10 Things You Should Know About Internal Controls
The following podcast is from the AICPA Insights Live webcast series and covers 10 things one should know about internal controls as presented by Findley Gillespie and Steven Gin of Moss Adams. The list includes:
- Why a Training on Risk and Controls?
- Assessing the State of Controls at Your Organization
- Controls Maturity across the Three COSO Objectives
- Entity-Level Controls
- Information Technology Controls
- Segregation of Duties Controls
- Fraud Prevention Controls
- Documenting Policies and Procedures
- Responding to Deficiencies
- Recognizing Common Deficiencies
This podcast was originally recorded Nov. 15.
Welcome. Thank you for joining us today for AICPA Insights Live, "10 Things You Should Know About Internal Controls."
Presenting today is Findley Gillespie. Findley is Regional Partner-in-Charge of the firm's Business Risk Management and Control Solutions practice. He brings over fourteen years of internal audit implementation and public accounting experience and currently specializes in Sarbanes-Oxley, internal audit, controls-based consulting, and federal contracting consulting. Findley has experience managing and directing all phases of internal audit and Sarbanes-Oxley implementations including risk assessment, documentation and internal controls testing for a variety of clients.
He also serves as the acting outsourced internal audit director for several publicly traded organizations and serves on the audit teams of our external audit clients with an emphasis on internal controls over financial reporting and Sarbanes-Oxley compliance. Additionally, Findley is a member of Moss Adams' government contracting industry group and has great familiarity with Federal Acquisition Regulations and Federal Cost Accounting Standards requirements.
Findley is also the practice's Quality Control Partner and the Life Sciences Regional Practice Leader.
Joining Findley today is Steven Gin. Steven is a senior manager with Moss Adams' Business Risk Management and Control Solutions Group. He has over ten years of experience performing business process and information technology control reviews in a variety of industries as well as working with numerous financial applications and computing environments. Steven has substantial internal audit experience executing projects end-to-end across multiple industries in areas of financial, operational and IT risk.
Steven also analyzes IT general computer and application controls for multiple client divisions and locations. Steven has worked on the implementation of governance, risk management and compliance software in SAP environments to enable the continuous monitoring of segregation of duties conflicts and to automate user provisioning. He has also developed custom scripts to allow for the automated analysis of accounts receivable, accounts payable, and payroll data.
Welcome Findley and Steven.
FINDLEY GILLESPIE, CPA: Thank you, Tania. Well today we want to dive in and we want to share 10 Things You Should Know About Internal Controls. So kind of like an open-book test, what we'd like to do is share actually what those ten things are now on the screen. Then what we will do is we'll walk through those during the course of today's presentation.
So real briefly is we'll start with the background on why we're even talking about risks and controls. Then we're going to talk about understanding some of those controls. Kind of what does a risk assessment look like; some key attributes of controls, some key considerations as you go through this. And then lastly is how to actually bring this back to your workplace -- how to actually practically do some of the things that we talked about today. So again that kind of keys up our presentation for today and what I'd like to do is just advance now and what we're going to do is we're going to take each of these ten topics.
Certainly there is an opportunity if you have questions while we're going through. Please let us know. You can type that on -- type that on your screen there and we can respond to that. If there are items that need to be clarified as we're going through, we can certainly address those. Otherwise, what we'll do is we'll address those at the end and we should have about five minutes at the end of our presentation to go through questions.
So with that said is why are we having a discussion on risk and controls?
Well, what you see here is a great quote from J. Edgar Hoover saying, "At a given -- at a given moment, there is a certain percentage of the population that's up to no good." So that's kind of why we're talking about controls today, and specifically controls -- not only are they good to help reduce some of the exposures, especially in today's economy. Not only -- well, not only are they good to help scale and provide for growth, they really help you achieve your business results, whatever the organization you're representing is today. As part of this, I do want to note -- a lot of times people say, "Okay, you're talking about internal controls, what does that mean? Isn't it only fraud?" The answer is No.
And so here are some examples of some of the exposures related to having poor controls. So here are some of the exposure areas. So certainly we started with fraud risk there at the top. But not only is it just fraud, it's also reporting. It's also operational effectiveness and efficiency. It's also on compliance and reputational risk. Again, keeping yourselves out of the headlines. Keeping yourselves out of the newspaper because you certainly don't want to. So you get good press.
As part of that, like I did say, is it certainly is not just fraud prevention. It's not, not, not. And a lot of times people think that controls are based solely off of that.
So what I wanted to highlight here on this slide is just speak towards some other things that controls can help you and your organization with. So let's walk through this list in detail.
So the first one is financial reporting. So good solid controls can help you to generate reliable and accurate financial reporting. That's one item.
The second item is good solid controls can help you to have effective operations, effective resource management that speaks towards the efficiency of your operations. The third thing is that it can help you comply with laws and regulations so having good controls, assessing risk and having controls that are designed to prevent risk from occurring, can help you with those compliance pieces. The next one is strategy and operational alignment. So again good controls not only are they at a tactical level to make sure things don't go south on the top three bullets. But they can also help you as you look towards strategy going forward.
So again, that's a key piece and a lot of times people go, okay, well, doesn't really help us cut a deal with the strategy question or where we're going next or what's that next channel for us, what's that next opportunity, what are we ultimately going to be? And you take as an example, if you look at Amazon certainly they started out selling books, right? But they are not a bookselling company, right? So some of those strategic discussions about where do we go in the future can be addressed through those controls.
And then the last area is safeguarding of assets and fraud prevention, right? Obviously a lot of people think, any time there is control it always comes back to that. But really what it is, is all of these items including that fraud piece.
So again, those are the key things to cue up before you do that -- before you talk about them.
Let's talk a little bit about controls. So right now there is a lot of -- a lot of emerging discussion about controls and frankly there has been a lot of discussion since 2002, since the time that Sarbanes-Oxley came out. So for public companies that may be on the line or those that are familiar with that, Sarbanes-Oxley came out and through that there is really just kind of a scurry of momentum and discussion about controls. And what I'd say is from 2002 to now -- so we're now looking at an eleven-year period, is really there have been a lot of changes in control and how people view it, what they do. Some of those trends are -- trends are up here on this screen.
So specifically kind of the macro look at this is one is internal controls are good. Not a surprise there. But internal controls are good and certainly speaking to a crowd from the AICPA, I'm sure that we all understand that they are good and we need those.
The other piece of that comment there, that first bullet is that management and the auditors shouldn't ignore internal controls. And certainly this speaks towards some management teams where controls have largely been ignored. They go, "Well, the size of our organization we can just get comfortable with it without having good controls. I review things. I talk to people a lot. We know it's well controlled." So again management shouldn't ignore controls. And likewise the auditor shouldn't ignore controls. They shouldn't go, "Oh, well, we're just going to take a fully substantive approach to our audit or to our other work that we're providing to clients."
So again, that's the first full kind of macro theme or trend.
The second one is that internal controls are essential for all organizations regardless of size, regardless if you're a public company, a private company, if you're government, whatever it may be -- is all of those, it's important. And then also you know that kind of large and small -- so really wherever you are is good controls are essential for all organizations.
With that said is there is not a one-size-fits-all, which speaks towards some of the bottom section. And really what we've seen, and again kind of taking this last ten or eleven-year look at internal controls is that really there's been some changes in how people perceive internal controls and how things -- those are structured. And so really kicked off through SOX, but then obviously COSO has been very active. COSO 2013 just came out this summer after being amended a couple of times and delayed a few times. But COSO 2013 just came out earlier this summer. There has been a lot of activity out of COSO because after the original framework, it was largely just kind of dormant. Certainly other standard setters have had a lot to say about that and some of those key points are just how do you assess good controls? What does good control -- controls actually look like? Do you do "top-down" approach? Do you do "bottoms-up," etc.?
So again these are the reasons why we're talking about risks and controls today and we hope as we go through the next nine points, those will be items that help support your analysis of support, kind of where you're going at your organization with respect to controls.
STEVEN GIN, CISA: Thanks, Findley. Now that we've had an opportunity to provide you with a high-level background on risks and controls, we'd like to dive a little bit deeper into the risk assessment process and a couple of controls topic areas just to help organizations manage those risks that we identify.
This is a pretty good high-level diagram of a full risk assessment process. As you can see, it starts with the risk scoping and planning, moving on to risk identification, risk assessment, management risk response, and internal audit work plan. That's a little bit of an optional step as you can see there. It comes off of a management risk response of reducing risk.
And I think one thing that we should note when you're conducting a risk assessment across your organization, it's important to include stakeholders from multiple and various aspects of the organization so that might include finance, IT, operations. So as you go through each of these steps in scoping risk, identifying risk, assessing risk and weighting the likelihood and magnitude of potential risk, you have a very well balanced and blended list of your risks so that you can address it in a meaningful and appropriate way.
That having been said, we can move onto the next slide which are some risk assessment factors that you can consider. We wanted to illustrate some of these factors and you know really -- these are divided into two categories -- impact and likelihood. As I discussed, this process should really include multiple stakeholders. Each one is going to have a different reaction or a different feel for how impactful or how likely a particular risk may be.
And some of these areas -- I mean we have a lot that we can look at here, but in terms of the impact we have effect on your goals, financial amounts at risk, certainly your regulatory compliance and system compliance, health and safety, contractual compliance are some impact factors.
And likelihood is really -- really what is the potential for something to really happen. What could go -- as opposed to impact being how badly could it go wrong? Likelihood is will it go wrong? What is the likelihood that it could go wrong?
Once you complete a risk assessment and really have this listing of risks, the next thing that you would want to do and what's really useful for presentation to senior management is to apply it to a risk map. What we have on screen is a visual representation of risks or actually of process and control areas. The two axes that you see here going across the bottom are the likelihood of the control or process to have issues. Going up the vertical axis we have the importance to business performance.
FINDLEY GILLESPIE, CPA: Great, and so Steven, as part of that again the key piece here is -- ultimately starting with kind of an assessing risk, right? You need to start with determining that scope and that planning. That was kind of the first part of that flow chart that we showed you. Then it's identifying the risks. So just getting that population brainstorming, coming up with all the risk factors. And then this as part of the risk assessment shown -- Steven walked through some of those items in terms of impact and likelihood. Some of those things you should consider on the prior slide. This ultimately is a great graphical explanation, a great opportunity for you to say, "Okay, where does -- where does something plot out?"
And so specifically as you go through and you determine your scope, you've brainstormed, you've identified all these risks. As you begin to evaluate, this is a great tool for that. And what it really allows you to do is -- okay, what is the likelihood of having problems? Is it low? Is it high? Kind of moving on that horizontal axis there, right? And then also how important? What's the significance or magnitude or impact to the organization just vertically up this page.
And so what you get is you get some items that just naturally gravitate up and to the right. Some items just naturally gravitate down to the lower left, right? And so really this becomes a way and a good graphical way to present to your audit committee, to your board, etc. just to show what's going on.
And so some of this can be done either at a risk level or you see on this chart, we've actually got it at a process level. So again it's an opportunity for you to present this in a way and really evaluate some of the things. It's not a perfect science, but it allows you to naturally see what kind of -- ends up into the red, into that yellow band or down in the green. So again kind of traffic lighting some of these items.
STEVEN GIN, CISA: And this map is actually a very useful diagram as we move into the next slide. If you are able to succinctly aggregate your risks into processes, this kind of lets you move into the next step which is identifying controls to help you address those risks.
As you work within your organization and meet with folks and understand, here what are my risks? And how are we -- what are we doing to basically control those risks? There are certain areas that you can focus in on. Sometimes you may have controls that exist and that are already in place and other times you may need to implement controls. And so as you look at what you may need to implement, you really need to always consider the cost benefit of controls.
Certainly we want to have strong internal controls. We love to have as auditors all of that control, but that should really never come at the cost of reduced or ineffective business operations. So certainly cost benefit is going to be one of the primary things that we consider. And so in order to have high benefit at a low cost we should look at leveraging automated controls. These are going to be -- these are going to vary from organization to organization and will largely be dictated by system abilities or system limitations. But this is always going to be your first area and your low hanging fruit, I think.
The next area that we have to focus on is your desired level of control assurance relative to risk. Again going back, or looking back at the process map, if you've got an area in that lower left-hand quadrant that's not particularly risky, perhaps you don't really need a very detailed, preventive control and you can get by with a set of detective review controls.
And then the next item is effects of compensating controls. So certainly there may be risks that are just inherent to the nature of an organization's business or that you just simply don't have a control for. So in that case we need to look at what else am I doing further down the stream that can be a control to shore up that risk? What is my ultimate backstop control?
And a lot of times, in terms of financial risk, you see those in very high level or detailed management reviews.
The next area is while looking at your controls, what can you improve? So in identifying controls, as I said, look for IT controls first. We'll get into IT controls in details a little bit later on. Next would be -- before implementing a new control, ask what could go wrong? Is there another control that limits maximum exposure? Again, looking downstream to see what backstop controls you may have. Then ultimately always keeping in mind the likelihood and magnitude of exposure of the control with the proposed cost benefit.
Now we wanted to talk about controls maturity and kind of what that means and what that sounds like and lay it across the COSO objectives.
There are three main internal control objectives. Those are going to be operations, financial and compliance. Sometimes, I think as Findley alluded to in one of the earlier slides, we have a strategic objective as well. That is going to vary from organization to organization but typically these three that are highlighted here on this slide are going to be ones that keep you safe, keep you out of jail and ensure the safeguarding of assets.
There are five levels of internal controls maturity or control environment maturity. They go from least mature, on the left, to most mature, on the right -- as unreliable, informal, standardized, monitored, and optimized. We can step through these just in a little bit of detail.
Level 1 controls -- or Level 1 control environment is unreliable. We basically have no real idea of what's going on. Nothing is documented, nothing is really designed. It's kind of like the wild, wild West.
Level 2 is a step up. We have some activities and controls that are designed and in place. They may not be documented and they may not be trained or communicated so we have the issue of somebody in accounts payable performs a control and if they leave, a little bit of that tribal knowledge goes with them and that activity is not taking place any longer.
The next level which is standardized, we have control activities designed and in place. Control activities are documented and communicated and deviations likely not to be detected. So better, not as strong. We have at least more people have an idea of what's going on from a controls perspective and we have controls that are designed and in place.
Level 4 is monitored and this is really where -- as internal auditors or CPAs, this is where we like to have our companies or our organizations be. We have standardized controls with periodic testing to determine that design is effective and operation is effective. We may have automation. So we've got a little bit of investment in controls at this point.
And Level 5 is optimized. Honestly, we don't see it very often, but this is mostly characterized by an internal controls framework where you have real-time monitoring. This is largely going to be system driven.
FINDLEY GILLESPIE, CPA: Again, so Steven, on this. This paints kind of an example of how controls can kind of progress from left to right. So unreliable, you know, Steven, mentioned the wild, wild West, right? So this is where there aren't controls. And it's not just that they are not written down. It's just that there aren't. So it's kind of wild, wild West as he mentioned.
Then kind of moving to Level 2 informal. This is where things are -- you've got some controls. They are in place, but nothing is documented. Nobody would know if it didn't happen, etc.
Then you get to standardized. This is where things are actually being done each month. So you have some consistency. Maybe it's every week or maybe every two weeks. You've got some of that down. Nobody's actually got a log that says here's all the controls that need to be done. But an underlying thing -- say bank recs as an example. The bank recs are being done. They're being done the same on the same kind of form every month, etc. The key piece here is that nobody is really reviewing those. So if you don't have somebody -- if that doesn't get done, somebody is out on vacation. No one knows to check for that and make sure it's done, etc. That's really where we're talking about to Level 4. That's where you make that transition from -- where you've got some controls in place, but if they don't happen no one knows to Level 4 which kind of that monitored piece where somebody is actually reviewing that. The controller at your organization or if you are the controller you're reviewing what maybe a staff accountant or a GL accountant may be doing or an accounting manager may be doing over those recs. And so that's that key piece.
And when you kind of get to Level 4, we know that it's being -- we know that things are being done. We've got the controls. Somebody is reviewing to make sure that it's done and done right, done timely. We also have a list of what those controls are so we know that they are done every month instead of kind of helter-skelter. Maybe what you see in an informal environment, kind of that Level 2 environment.
And then Steven says, a lot of times we don't see kind of that Level 5, that optimized piece, because a lot of that is really real-time reporting. The area where we see most of that -- the best example of that is really through some automated tools like workflow, over AP. So having that approval chain so you actually see that things are going through the process. It provides some of that monitoring. Anytime you get some kind of the exception reports getting spit out of the system. That's where that optimized is. But frankly a lot of times it's not with -- it's difficult to have that over a lot of areas because they're so manual. You can't kind of see that real time piece.
So again, that's kind of just a frame-up, paint an example -- Level 1 no controls, wild, wild West; Level 2 okay somebody is doing a bank rec, but it kind of looks different each month. Maybe they're just doing it on a napkin. Number 3, they're doing it on the same thing every month -- the same format, but nobody is reviewing to see that the rec is done. Level 4, we're written down -- hey, we need to reconcile all our balance sheet accounts. There is a checklist. Someone is actually reviewing that rec, etc. So that's kind of that continu -- continuum, if you will of controls.
And so our encouragement for you today is that after you've analyzed the risk is to look at some of these controls and build out -- move towards that monitored status. So some of you, I'm certainly -- I'm sure already have some of that monitored piece. And so what we want to do is drive some of those other areas that don't have kind of that control rigor around them. Drive them to monitored and that's what we'd like to do.
So again, Steven, back to you.
STEVEN GIN, CISA: Thanks, Findley. On the next slide we've got some factors that you can consider as you implement controls or work within an organization to enhance the effectiveness of your existing internal controls. We have some overall themes here. It's two pretty long lists of, on the one hand, things that are -- provide us less assurance in terms of risk and, on the other hand, things that provide us greater reliability in terms of risk. But we see some overall themes here.
We're looking for, I think, direct coverage. We're looking for multiple levels of review where possible. We're looking for segregation of duties and we're looking for good timing across periods and timeliness of control activities. You'll also see that the second and third items there are manual controls vs. automated controls and complex controls vs. simple controls.
So really as you're designing or identifying controls, again any time you can leverage your system and have the system kind of do the idiot check, the fat finger check, all of that stuff for you, just reduces the potential downstream impact of issues or errors.
Complex controls vs. simple controls. I think we all love to see simple controls. Things that, as a control activity, are not hard to understand. A reviewer shouldn't have to review ten different documents together to determine that something was done correctly. That a bank rec was done. It should just be a one sheet with supporting documentation underneath. That's really the kind of the thing that we're looking for in terms of a simple control.
With that I'd like to hand it off to Findley to discuss entity-level controls.
FINDLEY GILLESPIE, CPA: Perfect. Thanks, Steven. So what we're going to do now is kind of these next couple of sections, right? So after understanding kind of maturity, we're going to speak toward some specific types of controls and we're going to start with entity-level controls.
I see actually there is a question regarding segregation of duties and we're going to get to that as a section here -- one of our ten items. So with that, let's start with entity-level controls and then we'll jump into some other areas as well. All right.
So entity-level controls. This is where it all starts. In fact, I had a discussion with one of my controllers this morning about this: entity-level controls are paramount. Those are the foundation on which all other controls are built really and so coming back to kind of those COSO terms. Control activities, those are those specific controls -- reconciling cash, three-way matching AP, those are control activities. The control environment is that thing that stands and it's a foundational item behind what's being done at kind of the control activity level. That's really these entity-level controls.
And so there is a whole slew of key principles here at the top of the screen. What I've done is I've highlighted in bold, two of those.
The first one is integrity and ethical values and the second one is commitment to competence. And so what we've seen and studies support this is, is basically where you have a workplace where you have the proper tone at the top that speaks towards integrity and a commitment to competence -- so actually hiring people that know what they need to do so that they've got -- they've got education and experience that facilitates them to be able to do their job well. When you have those items and you kind of get that integrity and that commitment to competency, when you have those -- those will have a significant impact on your organization, your ability to actually have good controls.
And you see at the bottom here. Here's a quote -- not a quote, but here's a statement that actually came out of a study that was done over entity-level controls. And so as part of that specifically, what it said -- it says that senior management commitment to strong internal controls is the number one factor to a strong control environment. So that's the number one thing. So senior management and some of you are representing senior management here today on the call. That is the number one thing in going to support a strong control environment.
And so as part of that, when you have that, then these other two foundational items -- not only do you have to have senior management saying, "Yeah, we're bought in. We've got great tone at the top." We need to have kind of the integrity and the commitment to competency. Because then when you really get that -- that pairing of items, then you've got employees that know what to do, they're committed to doing the right thing, and management wants them to do the right thing. So senior management, the executive team, the board, etc. -- they've got that behind them.
So let's dive in and see what a little bit more that looks like specifically. All right, so I already said the senior leadership buy-in is critical. We've already talked about that. So if you're on the call and you're seeing that senior leadership, that senior management, executive team, etc., you are the tone at the top. You set that.
The second thing is the policies and procedures should be complete. They should be user friendly. They should be regularly reviewed. One of the things that we see a lot of at organizations, especially organizations where we come in to help them initially -- kind of -- again develop that maturity, is that when we come in, is that nothing is documented, nothing's done. That's one option.
Another option is where they've got all this great documentation, but nobody does it. And either of those are a key problem. Either of those is a problem. So if there is no documentation on what the policies and procedures are. What's supposed to be done. Are there controls? Again coming back to that maturity framework, right? So you're kind of Level 2, Level 3 -- some controls are being done, but nobody is really documenting it. We don't know what to do every month, right? Or having great policies and procedures but nobody follows them. Those are both, both, both, both problems.
And that second one really fits into the entity-level control problem where you -- where people have put together a policy and procedure, but nothing is being done. And so really it's kind of that third bullet here is: Personnel should be required to acknowledge and adhere to these policies and procedures. They need to be executed. They need to be pulled through. They need to be done, otherwise these great things that you may have written, just don't matter.
Again, that kind of fits into the last piece. And we're here this whole -- this whole morning room talk about internal controls obviously or this afternoon depending on where you're sitting today. But if you have a control, you've talked about a control, but it's not actually done. It doesn't matter. You're not going to ever get that -- that benefit. It ties back into those policy and procedures. The policies and procedures -- Hey, here is how it's supposed to work, but it doesn't work that way -- it's a big, big problem. And again that's in entity-level control type of an issue.
So as part of those entity-level controls, there is also an element of kind of the level of precision. So a lot of entity-level controls are things like the tone at the top. Frankly they're somewhat intangible. There are certainly tangible elements, pieces of them. Are policies and procedures out there? Do we actually ask employees to do what's in those things? Certainly there is some tangible piece on that. But ultimately what's critical to understand is kind of that level of precision -- how direct or indirect are some of these controls? Because there can be direct entity-level controls. So let's walk through that.
The first one here is what we described as things that are important but they are indirect. So as an example of that, you may have a board meeting, right? That's an important thing. It's an important governance mechanism within an organization. It's great for corporate governance. You absolutely need those certainly, right? But those aren't going to detect if somebody hasn't done the reconciliations of the balance sheet, right? So again, it's important, but it's indirect.
You're not able to provide or get a lot of comfort down at the really detailed levels at those items because they are indirect. But then there are also some items that are direct, but not precise. So the second example.
So if you have a department head and they review a flash report, you're a sales organization and there are flash reports every day -- okay, what happened last day -- yesterday in sales. Here's what happened. Right?
You know it may be direct -- they're looking at specific data. They're not just having discussions on other -- kind of a higher level, right? So it may be direct to look at, specific data. But it's not very precise. You look at and they go -- yeah, well we saw that we sold X; we saw that this happened yesterday. Whatever it may be. But it's not -- doesn't have that level of precision. And so those are kind of the first two buckets.
The third one is where you can get a lot of the bang for the buck so to speak on your internal controls. And this is where you've got entity-level controls. So again it's not transactional controls. It's entity-level controls. But they are both direct and precise. And so here is a listing of them. Here's five that we threw up there, but there are five of them here that speak towards-- Here's a control that is not only direct, right? As we saw in the above example, but it's also precise.
So month-end -- the month-end close accounting meeting -- so if you get that and you've got a package of information and you grab all the key stakeholders and you sit around and you go through that in a detailed way. That can be an entity-level control.
If you have a budget to actual comparison, and it's not just kind of swag -- you know, "Yeah, it's pretty good and our budget is bad anyway, so we're doing better than that. But you know --" Right? So, but if you have a real hardly review of that, that can be one of those entity-level controls that actually can provide you assurance over the underlying controls. And that's ultimately what we're talking about in entity-level controls: having those higher level controls that can provide you assurance that the underlying things are being done and being done correctly.
So we've got a couple of other examples down there. I'm not going to read through them to you right now. But you can certainly read those. But again the idea behind these entity-level controls is you're doing the things -- first, you're doing the things that are important -- the top. And then you're doing the things that are direct and precise. Those things that will help provide you some assurance about other areas. So again, this is kind of -- just a very short section on entity-level controls. We could talk all hour about entity-level controls. But this is kind of a quick snapshot of what those are.
And now what we're going to do is we're going to speak towards kind of another area of pervasive controls. In this case, IT controls and how those are pervasive throughout the organization. Steven?
STEVEN GIN, CISA: Thanks, Findley. I think there are two objectives or two kind of sub-objectives with this section. And the first, on the next slide, is to provide a high-level background to IT controls, IT general controls and really how they support everything that we've talked about up until now in this presentation. And then for a couple of slides, talk about application controls. Give you some examples -- what are the objectives of application controls and really what are the benefits? We have talked about that several times already and we'd like to give you some takeaways.
So in the next slide we begin with a statement that general controls impact control reliability. I'd like to come back to that. And if you take a look at the diagram down on the bottom left-hand, you can see on the top, we have -- we have a couple of layers here. The first layer is the application layer. And within that layer we have kind of all of what we've been talking about this morning.
We've got business processes. We've got infrastructure. We've got people and we've got success indicators. And they are all working with information. So ultimately that information is going to reside in a number of different places and this diagram -- this vertical diagram represents what we call the IT stack.
And so these are all of the places in which your data either resides or moves from place to place as transactions are being processed and recorded. As wires are coming in and out, as orders are coming in and out and things like that. And at the top of that we've got the application ridge which is really the piece of IT that most users in an organization touch. They are -- they are in an ERP. They are in ADP or some kind of payroll system. They are in the fixed asset system. That's really what they deal with.
But really that application sits and accesses data, and data management is the next layer down so that's -- that's really your database. What are my tables? What are all the records that are being accessed to really store financial transactions?
The next layer below that we've got the operating system so this is going to be logically where -- where does my application data and also my database data reside. Controls and access to that are important as well.
The next two layers down are network and physical -- so network is really going to be -- how is my data moving around from place to place and physical is going to be -- where is my data when it's in storage or when it's being accessed.
And so, really the reason that we have this statement at the top -- general controls impact control reliability is that if not for IT general controls and controlling everything that is in this data stack, you really don't have a lot of certainty over the information that's being transacted at the top.
There is not really a lot of value to perform your reconciliations if access to your general ledger is poorly controlled or there are administrative users or super users that you don't know about. And so on the right, we've got a statement and some -- the IT general control areas. And those are computer operations, security and access, change management and program development which really is a little bit of a subset of change management.
And the first three -- computer ops, security and change management -- really do apply to every layer of the stack. Program development really applies more just to applications and perhaps new systems implementations. These are really all of the areas that you need to look at when you're looking at IT general controls and having good controls over all these things.
For the next couple of slides, we'd like to talk about application controls and these are going to be controls that are not -- they're not general controls. They actually kind of reside within your application and they enable users or the application itself to have some control or some safeguards over the data that's being transacted in and through your system.
So the first type of application control that we have here is input and access controls. Those might include data checks and validations, automated authorization, approval and override, segregation of duties. Again this -- the input and access controls might include, you know, when you are keying something into your ERP, does it perform a check to make sure that you're not putting -- you're not trying to post a journal into a GL account that doesn't exist? Does it return an error to the user and say, "Oops, that's not -- that's not allowed."
Kind of a next step to that is, well, if your ERP does let users know, does it then give them the ability to create a new general -- a new general ledger account, and is that being controlled?
So there are -- like an onion, there are a lot of different layers to application controls as well.
The next type of application controls is file and data transmission controls. So if you get the error logs, exception reporting. You'll see this a lot when you have batch jobs that run at night. You might roll up a subledger to some other ledger. If you have EDI transactions falling in and out, what are the controls around that?
Processing controls. We've got automated file identification and validation, functionality and calculations, audit trails and overrides which is very critical and really again going to be driven largely by your system. Interface balancing and duplicate checks and then output controls. So they've got GL and subledger posting, update, authorization and reporting. Again, just kind of four broad areas of application controls.
Through these application controls we have four -- four major goals. The first is that input data is accurate, complete, authorized and correct. These are really in all the things that we care about. Is the right person putting in data into the place where it should go and is it the right kind of data? Is it at the right time? And things like that.
Data is processed as intended in an acceptable time period. Again speaking to the timeliness of data. Output and stored data is accurate and complete. This we care about because we want systems to speak effectively to one another. We want systems to store data correctly. We don't want a problem with data input into one system to roll up into another system.
And the last -- lastly a record is maintained to track data processing from input to storage to output. You know, really what is -- what is your ability to audit transactions through data?
Here we've got the -- we have the benefits of application controls so we've been harping on applications controls a lot and here is really why we care. Applications controls are reliable. They reduce the likelihood of errors due to minimal intervention. We really want the system to do all of the safeguarding, as much as possible. We want the system to tell us -- "Hey, that's a bad GL account. You're putting in a date that's not valid or what have you."
Benchmarking is a reliance on IT general controls that can lead to concluding that application controls are effective year to year without retesting. And a really good example of this is any testing that you might need to do with respect to key reports -- if you have key -- customer reports that are generated within your organization, oftentimes auditors will want to take a look and say, "Well, how is this report being generated? Management is relying upon it to do some kind of an MD&A disclosure or what have you."
So as auditors we go in and we take a look and say, "Okay, where are -- where is all of this data being pulled from? And who has the ability to modify this report?" And once we test that once -- let's say we tested it this year, if IT general controls are sound -- meaning that access to data is appropriate and restricted, the ability to change programs is restricted and there are good sound controls there, where changes were tested. Then we can rely and say, "Well, if IT general controls are good, and no one is making changes to reports that shouldn't be made, if we look at the report next year, and see that no changes have been made from the previous year, we don't have to test it anymore." So this is going to reduce the work that you do year over year.
And that leads into our third application control benefit, time and cost savings. So really application controls take less time to perform. The systems that are doing them are doing them all the time and immediately. And they don't cost anything. You've already paid for that -- your IT infrastructure so you should leverage it and utilize it and get your maximum return from it.
Now I'd like to move into talking about segregation of duties. And Findley, I didn't see the question come through about SOD? Is that something that we might want to talk about in advance so we can frame as we do the discussion?
FINDLEY GILLESPIE, CPA: Yeah, certainly so. One of the questions we had was specifically -- somebody asked the question: Can you give an example if you have only a two-person office and who should review the bank rec, who should receive cash, make deposits, etc. And so I think what we do is -- let's kind of go through these next slides and to the attendee who asked that question, if we kind of get to the end of the segregation of duties and we haven't answered that. Feel free to ask us again.
Steve, why don't you kind of cover the next -- next couple of slides and then we'll add this example specifically in.
STEVEN GIN, CISA: Sure thing. Thanks. And I do to that question also. Thank you.
So segregation of duties, from a definition perspective, simply means having more than one person required to complete a function or a task. And you -- this can kind of be done where this actually should be looked at two ways. One being physically. Is there a separate person that is handling paper, or signing checks, handling invoices, receiving cash like based on the process, do we have different people physically doing things? And secondly, we have to look at -- going back to IT, we have to look at well, in the system, who really has the ability to do what? Because even though Joe and Bob are two individuals who segregate a duty, if in the system both of them have access to do both functions, we really don't have any assurance or we can't really rely on the segregation of duties because their access is not really restricted.
So these are kind of some bullet points that we have to talk about SOD. Segregation or separation of duties is a critical element of internal controls and really is vital in fraud prevention, and does help reduce or prevent errors. But really I think one of the things that we really look to SOD for is that fraud prevention and having -- reducing the ability of one person to do damage to an organization by way of excessive responsibilities or system assets.
Controls and processes should be designed to implement the system of checks and balances. That's really what we're looking for from SOD. And it really is necessary for organizations of all sizes. I think to address the question, it can be challenging for organizations with limited staff or for remote locations. The ways that we can address that are to think outside the box. Try to implement adequate controls. Sometimes SOD just simply is not -- is not a possibility or it's not in a cost-benefit analysis -- it's not going to be beneficial to the company to hire another individual to segregate a function. So we have to look downstream. Sometimes we do have to look for those backstop controls. Sometimes we have to look for monitored controls. Maybe we can look systematically in the system and ensure on a timely basis, perhaps each week, that if one person is performing a task which should be segregated, that they're not -- that they're not doing anything that's funny or fishy.
The last bullet there is that it may involve additional training. Sometimes you may have to bring in an individual that is not in a particular function or organizational unit and have them just as a new job duty perform that check or perform that balance to make sure that nothing unusual is taking place.
FINDLEY GILLESPIE, CPA: Great. Steven, what I'd like to do now is actually ask a couple of questions that were brought up as kind of -- actually now a couple of people say, "I hear you. But in a small group, how do you actually handle that?"
And one of the things that I would like to encourage and tell people is this: this is an opportunity for you to be a little bit creative -- I know we're all accountants on the call, right? But be a little creative in terms of how you do this. So there is certainly an opportunity to give some of these key pieces -- depending on how small your office really is -- give key pieces to other individuals. And again, as Steven just talked about, we want to break essentially that beginning to end chain and slice that into different people, or break that piece into different people.
So a specific example is okay, well, bank recs, receiving cash, making deposits, etc. You know, one of the things -- if you're in a really small office, if this really means two people in the office, not two people in accounting -- which is a critical difference. But two people in an office, one thing that I always, always, always encourage owners to do is get the bank statement to their house. Have it sent to their house. And then they actually have the statement directly from the bank and -- I don't mean to belittle anybody -- I don't even reconcile my own bank account, but sit down and if you're ... sit down with the owner and say, "Here's how you can actually reconcile your own bank statement." And if primarily, if they are responsible for signing all the checks, and they get the bank statement, they can have much, much, much better visibility into what's going on, then say if you only have -- if you have two people trying to split it all out and who's taking the deposit. Well, they're also filling out this or that or whatever. So that's kind of my comment there. Look and be creative. You can have people outside of your accounting department take things to the bank, make the deposit. You have somebody stamp the check. Restrictively stamp it when it comes in. You have FOR DEPOSIT ONLY into ABCO. Be creative. But look at other people throughout the organization who could do some of that for you.
If you still don't have anybody who can do that, then what I'd recommend is have the owner get the statements -- have him restrict who can sign the account, have them get the statements and frankly teach them to do their own bank recs, which is very, very easy. But teach them all the nuances of -- okay, we've got three accounts, now rolled together, etc.
That's what we want to do. That's kind of my comment there. What I'd like to do now is jump to fraud prevention controls which is really our seventh area. And speak towards a couple of things.
We're talking about -- we're talking about controls. Everyone always gravitates toward fraud. I love this quote we saw -- or this fact we saw from Fast Company. "82 percent of executives admit to cheating on the golf course." So if you're an executive today, this wasn't to belittle you. You're probably in the remainder there. You're in the 18%.
But the reason we're talking about fraud today is because fraud is pervasive. Fraud, people always say, "Oh, that could never happen to me." And the answer is "Yes, it actually can happen to you." It certainly does.
So with that said, there are really three things. It's called the Fraud Triangle. These are the things that, if in place, create an opportunity ripe for fraud.
So the first one is opportunity. Does somebody have -- actually have the ability, based on your weak controls, based on the facts and circumstances? Maybe they are out on a site location and it is that office of only two. They have the ability to get -- receive the cash. They have the ability to write off AR. Those types of things we were just talking about over cash, right? So they have the opportunity, meaning that there are not proper controls there.
Two they've got on the lower left, kind of that incentive or pressure, either because -- either because they've got some pressure at home, maybe in this environment, right? Or maybe they had a rental property and everything was fine, but then their tenants moved out and they're trying to make ends meet. And whatever that kind of incentive or that pressure is.
And then the last piece is the rationalization. And so what people do is they go, "Okay, well, you know what? I've been working so hard, we might as well -- I'm kind of owed it." That's kind of that rationalization piece.
So as part of that between those three things, if we have those three elements in place, your organization is ripe for being defrauded. It's very, very sad. But that's -- that's what the case is.
And so what we want to do is we want to have -- build controls to get rid of that opportunity at the top. Because then you're left with just the other two things. People are going to have pressures and there is going to be some incentive. Now certainly you can change the way comp plans are written as an example to decrease some of that pressure and incentive. You can change -- certainly can't change some of their personal things going on in life. But there are certain areas where you can remove some of the pressure.
And you can change some of the rationalization, you know. Being good to your employees. It's critical to be good to your employees, right? So they don't go, "Well, you know, if they really paid me for all my overtime, I'd be earn -- I should get this anyways." Some of those kinds of attitude type pieces.
But that top one, we as accountants -- we can address specifically, very, very easy -- reduce that opportunity.
And so what I'd like to do now is kind of speak towards the types of fraud. So the first one actually is not misappropriation of assets. I did that intentionally because fraudulent financial reporting is much, much, much more rampant than anyone ever considers or thinks about. So realize that's the case.
And that is the numbers are wrong. So whether it's because he had to turn something in to the bank, whether it's because the operational performance at a site -- "Boy, we just can't show the boss that we're behind budget." Whatever may be that reporting piece where the numbers are wrong. That's one.
Second one is misappropriation of assets. This is what everybody always thinks when they think fraud. They think fraud -- okay somebody is stealing cash. They're stealing inventory. They're stealing fixed assets. Right? So that fits into this one.
The third one is expenditures and liabilities for an improper purpose. This is the one where people go, "Ah yeah." Time and expense for expense reports. Okay, I can see how this -- they put -- they charge this through on the company dime, right?
That fourth one is cost and assets obtained by fraud. Or sorry. Revenue and assets obtained by fraud, right? Somehow you received revenue, you got property, etc. through a fraudulent means. So as an example, you had a piece of equipment that you had rented and nobody ever picked it up. So if we've got some construction companies out here today, on the call, we've seen instances where equipment just gets left and then it gets lost and then somebody's got it. We know that. We don't know who and so that's an example of that.
Cost and expenses avoided by fraud. Kind of the opposite side of that. Somehow you get away without having to -- the company gets away without having to incur that expense.
And then the last one is the senior financial -- senior management financial misconduct. So this is the overriding of controls -- all of those things that kind of fit into it.
Here's where the types of fraud and so it's not just taking cash or inventory or fixed assets, which is always the one that always gets a lot of attention obviously.
So the question now is what do you do? What is your response to fraud? Well, internal controls are key. It gets rid of that top piece of the pyramid. You need controls to segregate duties, monitor system access, safeguard susceptible assets, look at cash, use positive pay in your bank account, all those things, right? So get controls in place.
Then look at some of those preventive controls and make sure that they are actually designed properly. Then get detective controls to see if there is anything left, right? So look at that residual fraud risk factor. And so what you want to do is you want to have controls that speak toward preventive and detective. You want controls that address each of those types of fraud. Not just the misappropriation but then also are the financials right, etc. And so again, that's what we want you to do with fraud.
So moving into slide eight and our eighth point. Steven?
STEVEN GIN, CISA: All right. So now we're kind of moving into a section of things that you can take back with you to your organization and begin to make an immediate impact on managing risk and setting up some controls.
So internal controls -- if you have policies and procedures -- are policies and procedures that an entity puts in place to help ensure the entity meets its goals and objectives. Below I've kind of bullet-pointed some areas or some things that you should consider when you're documenting your own policies and procedures.
You should try to have them be standardized, they should be clear. They need to be approved by the appropriate level of management so that review, that approval needs to be reviewed on a periodic basis. They should cover the intended business process completely. They should highlight control activities and ideally indicate who is responsible for those control activities, primarily and perhaps even a list of backups. They should be distributed to all affected stakeholders so that everybody knows -- Hey, in my department, so-and-so is the person that I need to rely on to do this control. And if I notice anything unusual, perhaps I can let somebody know. And lastly, they should be updated, reviewed and approved periodically to ensure relevance and applicability. This is really important in the face of change; changes to the organization really will impact. A new system implementation, for example, may have a large downstream impact on the way controls are performed on a daily basis so that's always a good opportunity to review your policies and procedures and update them appropriately.
This next slide we have some common types of controls and we can kind of apply those same principles to these types of controls. One of the things that we're seeing or that's a bit of an emerging trend is that evidence of documentation be more detailed. That evidence of a thought process be documented and sign off or review cover the appropriate period, and really here, I guess a number of controls we have. Financial reporting controls which might include bank recs, expense report approval or three-way matching and segregation of duties.
Common operational controls might include contract approval and authorization limits, expense approval and budgetary expenditure review, so performing a budget actual.
And some compliance controls might include the legal review of contracts, and some federal and state human resource compliance controls, any health, safety or environmental controls that your organization might be subject to. And again in terms of the application of these controls, how the application of those document -- documentation principles -- you know, how do we document our review effectively.
With that I'm going to move -- we'll move into topic 9. We're running a little bit short on time, but we'll talk next about how to respond to deficiencies or areas of weakness that might be identified.
FINDLEY GILLESPIE, CPA: Great. So thanks, Steven. So just the last couple of minutes here. We've got about three minutes left. The fourth point is really a takeaway for you to take home. Kind of speaking towards two things.
Now we have two questions that people asked and I want us to respond to. It's about controls, it's about this section we're talking about.
One is what is positive pay? Positive pay in the simplest form is what you do is you give the bank your check register and you tell the bank, don't cash any checks that people present to you unless it has -- unless it matches my list. So what you want is three field positive pay. It's actually my favorite control. I know this sounds all geeked out on accounting, but it's true. You want the payee, the check number and the amount, and so you want that three-field positive pay. And basically what you're going to do is you're going to give your check register to the bank and then when someone washes the check, right? Or they -- they take that $10,000 check and add another zero in it, and it becomes a $100,000 check. When they go to cash that at the bank, the bank goes, "Uh-uh. It doesn't match, we won't pay you."
Or if they say, "My name is Findley Gillespie." Somebody steals my check and crosses it out. Then boom, that goes -- they take that name, they change it to somebody else and it's ABCCO. The bank knows when they go to cash it, they go, "Wait. That doesn't match the log."
Again, that's what positive pay is. It's my favorite, favorite, favorite, favorite control. It's a group -- it's one of my top five favorite controls, I should say.
Barbara, you asked about three-way match over AP. That's basically just making sure that the PO or some sort of purchase order or some sort of upfront approval of the purchase, matched -- it was actually received and that matches the invoice that came in from the vendor. So making sure that those three are the same. So again, the costs are right, the quantities, etc.
All right. So in terms of responding to deficiencies, this is the ninth thing that you should know about the state of controls right now. One of those takeaways is there are a lot of different deficiencies. They're going to come from different areas. As part of that specifically, one of those things that you may be receiving is a management letter comment. That's something that you may be receiving from your auditors.
They may be doing a review, a compilation or something. They're going to say, "Hey, here's what we saw as we were looking at some of your controls." And this right here is -- this is a great takeaway. You can take this home and go, "How do I respond to it?" Here are the items that you should consider in going through -- going through frankly, evaluating that.
Now certainly it's not restricted to just management letter comments. In fact, actually, this chart right here shows the difference between kind of an internal audit perspective -- whether it be someone like Steven and I -- we serve as the outsourced internal audit group. Sometimes we've served as a co-sourced internal audit group to companies, helping them with controls, right? So that's kind of our column.
The external audit -- a lot of times people go, "Boy, I get an external audit?" So if all my controls must be evaluated, their answer is no, no, no, no. And you go back to their engagement letter which is their contract with you, it clarifies that.
So as part of that, just look at -- here's a tool. You can take these slides. You get a copy at the end of the day. You can say, "Okay, what would really a kind of internal audit function do? What would we do internally?" So you hire somebody to help you out. Vs. what would the external auditor do? So again, that's kind of just a comparison because a lot of times people go, "Boy, we get an external audit. Controls must be great." Well, the answer is numbers have to be right; the controls may not be.
So moving into really our tenth area, what we've got now on the next few slides is really a takeaway for you. Some kind of key hot topic areas. Now these aren't the most common restatements. They aren't areas where controls are the worst at companies. These are just kind of the hot trends, the current trends, if you will, in controls and some of those trends in deficiencies.
So just to walk you through the first one as an example is contingency planning. This is something where people just don't have contingencies developed really over their organization. And so you've got pieces here about economic crisis, systems failure, data breaches. You've got all those pieces. You got certainly the risk coming out as a reputational risk, right? It seems like every week somebody is leaking somebody's credit card information, right? So these are the things that you want to avoid. Right?
So what we've got on these next few slides are ten items just for you to consider as you go through. They are not the most significant deficiencies out there, but they're kind of the current trends and comments.
So again, kind of to wrap up today's discussion is this -- we went through some background on why controls, assessing risks, kind of some key areas within each of the controls. And then, lastly is kind of what to do -- you need to develop policies and procedures, you need to identify controls, get working on that maturity of controls that Steven and I talked about.
So with that said, I know that we've had a chance to respond to some of the questions -- probably a group applied to the entire group today. If there are any other questions that people have -- I know that -- I know we are at the top of the hour right now. We'd love to address that. Steven and I will be hanging on for a few minutes here. So if you have any questions, feel free to ask them.
Also just a couple of housekeeping items is -- this is just one in a series of many CPE events and so if you're -- you know -- if you're a CPA and you're getting short on credits, you need them in between now and December, feel free to just look this up. You can click on that link, put that in your browser and sign up for more. And again, the certificates will be sent out to you, etc. If you have any questions, feel free to go back to the AICPA website and they can help you with that.
So with that said, unless there are any questions, and I'm not actually getting many. So we either covered it or people want to take off for this great afternoon. With that said, I think we'll go ahead and end today's discussion.
Thank you so very much for attending and again if you have any questions, feel free to log in, send an email, and feel free to also reach out to Steven or me. You'll get a copy of these slides. It's got our contact information. If you have any specific questions, feel free to reach out to us. Thank you again. Thank you so much for your time and attention today and have yourself a great weekend. Bye.
