MSU Department of Internal Audit Presents: Internal Audit Processes and Procedures. Thomas Luccock, Director
Presenters • Thomas Luccock • Jana Dean • Steve Kurncz • Jim Jesswein
Overview of Topics • Organization and Mission • Internal Controls • Risk Assessment • Typical Findings • Fraud Awareness and SAS 99 • Information Technology Auditing • The Internal Audit Quiz Bowl
Our Mission “To assist University units in effectively discharging their duties while ensuring proper control over University assets.”
Our Charter • Introduction • Purpose • Authority • Responsibility • Independence • Audit Scope • Special Investigations • Reporting • Audit Standards and Ethics
What is Internal Auditing? Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. -Courtesy of the Institute of Internal Auditors
The IIA Standards • Independence • Professional Proficiency • Scope • Performance of Audit • Management • Code of Ethics
Internal Controls • An integrated system to protect an entity’s resources and assess risk. • A system of checks and balances. • An established way to prevent and detect intentional and unintentional errors. • Examples include segregation of duties, reconciliation, and proper authorization. • Controls can be preventive or detective.
Who is Responsible for Internal Controls? Management; delegated to operational areas; everyone in the organization.
Policy Statements • MSU Manual of Business Procedures (http://ctlr.msu.edu/mbp/httoc.htm): travel reimbursement, cash handling procedures, cell phone usage practices; it even covers flower purchasing requirements… • Departmental Policies
Procurement Card Policy • Manual available at http://purchasing.msu.edu • Key concerns: approval, documentation, appropriate purchases
Regulatory Requirements • NCAA • / EPA • Contracts and Grants • Financial Aid • A133 • Record Retention • http://www.msu.edu/unit/msuarhc/
Organizational Risk • What is Risk? The potential or likelihood of an event adversely impacting the assets of the organization or the organization’s business objectives. -Courtesy of Jefferson Wells
The Big Picture Certain factors may impact the industry, organization, or the auditable unit.
What is Risk Assessment? • Its purpose: • To identify the level of uncontrolled risk. • To perform an independent appraisal of the design of an organization’s system of internal control. • Includes all the work activities that provide assurance that the auditable unit has appropriate controls in place to comprehensively, effectively, and efficiently manage its risks.
How can risk assessment be used? • To determine which areas within a given business process should be reviewed. • To design tests to verify the adequacy of the identified controls. • To support a cyclical approach to auditing.
Audit Tools used during a risk assessment • Opening meeting • Internal control questionnaires and flowcharts • Regulatory requirements • Prior audit reports and correspondence • Observation of daily activities • Risk Survey – plan to circulate periodically
Risk Assessment Approach • Quantifying Risk: High / Medium / Low • Degree of Control: High / Medium / Low • Other risk assessment methods utilize convenient color coding.
Typical Findings • Deposits • Payroll • Reconciliation • Segregation of Duties • Procurement Cards • Travel Reimbursements
Fraud Awareness SAS 99 • Requirements • 24 Hour Hotline or web reporting • Complete Anonymity • 1-800-763-0764 • www.msu.edu/unit/intaudit/hotline.html • Employee Responsibilities
Types of Fraud • Misstatements arising from fraudulent financial reporting (e.g., falsification of accounting records) • Misstatements arising from misappropriation of assets (e.g., theft of assets or fraudulent expenditures).
Fraud Facts • According to the Association of Certified Fraud Examiners (ACFE), U.S. businesses lose approximately 5% of their annual revenues to fraud. • Seventy-five percent of companies surveyed by KPMG reported that they had experienced at least one instance of fraud during the previous 12 months. • The ACFE estimates that the median loss suffered by organizations with fewer than 100 employees is $190,000 per fraud scheme. A previous version of the same study, completed in 2002, added that: • According to the ACFE, the median length of time between when a fraud begins and when it is ultimately detected is 18 months. • In its 2006 Report to the Nation, the ACFE reports that frauds are more likely to be detected by a tip than by other means such as internal audits, external audits, or internal controls.
The Fraud Triangle • Opportunity • Pressure / Motives • Rationalization
Pressures and Motives • Financial pressures – rising debt/bills; spouse loses job; poor credit • Work Related Pressures – adverse relationship with management; promotions, compensation or other awards inconsistent with expectations • Vice pressures • Other pressures
Opportunity • Lack or circumvention of internal controls • Past failure to discipline wrongdoers • Management apathy • Unwillingness or inability to detect fraud • Lack of an audit trail
Rationalization • The organization owes it to me. • I am only borrowing the money. • They can afford it. • I deserve more. • It’s for a good purpose.
Profile of an Embezzler • Tends to be a trusted employee • Works long hours; first in/last out • Skirts mandatory vacation policy • Opposes cross training • Likeable and generous • Personality may change, moodiness may set in, when stress of embezzlement catches up to them, or when they are about to be caught • Evasive and usually good at lying
Fraud Red Flags • Not separating functional responsibilities of authorization, custodianship, and record keeping. No one should be responsible for all aspects of a function from the beginning to the end of the process. • Unrestricted access to assets or sensitive data (e.g., cash, personnel records, etc.) • Not recording transactions resulting in lack of accountability • Not reconciling assets with the appropriate records
More Red Flags • Unauthorized transactions • Controls not implemented due to lack of personnel or adequate training • “Walk through” approvals • Unimplemented Controls • Living beyond one’s means
Prevention • Senior management team sets the moral and ethical compass for others to follow • Management must clearly communicate zero tolerance for fraud and reinforce the message on a regular basis • Strict ethical code at all levels • Tighten computer security • Actively seek out red flags • Make staff accountable • Utilize MSU’s prevention tools • Learn and understand behavioral cues • Use the hotline!!
What is an Information Technology Audit? Information Technology (IT) auditing is defined as any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them.
Risks • IT infrastructure risks • Sensitive information • Monetary transaction processes • System access restrictions and enforcement • Weak password policies • Overall network security controls
IT Audit Scope • University policies and guidelines • Disaster Recovery Planning and Implementation • Acceptable Use Policy • Data Security and Backup Procedures • Managing Sensitive Data / PCI DSS Compliance • Industry standards • Password Policies • Security Planning and Implementation • Departmental Acceptable Use Policies
Information Technology Process • Scan of systems and associated network • COBIT Standards (“Control Objectives for Information and related Technology”) • IT Industry “Known Best Practices” • Partnership with Libraries, Computing and Technology • Employee Responsibilities
Typical IT Audit Findings • Data backup procedures • Disaster Recovery Plan • Access controls • Security practices
IT Audit Sensitive Data Focus • Unit Managing Sensitive Data Procedures and Policies • Unit SSN and other sensitive data procedures and policies • Unit Payment Card Industry Data Security Standard (PCI DSS) Compliance • Unit policies regarding electronic and paper storage of credit card data • PCI DSS Compliance Questionnaire • Unit vulnerability scanning
Question I Jane is such a dedicated worker that she never misses work – no vacations, never calls in sick. Because she is always here, we do not need to train someone to be her backup. What control weaknesses exist in the above situation? a. Jane could be committing fraud that could not be detected because no one ever does her job. b. If something does happen and Jane is not available to perform her duties, no one else is able to step in because no one has been trained. c. There are no control weaknesses. d. Both a and b identify weaknesses.
Question II Claire’s department sells small items off of their departmental website. She accepts phone orders for this merchandise and stores the purchaser’s credit card number and information in an Excel spreadsheet, on her departmental share drive. Once a month Claire logs into WebCredit and runs all of the credit cards at once. Is Claire doing anything wrong? If so, why?
Question III Bob forgot his lunch money today, so he borrowed from the petty cash fund. Which statement best describes whether this is a control issue or an acceptable practice? a. That’s ok as long as Bob put an IOU in the petty cash fund. b. That’s ok as long as Bob repays the next day or at least before the fund is reconciled. c. Borrowing from university money is never acceptable and is considered a control violation. d. This isn’t an issue as Bob always repays the money.
Question IV Mary collects registration money, prepares the deposit, agrees to the monthly fund ledger reports, and prepares the list of participants. Which statement concerning this scenario is true? a. This makes sense because Mary is responsible for handling the conference, so she should be responsible for all areas. b. This scenario lacks adequate segregation of duties. Someone else should be involved in at least one of the steps. The list of participants should be agreed to the fund ledger report by someone other than Mary. c. Mary knows everything that is going on with the conference, so it is more efficient to have her handle all the functions.
Question V Charley is a student employee on campus. He knows the rules dictate that he cannot work more than 29 hours in one week during the semester. He works 40 one week but will not work at all the second week. So Charley records 20 hours per week instead of 40 for week one and 0 for the second week. Is this acceptable? Why?
Question VI Sarah is the business manager. She has several employees who report to her and are responsible for posting all money received on their subsidiary system. Another employee prepares a deposit and sends it by courier to the Cashiers Office. Sarah agrees the deposit ticket to the fund ledger each month. What step is Sarah missing?
Question VII Jim’s job is to enter mail-in conference registration forms that his department receives (for a conference they sponsor) into the AIS WebCredit system. After Jim charges the customer, he keeps these forms (with full credit card numbers) in a locked cabinet for 3 years because he wants to provide them to the internal auditors, if necessary, and be able to dispute any chargeback claims. Is Jim following the recommended procedures? If not, why?