Internal Audit Controls: Who Needs Them?
Molly Murphy CIA, CFE
Raheel Qureshi CPA

Housekeeping:
Please silence your cell phones
Take notes – share ideas!
Feel free to ask questions throughout the presentation.

Internal Audit Mission Statement
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Every profession has its own language, including audit.

What is Risk?
A situation involving exposure to danger. (Merriam-Webster)
The hazard or chance of loss. (dictionary.com)
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action. (businessdictionary.com)

What are Internal Controls?
Internal Controls are steps within a process designed to provide reasonable assurance regarding the achievement of objectives:
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable Laws, Regulations, Policies & Procedures

Types of Internal Controls: Preventive
Systematic field requirement checks (e.g. the system won’t allow text in a numeric field).
Assigning user access rights.
Automatic log-off after a period of inactivity.
Electronic approvals.
What are some other preventive internal controls?

Types of Internal Controls: Detective
Reconciling invoices to the ledger (payments).
Review of bank reconciliations.
Periodic review of user access rights.
Supervisory review of a report.
What other detective internal controls can you think of?

What are some of the internal controls that you encounter every day?
Computer username/password (DUO)
Preset time out on screen saver
49er Mart approval path
Card swipe door locks
2 signatures on DPRs
Reconciliations
Speed limit signs

Process Steps vs Controls
“A process step is a task, activity… that moves an input closer to the final objective.”
The office submits the reimbursements to the Travel Office within 30 days.
Faculty members verbally request supplies.

Process Step and Control
Process step: The department admin collects timesheets and files them.
Control: Supervisors review timesheet submissions monthly to ensure they were completed on time.
Process step: The office submits the reimbursements to the Travel Office within 30 days.
Control: Supervisors review and approve all travel reimbursements for accuracy before submission to the Travel Office.
Process step: Faculty members verbally request supplies.
Control: Department staff match the purchase order, invoice and receiving slip before marking the supply as received in 49er Mart.

App State lost $1.9 million to fraud at hands of LA man, indictment alleges
Excerpt taken from the Winston-Salem Journal Mar 27, 2018
A Los Angeles man stole $1.9 million from Appalachian State University by creating a fake company and posing as an employee of a construction company the university hired to construct a health sciences building, federal prosecutors said in indictments unsealed Friday.
According to indictments and other court documents, federal prosecutors say Ho Shin Lee registered a company called Royce Hub Trading Inc., as a corporation in California on Nov. 18, 2016. He described himself as chief executive, chief financial officer and secretary of the company and said that the company was in the business of “general merchandise.” Then on Nov. 23, 2016, Lee used a $100 check to open up a bank account for Royce Hub Trading at JP Morgan Chase. Lee told the bank that he was the president of Royce Hub Trading and the sole account holder, court documents said.
Appalachian State University hired Charlotte construction company Rodgers Builders to build a new health sciences building on the campus. The construction company filed a form on Oct. 14, 2016, with the school to enable wire transfers and direct deposits.
On Dec. 2, 2016, an employee at the university received an email from someone claiming to be a controller for Rodgers Builders. The email address was fake, federal prosecutors said. The email contained a direct deposit form and instructions to change banking information that Rodgers Builders had previously submitted.
The change would result in redirecting any money the university sent to Lee’s newly-created bank account, federal prosecutors said.
And that’s what happened on Dec. 8, 2016, when the university sent a wire transfer payment of $1.96 million to what officials thought was Rodgers Builders but was really Lee, federal prosecutors allege.
Lee received the funds on Dec. 12, 2016, and transferred the funds through a series of different financial transactions between Dec. 14-19, 2016, according to the indictments. Lee created two more accounts at separate banks in Los Angeles for Royce Hub Trading Inc.
Federal prosecutors said Lee made these financial transactions to “conceal, in whole and in part, the nature, location, source, ownership, and control of the fraud proceeds,” indictments allege.
Ho Shin Lee, 31, of Los Angeles, Calif., was indicted by a federal grand jury in Charlotte on 14 counts of money laundering, according to a news release from the U.S. Attorney’s Office in the Western District of North Carolina. Lee is facing a maximum of 20 years in prison and a $500,000 fine for each of the 14 counts.
Appalachian State University got back $1.54 million through civil forfeiture proceedings against bank accounts that Lee is alleged to have set up to launder the money.

Impacts:
Loss of funds due to unconfirmed changes made to the vendor’s direct deposit bank account information
Reputational damage from the negative publicity

Controls:
Verify the direct deposit bank account change with the vendor.
Validate that the employee worked for the vendor.
  o The genuine company’s web address was rodgersbuilders.com, but the email used in the scheme was sent from accounts@rodgersbuildersinc.com.
Require that a lien waiver be submitted at the same time as the payment request.

Based upon fraud alerts, Accounts Payable (AP) has enacted “best practices” related to direct deposits as of April 17, 2017. Below is a list of changes:
1. All direct deposit changes for vendors must be done using the Direct Deposit Vendor Authorization Form.
2. Once the form is received with the changing banking information, Accounts Payable will contact the company to verify the validity of the change. The contact information to reach the company must come from preexisting contact information in Banner and not from the change forms received.
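As an added example, not code from the presentation or from the university's AP process, the following Python sketch applies the two AP practices above together with the look-alike sender observation from the App State case: a change is considered only if it arrived on the authorization form, the verification callback goes to the contact of record (the number written on the form is never dialled), and a sender domain that differs from or imitates the vendor's domain of record is flagged for the reviewer. The vendor record fields, phone numbers and account ids are constructed placeholders and are not Banner's schema.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    """Vendor-of-record data as it already exists in the ERP (constructed; field names are assumptions)."""
    vendor_id: str
    name: str
    email_domain: str      # domain of record for this vendor
    callback_phone: str    # contact of record used for verification calls
    bank_account: str      # account currently on file


@dataclass(frozen=True)
class ChangeRequest:
    """A request to change a vendor's direct-deposit account (constructed)."""
    vendor_id: str
    sender_email: str
    new_bank_account: str
    on_authorization_form: bool          # arrived on the Direct Deposit Vendor Authorization Form?
    phone_on_form: Optional[str] = None  # number the requester wrote on the form (untrusted)


@dataclass
class Decision:
    status: str                          # "rejected", "pending_callback" or "approved"
    callback_number: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def sender_domain(email: str) -> str:
    """Lower-cased domain part of an address; empty string if there is no '@'."""
    _, sep, domain = email.rpartition("@")
    return domain.lower().strip() if sep else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss labels (one letter added, dropped or swapped)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, domain_of_record: str) -> bool:
    """True when candidate is not the domain of record but imitates it.

    Two cheap heuristics: the record's first label is embedded in the candidate's
    (rodgersbuilders -> rodgersbuildersinc), or the labels differ by at most two edits.
    """
    if candidate == domain_of_record:
        return False
    cand_label = candidate.split(".")[0]
    rec_label = domain_of_record.split(".")[0]
    return rec_label in cand_label or edit_distance(cand_label, rec_label) <= 2


def evaluate_change(req: ChangeRequest, vendor_master: Dict[str, VendorRecord]) -> Decision:
    """Apply the AP practices: form required, callback to the contact of record, flag odd senders."""
    vendor = vendor_master.get(req.vendor_id)
    if vendor is None:
        return Decision("rejected", findings=["unknown vendor id; no record to verify against"])
    d = Decision("pending_callback", callback_number=vendor.callback_phone)
    if not req.on_authorization_form:
        d.findings.append("change did not arrive on the Direct Deposit Vendor Authorization Form")
        d.status = "rejected"
    domain = sender_domain(req.sender_email)
    if domain != vendor.email_domain:
        kind = "is a look-alike of" if is_lookalike(domain, vendor.email_domain) else "does not match"
        d.findings.append(f"sender domain {domain!r} {kind} the domain of record {vendor.email_domain!r}")
    # The number on the form is never dialled; it is only noted when it disagrees with the record.
    if req.phone_on_form and req.phone_on_form != vendor.callback_phone:
        d.findings.append("phone on the form differs from the contact of record; record number will be used")
    return d


def record_callback(decision: Decision, vendor_confirmed: bool) -> Decision:
    """Finalise after AP has called the number of record."""
    if decision.status != "pending_callback":
        return decision
    decision.status = "approved" if vendor_confirmed else "rejected"
    if not vendor_confirmed:
        decision.findings.append("vendor did not confirm the change on callback")
    return decision


# Constructed sample data modelled on the App State case; phone numbers and account ids are made up.
VENDOR_MASTER = {
    "V-1001": VendorRecord("V-1001", "Rodgers Builders", "rodgersbuilders.com", "+1-555-0100", "ACCT-ORIG"),
}
SUSPECT_REQUEST = ChangeRequest(
    vendor_id="V-1001",
    sender_email="accounts@rodgersbuildersinc.com",   # the look-alike sender quoted in the slides
    new_bank_account="ACCT-NEW",
    on_authorization_form=True,
    phone_on_form="+1-555-0199",                      # requester-supplied number; must not be dialled
)

if __name__ == "__main__":
    d = evaluate_change(SUSPECT_REQUEST, VENDOR_MASTER)
    print(d.status, "call", d.callback_number)
    for finding in d.findings:
        print(" -", finding)
    print(record_callback(d, vendor_confirmed=False).status)
```

The design point is that the decision object carries only the number of record, so a reviewer following the procedure has nothing attacker-controlled to dial; the look-alike check is a prompt for the reviewer, not a substitute for the callback, since a genuinely compromised vendor mailbox would pass it.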
Definition of Phishing: Identity theft scam that allows an individual to gain access to sensitive or personal business information that can be used to steal identities, monies, and more.
In August 2018, North Carolina A&T and Elon reported that they were hit with a phishing email scam.
The hacker obtained access to campus email addresses and sent an email to the payroll office to change a direct deposit account to a cash card based in California.
Additional impacts:
Hacker deleted access to the employee’s paystub.
One other employee’s paystub was deleted, but their salary payment wasn’t re-routed.

Impacts:
Financial losses due to diverted funds and/or equipment failure.
Resource losses resulting from staff members losing valuable time to fix the damage.
Reputational damage from the negative publicity.

Controls:
Employee education and training. Never click on links in an email; always type the address directly into the address bar.
Use hard to guess passwords (short phrases) and change them frequently. Treat them like the keys to the kingdom.
Keep systems current with the latest security patches and updates.
Install antivirus software, updates, and monitor the results.

The university’s online Security Awareness training program
  o Training includes several videos.
  o Employees are encouraged to complete the Security Awareness Training module in Canvas.
DUO two-factor authentication (Required for university employees in early 2019)
  o Adds an extra layer of protection to your NinerNET account by requiring two factors to verify your identity.
  o Effective method for preventing unauthorized access to many university systems including Gmail, my.uncc, Banner, Dropbox, Kronos, and Canvas.

FBI Warns of Phishing Fraud Schemes Targeting Universities and their Students:
As of May 2017, financial losses to higher education institutions have approached one million dollars in some recent incidents.
Common Schemes
Vendor Bank Account Scams
  o Scammers spoof the actual email address of the vendor company.
  o Pose as a vendor on a project (e.g. construction) and direct emails to the university’s accounting office with bank account changes for future payments.
W-2 Scams
  o Scammers pose as high level executives (such as the university president) when requesting W-2 information from payroll employees.
Payroll Schemes
  o Scammer purports to be a university executive and sends a spoofing e-mail with a PDF attachment. Upon opening the PDF, the user is prompted to enter log-in credentials.
  o The scammer uses the credentials to log into the payroll system and changes the employee’s deposit information to have payments sent to a pre-paid credit card.

Definition for Conflict of Interest: An incompatibility between one’s private interests and one’s public or fiduciary duties.
Special Review of Campus Services Finds Wasted Money, Nepotism
Excerpt taken from the Atlanta Journal-Constitution, Aug 12, 2018
In May 2018, a whistle-blower complained to the Georgia Tech University System’s ethics hotline regarding a possible conflict of interest that existed.
An investigation revealed that former Executive Vice Presidents Steve Swant, Lance Lunsway, Thomas Stipes, and Paul Strouts exploited relationships with vendors by getting a school vendor to pay for the following:
  o Football Suite
  o Expensing after-hours dining and drinking
  o Playing golf with vendors during work hours
Swant also received pay from a company for serving on its board.

Impacts:
Misuse of University resources (time and money)
Appearance of impropriety
Reputational damage from the negative publicity

Controls:
Tone at the Top - Investigators found that the culture at Georgia Tech was “an environment of the wild, wild west. People feel like they can do what they want.” Senior Management’s behavior sets a role model for others.
Require ethics training for Faculty and Staff (at least annually).
Require individuals to complete a conflict of interest declaration (at least annually).
Need to update the manual expense reporting to an electronic process.

Additional Internal Audit Services
Evaluate and make recommendations where needed in:
Policies and procedures
Internal controls
Process changes
Conduct audit education
Perform process reviews
Investigate (ethical and compliance) fraud
Slide Note: Internal Audit Issues - Spring 2016