Seminar
Financial management risks and financial controls
An update for internal auditors
20 May 2015
Agenda
09.15-09.45 Registration and coffee
09.45-10.00 Welcome and opening remarks
10.00-10.45 Identifying and managing your financial risk
Kantilal Pithia, Senior Manager, Finance and Risk, Grant Thornton
10:30-11:15 Financial risks and financial control – the latest initiatives and
developments
Martin Robinson, Training Development Adviser, Chartered Institute of
Internal Auditors
11.30-11.45 Coffee
11.45-12.30 Focusing on the importance of accounting reconciliations, suspense
accounts and journal voucher processing
Michel Schurer, Director Internal Audit, EMEA AP, Crawford and Company
Claims Management
12.30-13.15 Managing fraud in accounting systems and accounting manipulation fraud
Alex Plavsic, Partner – Forensic, KPMG
13.15-14.00 Lunch
14.00-14.40 Internal audit and external audit – managing the organisation’s expectations
Chris Baker, Technical Development Manager, Chartered Institute of Internal Auditors
14.45-15.30 Benchmarking workshop – a roundtable discussion on current practice on auditing financial systems
Martin Robinson, Training Development Adviser, Chartered Institute of Internal Auditors
15.30-15.45 Summary feedback and close
6 © 2015 Grant Thornton UK LLP. All rights reserved.
Agenda
Financial risk landscape
• Financial risk balance
• Trilogy of risk, effect and response
• Risks across the landscape
• Key effects and response
Managing financial risk
• Influences on risk management
• Risk management governance
• Strategy, risk principles and objectives
• Risk culture, appetite and tolerance
• Risk management cycle
Financial Performance
• Achieving financial performance
Three lines of defence
• Three Lines of Defence in risk management
Summary
Financial risk balance
How is equilibrium achieved?
Shareholder Value
Financial results
Financial Risk
Increasing demand from investors, shareholders, analysts and regulators for greater transparency of financial risk embedded in the organisation and results of risk assessments
Management of financial risk has been heavily influenced by the financial crisis in 2007/08
• Board of directors and senior executives are required to fully understand all financial risk within their organisation
• Link business model/strategy with financial risk and financial performance
A web of complex regulations, standards, policies and initiatives aimed at addressing the impact brought about by the crisis and requiring organisations to consider and manage financial risk
"EU to probe popular US sites over data
use and search" (FT, April 2015)
"Healthy liquidity diet needed to survive
future financial shocks" (FT, April 2015)
"CME suspends two gold futures traders"
(FT, May 2015)
"Tesco takes first steps on long road to
recovery" (FT, April 2015)
Trilogy of risk, effect and response
“The major difference between a thing that might go wrong
and a thing that cannot possibly go wrong is that when a
thing that cannot possibly go wrong goes wrong it usually
turns out to be impossible to get at or repair”
Douglas Adams
Risks across the landscape
[Diagram: risks arranged from internal risks to external risks by ability to influence and control, grouped as non-financial risks, financial risks and sector/macro risk]
• Compliance risk
• Credit risk
• Operational risk
• Technology including cyber risk
• Legal and tax risk
• Business risk
• Reputational/Brand risk
• Sovereign/Country risk
• Market risk
• Liquidity and Funding risk
• Pension risk
Key effects and response
Effect
Non-financial
• Brand tarnished
• Customer loss
• Control weaknesses / failures
Financial
• Insolvency / administration
• Large losses
• No dividend payments
• Balance sheet reductions
• Stagnation in business growth
• Inaccurate accounting and reporting
Organisation Response
• Granular and new regulatory requirements
• Enhanced reporting and disclosures
• Enhanced board and executive governance
• New/revised accounting Standards
• Compliance
• Risk Framework and risk appetite
• Greater scrutiny
• Accountability and transparency
• Conduct/customer detriment
• Transaction reporting
• Volcker rule / Dodd-Frank Act
• Recovery and resolution plans
Influences on risk management
Sector / Macro risks
Non-Financial risks
Financial risks
Enhanced board governance
Risk management and framework
Improved systems and controls
Current external drivers
Internal management
Annual Reports
Strategic report
Principal risk
Capital and liquidity risk management
Growing / Future external impact
Enhanced and more granular public disclosures
Developed MI / reporting
Emerging risk
Strategic, holistic and forward looking views
New accounting standards / IFRS 9, 14 and 15
European directives
Conduct and Compliance
MiFID2
Transaction Reporting
Risk management governance
Business Strategy/Model
Business Outcomes
Risk Framework
Risk Appetite
Risk Culture
Risk Tolerance
Risk Cycle
Identification, Monitoring, Assessment, Reporting, Management
Governance
Risk objectives
Risk principles
The Board should be firmly committed to sound and prudent risk management practices that are aligned to achieving the organisation's strategic objectives.
The Board needs to consider the principal risks and uncertainties facing the organisation.
Strategy, risk principles and objectives
Business Strategy is a long term plan of action designed to achieve a set of goals or objectives, a "roadmap"
The Board is responsible for embedding a governance and policy framework designed to provide for appropriate control and monitoring consistent with the risk principles and objectives.
Risk Management Objectives
• All key risks to the achievement of strategic objectives are identified, assessed, managed and monitored across the organisation
• Key stakeholders have assurance that a framework is in place
Risk Management Principles
• Responsibility is clearly assigned and accepted
• Fully independent system of risk management established and maintained
• Effective escalation and incident management processes
Risk culture, appetite and tolerance
Implementing an effective risk management framework requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives
Risk appetite
• The risk appetite statement should be directly linked to the organisation's short and long term strategic plans
• Addresses the firm's material risks and establishes clear quantitative limits (measures of loss or negative outcomes) and qualitative statements for risks that are difficult to measure
Risk culture
• Risk culture is critical to successful risk management
• Defines values and behaviours that shape risk decisions
• Reinforces a clear and well communicated risk strategy and risk appetite
• Stresses the philosophy that all employees are responsible for the management of risk
Risk tolerance
• Allocation of the firm's aggregated risk appetite statement down the organisation: business line, legal entity, specific risk categories, concentrations and other levels
• Risk limits should be specific, measurable, frequency-based, reportable and based on forward looking assumptions
Risk management cycle
Risk management is the process of minimizing or mitigating the risk. It starts with the identification and evaluation of risk followed by optimal use of resources to monitor and minimize the risk
Risk Management
• The risk management or risk mitigation process requires identification of a range of options for managing individual risks
• Mitigation planning includes: mitigation, sharing, avoidance, transfer or acceptance
Risk Identification
• Identification of all risks which could have a material impact on the operation of the business and/or the achievement of the business’s strategy and objectives.
• Assess risks, both present now and potential future risks, that are internal and external to the firm
• Regular internal business meetings assist in risk identification, and new risks may be identified through analysis of root causes of other (related) risks
Risk Assessment
• Develop an understanding of each risk, including cause, potential likelihood of occurrence and the impact
• Use an impact v likelihood matrix (probability) to quantify and prioritise the risk
Risk Monitoring
• Monitoring involves the on-going review of risks and mitigation strategies, and is key to ensuring risk mitigation priorities remain relevant as the business structure and strategy change.
• Risks are monitored through the reporting of KRIs, through local business reporting and submissions to Risk Management, incident tracking and through maintenance of risk registers.
Risk reporting needs to provide actionable intelligence to decision makers and risk managers
Risk Reporting / Board MI
• Risk reporting to the Board and senior executives incorporates Key Risk Indicators (KRI) that bring benefits to the organization
• Provide an indication of actual risk against the organisation's risk appetite and risk tolerance
• Provide a backward looking view on risk events, so lessons can be learned from the past
• Provide an early warning for potential emerging / horizon risk so proactive action can take place to mitigate / manage
• Balanced selection of risk indicators, covering performance indicators, lead indicators and trends
• Selected indicators should drill down to the root cause of the events
Achieving financial performance
Board and senior management
• Risk assessment begins and ends with specific strategic and business objectives
• Set defined performance targets and principal risks to delivery
• Evaluate risk-adjusted returns to the organisation
Business strategy and model
Risk framework and risk appetite
Identify, assess and manage risk
Report and monitor
Budget, Actual v budgets, Actions taken, Forecasting
Business, division, legal entity and product
Summary
• Historically organisations viewed risk as a necessary evil to achieve higher returns and meet shareholder value
• In the current economic and regulatory environment, identifying, managing and exploiting risk across an organisation has become increasingly important to its financial success
• Regulators, shareholders, investors and analysts now scrutinize firms to understand the governance, controls and processes in place to identify and manage risk to an appropriate level for the organisation
• An effective risk assessment provides a clear view of variables to which the firm may be exposed, whether internal or external, retrospective or prospective
"Not everything that can be counted counts.
Not everything that counts can be counted".
Albert Einstein
Kantilal Pithia
Telephone +44 (0)20 7865 2688
Mobile +44 (0)7500 761 351
Topics to be covered
• Financial control
• Financial reporting
• COSO requirements
• Impact of Sarbanes Oxley
• Financial Reporting Council
• Accounting Standards
• International Accounting Standards Board
• Authorisation, segregation of duties and management review
Balance Sheet Reconciliations / Journal Vouchers / Suspense Accounts / Other
Michel / Crawford
AGENDA
1. Overview - Control framework: Core vs. Non Core
2. Journal Vouchers
3. Suspense Accounts
4. Balance Sheet Reconciliations
5. Other
Career Summary: 25 years’ experience combining Internal Audit (15), Finance (5) and External Audit (5)
Crawford and Company, London, UK: Director Internal Audit, EMEA A/P
Koch Industries, London, UK: Director Internal Audit, Europe
Eisai Europe Ltd, London, UK: Director Internal Audit Europe
Russell Reynolds, London: International Financial Controller - Germany/Sweden
Unilever / Bestfoods, Germany / UK: Financial Controller / Audit Manager
Eaton Ltd, London, UK: International Internal Auditor
Deloitte & Touche, Gothenburg, Sweden: External Auditor
Education & Qualifications
CMIIA – Certified Oct 2007 (Institute of Internal Audit)
ACCA / FCCA – Qualified 2003. Elected Fellow – May 2008 (Chartered accountant)
University of Gothenburg, Sweden - Bachelor of Science in Business Administration, Options in Accounting and Finance
Personal
French / German dual nationality; Married – 3 children; Passionate Tennis player
Crawford & Company WORLDWIDE
Strategy - diversified claims services
History - founded 1941
Head office - Atlanta, USA
Employees - 8,700
Locations - 700 locations across 70 countries
Revenues - US$ 1.2b
Listed - NYSE
Unprecedented global catastrophes
27.02.10 – Chile: Earthquake
20.04.10 – Deepwater Horizon: Oil Spill
21.12.10 – Australia: Severe Flooding
02.02.11 – Australia: Cyclone Yasi
04.02.11 – Australia: Severe Flooding
05.02.11 – Australia: Bushfires
22.02.11 – New Zealand: Earthquake
11.03.11 – Japan: Earthquake & Tsunami
06.08.11 – UK Riots
--.10.11 -- Thailand: Floods
29.10.12 – Sandy
09.07.13 – Canada Floods
Overview Core vs Non Core
[Diagram labels]
GL
Adjustments: GAAP, IFRS, Tax ..
Final
Subledgers: "Core" (Receivables, Payables..)
Journal Entries: "Non Core"
Suspense Accounts
SEGREGATION OF DUTIES
• Segregation of duties (SOD) is one of the key concepts of internal controls.
• Contributes to an organization’s system of checks.
• The concept of segregation of duties is to separate the following
responsibilities in each business process: ( C A R )
• Custody of assets
• Authorization
• Record keeping
• Reconciliation
• Ideally, no individual employee should handle more than one of the above-noted functions in a process. If not:
• compensating controls (preventative, detective or monitoring controls) should be considered, performed by an independent, supervisory-level employee who does not have CAR responsibilities.
Journal Vouchers (JV)
Background
• Process entries that do not go through the “Core” underlying systems (which should have strong controls)
• JV = Draft voucher awaiting approval and posting.
• JE (Journal Entry) = Posted entry.
• Manual vs Automated Journal Entries.
• Think “CAR” and “SOD”.
• Custody of relevant accounts, Authorisation, Record keeping.
Step back
• What behaviours could be driven by the current situation?
• Good year - understate assets / overstate liabilities.
• Bad year - overstate assets / understate liabilities.
• What controls are in place and are they applied?
• How could controls be circumvented and is this tested?
Use common sense!!
Journal Vouchers (JV)
Characteristics of irregular entries
1. Not posted in GL (adjustment to final outside of books);
2. Made to unrelated, unusual or seldom-used accounts;
3. Made by individuals who typically do not make journal entries;
4. Recorded at the end of the period or as post-closing entries that have little or no explanation or description;
5. Made either before or during the preparation of the financial statements that do not have account numbers;
6. Round numbers or a consistent ending number;
7. To accounts containing complex / unusual items;
8. Contain significant estimates and period-end adjustments;
9. Prone to errors in the past;
10. Not reconciled timely or contain unreconciled differences;
11. Contain intercompany transactions;
12. Associated with an identified risk of material misstatement due to fraud.
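As an added example (not part of the seminar slides), the sketch below screens a journal-entry extract for characteristics 2 to 6 above that can be tested from data, plus the "CAR"/SOD check that preparer and approver differ. The field names, thresholds and sample entries are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from decimal import Decimal

# Constructed sample extract: one dict per posted journal entry (hypothetical fields).
SAMPLE_PERIOD_END = date(2015, 3, 31)
SAMPLE_ENTRIES = [
    {"id": "JE-001", "account": "6100", "amount": Decimal("1234.56"), "posted": date(2015, 3, 10),
     "prepared_by": "alice", "approved_by": "bob", "description": "Monthly rent accrual"},
    {"id": "JE-002", "account": "6100", "amount": Decimal("1250.10"), "posted": date(2015, 3, 12),
     "prepared_by": "alice", "approved_by": "bob", "description": "Rent true-up Q1"},
    {"id": "JE-003", "account": "2100", "amount": Decimal("845.20"), "posted": date(2015, 3, 15),
     "prepared_by": "alice", "approved_by": "bob", "description": "Payroll accrual March"},
    {"id": "JE-004", "account": "2100", "amount": Decimal("910.75"), "posted": date(2015, 3, 20),
     "prepared_by": "carol", "approved_by": "bob", "description": "Payroll accrual correction"},
    {"id": "JE-005", "account": "6100", "amount": Decimal("300.40"), "posted": date(2015, 3, 25),
     "prepared_by": "carol", "approved_by": "bob", "description": "Utilities recharge"},
    {"id": "JE-006", "account": "9990", "amount": Decimal("50000.00"), "posted": date(2015, 3, 31),
     "prepared_by": "dave", "approved_by": "dave", "description": ""},
    {"id": "JE-007", "account": "", "amount": Decimal("780.33"), "posted": date(2015, 4, 2),
     "prepared_by": "carol", "approved_by": "bob", "description": "adj"},
    {"id": "JE-008", "account": "2100", "amount": Decimal("2000.00"), "posted": date(2015, 3, 18),
     "prepared_by": "alice", "approved_by": "bob", "description": "Bonus provision per HR schedule"},
]


def screen_journal_entries(entries, period_end, close_window_days=3,
                           round_unit=Decimal("1000"), rare_max=1,
                           min_description_len=10):
    """Return {entry id: [flags]} for entries matching the listed characteristics.

    All thresholds are illustrative assumptions; tune them to the ledger's volume.
    """
    account_use = Counter(e["account"] for e in entries if e["account"])
    poster_use = Counter(e["prepared_by"] for e in entries)
    window_start = period_end - timedelta(days=close_window_days)
    findings = {}
    for e in entries:
        flags = []
        if not e["account"]:
            flags.append("NO_ACCOUNT")                      # characteristic 5
        elif account_use[e["account"]] <= rare_max:
            flags.append("SELDOM_USED_ACCOUNT")             # characteristic 2
        if poster_use[e["prepared_by"]] <= rare_max:
            flags.append("INFREQUENT_POSTER")               # characteristic 3
        late = e["posted"] >= window_start                  # period end or post-close
        if late and len(e["description"].strip()) < min_description_len:
            flags.append("PERIOD_END_NO_DESCRIPTION")       # characteristic 4
        if e["amount"] != 0 and e["amount"] % round_unit == 0:
            flags.append("ROUND_AMOUNT")                    # characteristic 6 (round numbers only)
        if not e["approved_by"] or e["approved_by"] == e["prepared_by"]:
            flags.append("SELF_APPROVED")                   # SOD: no independent authorisation
        if flags:
            findings[e["id"]] = flags
    return findings


if __name__ == "__main__":
    for entry_id, flags in screen_journal_entries(SAMPLE_ENTRIES, SAMPLE_PERIOD_END).items():
        print(entry_id, ", ".join(flags))
```

A flag is a prompt for follow-up against supporting documentation, not a finding in itself; entries carrying several flags at once are the ones to sample first.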
Suspense Accounts
Double-entry bookkeeping implies that all transactions appear in at least two accounts or more and must balance each other. You receive goods, a supplier invoice or a payment from a customer, but are not sure…
Definition
A temporary resting place for an entry that will end up somewhere else once its final destination is determined:
- Manually: Not sure where to book it for now.
- Systems: Transactions not properly coded.
Multiple suspense accounts prevent unknown transactions from being placed into the wrong areas of the general ledger.
For example, payroll, tax, inventory, clients, suppliers.
Don’t forget to understand whether suspense account bookings bypass other normal controls such as matching goods received (GR) against PO and matching GR against supplier invoices or SOD (CAR)
Clear out suspense accounts on a monthly or cyclical basis, which should give a zero balance.
Was it properly cleared?
Balance Sheet Account Reconciliations
Basics
• Each account is assigned a preparer
• Compare GL and sub-ledger or other “source”.
• Reconciled regularly & timely, typically monthly / quarterly.
• Must identify differences & explain.
• Un-reconciled items must be promptly resolved.
• Reconciliations must be reviewed, challenged & approved
Sources of Back up
Acceptable
• External: Bank statement, Contracts, Supplier statements
• Sub ledgers: Debtors, Payroll, Fixed Assets, Inventory, Vendors
• Other: Analysis of Reserves, Accruals, Warranty, Bad Debt, Def Tax
Not acceptable
- Copies of Journal entries
- Balance roll forwards
- Employee emails "the account is correct"
- List of details with no source
How good is this?
• Validate the Balance Sheet – Is it accurate?
• Not best way to catch irregularities / frauds etc.
• What is the reconciliation worth?
• It may reconcile to the GL, but was the GL adjusted before the reconciliation to make it match!
• Need to understand integrity in the process controls
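The question of whether the GL was adjusted to make a reconciliation match can be tested from data. The following added example (not from the seminar) looks for manual entries keyed on the reconciled account after period end and before sign-off, without which the GL would not have agreed to the source; field names and sample records are assumptions constructed for illustration.

```python
from datetime import date
from decimal import Decimal

# Constructed sample data. "entered" is the date the manual entry was keyed,
# which may be later than the accounting period it was booked into.
SAMPLE_RECONS = [
    {"account": "1200", "period_end": date(2015, 3, 31), "signed_off": date(2015, 4, 8),
     "prepared_by": "erin", "gl_balance": Decimal("98500.00"),
     "source_balance": Decimal("98500.00")},
    {"account": "1300", "period_end": date(2015, 3, 31), "signed_off": date(2015, 4, 9),
     "prepared_by": "frank", "gl_balance": Decimal("5000.00"),
     "source_balance": Decimal("5000.00")},
]
SAMPLE_MANUAL_ENTRIES = [
    {"id": "M-1", "account": "1200", "amount": Decimal("-1500.00"),
     "entered": date(2015, 4, 7), "prepared_by": "erin"},
    {"id": "M-2", "account": "1200", "amount": Decimal("200.00"),
     "entered": date(2015, 3, 15), "prepared_by": "frank"},   # inside the period
    {"id": "M-3", "account": "1300", "amount": Decimal("75.00"),
     "entered": date(2015, 4, 20), "prepared_by": "frank"},   # after sign-off
]


def find_forced_matches(recons, manual_entries, tolerance=Decimal("0.01")):
    """List reconciliations that only agree because of late manual entries.

    For each reconciliation, back out the manual entries keyed between period
    end and sign-off. If the GL matches the source with them and not without
    them, report the gap they closed and who keyed them.
    """
    findings = []
    for r in recons:
        window = [e for e in manual_entries
                  if e["account"] == r["account"]
                  and r["period_end"] < e["entered"] <= r["signed_off"]]
        adjusted = sum((e["amount"] for e in window), Decimal("0"))
        gap_after = r["source_balance"] - r["gl_balance"]
        gap_before = r["source_balance"] - (r["gl_balance"] - adjusted)
        if abs(gap_after) <= tolerance and abs(gap_before) > tolerance:
            findings.append({
                "account": r["account"],
                "gap_before": gap_before,
                "entries": [e["id"] for e in window],
                # Same person reconciling and adjusting is a CAR/SOD conflict.
                "by_reconciler": [e["id"] for e in window
                                  if e["prepared_by"] == r["prepared_by"]],
            })
    return findings


if __name__ == "__main__":
    for f in find_forced_matches(SAMPLE_RECONS, SAMPLE_MANUAL_ENTRIES):
        print(f["account"], f["gap_before"], f["entries"], f["by_reconciler"])
```

A late adjustment can be legitimate; the check only identifies which reconciliations need the supporting evidence for the adjusting entry reviewed.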
Some other risk areas
JV, BS Recs and Suspense accounts are areas to assess to gain an understanding whether the company is well controlled.
This nevertheless indicates that there is a certain level of control but don’t forget that it could be “worse” and bad controls / practices could be hidden further:
1. Booking unusual transactions well hidden in the P&L
under large volumes of transactions.
2. Not recording
1. Liabilities:
• Are all supplier invoices/ customer rebates
recorded.
2. Assets
• I sell to you but the money does not go to the
company. (Selling production scrap, pallets in
distribution, delivering more but not billing)
• Net-net deals (discounts, rebates, promotional
activities) - Tesco.
• Suppliers not passing on savings from sub
suppliers
3. Overpaying.
• I choose you as a supplier and you give me
something in return. (Kick backs). Bidding !
• You choose me as a supplier and I pay you off
through hidden invoices such as agency
commissions. (*)
4. Recording expenses on the basis of ambivalent
invoices. (*)
• Net-net deals (discounts, rebates, promotional
activities) - Tesco.
• Suppliers not passing on savings.
(*) Transparent invoices, matching service/ goods
received against invoices.
Closing Note
To find issues it helps to:
• Understand the business & the environment. (So you
scrap production rest metals)
• Identify and explore what does not get talked about.
(So we control inventory but not the pallets that ship it
around)
• Compare and contrast across industries.
• Refer to other subject matter bodies like ACFE, IIA.
Whether in commerce & industry or service or other
-
47 © 2015 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a
Swiss entity. All rights reserved.
Agenda
■ Latest fraud examples
■ Opportunities for fraud in financial systems
■ Financial red flags
■ Effective accounting fraud risk management
What we are seeing on the ground
■ Payment diversion
■ Technology enabled
■ Accounting misstatement
■ Procurement fraud
Financial red flags
Payment diversion
• Pre-payment analytics
• Verification process
• Systems not forcing ‘four eyes’
Procurement fraud
• Third party due diligence
• Non-experts – VFM
• Transactional analytics
Technology enabled
• Weak access controls
• Portal access not restricted
• Sharing of passwords
Accounting misstatement
• Reconcile to cash
• Hit the balance sheet
• Anomalous accounting entries
Red flag indicators of possible earnings management
■ Financial (or other) results that seem “too good to be true” or significantly better than competitors
■ Consistently close or exact match between reported and forecast results
■ Unusual balance sheet changes or trends: for example receivables/WIP growing faster than cash
■ Unusual accounting policy: revenue before shipping, deferral of costs
■ Accounting principles at variance with industry norm
■ The pattern of shipping: most of quarter’s sales in last week or day of period
■ Use of reserves/provisions to smooth out earnings: for example large additions to reserves that get reversed in a later period
■ Frequent and significant changes in estimates for no apparent reason
■ Complex or unique business arrangements not well understood or appearing to serve little practical purpose
Warning signs - accounts manipulation / fraudulent financial reporting
■ Remote operations
■ Multiple banking arrangements
■ Related party arrangements
■ Complex corporate structures
■ Profit warnings / credit warnings
■ High management turnover
■ Results exceed market trend
■ Cash / funding gap
■ Unique products – unique risks
■ Aggressive accounting policies
■ Highly-leveraged rewards
■ Aggressive forecasts
■ High hope value
■ Declining industry / earnings
■ High analyst or other pressures
■ Significant director share sales
■ Illegal unethical practices
■ Undue secrecy
■ Dominance / lifestyle issues
■ Lack of trust / poor internal or external auditor relationships
Understanding the fraudster
Fraud Triangle
“Whatever it takes” to hit targets
Personal debts
Greed
Addiction
Fear of job loss if targets not achieved
Hidden in complex transactions
Abuse of authority
Exploiting errors
Lack of segregation of duties
Policies/procedures are easy to bypass
Lack of confidence that reporting will result in action
“It’s a victimless crime”
“I deserve it”
Lack of understanding of the standards
Code of conduct not taken seriously
Results are rewarded, not conduct
Integrity and ethical standards
Source: KPMG Integrity Survey
■ 73% of US company employees have observed violations of law or their
company standards – “misconduct” in the past year;
■ 56% of those employees said that what they observed could cause “a significant
loss of public trust” if discovered;
■ 47% of employees across all sectors lacked confidence in reporting misconduct
to company hotlines;
■ 33% lacked confidence that appropriate action would be taken if they reported a
violation;
■ 48% lacked confidence that they would be protected from retaliation;
■ 52% lacked confidence that senior management knew what type of behaviour really
went on inside the business.
Fraud risk management
Understand the environment & relationships
■ CEO & CFO
■ CFO & Financial Controller
■ General Counsel
■ Auditors
■ Divisional management
Searching for a ‘bad environment in the extreme’
Ground we have covered
■ The explosion of payment diversion fraud: from outside, from inside and
collusively
■ Fraud triangle: a properly based model (both academically and anecdotally) to
anchor awareness training, an anti-fraud strategy and investigations
■ Employees across all sectors lacked confidence in reporting misconduct (US
survey)
■ Most companies still lurch from one fraud (broadly defined) to another because
they do not strategically address all elements of the motivations for fraud
■ Assess the environment: it is your biggest risk and biggest defence
© 2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG
Europe LLP and a member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative, a Swiss entity. All rights
reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks
or trademarks of KPMG International Cooperative (KPMG International).
The information contained herein is of a general nature and is not intended to
address the circumstances of any particular individual or entity. Although we
endeavour to provide accurate and timely information, there can be no guarantee
that such information is accurate as of the date it is received or that it will continue
to be accurate in the future. No one should act on such information without
appropriate professional advice after a thorough examination of the particular
situation.
Alex Plavsic
Partner - Forensic
Direct Line: +44 (0) 20 7311 3862
Mobile: +447710808969
It’s all ‘audit’, isn’t it?
• Complementary functions in the assurance framework.
• Both are essential for effective governance.
• Both use risk management as a starting point.
• Independent, professional code of ethics and standards
• Both provide assurance around financial management, including preventing errors and fraud.
INTERNAL AUDIT
EXTERNAL AUDIT
Differences between IA & EA
INTERNAL AUDIT
Employed by board & senior executives
Discretionary
All objectives and risks
Reports are not publicly available
Continuous
EXTERNAL AUDIT
Appointed by owners & shareholders
Legal requirement
Financial reporting risks
Reports are publicly available
Financial cycle
https://www.iia.org.uk/policy/policy-position-papers/internal-audits-relationship-with-external-audit/
Internal audit: independent and objective assurance and consulting... to evaluate & improve governance, risk management & control.
External audit: to obtain reasonable assurance financial statements are free from misstatement, error & fraud in accordance with accounting principles
Blurred lines ?
Governance & culture
Risk management
Project & change programmes
Value for money
Financial systems
IT infrastructure
Cybersecurity
Fraud prevention
IA & financial management?
Questions
Priority?
Frequency?
Focus?
Timing?
Response
Understand change & risk
Understand expectations
Explain & justify choices
Coordinate with EA
Objectives
Change
Risk
What does good coordination look like?
• Regular communication.
• Aligned planning.
• Possible co-sourcing or one-off joint working
• Exchange of information.
• Learning & development
Case study example
Quarterly meeting timetable linked to audit committee meeting dates:
• Feb – planning discussions & progress update.
• May – onsite EA progress meeting, exchange of audit reports.
• Sept – finalising IA annual reports and EA management letter. IT audit work terms of reference.
• Dec – IA plan progress review, update of strategic risk register. IT audit report finalisation.
Benchmarking and round table discussion on current practice on auditing financial systems
Martin Robinson
Discussion Points
• How do you focus on strategic financial risks?
• Do you try to incorporate a review of financial risks
in all audits you carry out?
• How do you relate and communicate with senior
finance management?
• What challenges do you face in auditing financial
risk and financial control?
• What are some of the key issues you have raised in
the past?