©2011 LarsonAllen LLP. Entity Level Controls and Fraud. Michael Kosinski, CPA, [email protected], 239-280-3517
Entity Level Controls And

Jun 14, 2015

mkosinsk

November 8, 2011, presentation to IMA members detailing entity level controls to include the control environment, risk assessment, communication and monitoring aspects of internal controls.
Transcript
Page 1: Entity Level Controls And

Entity Level Controls and Fraud

Michael Kosinski, CPA

[email protected]

239-280-3517

Page 2: Entity Level Controls And

Objectives

• Discuss the nature of entity level controls
• Review the operating environment and the proper structure to provide effective controls
• Review the risk assessment process and considerations of organizational risks and fraud

Page 3: Entity Level Controls And

Is Greed Good?

What Message Are You Sending?

• Aggressive financial reporting
• Tax fraud
• Personal expenses in the company
• Unrealistic estimates
• Don’t tell the auditors

Page 4: Entity Level Controls And

People are your assets

Feedback

Compensation Evaluations

Competence

Inadequate Staffing Defined Roles

Staffing Levels

Short Staffed Turnover

Page 5: Entity Level Controls And

Internal Controls

• “MF Global Holdings Ltd.’s bankruptcy, the eighth-largest in U.S. history, is exposing a lack of internal controls that may have prevented a last-minute rescue of Jon Corzine’s futures broker.” Washington Post Nov 2, 2011

Functional

Entity

Page 6: Entity Level Controls And

What are entity level controls?

Influence the company’s culture

Instills the tone of the company

Attitudes, awareness, and actions of management

Page 7: Entity Level Controls And

Entity Level Controls

Entity Level

Control Environment

Risk Assessment

Communication

Monitoring

Page 8: Entity Level Controls And

Is it enough just to say it?

• “Boards should be absolutely certain that the company is run properly from a fiduciary standpoint in every degree. I am a great believer in the audit committee having full access to the auditors in every way, shape, and form.”—former Sunbeam Chairman Al Dunlap

• “You’ll see people who in the early days … took their life savings and trusted this company with their money. And I have an awesome responsibility to those people to make sure that they’ve done right.”—former WorldCom CEO Bernard Ebbers

Page 9: Entity Level Controls And

Is it enough just to say it?

• “We are offended by the perception that we would waste the resources of a company that is a major part of our life and livelihood, and that we would be happy with directors who would permit that waste. … So as a CEO, I want a strong, competent board.”—former Tyco CEO Dennis Kozlowski

• “It’s more than just dollars. You’ve got to give back to the community that supported you.”—Adelphia founder John Rigas

• “People have an obligation to dissent in this company.”—former Enron CEO Jeffrey Skilling

Page 10: Entity Level Controls And

Or do you have to live it?

• “It is not simply a case of having a set of procedures and processes, nor is it just about having controls in place. Reliance on a poor control is often worse than having no control at all. [The trustees must have] … a clear understanding of the business and what can go wrong.” - Tony Rawlins - (2001)

Page 11: Entity Level Controls And

The Control Environment

Page 12: Entity Level Controls And

Control Environment

Sets the tone

Foundation for all other controls

Provides structure and discipline

Most cost effective and efficient control

Page 13: Entity Level Controls And

What does it look like?

Ownership

Integrity

Structure

Accountability

Responsibility

Oversight

Philosophy

Competence

Page 14: Entity Level Controls And

Soft Controls

Philosophy

Competence

Integrity

Page 15: Entity Level Controls And

Integrity

Approaches

Articulate: Day to day activities; Vendor interactions; Customer interactions; Intolerance of violations

Inform: New hires; Periodic updates; Understandable; Available

Demonstrate: Investigate violations; Timelines and consistent; Communicate actions; Monitor compliance

Page 16: Entity Level Controls And

Competence

Hire

Train

Sustain

Approaches

Critical Skills In-house Oversight

Knowledge External Evaluate

Ability Professional services Analyze roles

Interviews Cost Benefit

Page 17: Entity Level Controls And

Oversight

Establish

Evaluate

Review

Approaches

Independence Management Performance

Responsibilities Risks Audit

Skepticism Effectiveness Advisors

Policies

Page 18: Entity Level Controls And

Philosophy

Mitigate

Diligence

Processes

Approaches

Reporting risks Judgment Adjustments

Suppliers Attitudes Estimates

Customers Accounting principles

Employees Authorization

Page 19: Entity Level Controls And

Structure

Establish

Align

Maintain

Approaches

Organizational chart Roles Appropriate reporting

Streamlined layers Functions Current job descriptions

Reporting lines Processes Communication

Clear roles

Page 20: Entity Level Controls And

Accountability and Responsibility

Assign

Articulate

Review

Approaches

Responsibility Links Nature of position

Authority Empowerment Key personnel

Segregation Limits

Page 21: Entity Level Controls And

Small Business Challenges

• Management influence
• Segregation of duties
• Qualified personnel
• Limited oversight
• Technology

Page 22: Entity Level Controls And

The Risk Assessment Process

Page 23: Entity Level Controls And

Risk Assessment

Respond Analyze Identify

Page 24: Entity Level Controls And

Risk Analysis

Estimate Significance

Assess Probability Managing the Risk

Page 25: Entity Level Controls And

Risk Assessment

Reporting Objectives

• Establish Document Communicate
• Apply Principles

Risk Management

• Risk Identification
• Organization and Relationships
• Anticipate and mitigate

Fraud Consideration

• Assess
• Monitor

Page 26: Entity Level Controls And

Reporting Objectives

Identify Assertions

• Significant accounts
• Underlying transactions

Capture Activities

• Review activities
• Appropriately presented

Appropriate Policies

• Policies vs. industry
• Detail vs. industry

Page 27: Entity Level Controls And

Risk Analysis Aspects

Competency

IT Infrastructure

Probability

Reassess

Business Process

Page 28: Entity Level Controls And

Identify

• Assertions and accounts
• Business processes and Support

Controls

• Maps the internal controls
• Identifies controls and risks

Information

• Interacts with external parties
• Suppliers, investors, creditors

Internal vs. External

• Considers factors impacting reporting

Page 29: Entity Level Controls And

Overall Risks - External Risks

Competition

Customers and Technology

Regulation and Economy

Company

Page 30: Entity Level Controls And

Overall Risks - Internal Risks

Information Technology

Personnel Management

Access to Assets

Nature of Organization

Page 31: Entity Level Controls And

Fraud Considerations

Assess

• Comprehensive brainstorming
• Consider override controls

Review

• Compensation practices
• Incentives and pressures

Investigate

• Investigate and reporting
• Remediation of instances

Oversight

• Consider fraud in management
• Consider internal audit

Page 32: Entity Level Controls And

Communication

Page 33: Entity Level Controls And

Communication Objectives

• Communication exists between management and governance to provide relevant information

• All personnel receive a clear message about reporting, and internal controls

• Communication is effective and absent of fears of retribution

Page 34: Entity Level Controls And

Communication to Employees

Management

IC Critical to all Employees

Roles and Responsibilities

Relation of Job to Others

Unexpected Events

Page 35: Entity Level Controls And

Communication to Management

Management

Operating Issues Customer Needs

Continuous Improvement Competition

Misstatements

Page 36: Entity Level Controls And

External Communication

Company

Suppliers

Vendors

Regulators

Audit

Prospects

Shareholders

Page 37: Entity Level Controls And

Facilitating Internal Control

Communicate Financial Reporting Objectives

• Financial reporting, IC, policies and responsibilities
• Communicates IC information and code of conduct

Develop Alternative Means of Communication

• Mentoring and other channels
• Whistleblower and anonymous hotlines

Board of Directors

• Open discussions with management
• Communicate expectations for financial information
• Meets with external advisors and internal audit

Page 38: Entity Level Controls And

Monitoring

Page 39: Entity Level Controls And

Monitoring – Small Business

• Tend to be informal
• Based on ongoing activities
• Examples
– Significant variances from expectations
– Inaccuracies in financial information
– Operating issues and shortages
– Customer and vendor complaints
– Communications from third parties

Page 40: Entity Level Controls And

Ongoing Monitoring

Normal Management

Third party communication

Supervision

Reconciliations to physical assets

Communications from auditors

Certifications

Page 41: Entity Level Controls And

Ongoing Activities

Management

• Variances
• Budget Comparisons
• Benchmarking
• Key statistics

Third Party

• Customer payments

• Bank balance reconciliations

• Vendor statements

• Noncompliance from regulators

Supervision

• Segregation of duties
• Supervisor reviews
• Adjustments
• Approving vendors
• Review accuracy

Page 42: Entity Level Controls And

Ongoing Monitoring

• Reconciliation to physical assets
– Subsidiary schedules and bank statements
– Fixed asset and inventory counts

• Auditor Communication
– How many adjustments were made
– Deficiency communications

• Certifications
– Independent verifications
– Not typical for small to mid sized businesses