IA needs to choose the correct model and be flexible when applying it. Build the best model and find a project champion if possible.

From the Same Playbook. IA needs to align its work with the organization’s strategy. There are debates as to whether IA should provide assurance around risks affecting company strategy. It depends on the CAE. However, not all top executives will want to discuss strategy with the CAE. There can be a disconnect as IA usually does not audit the latest transformations and developments in the company. Some IA prefer to audit compliance, which they are more familiar with. Two big risks are not having effective strategy or not executing them properly. CAE should think like CEOs and think through different perspectives and figure out how to maximize shareholder value. IA can perform gross profit margin analysis etc. There needs to be a balance between strategic-level audits and compliance based audits. Have discussions with management and the audit committee on strategy. It is for IA to look into strategy risks and the risks of entering any particular strategy.

Three Lines in Harmony. A Centralized testing model will enable the 3 lines of defence to rely on each others’ work. Front-line management is the first line of defense, risk/compliance functions are the second line of defense, internal audit is the third line of defense. It is important to co-ordinate so as to ensure all areas are covered and there are no duplications. Relying on others can also provide an increase in efficiency. Ensure that there are proper service agreements if there is a centralized testing unit. Automatic testing preferred and desired. There is a need to document the risk framework.

Signature Audits. Auditors should try to identify and respond to emerging risks. Most IA confirm concerns already identified by management. IA can do a mystery shopper role, or perform simulations to test controls. IA now need to be more innovative and curious. Signature Audits refer to thinking out of the box to design appropriate test procedures (example: penetration testing or social engineering). IA can identify best practices or try to circumvent processes rather than test them.

A Real Look at Real World Corporate Governance by David Larcker/Brian Tayan

Preface. How do you assemble the best board of directors? How do you pick the best CEO? This books examines the factors for corporate success.

Introduction. Societal leaders should do more. Lehman Brothers went under and there was a need to shake up the industry. The Dodd-Frank Wall Street Reform and Consumer Protection Act was passed in 2010. Is this the solution to all problems? There is an issue of ‘procedure over substance’. There might be unintended consequences to improving corporate governance. High-level ideas might not be met well at the ground level. As it is empirical in nature, corporate governance can be research and studied. This is better than just theory. It is essentially the theory of separation between owners and the management. The fear is that the management protects self-interest at the expense of shareholders. This is essentially an agency problem that needs to be solved. One will want to do so in a cost effective manner. The requirements must be clear as those that are ambiguous are not effective in the long run. The issue of poor corporate governance is actually quite poor in recent times. The problems are there but finding the solutions are much harder. We need to focus on the big-picture issues.

Board of Directors. Most of the board members should be ‘independent’ of management. They are elected by shareholders. The board’s role is to advise and monitor management. They have a right to question management’s plans in order to ensure that it is adding to shareholder value. Sometimes, they can also offer strategic advice to management. They are also expected to maintain an oversight function and monitor management. What does it mean when a board is functioning well? How do you know that the board selected can perform all of the above satisfactorily?

Lehman Brothers – A Case of Form over Substance. A board also has to provide oversight so that regulatory and legal requirements are being met. Some of the ‘best practices’ in the market have not been proven before and appear vague. There are issues when choosing board members as giving them a 3 year term might seem too long. Does independence standards help to improve corporate performance? Very little. Interlocked directors might lack independence but they have the know-how of the two companies and can form synergies. How can you tell whether a board is effective? The Lehman Board had diverse directors on-board. What went wrong? Upon closer inspection, you will realize that there is no one of financial expertise on-board. In addition, there is a lack of people with current business experience. Some of them were also well into retirement and couldn’t be expected to understand complex finance. Those with non-profit backgrounds didn’t help to value-add as well. The guy appointed to chair audit committee didn’t know about finance. There were also not many finance committee meetings. Structure of the board is important. However, there is little evidence to show that it is effective.

Are CEOs the best Directors? A CEO is very important as a candidate for a director in another company. This is because he has the right experience in making decisions etc. It is not uncommon for CEOs to sit on the boards of other organizations. However, this trend is declining. This is because companies have guidelines that prohibit outside directorships for their current CEO. Now, the trend is to recruit more junior senior management or retired CEOs. Current CEOs may not be the best bet. This could be because they are too busy caring about the affairs at their current company. CEOs have the ability to deal with failure/crises. In recent studies, there is little evidence to show that hiring CEOs as directors can positively contribute to operating performance. Is there a shelf life to director experience? Earning fees elsewhere might also impair their independence.

Are the Directors of Failed Companies Tainted? After a failure or scandal, the stock price will plunge. The damage might be long-lasting as well. The company might face lawsuits as well. Lastly, there might be turnover in the company too. Non-executive directors from failed banks managed to find directorships elsewhere. The reputation of the directors might get hit. Is it the directors’ responsibility to detect any malfeasance? There is some evidence that shows that executives of failed companies are treated more strictly. The Board is assumed to have less time to detect problems and hence cannot be fully blamed for any malfeasance. This is an issue that must be discussed in greater detail.

Part II: Accounting and Controls. Hiring an external auditor has a deterrence and detection help. External auditors only check on a sampling basis. They tend to focus on revenue accounts that rely on management estimates. This leaves room for manipulation. Auditors are expected to maintain professional scepticism throughout the audit. Accounting requires discretion at times and there might not be ‘correct’ accounting. Malfeasance can still occur even in the audited accounts. Revenue recognition/expense recognition/misclassification/OCI/tax accounting are all areas that can go wrong.

What’s Wrong with GAAP? In the US, GAAP is used. Companies can still retain considerable discretion over financial reporting. Non-GAAP information might also be reported as a supplement. These often include non-cash items, amortization, restructuring etc. Non-GAAP often paint a rosier picture of the company. SOX requires a company which non-GAAP earning to reconcile them with GAAP earnings and provide both figures. Often, one-time costs are included in the GAAP earnings. It is important to try and steer clear from non-GAAP adjustments. However, non-GAAP earnings might have higher information value. Non-GAAP earnings usually do not include one-off items that are unlikely to recur. Fluctuations on mark-to-market instruments also hit GAAP earnings even though contracts specify that some options cannot be exercised until expiration. Companies have to report a gain when their credit quality deteriorates as they can repurchase their bonds in the open market at a discount.

Royal Dutch Shell: A Shell Game with Reserves. For investors, it is difficult to know the frequency to which accounting manipulation occurs. Management is often involved in accounting fraud. There often has to be multiple failures of governance issues. The organization might have poor culture. Fraud escalates over time. Shell overstated their oil reserves by over 23% in 2004. How did such an incident occur? Governance and leadership failures occurred. Royal Dutch Shell was known for their scenario planning. Decision making was institutionalized. Lower oil prices in the 1990s and 2000s put pressure on profits. Standards for rigorous training fell and managers were given less autonomy. Employees were asked to contribute ideas on operating. The culture was shifting unknowingly. Management also promised investors unrealistic results on looking for new oil reserves to replenish used ones. Oil companies are required to disclose their proven reserves as it indicates their future profitability. These do not affect the current balance sheet though. Reserve calculations are not audited. Valuers’ are supposed to select the most conservative estimate. Management did not communicate important information to the board. There was a lack of oversight by the Board. How do auditors satisfy themselves that estimates are accurate/reasonable.

Baker Hughes: De-Corrupting Foreign Practices. What can a company do to fix its problems? How did Baker Hughes respond to FCPA violations? It improved its practices. Effective governance solutions are business-like. It is common to accept bribes etc. FCPA was enacted in 1977. It was illegal for a US company to offer payments to a foreign official for the purpose of ‘obtaining or retaining business’ or ‘securing any improper advantage’. If your company has dealings overseas, it is very difficult to track. There is a fine line between facilitating payment and a bribe. The company, Baker Hughes, started strengthening their reforms. Before hiring agents, sufficient due diligence according to FCPA must be conducted. Compliance will review large value transactions etc. The company’s business operations improved thereafter. Division managers were more aware of the regulations etc. Controls should not just restrict activity, it should promote positive performance. Can company’s act and improve controls even before a crisis emerges? That is the challenge. What metrics should be measured.

Even at its best, there is a limit to how effective internal controls can be. Controls restrict activity but they cannot prevent malfeasance. At some point, an awareness of correct behaviour needs to be ingrained in the culture of the company. – David Larcker and Brian Tayan

Part III: CEO Succession Planning. The CEO is extremely important for the company. There are 4 ways to select: 1) CEO-in-waiting; 2) horse race; 3) external recruit; 4) inside-outside approach (two-prong). Board members tend not to favour external candidates. As for internal candidates, there is a risk that they may not perform as they have not assumed such a role before. Succession planning is a process that must be managed well. It is the board’s responsibility to choose well. The right structure must be set and be in place.

Sudden Death of a CEO. A well groomed company might learn to adapt to changing situations. Most boards require at least 90 days to find someone. This is a topic that not many boards spend sufficient time on. For sudden death cases, it is imperative to find someone suitable fast. Internal candidates should be constantly groomed to take up greater leadership roles and responsibilities. Poor succession planning can have an effect on future profitability of a company. Succession planning should be treated seriously. Disclosure of such plans may not be wise as well. The stock price immediately after the sudden death of the CEO reflects whether the company had good/poor governance mechanisms. The benefit of hiring internally is that it is much faster.

HP: The CEO Merry-Go-Round. The Board must plan for contingencies. The current CEO must also be open and receptive about such discussions. HP is an example where multiple breakdowns occurred. HQ acquiring Compaq was a major issue as the board didn’t agree with it. It appeared that HP was moving away from its core business model. There was a HP tried to grow through external acquisitions rather than grow organically. There were also issues with disclosure of financial information with the board and a sexual harassment scandal with the ex-CEO. There were frequent changes in CEO from 2000 to 2011. The board were not clear on their strategy of hiring a CEO. Is it right to constantly view internal candidates as bad?

Apple: Is CEO Health Public or Private? The SEC encourages companies to disclose information about whether a company will be adversely affected due to vacancy in leadership. Health information is private in nature. Should such information be disclosed? When Steve Jobs’ health failed in 2008, the Board covered it up. In Jan 2009, Apple claimed that it was a hormonal imbalance that caused him to lose weight. Warren Buffett had no qualms about disclosing his state of health to his shareholders. He felt that such information would allow shareholders to make informed decisions of the company. How extensive should the disclosure be?

Part IV: Executive Compensation. This is a controversial process indeed. Compensation must be at a level where it attracts, retains and motivates people. It should be paid in a manner that encourages unnecessary risk taking. The compensation committee should design a suitable package. It should use benchmarking and evaluation against the external labor market. The plan must be approved by the Board. Now, shareholders can give their ‘say on pay’. The Board must consider what reactions their pay package will have on significant shareholders. What is a ‘correct’ pay package?

What is a CEO Talent Worth? Some believe that CEOs are over-paid. In such cases, shareholder activism is encouraged. Is the rise in CEO compensation commensurate with the growth rates in revenue of the company? The highest paid CEOs and celebrities earn about the same amounts. There is a distinction as CEOs of large companies earn substantially more than CEOs of small companies. It is important for a certain amount of pay to be based on performance.

What does it make to make $1 million? There are various methods to calculating executive compensation. It is not so straightforward as there might be vesting periods, contingent payments and accruals. The first method is the ‘expected compensation’ for the year. The next method is ‘earned compensation’ for the year. This refers to those that an executive ‘earns the right to keep’ as cash. The last method is ‘realized compensation’, meaning how much executive can keep as cash for a given year. Which is preferred? It depends on whether you are forward or backward looking in nature.

Netflix: Equity on Demand. It is important to align compensation with corporate objectives. Netflix offers a lot of flexibility and room for empowerment in their culture. They treat employees like adults. Pay is very attractive at Netflix as they do not want employees to leave. However, they expect employees to work hard and to do the job of 2 normal workers. Only the best performers get retained. Their involuntary turnover is higher than the industry. However, those that get cut receive a severance package. Employees are definitely receiving a competitive wage. They have unlimited vacation time. They are however, expected to take as much as they deem is necessary. They also can choose how to be compensated, either via cash or stocks. Usually, one will not be able to exercise stock options immediately. If you expect the company stock price to rise, it might not wise to exercise it so soon. Many companies use BS model to estimate liability at balance sheet date for financial reporting. Stock options are good because they encourage risk taking and provide better alignment to company’s objectives. Netflix doesn’t offer cash bonuses. Employees can choose a compensation mix that is right for them.

Conclusion. The board must be qualified and engaged in their work. They have possess the requisite skills and knowledge. Case-by-case analysis must be made in order to assess board quality. Controls can only do so much to protect the organization against fraud. Succession planning is an on-going process and must be executed well. There is no ‘one-size-fit-all’ governance solutions that can be implemented. To have effective governance, one needs to learn from case studies etc.

Audit Analytics by Sean Elrington

Data analytics is useful for good governance as it provides better assurance as compared to manual sampling. Is the need to hire consultants necessary for straight-forward audit tests? It can help recover unnecessary spending. There may be resistance from the other departments if audit wants to perform 100% checks. There are still auditors which do not use data analytics.

Common Objections to Using Audit Analytics. Some auditors are too busy to learn and to change. The data may not be readily available. In addition, the cost has to be justified. Some are too intimidated by change. You need an understanding of ERP, database structures, views, tables etc. The benefit is that you might save time for data analysis. How will analytics help audit productivity? As it requires less man-hours, analytics can be useful. Although in the short-run, probably more work will be required. If the error is systematic, testing 100% of the population might not be very useful. In such cases, it will be better just to test a few samples and fix the control first. Analytics is here to stay.

Questions that the IT manager will ask you. Why can’t the auditors use Excel? Excel has its limitations on data size. Random sampling is not a good way to detect fraud. Data can be amended easily in excel and it does not have much data security. Sorting can be slow and Excel lacks functions like Benford’s Analysis. Modern audit software have data logs too. It is good to host the data on a server especially when there are multiple users. If you rely on the IT department to generate data for you, there is a risk that the data could be manipulated before being provided to you. There is an issue of how much access that an audit should be given. Data should be obtained from production and not the data warehouse. In the data warehouse, bad data might have been removed already. Application controls rely on passwords and roles to work. Relying on the controls in the ERP system might not be useful when there is collusion. Data might be present from different systems and auditors can’t simply draw the data from one ERP system.

Considerations when choosing audit software. Some of the functions that are heavily used are extract, join, relate, summarize, stratify, classify and age. Continuous monitoring is a lot more expensive and complicated. Is training a big consideration? Do you need to write your own scripts? Or can you buy scripts? What is your required return on investment? Will learning the software help the auditors in their career development? How much technical support is needed? What are the server requirements?

Analytic Software Tools. Picalo is a free tool that can be downloaded online. Some of the other software besides Excel are TopCATTs, Arbutus Software, IDEA, Monarch, Picalo, ACL. ACL usually requires a lot of training before users will know how to use.

Testing for Duplicate Payments. One can test both exact and fuzzy matches. There are multiple reasons why this might occur. First, you have to ensure that there are no duplicate vendors by scrutinizing the vendor’s details. For exact match testing, you can use ‘Substring’; ‘Include’; ‘Exclude’; ‘Alltrim’ formulae to remove dashes, hyphens etc. Testing should be performed on fields like Invoice Number, Vendor Number, PO Number, Date, Amount etc. Deconstruction techniques are used for Fuzzy matches. They use techniques like Soundex, Soundslike, HEX etc. Some of the algorithms are Levenshtein distance, Metaphone etc.

P2P Vendor Analytics. Some of the objectives are 1) vendor master file is correct; 2) employees are not vendors; 3) no duplicate or unused vendors. Match vendor information with employee information. Check out vendor addresses to ensure that they are not mail drop addresses used by delivery services. Sort the number of vendors by payments per year. Use a vendor name fuzzy match. Find vendors with missing fields to check whether the vendor master is well-kept or not.

Purchase Card Analytics. Objectives are 1) only authorized employees are using cards; 2) card purchases are acceptable. Try and detect transactions by authorized card-holders. Find cardholders not in employee master file. List top spenders by department. Find transactions in excess of authorization limits. Identify weekend and holiday purchases.

FCPA analytics. Objectives are 1) test that there are no suspicious payments made to individuals or entities; 2) verify that gifts received are permitted. Identify payments made to high risk countries. Identify cash payments. Identify unusual gifts. Identify credit card spending with unusual Merchant Category Codes. Find unusual vendors, like PEPs etc. Flag out payments with the words ‘facilitate’. Match to watch-lists, world-check etc.

P2P Payment Analytics. Objectives: 1) POs are unique and properly filled; 2) SODs are working; 3) controls to match invoice and PO amounts are accurate. Detect split purchases. Find duplicate payments. Find POs that were raised late. Look out for people who can create and approve their own POs. Look out for unauthorized purchasers. Ensure that there is approval for all POs. Compare a list of payments to prohibited vendor lists.

GL Analytics. Objectives: 1) Only authorized employees are making GL entries; 2) GL entries are acceptable. Detect duplicate GL entries. Look for suspicious wordings like ‘park’; ‘temp’; ‘reverse’; ‘suspense’. Detect GLs made at odd timings. Detect payment voucher and look out for approvals etc. Look out for frequently changed or reversed accounts. Find temporary accounts.

Healthcare Analytics. Objectives: 1) procedures billed to the correct code; 2) appropriate charges are billed to correct account; 3) reasonable timeline of patient activities.

Fraud Facts. Whistle-blower hotlines are a great way to detect fraud. Some level of fraud might be acceptable. It depends on the organizational culture. It is not the auditor’s responsibility to detect fraud. Look out for transactions with fraud symptoms. In general, there are two types of fraud: 1) Fraudulent financial reporting and 2) misappropriation of assets. It is hard to distinguish whether it was an honest mistake or fraudulent. The top from the top must be correct.

Common Business Frauds. You might need the help of a skilful financial auditor to deconstruct fraudulent financial reporting. Financial fraud is a very serious matter. Misappropriation of assets often involve kickbacks. Multiple payees could be an issue. Duplicate payments are a potential source of fraud too. A shell company could be used to deliver fictitious services. Detect maintenance which has been performed too frequently. Physical inspection of works/goods can help. Look out for defective delivery of goods/services by having good IC over the receipting of goods and services. See how often different employees reject or accept goods based on their quality. Inaccurate pricing is one of the type of risks too. Contract rigging means awarding to the lowest bid, but later subsequently changing the product specs so that the contractor will have to deliver more and thus can earn more money. Check contracted projects over their original budgets. Contract rigging is difficult to detect if you are not familiar with the goods. Bid rigging is very difficult to detect. Ensure that there are no phantom employees or contractors. Look out for invalid employees’ wages.

Interesting Fraud Stories. The fraud triangle occurs when there is 1) opportunity; 2) motivation; 3) rationalization. Don’t let non-trained employees do the accounts. Do not let the salespeople collect the cash. Be wary of bribery to win contracts etc.