Posts Tagged ‘internal audit’

Small Company Structure vs. Internal Controls….

June 11th, 2009

During one of my prior engagements I was challenged with a situation in which we had a serious possibility of fraudulent accounting activities. The source was one of our foreign offices, which had only a small operating staff, and even worse, only a few accounting folks. There was not a broad enough staff to implement all the necessary levels of control to have a strong level of comfort to say all was operating perfectly. What triggered the entire situation was the combination of operating expenses that continued to exceed Budget in a very material way, as well as the delay or cancellation of payments for shipments into their country. What was even more amusing was the fact that the country entity even passed a corporate audit after improprieties were suspected. After I was given the green light for a surprise audit, as an inter-country supplier, we effectively blew the lid off what was happening within that country. I’m actually quite proud of the work that was done on that situation.

The real question, though, is how do you put effective controls in place to prevent fraud or other improprieties? In my current engagement, I find myself with a company that has a Finance staff that is much leaner than normal for a company of this size. Fortunately I have a GREAT staff that I am able to push hard and we have implemented new documentation, new control procedures, and a level of financial reporting that is consistent with GAAP and fully supported with all the necessary documentation. So what’s the big deal? Try reaching this level with a small entity, where habits are long-lived, and financial disciplines are an afterthought. To the Company’s credit, we also have a great Management team that is both open to, and supportive of, the change. They’re also seeing the benefits of the improved financial reporting on their ability to run the business and make informed decisions. Great, so we now have solid reporting. What next?

Next is the task of putting a more rigid control structure in place and implementing regular audit procedures that will prevent the temptation or likelihood that fraud will be perpetrated against the Company. But how do you do this when you don’t have the resources to add additional headcount, engage external resources, or implement new software platforms? It comes through the diligence and integrity of the existing staff and cross-testing the existing resources. In the most elemental spirits of internal audit and Sarbanes-Oxley, it comes from having an effective control environment, appropriate risk assessments, as well as the necessary monitoring to determine that all controls are effective and that any necessary corrective actions are undertaken.

- But our Company doesn’t have its financials audited?

- But our Company does not have an Audit Committee?

Doesn’t matter…create the necessary level of communication with the Shareholders and Executive Team and keep them informed as to how the resources of the company are being protected. Ultimately, inattention to these areas will, at a minimum, result in funds being diverted from the Company, or worse, could lead to the demise of the Company. In a positive outcome, the actions taken will lead to a significantly higher level of trust in the financials and a higher valuation as it might relate to any acquisition activities your Company may find itself in. What is your commitment to ensuring that the proper controls are in place?

Thanks for reading . . . .

Jeffrey Ishmael

Moss-Adams conference recap; “Back in Black”

June 3rd, 2009

Today I was given an invite to attend the Moss-Adams conference, “Back in Black – Paving a Path to Profitability”. It was their first in what they hope is an annual event. The conference opened with a number of comments by key Moss-Adams personnel, was followed by three breakout sessions, and ended with a lunch and closing remarks by Pat Haden of Riordan, Lewis, and Haden. RLH was a prime participant in the conference, taking part in a number of the panel discussions.

Interestingly enough, the previous CEO of Moss-Adams, Bob Bunting, delivered the opening remarks through a pre-taped video. What was worthy of note is that Bunting is currently in Dublin attending an IFAC summit regarding IFRS. Bunting spent quite a bit of time discussing the pending adoption of IFRS and the various considerations. As a bit of validation to some of my recent posts, he directly discussed the lack of training that is currently happening and the absence of an IFRS presence at the University level. As he discussed the specific rollout dates for each country it became apparent to those in attendance that this is a legitimate issue. In an electronic poll conducted with attendees through the room at the close of the video opening, 84% of attendees believe that IFRS will be mandated in the U.S. However, Bunting was also quick to comment in his video that the adoption of IFRS was not going to be the result of actions taken by the SEC, but through overall Market pressures that would force the U.S. to adopt the new standards.

I would like to say that the breakout discussions were incredibly informative, but there seemed to be little new information that was discussed or presented that isn’t already being actively covered daily by the media. Unfortunate for what could have been some very interesting topics. However, there were a number of other polls taken in the morning that were interesting.

- Attendees believed that Domestic opportunities would provide the highest area for growth, with a 54% weighting versus International at 46%.

- Attendees were still somewhat pessimistic when it came to growth in the second half of 2009. Approximately 63% of attendees believed business would be flat to negative 3-8%. Of this number, 29% believed they would encounter declines of greater than 8%. Only 37% believe that business might improve. Of the optimists, 19% believed business would increase 3-8% and 18% believed business would increase greater than 8%.

- When asked what the biggest key to success would be in 2010, 48% responded it would be “Improved General Economic Conditions”. Of the remainder, 18% mentioned Access to Capital, 16% mentioned Production Improvements, 3% mentioned Competitive Pricing, and the remaining 15% mentioned Internal Efficiencies. What’s worthy to note is the 3% that mentioned competitive pricing. I find tremendous value in the statistic that companies are not looking to improve their situation by engaging in price wars. They are looking to improve operating and production efficiencies.

Thanks for reading . . . .

Jeffrey Ishmael

Quality Control…or is it Quality of Controls?

September 17th, 2008

It’s a bit disheartening to continue reading about so many instances the last few days of internal fraud carried out at both private and public companies. There’s no need to look any farther than to see examples in the last few days, which include American Intl. Pasta Company (fraudulent reporting), Hilfiger ($19m embezzled), and Quest ($10m “questionable” transfer). As a Finance professional who has worked at both smaller and larger entities, the biggest question I have is what were the levels of audit / control that were supposed to be in place and why didn’t they detect this activity sooner? It’s an easy question to ask but we don’t need to look any farther than some of the most recognized institutions, which have some of the most stringent controls, for examples of controls gone bad. Do you recall the collapse of that English banking institution formerly known as Barings as a result of the futures trading and wiping out the bank’s reserves entirely? How about more recently, Jerome Kerviel of Societe Generale and his 7.2 billion Euro loss on his futures trading?

Whether public or private, every company needs to have these levels of control in place to detect potential mis-dealings by employees. And it’s not going to be found just within the Finance department. It’s going to be found in Purchasing, Marketing, Logistics, and every other functional area of the organization. It’s not just going to be in the form of embezzled funds, but in inappropriate relationships, kickbacks, or even something as elaborate as a shell corporation, which I discovered had been set up by a country manager at our Mexican subsidiary. The foundation for having these controls is not just the documentation of certain processes. It needs to start at the top of the organization by putting in place an environment of control that communicates to employees what their span of authority is. Defining what their decision making limits are, and if pending decisions are outside of those limits, what the escalation process is for approval.

Within the scope of a SOX framework, it outlines the need for a “suitable and recognized control framework”. There are a number of segments that comprise this framework, but from an overall view, there are key areas to address. These areas include, as discussed, a Control Environment, Risk Assessment, Information / Communication, and Monitoring. Now, as I’ve mentioned with all my posts, this is only meant as a summary and not an exhaustive commentary. Our ultimate goal as Finance professionals should be the ability to generate company financials that are free from error and allow the key players in the organization to make informed business decisions. To generate information that can be trusted and relied on in the growth of the business. Only after we have managed to deliver this, as a functional area, can we fulfill the remainder of our role as an advisor on other corporate matters.

It would be easy to spend a week discussing the topic of internal controls, structuring an internal audit, and the follow-up activities of such an audit. Not quite possible here. The intent here is to have you consider the topic, whether it’s appropriately addressed within your organization, or that maybe it’s in need of a refresher due to material changes in staff, market, or regulations. What is the Quality of your Controls?

Thanks for reading . . . .

Internal Audits & a review of Information Systems

August 28th, 2008

In my last few posts about the internal audit process I reviewed the approaches that were applied to the Finance/Control and Sales/Marketing areas. Equally important, perhaps the most, was the review of the Information Systems. For my time at MGE, I had actually found system uptime and the quality/consistency of data to be some of the best at any company I had worked with. I had not encountered any issues with security breaches of info, nor had I heard any horror stories.

This was the one area of the audit where we had any differences of opinion regarding the findings of the auditors and the processes that we had in place. It finally came down to a “recognition” of their findings as opposed to agreement. We also found ourselves in a position in which one finding in the North American audit was the direct result of directives from our headquarters in France not to implement specific action plans. Some of the findings of the auditors included:

1. No comprehensive Disaster Recovery plan. This was the interesting one since we had such a plan in each of our capital budgets for the previous two years and were told by our headquarters that there was no room for this in the Budget. Well….I guess there would be now. The auditors were looking for defined system recovery requirements, storage and data locations, emergency procedures, along with a recovery framework.

2. Lack of segregation / out of date access rights. This was an area that I had addressed in an earlier post regarding access to Finance info. While we had addressed this issue within the Finance department, there was not the follow through to address this on a greater company-wide basis. This was a valid point but ranked lower on their priority list.

3. Lack of formal IS procedures. Another interesting one since they were looking for a set of KPI’s to be implemented to measure the performance of this group. It came down to the fact that we did not use their KPI’s. We had a fairly extensive list of indicators that we used to measure everything from system uptime, storage performance, user service requests, to project management.

4. Platform access rights. We had a single individual who had access rights to both the Production and Development environments within a certain software application. It was a little difficult to get around this since we only had one person who had an expertise in this platform and were not going to make additional investments in the platform moving forward. Point noted….

As I had mentioned in earlier posts about the internal audit process, this continued to be a very valuable process to help identify potential areas of risk. Fortunately, there continued to be very few surprises as we progressed through this project. I would highly suggest to any Senior Finance professional coming into an organization to read the last internal audit report, or conduct one if one has never been undertaken. Know where your risk is and how your career could potentially be impacted.

Thanks for reading . . . .

When Audit teams and Sales staff collide….

August 18th, 2008

In my last commentary on Internal Audits, I went into an overview on the segment concerning Finance & Control. When it comes to this group, internal audit exercises are rather straightforward and generally not intimidating. But how do you coordinate this same exercise for a group that’s not used to being questioned and are accustomed to generally running in a fairly independent fashion, like the Sales department? Answer, very carefully and with a bit of handholding. Again, like the Finance portion of the audit, this is only intended as a brief overview and there was a much more comprehensive approach behind the scenes.

Although the intended scope of review for this department was not going to be the least bit exhaustive, it did mean that Sales personnel were going to be questioned on protocols and that their approach was going to come under some level of scrutiny. With regards to the auditors, they were going to key on some of the following topics:

1. Efforts & action plans to achieve synergies with the parent company.
2. Project margin tracking was in place to achieve the original commitments.
3. Sales personnel bonus plans were definitely structured and approved.

I knew that the first couple parts were not going to be much of an issue, but once you start questioning Sales folks about their bonus plan you know there’s the potential for fireworks.

As we went through the various topics, we began to dig into more detail about how higher value jobs were being quoted and how the change orders on those jobs were being charged to the customer, or in some cases, how they weren’t. Fortunately, we had already implemented a new reporting structure prior to the audit that had us tracking the margin progression of every job over a specified value. We would track every progression in the job to the point that if we encountered even 50bp of margin change by the completion of the job we could bridge every element contributing to that change. For the better or the worse….

The delicate balance in this portion of the audit was working with the Sales team, who were instinctively working in the best interests of the customer and meeting their goals, and the Audit team, who was only focused on whether protocols were being followed, regardless of the outcome. We encountered some very short tempers but were able to work through it once each party understood the motives of the other. Not that the Audit team really cared…..

The valuable perspective for this part of the audit was that you had one group who worked in multiple shades of grey, and the Audit team who only worked in black and white, and how do you generate a productive outcome? We did so by educating all parties involved and making sure that all parties were working towards the same outcome – Making sure the company continues as a growing and profitable entity while mitigating risk.

Thanks for reading . . . .

Internal Audit – Finance & Control

August 14th, 2008

In my last posting about embracing the Internal Audit process, I spoke to the value this exercise can provide to any current or new Finance leader. For the audit that we had gone through after the close of purchase for the final minority share of our business, we performed a comprehensive review on six key areas of our operations. I outlined these areas in my last post, and today, will go into a little more detail on the area of Finance & Control. It’s still best to keep in mind that this was an audit that spanned approximately 8 weeks so even a more specific overview is still a summary at best and the level of underlying detail is much greater than what is represented here.

As far as our review of the Finance area, the goal was to assess the adequacy of our primary Finance & Accounting processes, Credit management, and our application of Group Accounting principles. To break this review down a little further, we were going to run through some of the following steps:
1. An analytic review of our financial statements along with our external auditor reports.
2. A review of our systems and processes that supported our financial reporting.
3. Reviews of our delegations of authority.
4. Our compliance with Group Accounting principles.
5. Invoicing, Credit, and Cash management.
6. Assess the valuations of our balance sheet reserves.
7. Reviews of our fixed assets and associated valuations.
8. Reviews of employee expense reports.

This was certainly not a simple review and necessitated extensive time pulling documents and reviewing our processes. Further, each one of these processes needed to be assessed a risk-weighting that determined what degree of risk it posed to achieving our results and generating accurate reporting. There were three distinct levels of risk depending on what “Findings” were associated with each area. A “Finding” could either be quantified through its potential impact to results or qualified through a breach of corporate policies or guidelines, or the ability to impact the reputation of our corporate parent.

Again, since we had already been operating under the umbrella of our corporate parent for a number of years, we had already embraced their guidelines and reported our results according to Group Accounting principles. Therefore, our preparation level was already very good with respect to this audit. Any anxiety levels aside, it was a process that should be embraced by any Finance leader that is new to the organization and needs to uncover potential areas of risk.

Thanks for reading . . . .

How accessible is your Finance data?

August 13th, 2008

It seems like a bit of an odd question at first considering we typically work under structures of system permissions, protocols, and how often user profiles should be audited. The key phrase here is “should be”. It’s very easy to become somewhat complacent and rely on written procedures that are in place and the assumption that they are being followed. I was doing some pretty extensive work on some forecasting files, which inexplicably, I could not find during my next session. These were in folders that I constantly worked in and allowed limited access to only a few individuals. I was now unable to locate them and needed to know what happened and who was in the files last. For all I knew, I might have mistakenly saved them to a new location….

I ended up finding the files after only minimal effort, but what I found in the process was more disturbing. I requested from our IT group a list of individuals who had general access to the Finance drive and then the permissions that were granted to each one of those individuals. Keep in mind that we only had approximately 30 people in our Finance department. What I got back was a list of about 70 people that had access to our drive! Are you kidding! It didn’t take long to see that a number of these individuals were no longer with the company. There was also a population of folks that had transferred to other functional areas in the company. Most of those that had transferred had not recently accessed the data. Regardless, this had to be immediately corrected.

Our IT group, that same morning, received a corrected list of individuals that should have access to the Finance drive and the changes were implemented immediately. There were some updates to permissions, but these were relatively minor. Lesson learned. Although we had specific protocols in place, they were not always being followed as directed. We also learned that we had to increase the level of communication between HR and IT, and in a much more formal manner. I have always incorporated a certain level of paranoia into my daily routine in regards to identifying risk. This was one more confirmation of that approach. So I ask the question – “How accessible is your Finance data?”
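The reconciliation described in this post (the IT access list for the Finance drive checked against what HR knows about each person) can be run as a recurring check. The sketch below is an added example, not part of the original post; the record formats, user names, the 90-day staleness threshold and the exception list are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:            # one row of an HR roster export (hypothetical format)
    user: str
    department: str
    active: bool


@dataclass(frozen=True)
class AclEntry:            # one row of an IT access export (hypothetical format)
    user: str
    permission: str
    last_access: Optional[date]


def review_access(acl, roster, owning_dept, exceptions=frozenset(),
                  as_of=None, stale_days=90):
    """Return {user: (action, reason)} for every ACL entry that needs attention."""
    as_of = as_of or date.today()
    hr = {r.user: r for r in roster}
    findings = {}
    for entry in acl:
        rec = hr.get(entry.user)
        if rec is None:
            findings[entry.user] = ("REVOKE", "not in HR roster")
        elif not rec.active:
            findings[entry.user] = ("REVOKE", "no longer with the company")
        elif rec.department != owning_dept and entry.user not in exceptions:
            findings[entry.user] = (
                "REVOKE", f"now in {rec.department}, outside {owning_dept}")
        elif entry.last_access is None:
            findings[entry.user] = ("REVIEW", "never accessed the share")
        elif (as_of - entry.last_access).days > stale_days:
            findings[entry.user] = (
                "REVIEW", f"no access in over {stale_days} days")
    return findings


# Constructed sample data: nobody here is taken from the post.
AS_OF = date(2008, 8, 13)
SAMPLE_ROSTER = [
    HrRecord("alice", "Finance", True),
    HrRecord("bob", "Finance", False),          # left the company
    HrRecord("carol", "Sales", True),           # transferred out of Finance
    HrRecord("dave", "Finance", True),
    HrRecord("erin", "Internal Audit", True),   # approved exception
]
SAMPLE_ACL = [
    AclEntry("alice", "modify", date(2008, 8, 10)),
    AclEntry("bob", "modify", date(2008, 3, 1)),
    AclEntry("carol", "read", date(2008, 1, 15)),
    AclEntry("dave", "read", None),
    AclEntry("erin", "read", date(2008, 8, 1)),
    AclEntry("frank", "read", None),            # account with no HR record
]

if __name__ == "__main__":
    result = review_access(SAMPLE_ACL, SAMPLE_ROSTER, "Finance",
                           exceptions={"erin"}, as_of=AS_OF)
    for user, (action, reason) in sorted(result.items()):
        print(f"{user:6} {action:7} {reason}")
```

Feeding the check from the HR system of record rather than from a manually maintained list is what closes the HR-to-IT communication gap the post identifies.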

Thanks for reading . . . .

Internal Audits – embrace & value the process.

August 7th, 2008

While I had always participated in the internal audit process and provided my portion of the contribution, I’m not sure I really appreciated the process until I was the person actually leading the Finance team and responsible for everything that happened “under my watch”. During my time with MGE, it was decided by our parent company, Schneider Electric, that they would be purchasing the remaining portion of our company and converting us to a wholly-owned subsidiary of their $13 billion conglomerate. At the close of the transaction, Schneider sent in a full team to conduct a comprehensive internal audit on our process, documented procedures, and potential areas of risk.

The audit was not going to cover just the Finance department, but encompass every area of the organization. This was going to be an 8-week process that was going to cover Inventory & Logistics, Sales & Marketing, IT, as well as Human Resources. Their main objective was to assess the potential risks within each one of these areas and rate those levels of risk according to their importance and the ability to potentially have a material effect on our financial results. We also wanted to determine what levels of internal control and monitoring we had in place to deal with the risk, and if necessary, propose recommendations to correct either the situation or our ability to follow the risk.

Since we had always had a very good relationship with Schneider Electric there was no significant anxiety about the proposed audit, but this effort was much more comprehensive than previous audit engagements. We were hosting individuals from Los Angeles, Chicago, and Paris, along with occasional visits from external auditors Mazars and Moss Adams. Perhaps there was no significant anxiety since we had always operated our entity with a high level of control and accountability. Ultimately, our audit concluded in a very satisfactory manner with some areas that were noted for improvement and a timeline for follow-up and modifications.

This is obviously a process that can be addressed in much more detail considering this was an 8-week engagement, which I will in future posts. I will spend more time discussing the audit engagement for each area. The most significant takeaway was the additional insight that it gave us into our organization and receiving an unbiased view of our operations. For any new CFO, this is a critical step to go through and assess what the strengths and weaknesses are for the organization and what the areas of risk are for you in the execution of the company’s financial goals. An area that certainly shouldn’t be left to chance & is well worth the 4-8 weeks that you might invest.

Thanks for reading . . . .

How well documented are your internal controls?

July 29th, 2008

Regardless of the size of organization you might be managing, one of the best documents that you can have in place is the one that sets the ground rules for spending and entering into commitments on behalf of the company. Depending on the company, this document can be referred to as a Schedule or Delegation of Authority. I’ve learned to refer to it as the D.O.A. (no pun intended for those that do not adhere to the guidelines…..). This is the document that doesn’t leave anything to chance regarding approval levels and notifies each managing level as to their spending / commitment capabilities.

The typical Delegation of Authority will state the purpose & applicability of the document and covers the ground rules for executing documents, engaging in binding agreements, or approving material decisions on behalf of the company. This document will typically break decision makers into primary categories, which individually address Managers, Directors, Vice Presidents, and Executive Officers. Considering the wide scope of purchases that could be covered by such a document, it usually tries to cover those areas that could have a materially negative impact on the company. These areas might include leases, service contracts, capital expenditures, credit limit authorizations, or check signing authority. Keep in mind that these are only a sampling of the areas, and depending on the complexity of the organization, may involve dozens of areas to specify. Further, depending on the global footprint of your company, this should also be coordinated with all foreign offices. In one particular version that we drafted, orders of certain magnitude were required to be approved by the Chairman to ensure that appropriate margin levels were achieved and key global managers were also aware of the transaction.

If you’re currently operating without a DOA, then now may be the perfect time to address this area and start putting together that first draft. There won’t be a single version that you’ll draft and distribute. This is a dynamic document that will continue to evolve as your company grows and hopefully begins moving into new segments. I’ve been mentored by some fantastic Finance professionals and the constant message has been one of paranoia. What’s going to get you next? This is one additional tool that will hopefully mitigate adverse reactions on the part of employees, that while not intentionally malicious or fraudulent, could have a material effect on your results. And that’s really what this document is about…increased communication throughout the company.

Thanks for reading . . . .