The Risks of Conducting Business Internationally

Conducting business internationally carries many risks that domestic business does not. International business involves exposure to local economic conditions, fraud, and bribery. Business can be interrupted by political problems such as insurrections, problematic diplomatic relations, hostility from locals, and volatile foreign governments. Unstable currency exchange rates and exchange restrictions can also complicate international dealings. Finally, foreign earnings and investments are subject to restrictions, and tariffs, foreign withholding, and other tax issues can further restrict returns.

With all of these challenges in play, companies operating internationally should keep a careful eye on local conditions and internal logistics. Regular visits by an internal audit team will help make sure risks are effectively controlled and will secure the financial interest of the parent company. Ultimately, preparation and constant attention are the best protection against threats to international business.

Logistical Risk

International business complicates supply chains and presents other logistical concerns. Your ability to deliver your product on time and on budget requires capable suppliers.

Two common tactics to mitigate logistical risk are supply chain diversification and granting exclusivity to one trusted supplier. On the one hand, if you diversify your supply chain extensively with suppliers from multiple nations or regions, you may reduce risks local to each region, such as severe weather and political unrest. This tactic is only feasible for businesses that have the resources to cover diverse work and resources.

Granting a single supplier an exclusive license might get you into their territory, but it can also limit your growth. If you do grant a company an exclusive distribution agreement, make sure to set clear terms within the agreement. Terms should clearly state that exclusive distribution is intended to develop the entire geographical market in no more than two years. Set challenging business goals for your exclusive licensee, and plan a way out if the supplier fails to meet goals.

Regulatory Risk

There are many types of regulatory risk, but two of the most common involve environmental regulations and taxes. Environmental regulations can affect the entire bottom line, and many countries have stricter environmental standards than the United States. International business ventures that consider and respect local environmental attitudes are often more successful. As a result, local filing and permit regulations can be confusing; it is ultimately most efficient and cheapest to collaborate with local businesspeople, accountants, or lawyers.

Corruption Risk

For years many U.S. companies have regularly engaged in bribery, fraud, false bookkeeping, and other corrupt business practices in international business. The international business scene is dominated by a “don’t ask, don’t tell” culture, which is contrary to popular domestic “speak up” policies that encourage whistleblowing and ethical leadership. A serious anti-corruption compliance program is a crucial component for any business operating internationally.

In recent years the Department of Justice has emphasized the requirements for an adequate Foreign Corrupt Practices Act (FCPA) compliance program. So far, the vast majority of investigations have not gone before the SEC, but it is still extremely important that your company handle incidents properly. FCPA violations, before the SEC or not, are expensive and damage your business. In particular, routine violations cause employees and investors to lose confidence in corporate leadership. This is particularly true in the case of bribes; although government officials may be the end target, company officials often profit from the corruption as well.

Health and Safety Risk

Detailed knowledge of a country’s health and safety risks is a prerequisite for low-level business travel, let alone establishing a permanent company presence. Ensure employees are up to date on all recommended vaccinations and that they take all prophylactic medications as directed. The Centers for Disease Control and Prevention provides all the information you need on specific cases.

In-country access to emergency healthcare is essential for all employees, as is telephone access to an adequate 24-hour emergency health center. Employees should also be familiar with emergency evacuation options. Additionally, travel medical insurance may be needed for some employees.

Legal Risk

Business owners and corporate lawyers need to understand major legal differences between the U.S. and other countries. The U.S. is an English Common Law country, while most of the rest of the world is based on European Civil Law. This means that American law almost never sets global precedents; in fact, U.S. law is often considered irrelevant.

The legal burden is on U.S. companies to ensure compliance with local laws. Companies should also know international business law. If a company’s lawyer knows the relevant law, the company’s standard distributor agreement will be more efficient and there will be fewer disputes with distributors.

Cultural Risk

Unfortunately, most American businesspeople have very limited knowledge of foreign cultures. They often know even less about foreign law. It is difficult to find a management team that can operate internationally with strong language skills and cultural awareness. So how can your company ensure that your business is well represented internationally?

Good training is essential. In order to achieve success, your team needs to overcome these cultural barriers by networking and actively participating in international partnerships. Truly investing interest in the local culture takes time, but diligence benefits not only the business, but your team; a deeper understanding of everyday cultural norms, both in and out of the workplace, will enhance everyone’s experience. That said, international positions require intense effort, so consider short-term postings for your international positions and virtual collaborations to supplement your teams.

Financial Risk

The U.S. dollar isn’t the infallible currency that it used to be. Companies must be diligent to mitigate against financial risk. Carefully consider employee qualifications, especially when hiring domestic employees to work internationally. Most American businesses seek international managers who have demonstrated their reliability in similar positions and who can communicate effectively both with local employees and American management.

Local management teams should also be accustomed to working ethically. For example, the right local management may have experience with the local business scene, but this authority is only valuable if it was earned in line with local law and with your company’s Code of Business Conduct. You should verify the accuracy of a potential employee’s reports from previous work, ensure that he or she was compliant with best practices, and check that he or she avoided fraud and other ethical pitfalls. Make sure you have the cultural context to ask the right background questions of international candidates; more than 75% of FCPA cases involving U.S. businesses concern the actions of third parties. Due diligence lessens your third party risk.

Political Risk

International businesses face several types of political risk. Local authorities may fail or refuse to enforce business deals. War, insurrection, and terrorism can disrupt business across an entire region. International assets of U.S. businesses can be seized due to nationalization.

Careful research and extra precautions can mitigate your political risks. Know your limitations as a business and be realistic. One option is to work with an organization like the Multilateral Investment Guarantee Agency (MIGA) of the World Bank. This agency of international experts promotes economic growth in areas plagued by political unrest; MIGA can advise your international dealings and can design a customized insurance policy for your company at a reasonable cost.

Takeaways

Best practices for international business include strong risk assessment and mitigation strategies against fraud, misconduct, and other potential problems. The global business arena is constantly changing, so any good strategy will demand regular updates, including internal audit teams to monitor the status of satellite locations routinely. Research into the local financial, cultural, and legal practices will pay off in risks avoided and business maintained.


This blog post was written by Veronika Fritz. Veronika is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services. Veronika is a CPA with over 18 years of audit and management experience. Her experience covers all areas of business including compliance, financial, operations and Information Technology. She has led the planning, development and successful execution of financial audits, Sarbanes-Oxley Engagements, pre- and post-implementation ERP system reviews, and business process evaluations. Veronika has expert knowledge in evaluating the design, integrity, effectiveness and reliability of internal controls for financial reporting processes and Enterprise Resource Planning software. She has been a trusted advisor to companies spanning various industries. If you would like more information about Vonya Global or if you have a question for Veronika, you may contact her through this blog, the company website, Twitter, or her LinkedIn Profile.


Handling Misconduct at the Management Level the Right Way

Recently, the SEC awarded a whistleblower more than $300,000. Though the employee first reported misconduct internally, the company failed to act and suffered greater consequences for inaction. This was the first such award given to a whistleblower working in compliance, and acts as a signal to the business community: respond appropriately to reports of misconduct, or pay the price.

It is easy for management to feel uncomfortable given such headlines. However, the lesson here is to encourage internal whistleblowing and adopt reporting procedures that maximize employee comfort.

Research proves that most whistleblowers try to report fraud internally before approaching the government. Employees only go to outside authorities when their complaints are ineffectively resolved or after they hit walls internally. To minimize your exposure to liability, enhance the comfort level of your employees and make sure that your company facilitates internal reports.

That same research shows that when businesses implement even-handed procedures for assessing complaints and treat reporting employees with respect, employees are far more likely to feel satisfied by the process, regardless of the result. Employees need to have confidence in the misconduct reporting process in order to use it.

Fortunately, there are some concrete strategies for encouraging internal whistleblowing:

Provide the Right Training

Let your employees know you have a reporting program, and demonstrate how to use it. Training helps employees see that you are committed to resolving misconduct complaints in house. Publicize your company’s internal reporting policy regularly, not just at hiring time, and remind everyone that they can report misconduct and fraud without fear of retaliation.

You should not tell your employees that they have to report internally first; regulators view this sort of mandate unfavorably, and such requirements have been expressly rejected by the SEC.

Put the Best Person in Charge

You need an open door policy and you need the right person behind that door; otherwise, no one will come in. Make sure the officer in charge of complaints is someone accessible that your employees can trust. Be absolutely certain that he or she understands confidentiality, and train them to be neutral.

Ensure that your investigator knows the applicable laws and tools to resolve issues. While protecting confidentiality is important, make sure the investigator communicates with everyone involved in a complaint. In order to maintain confidence in the system, the investigator should keep whistleblowers, the accused, and witnesses involved and informed.

Create an Avenue for Anonymous Reporting

Whether it is a comment box, an online form, or a hotline, make sure that your employees have a way to report misconduct and fraud without revealing their identity. No one likes to think that their organization could be dangerous or discriminatory, but it happens.

Talk To Your Employees About Their Experiences

Ask employees about misconduct routinely and in exit interviews. Be sure to let them know that responding is optional, but document willing answers thoroughly.

It is not a good idea to ask employees, during their employment or in an exit interview, to acknowledge whether they have disclosed anything confidential to the government. Furthermore, never ask employees to give up their anti-retaliation rights in any way.

Focus On the Process

Make sure all procedures are transparent. Explain the process in simple terms, not legalese. Always reassure employees, in no uncertain terms, that retaliation for reporting fraud or misconduct will not be tolerated.

Make sure that employees know that you are listening. When people complain about the fax machine, fix it. Listening to little complaints can foster confidence before a big complaint comes around.

Make It Worth Their While

Research and now experience show that incentives, even just recognition, make employees more likely to report misconduct. Reward this kind of ethical behavior.

Lead By Example

Show your team that you are ethical and that they work for a company that does not tolerate unethical behavior. When reporting misconduct is simply an unpleasant but necessary aspect of doing business, employees are far more likely to take part.


This post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has 20 years of diverse experience in business risk consulting, internal audit and public accounting. He leads various internal audit initiatives and Sarbanes-Oxley projects for a wide array of companies from start-ups to multi-national corporations. Sargon is the Risk and Internal Control knowledge partner to his clients and has a depth of experience in:

If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.

Creating a Speak Up Culture

Research and case studies have proven that a majority of employees do not speak up when they see fraud or misconduct in the workplace. This is true across a spectrum of businesses, even when employees have great IT security, sound internal audit procedures, and other corporate resources to report misconduct. Modern businesses face a major ethical challenge in creating a culture that encourages employees to report wrongdoing and in combating retaliation. Despite its challenging implementation, a speak up culture is crucial to legitimate company compliance and training efforts.

Cultural Change Starts With Management

In 2011, more than one-third of all workplace discrimination claims filed with the Equal Employment Opportunity Commission (EEOC) were for retaliation against employees who expressed their workplace concerns. What can companies do to ensure that employees are safe from retaliation? A speak up culture can allow businesses to maintain their edge, while overcoming biases against whistleblowing.

According to researchers at the University of Michigan, one of the most important factors in creating a speak up culture is ensuring that supervisors model appropriate behavior for employees. Employees will be more willing to report fraud or misconduct to supervisors if they have seen these supervisors express similar ethical behavior, especially following through on matters of misconduct. Employees who saw supervisors report ethical violations, conduct internal audits appropriately, or respond positively to complaints were far more likely to speak up.

Speaking Up: The General Motors Case Study

General Motors is a great example of a company that has struggled due to a lack of misconduct reports, but ultimately succeeded in reversing this trend by implementing a speak up culture. Harvard Business Review blogger Amy C. Edmondson points out several key problems that hampered GM’s employees from expressing concern and that ultimately led to compromised consumer safety. Specific issues involved broken communication channels, defective products that were approved only to be recalled, and lacking accountability among safety personnel. The resulting investigation highlights the importance of these crucial speak up practices:

Direct Exposure to Ethical Behavior

Employees are unlikely to risk bringing attention to potentially painful subjects such as fraud or internal audits if they believe these discussions will hurt their chances of success in the company. As the GM example shows, this individual mindset eventually causes problems for the company as a whole. Ethical leadership not only encourages employees to act on misconduct; it’s also good business.

Clear Channels of Communication—the More Direct, the Better

When important messages about serious company problems don’t get delivered, fatal flaws can easily erupt. Make certain that even the lowest ranking employee can communicate directly with higher-ranking management as needed to report ethical problems. Also, ensure that if an employee does come forward, he or she receives a timely, appropriate response. As with ethical behavior, when company leaders value good communication, so will employees.

Accountability

Edmondson points out that GM’s public apology was an effective, powerful step towards rebuilding trust with the public. GM also took responsibility for safety issues by recalling products. These efforts showed the public that there was no attempt to conceal mistakes and that the company was working to correct problems.

Training

To ensure that management is prepared to respond to ethical complaints, businesses must train leaders appropriately. Training should include education on how to handle failure personally and as a team. Formal training in speak up cultures is available from various sources. Best practice resources for creating a speak up culture are also available to businesses; here is one such resource from the Institute of Business Ethics.

Take Aways

Creating a speak up culture is essential for business success. There is no simple fix. This real problem requires real time and culture investment. Yet, solutions are within reach for any business willing to make the effort. Payoffs include legal, ethically-sound business practices, greater reputation, and happy employees. How can you afford not to invest in a speak up culture?


This post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has 20 years of diverse experience in business risk consulting, internal audit and public accounting. He leads various internal audit initiatives and Sarbanes-Oxley projects for a wide array of companies from start-ups to multi-national corporations. Sargon is the Risk and Internal Control knowledge partner to his clients and has a depth of experience in:

If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.

Fraud Prevention for Venture Capital and Private Equity

It happens all the time: human capital and resource constraints at start-ups and small to medium-sized companies limit the ability to have a robust accounting and finance staff. In most cases one person is responsible for many tasks. When these tasks overlap (reviewing and paying invoices; setting up and approving new clients; setting up and approving new suppliers; and writing checks, making deposits, and conducting bank reconciliations), the company exposes itself to significant fraud risks. In audit terms, this is a Segregation of Duties problem.

Segregation of Duties

While having adequate Segregation of Duties (SOD) is an essential building block of sustainable risk management and internal controls for a business, it is difficult for a small business to implement and it often gets overlooked.

Embezzlement

I came to know the investors of a start-up Title Insurance Company in Chicago. The ownership hired an experienced Title Insurance executive as President and CEO. They also assigned the President full access to the bank account. The company was out of business within 6 months of hiring the CEO. The CEO embezzled all the cash, ignored all invoices and payables, and left town.

Inadequate Segregation of Duties hits the news on a regular basis. Said one executive: “Given the size of our organization, the distribution and separation of duties is tough. It’s a staff of three, four people. They suggest we shuffle around more of the burden. I’m not saying that’s a bad idea, but it will be difficult to implement.”

Difficult to implement? Maybe. But it is not impossible or impractical. The first step is understanding the risk and how it relates to the business. The second step is to consider key controls that would mitigate the risk without adding burden to the business. Simple solutions include requiring approvals for big purchases by individuals other than the CFO, placing banking restrictions on large payments, and regularly reconciling all accounts.

While the Segregation of Duties risk may seem minor compared to other strategic, operational, or compliance risks, the failure to control the risk could be catastrophic.


This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services, a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors, a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research, and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamental based baseball in a safe environment in the city of Chicago. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn Profile.

Using Audit to Reduce Costs of Major Construction Projects

Organizations involved in major capital projects are missing out on significant opportunities to reduce costs. This is not to say that construction managers are fiscally irresponsible; on the contrary, they are very reluctant to spend money where it is not absolutely necessary. So much so that in an effort to contain costs, most organizations don’t budget funds for construction audits until the project is complete or nearing completion. However, this “Close-out” audit is only one component of a successful control and cost containment program. Vonya Global believes that investing in internal audit early in the construction process may save thousands or hundreds of thousands of dollars throughout the project. “Full-scope” construction auditing optimizes the effectiveness of internal controls, reduces total project costs, and maximizes cost recovery.

Close-out Construction Audit

At the project’s conclusion, the owner requires assurance that the General Contractor/Construction Manager (CM) has completed the work in accordance with the contract. A close-out audit provides the owner confidence that the contracted obligations were fulfilled and the billing was accurate per the contract terms. While this is a critical step to verify compliance with the contract, it doesn’t solve other problems caused by a poorly written contract. In fact, contracts rarely protect all the interests of the owner.

Full-Scope Construction Audit

Involving construction audit services at the beginning, rather than the end of a construction project is far more effective because it mitigates risk before it materializes. Audit’s first responsibility is to protect the owner’s interest by creating favorable contractual agreements and improving the project control environment. Keeping Vonya Global engaged throughout the construction project assures the effectiveness of the control environment and identifies inappropriate cost overcharges.

Protected Interest

In creating the contract (the binding agreement between the owner and all parties involved in the construction process), many owners place their trust in the knowledge of the General Contractor/CM and Architect to include all the appropriate provisions in the contracts. Most owners will then seek legal counsel to review the contract focusing on the insurance and indemnification sections. Additionally, the General Contractor/CM and Architect are often relied upon to track and control project costs. The result is an agreement which may not contain the necessary terms and conditions to adequately protect the interests of the owner, may not establish an effective system of internal controls, and may not establish a systematic means of monitoring contract compliance.

The American Institute of Architects (AIA) provides standard construction contracts, such as the:

  • AIA A101 for stipulated sum projects
  • AIA A111 and A121 agreements for cost reimbursable projects
  • A201 which contains the related General Conditions to the agreement

However, even these contract provisions require modification to fully protect the interest of the owner. For example, the Accounting Records or “Right-to-Audit” clause should be strengthened, and the Changes or “Change Order” clauses often require clarification. These modifications improve the owner’s control over project costs, and allow for recoveries.

An effective “Full-scope” audit program utilizing the construction audit services of Vonya Global establishes an effective control environment, defines expectations for all parties, reduces the potential for conflict, reduces total project costs, and reduces the owner’s risk. Performing a “Full-scope” construction project audit is a best practice, and the earlier a qualified Construction Auditor is involved in the project life-cycle, the greater the benefits to the project owner.


This blog post was co-authored by Steven Randall and Brian Felix. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services, a member of the IIA Chicago Chapter Board of Governors, a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research, and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamental based baseball in a safe environment in the city of Chicago. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn Profile.

Exhaustive Management Review Control (“MRC”) Testing

Audit Overkill, CorpGov Necessity, or Value Add?

As we have discussed in previous articles, the PCAOB has come down hard on the public accounting firms for the adequacy of internal control testing when conducting the annual financial statement audit at their clients. The result in the current financial statement audit period has been significantly more testing by the public accounting firms than in years prior. This added testing is putting a burden on public registrants, and one specific area getting increased attention is Management Review Controls.

Management Review Controls

Management Review Controls monitor the results of operations and typically involve comparing recorded financial statement amounts to expected amounts to identify and investigate significant variances. A significant focus is placed on ensuring that the data that is being analyzed is complete and accurate. Examples could include:

  • 10K/10Q reviews to ensure that Financial Statements and Disclosures reflect a complete and accurate view of the business operations
  • Performing a variance analysis on the B/S where current month balances are compared to prior month and prior year
  • Performing a detailed review of organizational costs where variances from comparative periods or budget are analyzed
  • Performing a detailed review of any material complex accounting treatment within the organization that might be proprietary to that industry
  • Review management’s review of the legal accruals to determine that it is complete and accurate

The public accounting firm now must demonstrate that they have exhaustively tested the design and operating effectiveness of Management Review Controls. To do so, the auditor will gather evidence to evaluate whether management defined metrics or thresholds that would identify a material misstatement and document the resolution of any identified outliers. To ensure that the appropriate information is analyzed, management has to first ensure that the “Information produced by the Entity” (IPE) is complete and accurate. The auditor will also use their judgment to evaluate if the design of the MRC is effective in identifying a material misstatement and if the operating effectiveness of the design is in place.

In the past, auditors evaluated management’s sign-offs and re-performed sample reviews related to management’s review. Not this year. Due to the requirements of the PCAOB, auditors are requiring a level of precision and specificity for the MRCs beyond prior years and reviewing far more documentation. Instead of reviewing management signatures which signify approval, auditors are interrogating management to understand the metrics used for their review and the resolution of identified outliers that would be indicative of their approval. Reliance on system reports and Excel spreadsheets now gets a much deeper dive to ensure that the information used in the review is complete and accurate.

Why Investors Should Care

Producing audited financial statements to the SEC is not cheap. The Financial Executives International stated that the average financial statement audit of a public company in 2012 took almost 17,000 hours to complete at a cost of $4.5 million. That number is certainly going up for the 2013 audit cycle.

So, what do you think? Is the added testing overkill? Or, is the added testing necessary to demonstrate proper corporate governance? Or, does the added testing provide a value that goes far beyond its cost?

Let us know in the comments.


This blog post was written by Veronika Fritz. Veronika is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services. Veronika is a CPA with over 18 years of audit and management experience. Her experience covers all areas of business including compliance, financial, operational and IT. She has led the planning, development and successful execution of financial audits, Sarbanes-Oxley Engagements, pre- and post-implementation ERP system reviews, and business process evaluations. Veronika has expert knowledge in evaluating the design, integrity, effectiveness and reliability of internal controls for financial reporting processes and Enterprise Resource Planning software. She has been a trusted advisor to companies spanning various industries. If you would like more information about Vonya Global or if you have a question for Veronika, you may contact her through this blog, the company website, Twitter, or her LinkedIn Profile.


Attention Audit Committee: Who Can You Rely On?

An article published in the Journal of Accountancy on December 17, 2013 highlighted that the PCAOB is focusing a lot of attention on auditing of internal control over financial reporting. The Center for Audit Quality lists internal control over financial reporting as one of its primary key risk areas of external auditor’s work heading into the 2013 audit cycle.

The PCAOB conducts annual audits of the Public Accounting Firm’s financial statement audit process. The results of the PCAOB audits were discussed in a speech given by Jeanette M. Franzel, PCAOB Board Member, on Oct. 13, 2013 at the NACD Board Leadership Conference 2013. During her speech, Ms. Franzel stated that relative to internal control over financial reporting “the external auditor failed to gather sufficient audit evidence to support the audit opinion” in 36% of audits during the 2011 audit cycle and 37% of audits during the 2012 audit.

Ms. Franzel is not stating that the public accounting firm financial statement opinion was wrong, rather that there was insufficient work completed to formulate the opinion. If there is insufficient work to formulate an opinion, the opinion becomes unreliable. An unreliable opinion should send a warning signal to investors.

The response by the public accounting firms this year has been to significantly increase internal control testing. The burden falls onto the external audit client (the publicly registered company) to provide evidence of risk assessments, internal control design, and internal control effectiveness. This results in increased time commitment from both the auditors and the audit client. Audit fees for the accounting firms are increasing, as are operating costs for the audit client. The combination of these two unintended consequences is placing an onerous burden on public registrants.

As investors, we want to rely upon the accuracy of financial reports, which inherently means we want to rely on the effectiveness of internal control over financial reporting. Audit Committees are charged with the responsibility to maintain oversight on the accuracy of financial reports, which also inherently means assuring the effectiveness of internal control over financial reporting. The Audit Committee can’t do this alone; they must heavily rely on the public accounting firm opinion and there is a significant problem if the audit approach is unreliable.

There is an obvious answer to this. There is a group, typically in-house, charged with the responsibility to evaluate the effectiveness of internal control over key risk areas of the corporation, including financial reporting risks. This group has a time tested methodology for assuring the reliability of their work. This group has a set of professional standards they must adhere to while completing their work. Best of all, the public accounting firms can place reliance on the work of these qualified and accredited individuals reducing the amount of time public accounting firms spend on the audit. This group is the Internal Audit Department.

So Audit Committees, who can you rely on? Your Internal Auditors.



This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services, a member of the IIA Chicago Chapter Board of Governors, a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research, and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamental based baseball in a safe environment in the city of Chicago. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn Profile.

Is Internal Audit Strategic?

Answers to the above question have changed over time, as witnessed in the Report on the Strategic Role of Internal Audit published by Vonya Global every 2 years.

Here is the trend with Executive Management:
2008 = 44%
2010 = 42%
2012 = 57%

Vonya Global is conducting its fourth study on the Strategic Role of Internal Audit. The study is currently open and we are seeking participants. The study consists of a 14 question online survey and should take no more than 15 minutes to complete. Participants will have exclusive access to the preliminary results.

To participate in this study, click here:

Participate in the Strategic Internal Audit Study



Cyber Threats – Knowledge is Prevention

There are many articles and reports published on the top risks that organizations are facing today and the emerging risks for the future. While regulatory risk, IT risk, strategic risk, and environmental risk among others seem to be the most common, cyber crime is a risk that can’t be ignored.

Cyber crime risk is a threat that targets us every day. A simple click of a mouse or touch pad could spell demise. The only way to prevent it is to increase the awareness of the risks, and make education a pivotal part of management’s communication plan. There is a recent scheme that needs attention and increased awareness.

Fictitious CFO emails, a new scam

It seems like every day someone becomes a victim of a new scam. Scammers use email, online ads, pop ups, and search results to trick you into sending them money and personal information. We just became aware of a new scam that has already cost corporations tens of thousands of dollars. Here is how it works:

    The real CFO leaves town. The CEO is not reachable. With this intelligence, an email gets sent to the person authorized to disburse funds, e.g. the Treasurer or the Controller, from an outside email address disguised to look like the CFO’s. The CEO is typically cc’d. The email instructs the recipient to make an immediate payment. Upon further inquiry back to the “fictitious CFO/CEO”, a pressure tactic is used: do as instructed, otherwise the person will lose their job.
    The email of course is a complete hoax and the attached invoice includes wiring instructions to a fraudulent bank account. The threatening email from the CFO/CEO is sometimes enough for the employee to take action and as soon as the transfer is made, the money is gone forever.

Does this seem unrealistic? At the time I typed this, I knew of 2 companies who had fallen victim to this scam and a 3rd that fortunately caught it at the last minute.

If you get an email from senior management requiring you to take drastic and immediate action, you had better make sure the instructions are valid before you act.
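As an added illustration (not part of the original post), the sketch below shows how a mail-screening step could flag the pattern described above: an executive's name on an outside address, a sender domain that closely resembles the company's, and payment-pressure wording. The company domain, executive names, similarity threshold and sample messages are all constructed assumptions.

```python
import difflib
import email
from email.utils import parseaddr

# Assumed values for this sketch: company domain, executive roster, pressure wording.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield": "CFO", "lee moran": "CEO"}
PRESSURE_TERMS = ("immediate", "urgent", "wire", "right away")

def domain_of(address):
    return address.rpartition("@")[2].lower()

def review_message(raw):
    """Return findings for one raw message and whether payment should be held."""
    msg = email.message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    findings = []
    if sender_domain != COMPANY_DOMAIN:
        # An executive's name is shown, but the mailbox is outside the company.
        if " ".join(display.lower().split()) in EXECUTIVES:
            findings.append("executive-name-on-external-address")
        # The domain is within a character or two of the real one.
        ratio = difflib.SequenceMatcher(None, sender_domain, COMPANY_DOMAIN).ratio()
        if ratio >= 0.8:
            findings.append("lookalike-domain")
    impersonation = bool(findings)
    # Plain-text body assumed; pressure wording alone does not trigger a hold.
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(term in text for term in PRESSURE_TERMS):
        findings.append("payment-pressure")
    return {"findings": findings, "hold_for_callback": impersonation}

# Constructed sample messages (not real mail).
SPOOFED = """\
From: Dana Whitfield <dana.whitfield@examp1e.com>
To: controller@example.com
Cc: lee.moran@example.com
Subject: Urgent wire needed today

Pay the attached invoice immediately. Do not delay.
"""
LEGITIMATE = """\
From: Dana Whitfield <dana.whitfield@example.com>
To: controller@example.com
Subject: Q3 forecast

Please see the attached forecast before Thursday's meeting.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, review_message(raw))
```

A message that is held should be confirmed by calling the executive on a number already on file, never by replying to the email itself.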


This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services, a member of the IIA Chicago Chapter Board of Governors, a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research, and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamental based baseball in a safe environment in the city of Chicago. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn Profile.

The Risk Stops Here: a Story About Little Risky

This contribution to the Internal Audit Blog comes to us from the late John Landreth. We lost John a few years ago, far too early. While John spent his career in internal audit, he spent his life giving back to his family and community. He was an ambassador for the profession and a friend to all internal auditors. Years ago John came up with an idea for a story about risk, a fun little story about a cute lead character nicknamed “Little Risky.” He allowed me to read an early draft of his story. While the story needed a little tweaking, I immediately loved his idea. Eventually his story was published and then converted into a presentation. The following is the short presentation about our friend “Little Risky.” If you like it, I ask that you please share it with your friends and colleagues. Let’s keep the story going and John’s legacy alive.

All the best,
Steve


This blog was contributed in the memory of John Landreth (April 14, 1957 – June 6, 2010). John served as the Chief Audit Executive for a variety of Chicago based companies. Outside of internal audit, John was a board member of Park Ridge Baseball and Softball, and the Alliance for the Great Lakes, former member of Park Ridge Indian Scouts and the District 64 Caucus.