Financial - Chartered Institute of Internal Auditors

Seminar
Financial management risks and
financial controls
An update for internal auditors
20 May 2015
Chairman’s Welcome
Agenda
09.15-09.45 Registration and coffee
09.45-10.00 Welcome and opening remarks
10.00-10.45 Identifying and managing your financial risk
  Kantilal Pithia, Senior Manager, Finance and Risk, Grant Thornton
10.30-11.15 Financial risks and financial control – the latest initiatives and developments
  Martin Robinson, Training Development Adviser, Chartered Institute of Internal Auditors
11.30-11.45 Coffee
11.45-12.30 Focusing on the importance of accounting reconciliations, suspense accounts and journal voucher processing
  Michel Schurer, Director Internal Audit, EMEA AP, Crawford and Company Claims Management
12.30-13.15 Managing fraud in accounting systems and accounting manipulation fraud
  Alex Plavsic, Partner – Forensic, KPMG
13.15-14.00 Lunch
14.00-14.40 Internal audit and external audit – managing the organisation’s expectations
  Chris Baker, Technical Development Manager, Chartered Institute of Internal Auditors
14.45-15.30 Benchmarking workshop – a roundtable discussion on current practice on auditing financial systems
  Martin Robinson, Training Development Adviser, Chartered Institute of Internal Auditors
15.30-15.45 Summary feedback and close
Identifying and managing your financial risk
Agenda
• Financial risk landscape: financial risk balance; trilogy of risk, effect and response; risks across the landscape; key effects and response; influences on risk management
• Managing financial risk: risk management governance; strategy, risk principles and objectives; risk culture, appetite and tolerance; risk management cycle
• Financial performance: achieving financial performance
• Three lines of defence: the Three Lines of Defence in risk management
• Summary
© 2015 Grant Thornton UK LLP. All rights reserved.
Financial risk balance
Management of financial risk has been heavily influenced by the financial crisis in 2007/08.
How is equilibrium achieved? (Diagram: shareholder value, financial results and financial risk shown in balance.)
• Board of directors and senior executives are required to fully understand all financial risk within their organisation
• Link the business model/strategy with financial risk and financial performance
• Increasing demand from investors, shareholders, analysts and regulators for greater transparency of the financial risk embedded in the organisation and of the results of risk assessments
A web of complex regulations, standards, policies and initiatives aimed at addressing the impact brought about by the crisis and requiring organisations to consider and manage financial risk.
Trilogy of risk, effect and response
“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair” – Douglas Adams
• "EU to probe popular US sites over data use and search" (FT, April 2015)
• "Healthy liquidity diet needed to survive future financial shocks" (FT, April 2015)
• "CME suspends two gold futures traders" (FT, May 2015)
• "Tesco takes first steps on long road to recovery" (FT, April 2015)
Risks across the landscape
(Diagram: financial and non-financial risks, internal and external, arranged along an axis labelled "ability to influence and control".)
• Credit risk
• Market risk
• Liquidity and funding risk
• Operational risk
• Compliance risk
• Technology including cyber risk
• Business risk
• Legal and tax risk
• Reputational/brand risk
• Pension risk
• Sovereign/country risk
• Sector/macro risk
Key effects and response
Effect – non-financial:
• Brand tarnished
• Customer loss
• Control weaknesses/failures
• Inaccurate accounting and reporting
Effect – financial:
• Insolvency/administration
• Large losses
• No dividend payments
• Balance sheet reductions
• Stagnation in business growth
Response – organisation:
• Granular and new regulatory requirements
• Enhanced reporting and disclosures
• Enhanced board and executive governance
• New/revised accounting standards
• Compliance
• Risk framework and risk appetite
Response (continued):
• Greater scrutiny
• Accountability and transparency
• Conduct/customer detriment
• Transaction reporting
• Volcker rule/Dodd-Frank Act
• Recovery and resolution plans
Influences on risk management
(Diagram: influences on financial and non-financial risks, grouped under internal management, current external drivers and growing/future external impact.)
• Capital and liquidity risk management
• Risk management and framework
• Improved systems and controls
• Developed MI/reporting
• Strategic, holistic and forward-looking views
• New accounting standards / IFRS 9, 14 and 15
• Enhanced board governance
• Conduct and compliance
• Enhanced and more granular public disclosures
• MiFID2 and European directives
• Transaction reporting
• Annual reports: strategic report, principal risks
• Sector/macro risks
• Emerging risk
Risk management governance
The Board should be firmly committed to sound and prudent risk management practices that are aligned to achieving the organisation's strategic objectives.
The Board needs to consider the principal risks and uncertainties facing the organisation.
(Diagram: business strategy/model and risk objectives feeding business outcomes, supported by risk culture, risk principles, risk framework, risk appetite and risk tolerance, and a risk cycle of identification, assessment, management, reporting, monitoring and governance.)
Strategy, risk principles and objectives
Business strategy is a long-term plan of action designed to achieve a set of goals or objectives, a "roadmap".
The Board is responsible for embedding a governance and policy framework designed to provide for appropriate control and monitoring consistent with the risk principles and objectives.
Risk management principles
• Responsibility is clearly assigned and accepted
• A fully independent system of risk management is established and maintained
• Effective escalation and incident management processes
Risk management objectives
• All key risks to the achievement of strategic objectives are identified, assessed, managed and monitored across the organisation
• Key stakeholders have assurance that a framework is in place
Risk culture, appetite and tolerance
Implementing an effective risk management framework requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives.
Risk culture
• Risk culture is critical to successful risk management
• Defines the values and behaviours that shape risk decisions
• Reinforces a clear and well communicated risk strategy and risk appetite
• Stresses the philosophy that all employees are responsible for the management of risk
Risk appetite
• The risk appetite statement should be directly linked to the organisation's short and long term strategic plans
• Addresses the firm's material risks and establishes clear quantitative limits (measures of loss or negative outcomes) and qualitative statements for risks that are difficult to measure
Risk tolerance
• Allocation of the firm's aggregated risk appetite statement down the organisation: business line, legal entity, specific risk categories, concentrations and other levels
• Risk limits should be specific, measurable, frequency-based, reportable and based on forward-looking assumptions
Risk management cycle
Risk management is the process of minimizing or mitigating risk. It starts with the identification and evaluation of risk, followed by optimal use of resources to monitor and minimize the risk.
Risk identification
• Identification of all risks which could have a material impact on the operation of the business and/or the achievement of the business’s strategy and objectives
• Assess both present and potential future risks, whether internal or external to the firm
• Regular internal business meetings assist in risk identification, and new risks may be identified through analysis of the root causes of other (related) risks
Risk assessment
• Develop an understanding of each risk, including cause, potential likelihood of occurrence and impact
• Use an impact v likelihood (probability) matrix to quantify and prioritise the risk
Risk management
• The risk management or risk mitigation process requires identification of a range of options for managing individual risks
• Mitigation planning includes: mitigation, sharing, avoidance, transfer or acceptance
Risk management cycle
Risk reporting needs to provide actionable intelligence to decision makers and risk managers.
Risk reporting / Board MI
• Risk reporting to the Board and senior executives incorporates Key Risk Indicators (KRI) that bring benefits to the organisation
• Provide an indication of actual risk against the organisation's risk appetite and risk tolerance
• Provide a backward-looking view on risk events, so lessons can be learned from the past
• Provide an early warning for potential emerging/horizon risks so proactive action can take place to mitigate/manage them
• Balanced selection of risk indicators, covering performance indicators, lead indicators and trends
• Selected indicators should drill down to the root cause of events
Risk monitoring
• Monitoring involves the on-going review of risks and mitigation strategies, and is key to ensuring risk mitigation priorities remain relevant as the business structure and strategy change.
• Risks are monitored through the reporting of KRI, through local business reporting and submissions to Risk Management, incident tracking and through maintenance of risk registers.
Achieving financial performance
(Diagram: the Board and senior management set the business strategy and model and the risk framework and risk appetite; each business, division, legal entity and product then identifies, assesses and manages risk and reports and monitors it through budget, actual v budget, actions taken and forecasting.)
• Risk assessment begins and ends with specific strategic and business objectives
Board and senior management
• Set defined performance targets and principal risks to delivery
• Evaluate risk-adjusted returns to the organisation
The Three Lines of Defence in risk management
Summary
"Not everything that can be counted counts. Not everything that counts can be counted." – Albert Einstein
• Historically organisations viewed risk as a necessary evil to achieve higher returns and meet shareholder value
• In the current economic and regulatory environment, identifying, managing and exploiting risk across an organisation has become increasingly important to its financial success
• Regulators, shareholders, investors and analysts now scrutinise firms to understand the governance, controls and processes in place to identify and manage risk to an appropriate level for the organisation
• An effective risk assessment provides a clear view of the variables to which the firm may be exposed, whether internal or external, retrospective or prospective
Kantilal Pithia
Telephone +44 (0)20 7865 2688
Mobile +44 (0)7500 761 351
Email [email protected]
Financial risks and financial
control - the latest initiatives and
developments
Martin Robinson
Topics to be covered
• Financial control
• Financial reporting
• COSO requirements
• Impact of Sarbanes-Oxley
• Financial Reporting Council
• Accounting Standards
• International Accounting Standards Board
• Authorisation, segregation of duties and management review
Crawford & Company
Michel Schurer
Director Internal Audit EMEA AP
Financial Controls
Agenda: Balance Sheet Reconciliations / Journal Vouchers / Suspense Accounts / Other
1. Overview – control framework: Core vs. Non Core
2. Journal Vouchers
3. Suspense Accounts
4. Balance Sheet Reconciliations
5. Other
Career Summary: 25 years’ experience combining Internal Audit
(15), Finance (5) and External Audit (5)
Crawford and company. London, UK: Director Internal Audit, EMEA A/P
Koch Industries. London, UK: Director Internal Audit, Europe
Eisai Europe Ltd, London, UK: Director Internal Audit Europe
Russell Reynolds, London: International Financial Controller - Germany/Sweden
Unilever/ Bestfoods, Germany / UK, Financial Controller/ Audit Manager
Eaton Ltd, London, UK: International Internal Auditor
Deloitte & Touche, Gothenburg, Sweden: External Auditor
Education & Qualifications
CMIIA – Certified Oct 2007 (Institute of Internal Audit)
ACCA / FCCA – Qualified 2003. Elected Fellow – May 2008 (Chartered accountant)
University of Gothenburg/ Sweden - Bachelor of Science in Business Administration
Options in Accounting and Finance
French / German dual nationality
Personal
Married – 3 children; Passionate Tennis player
Crawford & Company worldwide
Strategy: diversified claims services
History: founded 1941
Head office: Atlanta, USA
Employees: 8,700
Locations: 700 locations across 70 countries
Revenues: US$ 1.2b
Listed: NYSE
Unprecedented global catastrophes
27.02.10 – Chile: Earthquake
20.04.10 – Deepwater Horizon: Oil Spill
21.12.10 – Australia: Severe Flooding
02.02.11 – Australia: Cyclone Yasi
04.02.11 – Australia: Severe Flooding
05.02.11 – Australia: Bushfires
22.02.11 – New Zealand: Earthquake
11.03.11 – Japan: Earthquake & Tsunami
06.08.11 – UK Riots
--.10.11 -- Thailand: Floods
29.10.12 – Sandy
09.07.13 – Canada Floods
Overview: Core vs Non Core
(Diagram of the control framework: "Core" subledgers such as receivables and payables post to the GL; "Non Core" journal entries, adjustments (GAAP, IFRS, tax, ...) and suspense accounts sit outside the core systems and lead to the final figures.)
Segregation of duties
• Segregation of duties (SOD) is one of the key concepts of internal controls.
• Contributes to an organization’s system of checks.
• The concept of segregation of duties is to separate the following responsibilities in each business process (CAR):
  • Custody of assets
  • Authorization
  • Record keeping
  • Reconciliation
• Ideally, no individual employee should handle more than one of the above-noted functions in a process. If not, compensating controls should be considered (preventative, detective or monitoring controls) by an independent, supervisory-level employee who does not have CAR responsibilities.
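A way to test the CAR rule above against an access extract, as an added example that is not part of the seminar material: it assumes a (user, process, role) export and a role-to-CAR mapping, both constructed here, and reports users holding more than one CAR function in a process together with the users who hold none and could own a compensating review.

```python
"""Segregation-of-duties (CAR) conflict check over a constructed role export.

Added example, not part of the seminar slides. It assumes a flat export of
(user, process, role) rows, such as an ERP access-control extract, and a
mapping from each role to the CAR function it confers on the holder.
"""
from collections import defaultdict

# Which CAR function each role confers (assumed mapping, not from the slides).
ROLE_TO_CAR = {
    "AP_INVOICE_ENTRY": "Record keeping",
    "AP_PAYMENT_RELEASE": "Custody of assets",
    "AP_INVOICE_APPROVE": "Authorization",
    "AP_RECONCILE": "Reconciliation",
    "AP_REVIEW_ONLY": None,   # read-only supervisory review, no CAR function
}

# Constructed access extract: (user, process, role).
ACCESS_EXTRACT = [
    ("alice", "Accounts payable", "AP_INVOICE_ENTRY"),
    ("alice", "Accounts payable", "AP_PAYMENT_RELEASE"),   # record keeping + custody
    ("bob",   "Accounts payable", "AP_INVOICE_APPROVE"),
    ("carol", "Accounts payable", "AP_RECONCILE"),
    ("dave",  "Accounts payable", "AP_REVIEW_ONLY"),
    ("erin",  "Accounts payable", "AP_INVOICE_APPROVE"),
    ("erin",  "Accounts payable", "AP_RECONCILE"),         # authorization + reconciliation
]


def car_functions_by_user(extract, role_map):
    """Return {(user, process): set of CAR functions} for roles that confer one."""
    held = defaultdict(set)
    for user, process, role in extract:
        func = role_map.get(role)
        if func is not None:
            held[(user, process)].add(func)
    return held


def find_sod_conflicts(extract, role_map):
    """List (user, process, functions) where a user holds more than one CAR
    function in the same process, i.e. a breach of the 'one function' rule."""
    held = car_functions_by_user(extract, role_map)
    return sorted(
        (user, process, sorted(funcs))
        for (user, process), funcs in held.items()
        if len(funcs) > 1
    )


def independent_reviewers(extract, role_map, process):
    """Users with access to the process but no CAR function in it: candidate
    owners of a compensating review control for that process."""
    held = car_functions_by_user(extract, role_map)
    users = {u for u, p, _ in extract if p == process}
    return sorted(u for u in users if not held.get((u, process)))


if __name__ == "__main__":
    for user, process, funcs in find_sod_conflicts(ACCESS_EXTRACT, ROLE_TO_CAR):
        print(f"SoD conflict: {user} holds {' + '.join(funcs)} in {process}")
    print("Independent reviewers:", independent_reviewers(ACCESS_EXTRACT, ROLE_TO_CAR, "Accounts payable"))
```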
Journal Vouchers (JV)
Background
• Process entries that do not go through the “Core” underlying systems (which should have strong controls)
• JV = draft voucher awaiting approval and posting
• JE (Journal Entry) = posted entry
• Manual vs automated journal entries
• Think “CAR” and “SOD”: custody of the relevant accounts, authorisation, record keeping
Step back
• What behaviours could be driven by the current situation?
  • Good year: understate assets / overstate liabilities
  • Bad year: overstate assets / understate liabilities
• What controls are in place and are they applied?
• How could controls be circumvented and is this tested?
Use common sense!
Journal Vouchers (JV)
Characteristics of irregular entries
1. Not posted in the GL (adjustment to the final figures outside of the books)
2. Made to unrelated, unusual or seldom-used accounts
3. Made by individuals who typically do not make journal entries
4. Recorded at the end of the period or as post-closing entries that have little or no explanation or description
5. Made either before or during the preparation of the financial statements and that do not have account numbers
6. Round numbers or a consistent ending number
7. To accounts containing complex/unusual items
8. Contain significant estimates and period-end adjustments
9. Prone to errors in the past
10. Not reconciled timely or contain unreconciled differences
11. Contain intercompany transactions
12. Associated with an identified risk of material misstatement due to fraud
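Screening a manual journal extract for characteristics 2 to 6 above, as an added example that is not part of the seminar material; the journal lines, the period end date and the rarity threshold are constructed assumptions, and the flags are a starting point for review, not a verdict.

```python
"""Red-flag screening of a manual journal extract, following the characteristics
of irregular entries listed above: seldom-used accounts, unusual posters,
period-end or post-closing entries without explanation, missing account numbers
and round amounts. Added example, not from the seminar; the journal lines,
period end and threshold are constructed assumptions."""
from collections import Counter
from datetime import date

PERIOD_END = date(2015, 3, 31)   # assumed period end; entries on/after it are period-end or post-closing
RARE_MAX = 1                     # an account or user seen this often or less in the extract counts as "seldom used"

# Constructed journal extract: entry id, posting date, posting user, GL account, amount, description.
JOURNAL = [
    {"id": "JE001", "date": date(2015, 3, 10), "user": "gl_clerk1", "account": "6100", "amount": 1234.56, "desc": "Telecoms accrual"},
    {"id": "JE002", "date": date(2015, 3, 20), "user": "gl_clerk1", "account": "6100", "amount": 875.20, "desc": "Stationery reclass"},
    {"id": "JE003", "date": date(2015, 3, 31), "user": "gl_clerk1", "account": "2150", "amount": 50000.0, "desc": ""},
    {"id": "JE004", "date": date(2015, 4, 2), "user": "cfo", "account": "4000", "amount": 250000.0, "desc": "Year end adj"},
    {"id": "JE005", "date": date(2015, 3, 25), "user": "gl_clerk2", "account": "", "amount": 4321.0, "desc": "Correction"},
    {"id": "JE006", "date": date(2015, 3, 15), "user": "gl_clerk2", "account": "6100", "amount": 99.99, "desc": "Petty cash"},
]


def is_round_amount(amount):
    """Whole-number amounts that are multiples of 1,000 (characteristic 6)."""
    return amount != 0 and amount == int(amount) and int(amount) % 1000 == 0


def screen_journal(journal, period_end=PERIOD_END, rare_max=RARE_MAX):
    """Return {entry id: sorted list of red-flag names} for every entry.

    Rarity of accounts and posters is measured within the extract itself, so
    the extract should cover a representative period, not just the entries
    already under suspicion."""
    account_use = Counter(e["account"] for e in journal if e["account"])
    user_use = Counter(e["user"] for e in journal)
    flags = {}
    for e in journal:
        hits = []
        if not e["account"]:
            hits.append("missing_account_number")            # characteristic 5
        elif account_use[e["account"]] <= rare_max:
            hits.append("seldom_used_account")               # characteristic 2
        if user_use[e["user"]] <= rare_max:
            hits.append("unusual_poster")                    # characteristic 3
        if e["date"] >= period_end and not e["desc"].strip():
            hits.append("period_end_no_description")         # characteristic 4
        if is_round_amount(e["amount"]):
            hits.append("round_amount")                      # characteristic 6
        flags[e["id"]] = sorted(hits)
    return flags


def prioritise(journal, **kwargs):
    """Entry ids in review order: most flags first, ties broken by id."""
    flags = screen_journal(journal, **kwargs)
    return sorted(flags, key=lambda entry_id: (-len(flags[entry_id]), entry_id))


if __name__ == "__main__":
    flags = screen_journal(JOURNAL)
    for entry_id in prioritise(JOURNAL):
        if flags[entry_id]:
            print(entry_id, ", ".join(flags[entry_id]))
```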
Suspense Accounts
Double-entry bookkeeping implies that all transactions appear in at least two accounts and must balance each other. You receive goods, a supplier invoice, a payment from a customer, but are not sure…
Definition
A temporary resting place for an entry that will end up somewhere else once its final destination is determined:
• Manually: not sure where to book it for now.
• Systems: transactions not properly coded.
Suspense Accounts
Multiple suspense accounts prevent unknown transactions from being placed into the wrong areas of the general ledger. For example: payroll, tax, inventory, clients, suppliers.
Don’t forget to understand whether suspense account bookings bypass other normal controls such as matching goods received (GR) against the PO, matching GR against supplier invoices, or SOD (CAR).
Clear out suspense accounts on a monthly or cyclical basis, which should give a zero balance. Was it properly cleared?
Balance Sheet Account Reconciliations
Basics
• Each account is assigned a preparer
• Compare GL and sub-ledger or other “source”.
• Reconciled regularly & timely, typically monthly/ quarterly.
• Must identify differences & explain.
• Un-reconciled items must be promptly resolved.
• Reconciliations must be reviewed, challenged & approved
Balance Sheet Account Reconciliations
Sources of back-up
Acceptable:
• External: bank statements, contracts, supplier statements
• Sub-ledgers: debtors, payroll, fixed assets, inventory, vendors
• Other: analysis of reserves, accruals, warranty, bad debt, deferred tax
Not acceptable:
• Copies of journal entries
• Balance roll-forwards
• Employee emails saying "the account is correct"
• List of details with no source
Balance Sheet Account Reconciliations
How good is this?
• Validates the balance sheet – is it accurate?
• Not the best way to catch irregularities/frauds etc.
• What is the reconciliation worth?
• It may reconcile to the GL, but was the GL adjusted before the reconciliation to make it match?
• Need to understand the integrity of the process controls
JV, BS Recs and Suspense accounts are areas to assess to gain an understanding of whether the company is well controlled.
This nevertheless indicates only a certain level of control; don’t forget that it could be “worse” and that bad controls/practices could be hidden further:
Some other risk areas
1. Booking unusual transactions well hidden in the P&L under large volumes of transactions.
2. Not recording:
  1. Liabilities: are all supplier invoices/customer rebates recorded?
  2. Assets:
    • I sell to you but the money does not go to the company (selling production scrap, pallets in distribution, delivering more but not billing).
    • Net-net deals (discounts, rebates, promotional activities) – Tesco.
    • Suppliers not passing on savings from sub-suppliers.
3. Overpaying:
  • I choose you as a supplier and you give me something in return (kickbacks). Bidding!
  • You choose me as a supplier and I pay you off through hidden invoices such as agency commissions. (*)
4. Recording expenses on the basis of ambivalent invoices. (*)
  • Net-net deals (discounts, rebates, promotional activities) – Tesco.
  • Suppliers not passing on savings.
(*) Transparent invoices, matching service/goods received against invoices.
ACFE – Global Fraud Survey
©2012 Association of Certified Fraud Examiners, Inc.
Closing Note
To find issues it helps to:
• Understand the business & the environment (so you scrap production rest metals)
• Identify and explore what does not get talked about (so we control inventory but not the pallets that ship it around)
• Compare and contrast across industries
• Refer to other subject matter bodies like ACFE, IIA
Whether in commerce & industry, service or other.
IIA
Managing fraud in
accounting systems and
accounting manipulation
fraud
Forensic
19 May 2015
Agenda
■ Latest fraud examples
■ Opportunities for fraud in financial systems
■ Financial red flags
■ Effective accounting fraud risk management
© 2015 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a
Swiss entity. All rights reserved.
What we are seeing on the ground
Payment Diversion
Procurement fraud
Technology enabled
Accounting misstatement
Financial red flags
Payment diversion
• Pre-payment analytics
• Verification process
• Systems not forcing ‘four eyes’
Technology enabled
• Weak access controls
• Portal access not restricted
• Sharing of passwords
Procurement fraud
• Third party due diligence
• Non-experts – VFM
• Transactional analytics
Accounting misstatement
• Reconcile to cash
• Hit the balance sheet
• Anomalous accounting entries
Red flag indicators of possible earnings management
■ Financial (or other) results that seem “too good to be true” or significantly better than competitors
■ Consistently close or exact match between reported and forecast results
■ Unusual balance sheet changes or trends: for example receivables/WIP growing faster than cash
■ Unusual accounting policy: revenue before shipping, deferral of costs
■ Accounting principles at variance with industry norm
■ The pattern of shipping: most of the quarter’s sales in the last week or day of the period
■ Use of reserves/provisions to smooth out earnings: for example large additions to reserves that get reversed in a later period
■ Frequent and significant changes in estimates for no apparent reason
■ Complex or unique business arrangements not well understood or appearing to serve little practical purpose
Warning signs - accounts manipulation / fraudulent financial reporting
■ Lack of trust / poor internal or external auditor relationships
■ Dominance / lifestyle issues
■ Undue secrecy
■ Illegal/unethical practices
■ Significant director share sales
■ High analyst or other pressures
■ Declining industry / earnings
■ High hope value
■ Aggressive forecasts
■ Highly-leveraged rewards
■ Aggressive accounting policies
■ Unique products – unique risks
■ Cash / funding gap
■ Results exceed market trend
■ High management turnover
■ Profit warnings / credit warnings
■ Complex corporate structures
■ Related party arrangements
■ Multiple banking arrangements
■ Remote operations
Fraud Triangle
Understanding the fraudster
■ “Whatever it takes” to hit targets
■ Personal debts
■ Greed
■ Addiction
■ Fear of job loss if targets not achieved
■ Hidden in complex transactions
■ Abuse of authority
■ Exploiting errors
■ Lack of segregation of duties
■ Policies/procedures are easy to bypass
■ Lack of confidence that reporting will result in action
■ “It’s a victimless crime”
■ “I deserve it”
■ Lack of understanding of the standards
■ Code of conduct not taken seriously
■ Results are rewarded, not conduct
Integrity and ethical standards
■ 73% of US company employees have observed violations of law or their company standards (“misconduct”) in the past year;
■ 56% of those employees said that what they observed could cause “a significant loss of public trust” if discovered;
■ 47% of employees across all sectors lacked confidence in reporting misconduct to company hotlines;
■ 33% lacked confidence that appropriate action would be taken if they reported a violation;
■ 48% lacked confidence that they would be protected from retaliation;
■ 52% lacked confidence that senior management knew what type of behaviour really went on inside the business.
Source: KPMG Integrity Survey
Fraud risk management
Understand the environment & relationships
■ CEO & CFO
■ CFO & Financial Controller
■ General Counsel
■ Auditors
■ Divisional management
Searching for a ‘bad environment in the extreme’
Ground we have covered
■ The explosion of payment diversion fraud: from outside, from inside and collusively
■ The fraud triangle: a properly based model (both academically and anecdotally) to anchor awareness training, an anti-fraud strategy and investigations
■ Employees across all sectors lacked confidence in reporting misconduct (US survey)
■ Most companies still lurch from one fraud (broadly defined) to another because they do not strategically address all elements of the motivations for fraud
■ Assess the environment: it is your biggest risk and biggest defence
Alex Plavsic
Partner - Forensic
Direct Line: +44 (0) 20 7311 3862
Mobile: +447710808969
Email [email protected]
The information contained herein is of a general nature and is not intended to
address the circumstances of any particular individual or entity. Although we
endeavour to provide accurate and timely information, there can be no guarantee
that such information is accurate as of the date it is received or that it will continue
to be accurate in the future. No one should act on such information without
appropriate professional advice after a thorough examination of the particular
situation.
© 2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG
Europe LLP and a member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative, a Swiss entity. All rights
reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks
or trademarks of KPMG International Cooperative (KPMG International).
Internal audit’s relationship with
external audit
Chris Baker
CIIA Technical Manager
20 May 2015
It’s all ‘audit’, isn’t it?
Internal audit and external audit:
• Complementary functions in the assurance framework.
• Both are essential for effective governance.
• Both use risk management as a starting point.
• Independent, with professional codes of ethics and standards.
• Both provide assurance around financial management, including preventing errors and fraud.
Differences between IA & EA
https://www.iia.org.uk/policy/policy-position-papers/internal-audits-relationship-with-external-audit/
Internal audit | External audit
Employed by board & senior executives | Appointed by owners & shareholders
Discretionary | Legal requirement
All objectives and risks | Financial reporting risks
Reports are not publicly available | Reports are publicly available
Continuous | Financial cycle
Independent and objective assurance and consulting... to evaluate & improve governance, risk management & control | To obtain reasonable assurance that financial statements are free from misstatement, error & fraud in accordance with accounting principles
Blurred lines ?
Governance & culture
Financial systems
Risk management
IT infrastructure
Project & change
programmes
Cybersecurity
Fraud prevention
Value for money
IA & financial management?
Questions (diagram): priority, objectives, frequency, focus, change, timing, risk
Response:
• Understand change & risk
• Understand expectations
• Explain & justify choices
• Coordinate with EA
What does good coordination look like?
• Regular communication.
• Aligned planning.
• Possible co-sourcing or one-off joint working.
• Exchange of information.
• Learning & development.
Case study example
Quarterly meeting timetable linked to audit committee meeting dates:
• Feb – planning discussions & progress update.
• May – onsite EA progress meeting, exchange of audit reports.
• Sept – finalising IA annual reports and EA management letter; IT audit work terms of reference.
• Dec – IA plan progress review, update of strategic risk register; IT audit report finalisation.
Thank you
[email protected]
Benchmarking and round table discussion on current practice on auditing financial systems
Martin Robinson
Discussion Points
• How do you focus on strategic financial risks?
• Do you try to incorporate a review of financial risks in all audits you carry out?
• How do you relate and communicate with senior finance management?
• What challenges do you face in auditing financial risk and financial control?
• What are some of the key issues you have raised in the past?