Day in the life of an Internal Auditor Alka Abbi Tomar

Agenda My journey… Internal Audit Sarbanes Oxley

Journey thus far… On-site Audits Remote Audits

My role INDEPENDENT FUNCTION Responsibilities include Assist management with SOX 404 compliance Conduct Internal Audits Investigations Audit Committee (BoD) VP Finance, Corporate Controller Director Internal Audit/SOX

COSO Framework (New) Source: sox-online.com

COSO Framework (old) Internal Audit SOX Span of Internal Control Oversight of Entity / Process Policies and Procedures Components of Internal Control Identification and Analysis of Risks Foundation - Discipline and Structure SOX

Internal Audit

Thoughts about IA profession Not the police Based on LOGIC and COMMON SENSE Global profession Foundation is Ethics & Integrity Duty to the Company & its stake holders Part of an Organization Partnership - No longer the ‘gottcha approach’ but still INDEPENDENT Spans all areas of the organization Finance & Accounting Operations HR Sales and Marketing Compliance IT

What is Internal Audit Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit Functioning Internal Audit Department Charter Approved by Audit Committee Annual Process Internal Audit Risk Assessment Selection of Audits Conduct Audits Conduct investigations Assist with compliance efforts such as SOX

Internal Audit Risk Assessment Assess Business Get inputs key members of the management team Review financial results, business and process documentation, corporate strategic initiatives during current and prior years Consider industry best practices Inherent risk of business activity Current and anticipated business changes Financial/transaction significance and trends Current control environment: staffing, policies, culture, changes Degree of legal/regulatory compliance requirements Consider Risks Develop Plan Summarize results of business activity risk assessments based on Significance and Likelihood Test conclusions with the Audit Committee Finalize internal audit plan for the year

Audit Methodology Planning Fieldwork Reporting Objective Background Scope Design Audit Plan Resources & timing Fieldwork Execute Audit Plan Discuss findings with process owner Obtain management remediation action Reporting Top Management Audit Committee

Examples of audits Finance and Accounting Operations Expense Audits Revenue Recognition Vendor Audit Operations Inventory Reverse Logistics Sales and Marketing Channel Partner Audit Marketing Fund Audit Compliance Audit Environment Audits Country Audit IT Security Audit   Human Resources Overtime laws Health Committee Free medical check-ups

Audit Techniques Interviews Analytical Email reviews / other forensic tools Substantive sample testing Continuous monitoring

Example 1: Country Audit Audit Objective: Based on understanding of the location’s business activities, the country Audit will include the following areas: Revenue Ensure orders were supported and booked properly, and revenue was recognized appropriately Operating Expenses and Expense Reimbursement To ensure company expenditures incurred were legitimate expenses, and were processed according to company policies and appropriate documentation maintained. Accounts Payable Vendors Payroll Balance Sheet Accounts and Reconciliations To ensure that balance sheet accounts have been properly reconciled with adequate supports and to search for unrecorded liabilities Cash Accounts Receivable Fixed Assets Liabilities Segregation of Duties Channel Sales Review Compliance Review

Example 2: Country Audit Key Audit Steps taken: Interviewed key process owners to understand the processes Obtain process documents and policies Data Analytics to identify areas of focus Sample testing of areas identified Separate steps for each area

Example 2: Country Audits Revenue Objective Ensure orders were supported and booked properly, and revenue was recognized appropriately Audit Procedures Review P&L and customer reports Revenue composition Major customers Unusual fluctuations Local Order to collection process Detailed sample testing for Supporting documents (customer PO, shipping docs, etc) – booking accuracy Proper cut-off Shipping terms Compliance with revenue recognition criteria – Based on Corporate (US) Fees are fixed and determinable Persuasive evidence of agreement Delivery of goods Collectability reasonably assured

Example 2: Country Audit Channel Partner Review Objective Channel stuffing Related party transactions FCPA compliance Sales Returns Audit Procedures Review list of channel partners and sales reports Volume Discount Growth Rebates Sales returns Review agreements with Channel Partners Interview with Channel partners

Example 2: Country Audit Key Findings: Revenue Cut-off evidence of shipment not available; revenue recognized in the wrong period Segregation of duties: AR Accountant – applies cash; credits; collection calls Channel Partner Related party transactions Channel stuffing Operating Expenses and Expense Reimbursement Accounts Payable Potential misappropriation funds -petrol cards Non compliance with Spending policy Leased property was subleased – not properly accounted for Payroll Terminated employees were paid Segregation of duties Payroll vs GL reconciliation not performed Payroll consultant handled competitor payroll Balance Sheet Accounts and Reconciliations Bank: Segregation of duties Fixed Assets: No confirmation of offsite assets No confirmations of demos, etc

Example 2: Reverse Logistics Audit In simple language…goods returned Audit Objective: To verify that goods returned are accounted for appropriately Key Audit Steps taken: Interviewed key process owners to understand the process Where are returns received? Who receives them? How is it supposed to be captured in the system Are items scrapped or refurbished? How are both scrap and refurbished items documented and traced Are there any known issues or areas of improvement Obtained list of assets returned in the books of accounts Surprise visit of the warehouse for physical count Compared actual inventory with books of accounts Observe security of warehouse

Example 2: Reverse Logistics Audit Key Findings Management had a project team to reconcile differences between goods that were scheduled to be received/ received and goods actually received – had been in place for a few years Physical count of goods returned was never conducted Access to goods returned area was not restricted Physical count observations Goods indicated as received were not in the warehouse Goods not on the list were in the warehouse Goods of a different Company were mistakenly received by the Company Items which were scrapped in the books were still in warehouse Items sent for internal use (for R&D) could not be traced to location Goods received had not been entered in the system for upto a week as research was ongoing on the order, etc

Example 2: Reverse Logistics Audit Management Remediation Warehouse area was redesigned Full physical count of goods returned was conducted and differences written off Access to goods returned area was restricted to responsible personnel Formal process was established to track Scrap Items circulated internally Items received were recorded in the system the date of receipt Goods received but not identified were recorded in the system Once identified to a specific sales order, it was transacted out of this ‘suspense’ account Bar coding/ scan was being established

Fraud

Fraud Not a part of an Internal Audit Helps with prevention Sometime with detection Investigations Revenue Recognition Check fraud Related party transactions Petrol card fraud FCPA (foreign corrupt practices act)

Fraud Triangle Pressure/Incentive Opportunity Rationalization

Sarbanes Oxley Compliance

What is Sarbanes-Oxley or SOX? Sarbanes-Oxley Act was passed in 2002 Section 301: Whistleblower policy Section 302: Quarterly Disclosure of control effectiveness Section 404: Annual Internal Control over Financial reporting (ICFR) report Section 906: Criminal penalties

Reliability on Financial Reporting (10-K) SOX 404 Objective Reliability on Financial Reporting (10-K) Improve Corporate Governance Increase Transparency Enhance Internal control over financial reporting (ICFR) Management requirement Document processes and controls Evaluate design and operation of controls Report on the effectiveness of its ICFR

How does SOX404 impact a Company? Management Reporting Annual 10-K SOX 404 Compliance Share Price SEC Reporting External Audit External Audit

Internal Control over Financial Reporting Assessment SOX 404 Methodology Planning Internal Control over Financial Reporting Assessment Reporting Risk Assessment Significant Accounts Scoping (identify processes in scope) Location Scoping Materiality Assess current state Evaluate design of controls Validate and update critical process documentation Narratives Risk and Control Matrices Test Plans Walkthroughs Tests of key controls Design solutions for control gaps Implementation of solutions for control gaps by management Retesting of remediated controls Self Assessment Assessment of deficiencies SOX 404 - Management Certification Jan-Mar 2011 Apr- June 2011 June – Oct 2011 July – Dec 2011 Jan – Feb 2012

Questions?