Cover Page

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

Internal Controls Toolkit

Christine H. Doxey

Introduction to the Internal Controls Toolkit

Introduction

Companies of all sizes are subject to a variety of risks. Among them are legal, regulatory, strategic, operational, financial, and reputational. Each functional organization is subject to one or more of these types of risk, each of which may impact the company's bottom line. Companies use a number of policies and tools to manage risk, such as insurance, the establishment of reserve funds, investment policies, and standards of control.

The concept of internal control is one of the trademarks of effective governance and good business operations. Without a strong system of internal control, organizations cannot ensure that the interests of company stakeholders are being protected. Strong internal controls support organizational goals and objectives, while helping safeguard against the risks of financial loss, operational waste, environmental irresponsibility, corporate fraud, and even reputational damage that can be irreparable. Internal control over financial reporting continues to be a major area of importance in the governance of an organization.

This toolkit provides a series of standards of internal control and the risks they mitigate for all enterprise-wide operations. The fraud risks in today's corporate environment are significant, as indicated by the statistics provided in the following sections. The standards set the foundation for good control and help to mitigate the risk of fraud. According to the 2018 Report to the Nations prepared by the Association of Certified Fraud Examiners (ACFE), anti-fraud controls work: the ACFE analyzed 18 anti-fraud controls, and every one correlated to lower fraud losses and faster fraud detection.

Internal Controls and Fraud Prevention

PwC's 2018 Global Economic Crime and Fraud Survey states that:

  • 49% of organizations globally said they've been a victim of fraud and economic crime—up from 36%.
  • 64% of respondents said losses due directly to their most disruptive fraud could reach US$1 million.
  • 52% of all frauds are perpetrated by people inside the organization.
  • 31% of respondents who suffered fraud indicated they experienced cybercrime.

Internal Controls and Fraud Prevention: Additional Statistics

Payment and Business Process Fraud Statistics

Organization: Association of Certified Fraud Examiners (ACFE)
Report: 2018 Report to the Nations
Key Findings:
  • Occupational fraud is extremely costly. Twenty-two percent of occupational frauds caused at least $1 million in losses.
  • Fraud schemes can be very difficult to detect. The typical occupational fraud lasted 16 months before it was discovered.
  • Tips are the most effective way to detect fraud. Forty percent of cases were detected by a tip—far more than by any other method.
  • Anti-fraud controls work. Eighteen anti-fraud controls were analyzed, and every one correlated to lower fraud losses and faster fraud detection.
  • High-level perpetrators do the most damage. The median loss in frauds committed by owners/executives was $850,000. Among non-owners/executives the median loss was $100,000.
  • Criminal fraud referrals are declining. Over the past 10 years, the percentage of occupational frauds referred to law enforcement has declined by 16 percent.
Source of Information: https://www.acfe.com/article.aspx?id=4295001895

Organization: Association of Finance Professionals (AFP)
Report: 2018 AFP Payments Fraud and Control Survey Report
Key Findings:
  • Seventy-seven percent of organizations experienced business email compromise (BEC).
  • Fifty-four percent of BEC scams targeted wires, followed by checks at 34%.
  • Seventy-seven percent of organizations implemented controls to prevent BEC scams.
  • Seventy-four percent of organizations experienced check fraud, a slight decrease from 2016.
  • Twenty-eight percent were subject to ACH debit fraud and 13% were subject to ACH credit fraud.
  • Sixty-seven percent of payments fraud was discovered by the organization's treasury staff.
Source of Information: https://commercial.jpmorganchase.com/pages/commercial-banking/services/2018-AFP-Survey

Organization: Kroll
Report: Global Fraud & Risk Report, 10th Annual Edition, 2017–2018
Key Findings:
  • 84% of companies surveyed worldwide experienced a fraud incident in 2017.
  • 86% reported at least one cyber-incident, and 70% reported security incidents.
  • Confidential information is coming under increasing threat. Executives are feeling a heightened sense of vulnerability to fraud, cyber-, and security risks.
  • Information theft, loss, or attack (29%), virus/worm attack (36%), physical theft or loss of intellectual property (41%).
  • Theft of physical assets or stock (27%), email-based phishing attack (33%), environmental risk (including damage caused by natural disasters such as hurricanes, tornadoes, floods, earthquakes, etc.) (28%).
  • Management conflict of interest (26%), data breach resulting in loss of customer or employee data, IP/trade secrets/R&D (27%), workplace violence (23%).
Source of Information: https://www.kroll.com/en-us/global-fraud-and-risk-report-2018

Organization: Experian
Report: The 2018 Global Fraud and Identity Report
Key Findings:
  • With most consumers owning smartphones and mobile devices (91%), followed closely by laptop computers (83%), the digital marketplace is here now. Technology is supporting the large volume of online interactions between businesses and consumers. But the real currency of digital commerce is trust.
  • When it comes to online engagement, three-quarters (75%) of businesses are interested in more advanced security measures and authentication processes that have little or no impact on the customer. At the same time, businesses understand that their customers take comfort in the security measures they already have in place for digital transactions.
  • In contrast, almost three-quarters of businesses (72%) cite fraud as a growing concern over the past 12 months, and nearly two-thirds (63%) report the same or higher levels of fraudulent losses over that same period.
Source of Information: https://www.experian.com/assets/decision-analytics/reports/global-fraud-report-2018.pdf

Who Will Benefit from This Toolkit

The intended audience for this toolkit includes individuals whose responsibilities fall within the functions delineated later. Within companies, those roles may include the chief executive officer (CEO), chief financial officer (CFO), chief human resources officer, controller, internal controls management, internal audit management, treasurer, and anyone within the chain of command for procurement, AP, payment processing, payroll, sales, AR, collections, treasury, company operations, security, and IT.

This toolkit defines the standards of internal control for all aspects of a manufacturing enterprise that also provides customer and professional services. In addition to the breadth of coverage, this toolkit addresses the depth of processes within each category, and offers a wealth of information about the functions and available controls to manage risk associated with each of them. As such, it is a great reference for many roles within these wide-ranging corporate functions within companies of many sizes. It may serve as a training tool for corporate employees who wish to learn more about internal controls standards and risk management processes.

This toolkit also provides guidelines, best practices, and other tools to assist companies in their enterprise-wide focus on risk management through the standards of internal control.

About the Standards of Internal Control

How were the standards developed?

The standards are the product of over 30 years of experience in the finance, accounting, and internal controls field. The standards are a body of work that leverages experience at large technology, telecommunications, and manufacturing companies. They were developed when implementing internal control programs for approximately 100 business processes and sub-processes that include all aspects of financial operations, the fiscal closing process, logistics, and procurement.

How are the standards used?

Since the standards were compiled from internal controls best practices used to mitigate risk, they can be used to set the foundation for the requirements of Section 404 of the Sarbanes-Oxley (SOX) Act. This is a perfect fit, since the standards follow the COSO internal control framework and philosophy and are easily customizable to meet the needs of an organization. When the concept was launched at large technology companies, the standards were used as part of a quarterly balance sheet review process to validate the effectiveness of internal control programs, to ensure that risk was mitigated, and to determine that remediation activities were completed. The standards of internal control can be leveraged to enhance an existing controls program or to validate your current SOX 404 work.

What is the basic premise of the standards?

The basic premise of the standards is that critical corporate controls should be the foundation for all internal control programs, regardless of the company's size or industry. The three critical controls are: (1) Segregation of Duties, (2) Delegation of Authority, and (3) System Access. The standards stress that these critical controls should be embedded for all business processes and sub-processes to properly mitigate risk.

When should the standard be updated?

The standards are updated when there is a significant change to the business process or system environment. As an example, standards are updated when a business process is automated, or a new ERP system is implemented, upgraded, or consolidated.

The standards should be immediately revised if a fraud has been perpetrated. A fraud indicates that the risk has not been properly evaluated or a critical control has not been adequately implemented. Lastly, the standards should be reviewed if the cost of the control is not in line with the overall benefit to the organization.

What is a best practice for implementing and using the standards?

As noted, the standards of internal control can be easily customized to fit any company and can be linked to an entity's corporate policies as suggested in the diagram below. Standards can also be integrated with functional policies, procedures, work instructions, and systems of controls, with a solid foundation of business ethics establishing support for the overall program.

A quarterly review process is highly recommended, including a series of self-assessments, assertions, and action-item follow-ups to ensure that open issues are remediated in a timely manner. An example is the quarterly balance sheet review program previously mentioned. This review includes a review of the standards applicable to the business process, a look at pending remediation items and plans, and a review of account reconciliations. This approach not only supports the requirements for SOX programs but also defines the specifics of a continuous control monitoring (CCM) process.

Key Point: The standards define a series of internal controls that address the risks associated with key business processes, sub-processes, and entity-level processes. The following example takes a look at the standard for the invoice processing sub-process within accounts payable.

General Standards of Internal Control

The following general standards of internal control apply to all business processes. It should be noted that any of these general requirements may be superseded by a more stringent or specific control within an individual business process.

General Standards of Internal Control
1.1 Managers are responsible for integrating effective internal controls into all company operations. This responsibility includes identifying, assessing, and managing risks that affect the accomplishment of their business objectives. The resulting internal control activities must be monitored to verify they are effective and working as intended.
1.2 All employees must comply with the company code of conduct.
1.3 Statements of corporate policy must be adhered to by all operating units. Policies and procedures established within operating units must, at a minimum, meet and not be in conflict with the control requirements specified by corporate policy. Policies and procedures must be periodically reviewed and updated.
1.4 The company's financial statements must be prepared in conformity with accounting principles. In addition, no false or intentionally misleading entries shall be made in the company's accounting records.
1.5 Adequate segregation of duties and control responsibilities must be established and maintained in all functional areas of the company as one of the three critical corporate controls. In general, custodial, processing/operating, and accounting responsibilities should be separated to promote independent review and evaluation of company operations. Where adequate segregation cannot be achieved, other compensating controls must be established and documented.
1.6 All representations made in the annual letter of representation must be supported and the appropriate documentation must exist and be retained in accordance with the controller, financial representation, and controls assurance process and statements of corporate policy.
1.7 Costs and expenses of all operating units must be maintained under budgetary control. Comparisons of actual expenses to budgeted amounts must be performed on a regular basis, and all significant variances explained.
1.8 All operating units must develop a system of internal controls to ensure that the assets and records of the company are adequately protected from loss, destruction, theft, alteration, or unauthorized access.
1.9 Critical transactions in the company's business processes must be traceable, authorized, authenticated, have integrity, and be retained in accordance with corporate policies.
1.10 The business records of the company must be maintained and retained in accordance with corporate policies.
1.11 The corporate policy on proprietary, confidential, or trade secret information must be adhered to. As a result, employees and contractors must refrain from unauthorized disclosure of sensitive or confidential information. Adequate security must also be maintained in disposing of this information.
1.12 All computer systems and/or software applications that will impact the operation of a business process must have the adequacy of their internal controls verified through the user acceptance process prior to implementation.
1.13 Contracts that legally bind the company or a subsidiary company to any obligation can only be executed by purchasing personnel (for agreements pertinent to their areas of responsibility) or individuals duly authorized under the company's delegation of authority policy. Legal should review and approve all contracts, and “right to audit” clauses should be included in the contracts.
1.14 The company's internal control standards apply to all third parties who are in the possession of company assets. Examples of such third parties include outsourcing partners, sub-contractors, or public warehouses. Operating units are required to take appropriate actions to ensure compliance.
1.15 All operating units must develop, maintain, and enforce written policies and procedures that include internal controls, processes, roles, and responsibilities.

How This Toolkit is Organized

This toolkit is organized into 16 business processes and sub-processes. Each business process section has an Introduction, Process Overview, Metrics, and Statement on the Application of Internal Controls.

The metrics included in this toolkit provide recommendations and definitions for measurements, indicators, and analytics for each of the 16 business processes included. Metrics can be used to analyze a process and determine if there are fluctuations in results that may indicate a fraud risk or anomaly.

Some business process sections include key definitions that will help the reader understand the details of the business process and the necessary internal control standards. Each sub-process has an introduction, defines the applicable standards of internal control, and identifies the risk if the standard is not implemented. A glossary and addendum are also provided as additional references.

The table below depicts the organizational structure of the material provided in “The Internal Controls Toolkit.”

[Table: “The Internal Controls Toolkit” Structure]