Internal Controls - IBAT BOI Internal Control · October 15, 2013
TRANSCRIPT
What’s in Store
Define internal control
Review the components
Discuss control activities
Discuss different scenarios
Internal Control Defined
Internal control is a process, implemented by an entity’s board of directors, management, and other key personnel, designed to provide reasonable assurance regarding the achievement of:
Effective & efficient operations
Reliable financial reporting
Compliance with applicable laws & regulations
Committee of Sponsoring Organizations (COSO)
Components of Internal Control
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication (MIS)
5. Monitoring
Where Does It All Begin?
Board of Directors is ultimately responsible!
Sets tone of the organization
Cannot delegate responsibility
May be personally liable
Risk Management and Internal Controls
(SR 95-51)
www.federalreserve.gov/bankinforeg/srletters/1995/sr9551.htm
Elements of Risk Management
Active board and senior management oversight
Adequate policies, procedures, and limits
Adequate risk management, monitoring, and management information systems
Comprehensive internal controls
Types of Control Activities
Directive
Written policies/procedures
Verbal communication
Memorandums
Preventative
Dual controls
Segregation of duties
Proper Authorizations/Approvals
Passwords
Security of assets
Detective
Audit
Reconcilements
Performance reviews
Cameras
Preventative Controls
1. Segregation of duties (process)
2. Dual controls (physical)
3. Limits
4. Required vacations/Rotation of duties
5. Timely reconciliations
6. Authorizations/Approvals
Segregation of Duties
Assigns the responsibility of:
Authorizing/initiating transactions
Recording/posting transactions
Reconciling the account
Maintaining custody of assets
…to different individuals!
Scenario #1
Bob, a loan officer, wants to simplify the lending process for his customers, so he keeps a stack of loan disbursement checks at his desk. After he approves the loan, he fills out the check for the amount borrowed and gives the loan customer the check.
Dual Controls
Requires employees to perform critical activities as a “team”
Cash vault
Blank bank checks
Dormant accounts
Scenario #2
Sally, a 5-year employee in the customer services area, is entrusted with the bank’s dormant accounts. If a customer wants their money, she verifies their ownership of the account and disburses the funds to them. She then immediately reconciles the accounts to ensure they still balance to the general ledger account.
Limits
Check signing authority
Wire transfer
Loans
Aggregating limits
Purchasing authority
Expense reimbursements
Scenario #3
Bob, a loan officer (remember him?), has a lending limit of $25,000. One of his good friends, who is also a customer, needs a loan for $40,000. So Bob talks Jim, a new loan officer with a lending limit of $15,000, into aggregating his authority with Bob’s so the loan can be made without having to waste time by going through the designated committee process.
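As an added illustration that is not part of the original presentation, the following check evaluates a loan disbursement against the three preventive controls covered so far: segregation of duties, dual control over blank checks, and non-aggregated lending limits. The officer names, limits, role labels and the `loan_committee` label are constructed to match Scenarios #1 and #3.

```python
from dataclasses import dataclass
from itertools import combinations

# Lending limits per officer, constructed to match Scenario #3.
LENDING_LIMITS = {"bob": 25_000, "jim": 15_000}
COMMITTEE = "loan_committee"  # hypothetical label for the designated committee


@dataclass(frozen=True)
class LoanDisbursement:
    loan_id: str
    amount: int
    approvers: tuple          # officers whose lending authority was used
    check_custodians: tuple   # who holds the blank disbursement checks
    disbursed_by: str         # custody: fills out and hands over the check
    recorded_by: str          # posts the loan to the books
    reconciled_by: str        # reconciles the loan account to the general ledger


def check_disbursement(txn, limits=LENDING_LIMITS):
    """Return a list of control exceptions; an empty list means the disbursement passes."""
    findings = []
    # Segregation of duties: authorize, custody, record and reconcile go to different people.
    duties = {"authorize": set(txn.approvers), "custody": {txn.disbursed_by},
              "record": {txn.recorded_by}, "reconcile": {txn.reconciled_by}}
    for (a, who_a), (b, who_b) in combinations(duties.items(), 2):
        for person in sorted(who_a & who_b):
            findings.append(f"SoD: {person} performs both {a} and {b} on {txn.loan_id}")
    # Dual control: blank check stock must never sit with a single custodian.
    if len(set(txn.check_custodians)) < 2:
        findings.append(f"Dual control: blank checks for {txn.loan_id} held by one person")
    # Limits: authority is not aggregated; one approver (or the committee) must cover the amount.
    if COMMITTEE not in txn.approvers and not any(
            limits.get(p, 0) >= txn.amount for p in txn.approvers):
        findings.append(f"Limit: ${txn.amount:,} exceeds every approver's limit on "
                        f"{txn.loan_id}; committee approval required")
    return findings


# Constructed cases: Scenario #1 (Bob approves and disburses from checks kept at his desk),
# Scenario #3 (Bob and Jim pool their limits for $40,000), and a compliant disbursement.
SCENARIO_1 = LoanDisbursement("L-1001", 12_000, ("bob",), ("bob",), "bob", "ops", "accounting")
SCENARIO_3 = LoanDisbursement("L-1002", 40_000, ("bob", "jim"), ("ops", "teller"),
                              "teller", "ops", "accounting")
COMPLIANT = LoanDisbursement("L-1003", 40_000, (COMMITTEE,), ("ops", "teller"),
                             "teller", "ops", "accounting")

if __name__ == "__main__":
    for txn in (SCENARIO_1, SCENARIO_3, COMPLIANT):
        print(txn.loan_id, check_disbursement(txn) or "no exceptions")
```

Scenario #1 raises a segregation-of-duties exception and a dual-control exception, Scenario #3 raises only the limit exception, and the committee-approved disbursement raises none.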
Mandatory Vacations
A fraud usually falls apart in two weeks
Require employees/officers to be absent from their duties
Deny/restrict IT access
Enforce compensating controls
Effective rotation of personnel
Scenario #4
Frank, the bank’s IT Security Officer, reviews employee access to the system on an annual basis. He removes access for all retired or fired employees and for any others who no longer work for the bank.
Reconciliations & Authorizations/Approvals
Timely
Dated
Performed by someone independent of posting/authorizing the transaction
Approved by a supervisor
Scenario #5
Betty, an employee in the wire transfer area, reviews and reconciles incoming and outgoing wires on a weekly basis, when she receives the bank statement from the correspondent bank.
Independent Review
Someone outside the function
Internal Audit
Loan Review
Director’s Exam
External Audit
NOTE: Examiners do not fill this gap.
Bank Failures In the News
Barings Bank – 1995 (Was it the Stock Market?)
Oakwood Deposit Bank – 2002 (Was it the Kite?)
Internal Control Failure:
Barings Bank
What happened to Nick?
Read his poor story at www.nickleeson.com
Types of Fraud
Embezzlement
Loan Fraud
Kiting
Counterfeit Checks
Forgery
Unauthorized Wire Transfers
Counterfeit Debit Card Transactions
False Expense Claims
Picture of Fraud
Perpetrated by “Nice People”
Friendly
Helpful
Knowledgeable
Most co-workers do not tell
WHY?
Tattletale
Snitch
Stool Pigeon
Rat Fink
Inside Perpetrators
Typically – college-educated white male
Nearly 75% of offenses committed by men
Median losses:
Losses caused by men are nearly 4 times those caused by women ($185,000 vs. $48,000)
Losses caused by managers are 4 times those caused by employees
Losses caused by executives are 16 times those caused by their employees
Association of Certified Fraud Examiners
Inside Perpetrators (cont’d)
Most occupational fraudsters are first-time offenders with clean employment histories
87% had never been charged or convicted of a fraud-related offense
84% had never been punished or terminated by an employer for fraud-related conduct.
Association of Certified Fraud Examiners
Inside Perpetrators (cont’d)
In 81% of cases, the fraudster displayed one or more behavioral red flags that are often associated with fraudulent conduct.
Most commonly observed behavioral warning signs:
Living beyond means (36%)
Financial difficulties (27%)
Unusually close association with vendors or customers (19%)
Excessive control issues (18%)
Association of Certified Fraud Examiners
Frequent Types of Fraud at Banks
Check Fraud
Forgery
Counterfeit
Alteration
Credit and Debit Card Fraud
Identity theft (counterfeit, lost or stolen, mail/telephone order, internet)
Employee Fraud
Teller/Vault shortages
Redirecting customer funds for personal benefit
Ghost Employees – Payroll Fraud
Kiting
Less common than in past, but still occurs
Elements for a Fraud Environment
Weak Internal Controls
Poor Management Oversight
A Family Affair
“Short Cuts”
Dual Roles
Vacation – “Are you kidding me?”
Commission/Bonus Dependent Employees
What Examiners Look For…
Board review of internal audit
Appropriate system of internal controls
Clear lines of authority
Independence of control areas
Sufficient separation of duties
Adequate policies & procedures
What Examiners Look For… (cont’d)
Reliable, accurate, & timely reports
Adequate testing & review of information systems
Official structures reflect actual practices
Receptiveness to exam findings; willingness to correct problems/violations
Dominant decision maker
High turnover of board members, senior management, & employees
Review
1. Allowing the cashier to prepare journal entries for an account and then reconcile that account is a violation of which internal control function?
a. Separation of Duties
b. Dual Control
c. Supervisory Review
d. Limits
e. Reconciliations
Review
2. Who is ultimately responsible for ensuring that a bank’s system of internal controls is adequate?
a. Internal audit department
b. Board of directors
c. Executive officers
d. Each employee
e. The external auditor
Review
3. True or False?
Internal controls can give management absolute assurance that an organization’s objectives and goals will be achieved efficiently and economically; that financial statements will be reliable; and that laws and regulations will not be broken.
Can You Spot a Scam?
Test your ability at:
www.sonicwall.com/phishing/index.html
www.lookstoogoodtobetrue.com
www.fakechecks.org