Instilling good governance and ensuring full compliance with an effective internal control program. Presented at Corruption and Compliance South & South East Asia Summit, September 2012, Hilton Hotel, Singapore.
9. “When we envision internal controls in modern organizations, the typical things one thinks about are finance and accounting procedures, such as revenue recognition rules, balance sheets, and cash flow statements.”
finance & accounting procedures
11. “Or you might also think about your corporate IT systems, such as ORACLE, SAP, and the databases and programs that keep track of corporate transactions.”
corporate IT systems
13. “Or you might think about general company policies & procedures, such as the rules we all follow to get our expense reports approved.”
company policies & procedures
15. “These are typical examples of internal controls. But they can be obscure or esoteric. Internal controls should make sense to the people that have to comply with them.”
humanize internal controls
19. “Everyone has seen a restaurant guest check. You know what it is and how it works. But how many people think of this as an internal control?”
restaurant guest check
23. “When the waitress takes your order, the first internal control comes into play when you tell the waitress what you want. She writes it down. This simple data entry drives restaurant operations.”
take your order
24. “The waitress repeats your order as an additional control to verify the data, and correct it if it is incorrect.”
take your order
26. “The segregation of duties is another internal control because the kitchen must translate the written data into an allowed order on the menu.”
prepare your order
27. “The kitchen uses the order to manage production, preparing the meal as described in the guest check, and pulling raw materials from inventory.”
prepare your order
28. “The segregation of duties is also a fraud prevention control. The kitchen operates to the written order, preventing the waitress from recording an inexpensive item but delivering an expensive item.”
prepare your order
30. “When your order is ready the waitress uses the order to verify customer requirements against kitchen production output.”
serve your order
31. “There is a final verification when your meal arrives. If you dispute the order, the wait staff can compare your dispute against the written order.”
serve your order
33. “After you eat, you must pay. The cashier reviews the guest check to calculate sales price and record the sales revenue from your meal.”
pay for your order
40. “It doesn’t feel like an internal control. It’s not bureaucratic. It helps restaurant employees do their job more effectively, so they use it effectively.”
restaurant guest check
44. “It is simple because it only requires a small piece of paper passed from user to user without special tools or equipment.”
45. “It is effective because one item drives nearly every aspect of the business: sales, customer services, operations, production, inventory, revenue, accounting, planning, management oversight...”
46. “It is an efficient control because it does not interfere with how each employee does his or her job. This internal control helps employees do their job more efficiently.”
48. “This internal control was developed organically. It wasn’t implemented by legal or finance or compliance. It was developed over time by the users themselves to make their job easier.”
49. “There are probably similar internal controls in your company developed by the users themselves.”
51. “Let’s look at the opposite end of the spectrum. The Internal Control - Integrated Framework was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission.”
52. “This is a formal framework for internal control systems that is employed by a majority of multinational companies.”
53. “There are four key concepts in the Internal Controls - Integrated Framework.”
57. “Internal controls are not just things, they are people at every level of an organization. Internal controls rely on people for their effectiveness and are affected by the inherent faults of people.”
affected by people
61. “Internal control should be directed at achieving company objectives. An internal control that is not tied to a corporate objective is not an effective internal control.”
achieve objectives
62. 1. process
2. people
3. assurances
4. objectives
63. “Internal controls are processes effected by people that provide reasonable assurances that you are meeting or achieving your corporate objectives.”
84. “Information processing allows us to verify data entry, comparing file totals with control accounts, and control access to data, files, and programs.”
information processing
92. “Physical security provides cameras, locks, and physical barriers to protect cash, property, and inventory.”
physical security
93. 1. segregation of duties
2. retention of records
3. supervision or monitoring
4. information processing
5. authorization of transactions
6. top-level reviews
7. electronic security
8. physical security
101. “To implement risk-focused internal controls, you have to do a formal risk assessment. This is something everyone talks about, but rarely does.”
risk assessment
102. “Everyone has seen a typical risk matrix. It is a tool to compare two dimensions of data, the probability of risk and the magnitude of harm, to help you measure threats.”
103. Risk matrix (vertical axis: Magnitude of Loss; horizontal axis: Probability of Risk):
High Magnitude / Low Probability | High Magnitude / High Probability
Low Magnitude / Low Probability | Low Magnitude / High Probability
risk matrix
104. “How many people have actually plotted out risks their company faces? This should not be merely a thought experiment, but a formal risk assessment.”
108. “Lawyers, accountants, risk officers, experienced business professionals are all risk experts. Their job is to understand the risks our companies face based on their professional experience, training, and individual expertise.”
risk experts
110. “But individual opinions are too subjective, especially when risk assessments are made by limited individuals insulated from day-to-day operations.”
subjective opinions
112. “Relying on risk experts is not enough. To develop effective internal controls, you need to supplement subjective individual opinions with objective risk data.”
objective data
113. “Without objective risk data, you cannot have a risk-focused program. And you cannot demonstrate to regulatory authorities that you have appropriate controls in place.”
objective data
115. “The data in this presentation is derived from reports from the Association of Certified Fraud Examiners. This presentation was delivered in Asia, and uses Asia data. But global data is similar.”
125. “Financial statement risk and corruption risks are both high risk because of the high occurrence and high cost. Corruption is a current hot topic, but the data shows financial statement fraud is a greater risk.”
127. Sales 21.0%
Operations 15.4%
Accounting 15.1%
Exec/Upper Mgmt 14.0%
Purchasing 10.7%
Warehousing/Inventory 4.0%
Finance 4.0%
Customer Service 3.3%
Marketing/Pub Relations 2.9%
Board of Directors 2.9%
Mfg and Production 2.2%
Human Resources 2.2%
Information Technology 1.5%
Internal Audit 0.4%
Research and Dev 0.4%
Legal 0.0%
probability of the risk
128. “The sales department is the most frequent source of risk, probably because corruption is the most frequent category of risk. But the top 5 overall departments are similar, all with double-digit risks.”
129. Exec/Upper Mgmt $829
Board of Directors $800
Legal $566
Purchasing $500
Finance $450
Marketing/Pub Relations $248
Warehousing/Inventory $239
Human Resources $200
Accounting $180
Mfg and Production $150
Operations $105
Research and Dev $100
Sales $95
Information Technology $71
Customer Service $46
Internal Audit $13
magnitude of the loss
130. “Upper management and the board of directors are the source of the greatest median loss per event, probably because financial statement fraud is the most costly form of fraud.”
131. Exec/Upper Mgmt 10.0
Accounting 3.5
Purchasing 2.8
Operations 1.7
Finance 1.7
Sales 1.1
Warehousing/Inventory 1.0
Board of Directors 1.0
Marketing/Pub Relations 0.4
Customer Service 0.3
Legal 0.2
Human Resources 0.2
Mfg and Production 0.2
Information Technology 0.2
Research and Dev 0.0
Internal Audit 0.0
adjusted risk profile
132. “The adjusted risk profile shows upper and executive management is the greatest source of risk to the company.”
134. “External data is not enough. It helps you benchmark your risk analysis, but the key to developing risk-focused controls is collecting your own internal data.”
137. “When you need unfiltered data about your company, you cannot rely on risk experts, because they don’t know what is happening with manager-level and line-level employees.”
company constituents
138. “You need to discover open secrets that everyone knows on the shop floor but that never reach management.”
company constituents
140. “Employees know who is lazy in their organization. They might not turn in their co-workers, but they will tell you the steps people skip.”
human laziness
142. “Employees know who is careless in their organization. They might not turn in their co-workers, but they will tell you the mistakes people make.”
human carelessness
144. “Employees know who is dishonest in their organization. They might not turn in their co-workers, but they will tell you how people steal from the company.”
human dishonesty
149. “A formal risk assessment is time consuming. It requires putting all your constituents in a room and having each of them teach you about the risks they see every day.”
formal risk assessment
158. 1. segregation of duties
2. retention of records
3. supervision or monitoring
4. information processing
5. authorization of transactions
6. top-level reviews
7. electronic security
8. physical security
159. “But your work is not done. You also have to assess the effectiveness of your proposed controls.”
162. “Every internal control has a price. It may be the financial cost to implement, or the loss of operational efficiencies due to burdensome process steps or procedures.”
cost of mitigating or avoiding
163. “Do not allow the cost of mitigation to exceed the value of the risk. You need to know the effectiveness of each internal control.”
cost of mitigating or avoiding
165. “Effectiveness is measured by the reduction in median losses of organizations with an internal control versus organizations without the same internal control.”
166. Hotline 59.2%
Employee Support Programs 59.0%
Surprise Audits 51.5%
Fraud Training for Managers/Execs 50.0%
Fraud Training for Employees 50.0%
Job Rotation/Mandatory Vacation 46.8%
Code of Conduct 46.6%
Management Review 40.0%
Anti-Fraud Policy 40.0%
External Audit of ICOFR 34.9%
Internal Audit Department 30.6%
Independent Audit Committee 30.0%
External Audit of F/S 25.0%
Management Certification of F/S 25.0%
Rewards for Whistleblowers 23.2%
effective loss reduction
167. “Hotlines were the most effective, but the top 5 internal controls yielded 50% or greater median loss reduction.”
168. Median loss per event ($k): with the control / without the control
Hotline $100 $245
Employee Support Programs $100 $244
Surprise Audits $97 $200
Fraud Training for Managers/Execs $100 $200
Fraud Training for Employees $100 $200
Job Rotation/Mandatory Vacation $100 $188
Code of Conduct $140 $262
Management Review $120 $200
Anti-Fraud Policy $120 $200
External Audit of ICOFR $140 $215
Internal Audit Department $145 $209
Independent Audit Committee $140 $200
External Audit of F/S $150 $200
Management Certification of F/S $150 $200
Rewards for Whistleblowers $119 $155
benefit of loss reduction
169. “Companies without hotlines suffered median losses of $245k per event. Companies with hotlines suffered only $100k median losses per event.”
170. “Since hotlines have the greatest effective loss reduction, let’s do a quick case study to examine hotlines further and compare them with other sources of risk detection.”
180. “Hotlines are the most effective internal control, reducing median losses by almost 60%. Tips are the number one source for detecting risk, resulting in 13% more tips.”
“Why is this important?”
importance of hotlines
182. “Regulators are paying whistleblower bounties to get tips. If you don’t have a hotline, you are telling 13% of people with tips to take them somewhere else.”
whistleblower bounties
191. 1. segregation of duties
2. retention of records
3. supervision or monitoring
4. information processing
5. authorization of transactions
6. top-level reviews
7. electronic security
8. physical security
198. License and Credits
This presentation, excluding the images, is provided under creative commons attribution license.
http://creativecommons.org/licenses/by/3.0/
You are free to share, copy, distribute, and transmit this work; to remix, adapt this work; and to make commercial use of the work; under the condition that you attribute
this work to me by including the following attribution “Effective Internal Controls by Eric Pesik. Used with permission,” and URL Link:
http://www.slideshare.net/ericpesik/
Microsoft Office Online:
Except as noted below, all images in this presentation are from Microsoft Office Online. Used with permission from Microsoft:
http://office.microsoft.com/en-us/images/
Flickr Creative Commons:
The following images are from flickr creative commons and are licensed and used under creative commons attribution license:
http://creativecommons.org/licenses/by/2.0/deed.en
Art Coffee House Waitress by Wonderlane
http://www.flickr.com/photos/wonderlane/293137892/
Waitress by Adikos
http://www.flickr.com/photos/adikos/4319818916/
Rutherford Grill by Neeta Lind
http://www.flickr.com/photos/neeta_lind/2517034517/
Serving Food by Adrian Nier
http://www.flickr.com/photos/adriannier/4004167201/
Donut Shop Owner by Robert Couse-Baker
http://www.flickr.com/photos/29233640@N07/7104455917/
Two chorizo burritos with cheese and sour cream by Rick
http://www.flickr.com/photos/spine/1994814081/
Waiter by Hans Van Den Berg
http://www.flickr.com/photos/myimage/4353456304/
Blue Telephone by UggBoy♥UggGirl
http://www.flickr.com/photos/uggboy/5345135964/
Association of Certified Fraud Examiners:
All data is from the Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2010 Global Fraud Study based on 1,843 cases
of occupational fraud that were reported by the Certified Fraud Examiners who investigated them. http://www.acfe.com
Committee of Sponsoring Organizations of the Treadway Commission:
The Internal Control — Integrated Framework was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission. It establishes a common
definition of internal control that serves the needs of different parties for assessing and improving their control systems. http://www.coso.org