Foreign Currpt Practice Act,Sarbanes -Oxley Act & Internal Control..Must Read.. Us CMA Part 1 & CIA Part 1 exam..

 The Foreign Corrupt Practices Act (FCPA) and the Sarbanes-Oxley Act (SOX) both emphasize the importance of internal controls, but they address different aspects of corporate governance and financial reporting. The FCPA focuses on preventing bribery and corruption, particularly in international business dealings, while SOX aims to improve the accuracy and reliability of financial reporting for publicly traded companies. 

Here's a more detailed breakdown:

FCPA and Internal Controls:

• The FCPA, enacted in 1977, has two main components: anti-bribery provisions and accounting provisions. 
• The accounting provisions require companies to maintain accurate books and records and implement sufficient internal controls to prevent and detect bribery and financial fraud. 
• Internal controls under the FCPA ensure that transactions are properly authorized, recorded, and accounted for, making it difficult to conceal illicit payments. 
• These controls are crucial for preventing bribery and ensuring transparency in financial reporting. 

SOX and Internal Controls:

• SOX, enacted in 2002, was a response to major corporate accounting scandals like Enron and WorldCom. 
• Section 404 of SOX focuses on internal controls over financial reporting, requiring companies to establish, maintain, and assess the effectiveness of these controls. 
• SOX aims to improve the reliability and accuracy of financial disclosures, providing greater transparency and accountability. 
• The law also holds top executives personally liable for the accuracy of their company's financial statements. 
• A well-known framework used for implementing SOX 404 controls is the Internal Control Integrated Framework developed by COSO. 

Relationship between FCPA and SOX:

• While separate laws, FCPA and SOX are closely related, particularly in their emphasis on internal controls.
• Some argue that SOX has strengthened FCPA enforcement by improving the overall control environment and increasing awareness of financial reporting issues.
• SOX 404 requirements have been linked to increased enforcement actions related to the FCPA.
• Both laws aim to prevent fraud and promote ethical business practices. 

In essence, both FCPA and SOX require robust internal control systems, but they address different aspects of corporate governance. The FCPA focuses on preventing bribery and corruption in international business, while SOX focuses on improving the reliability of financial reporting for publicly traded companies. 

Get past exam MCQ Questions ⁉️ Esaay based questions ❓ here ✍️ Text on..9773464206

Best wishes 🍀 from Prof Mahaley Head Gmsisuccess Mumbai 

www.gmsisuccess.in

Internal Control deficiency and its remediation

Internal Control Deficiencies – How to Evaluate Effectively

An internal control deficiency is a flaw in the design or operation of a control that prevents it from effectively preventing or detecting misstatements on a timely basis. These deficiencies can arise from various factors, including improperly designed controls, operational failures, or lack of necessary competence in performing controls. They can lead to increased risks of misstatements, fraud, and operational inefficiencies. 

Types of Internal Control Deficiencies:

·         Design Deficiencies:

When the control is not properly designed to achieve the intended objectives. 

·         Operational Deficiencies:

When the control is properly designed but not executed as intended or consistently. 

·         Compliance Deficiencies:

When an organization fails to adhere to applicable laws, regulations, or internal policies. 

·         Significant Deficiency:

A deficiency that is of sufficient importance to merit attention by those charged with governance. 

·         Material Weakness:

A deficiency that creates a reasonable possibility of material misstatements in the financial statements. 

 

Examples of Internal Control Deficiencies:

·         Lack of Segregation of Duties: One person handling multiple tasks, increasing the risk of errors or fraud. 

·         Insufficient Documentation or Approvals: Not properly documenting transactions or obtaining required approvals. 

·         Failure to Segregate Duties: Failing to separate duties that could allow for fraudulent activities. 

·         Failure to Implement Controls: Failing to implement documented policies and procedures. 

Impact of Internal Control Deficiencies:

Increased risk of financial statement misstatements, Increased risk of fraud, Reduced operational efficiency, and Potential for legal and regulatory penalties. 

Importance of Identifying and Addressing Deficiencies: 

To ensure the integrity of financial reporting, To protect assets from fraud and theft, To improve operational efficiency, and To comply with regulatory requirements. 

Steps to Address Deficiencies:

·         Identify and Assess: Identify the specific deficiencies and assess their severity. 

·         Develop and Implement Remediation Plans: Develop plans to address the deficiencies and implement them effectively. 

·         Monitor and Evaluate: Continuously monitor the effectiveness of the implemented solutions. 

How to rectify internal control deficiencies?

The best way to rectify and address internal control deficiencies is to use a combination of proactive and reactive measures.

Proactive measures aim to minimize internal control deficiencies before the audit phase by initiating preventive measures. These measures include risk assessments, training, frequent internal audits, documentation, etc.  

Reactive measures come into the picture when internal control deficiencies have been identified. The following steps must be followed in this case:

·         Perform a root cause analysis for evaluating internal controls deficiencies. This includes an assessment of current policies procedures and implementation practices

·         Draft a corrective action plan including new initiatives that must be carried out and existing policy or procedural updates.

·         Allocate the required resources and implement required initiatives.

·         Monitor progress to validate if the corrective action is addressing the deficiencies.

·         Conduct periodic reviews for continuous improvement

 

Internal control deficiency remediation is the process of addressing and correcting weaknesses in an organization's internal control systems. This involves identifying deficiencies, analyzing their root causes, developing and implementing corrective action plans, and establishing a reporting mechanism to track progress. The goal is to strengthen controls and ensure they effectively prevent or detect material misstatements. 

Here's a more detailed breakdown:

1. Identification:

·         Internal Audit Reports: Distribution of internal audit reports highlights areas where controls are weak or could be improved. 

·         Periodic Reviews: Regular review of internal controls helps identify deficiencies early on. 

·         Examples of Deficiencies: These can include misconfigured software, expired policies, inappropriate data handling, or inadequate segregation of duties. 

 

2. Analysis and Root Cause:

·         Impact Assessment:

The severity of the deficiency is assessed, considering the potential for material misstatement. 

·         Root Cause Analysis:

Identifying the underlying reasons for the deficiency is crucial for effective remediation. 

 

3. Remediation:

·         Action Plans:

Management develops and implements action plans to address identified deficiencies. 

·         Examples of Remediation Actions:

This may involve redesigning controls, enhancing processes, or introducing new systems. 

·         Documentation:

Maintaining adequate documentation of the remediation process is essential. 

 

4. Reporting and Monitoring:

·         Regular Updates:

Management should provide regular updates on the progress of corrective actions. 

·         Continuous Monitoring:

Ongoing monitoring ensures that implemented changes are effective and that new deficiencies are identified promptly. 

 

5. Benefits of Remediation:

·         Reduced Risk of Material Misstatements:

Stronger internal controls minimize the risk of financial errors or fraud. 

·         Enhanced Compliance:

Effective internal controls are crucial for compliance with regulations and standards. 

·         Improved Operational Efficiency:

Stronger controls can streamline processes and improve operational efficiency. 

·         Increased Stakeholder Confidence:

Well-designed and functioning internal controls build confidence in financial reporting and the organization's overall management. 

 

 

www.gmsisuccess.in

 

 

Internal audit failure leads to corporate governance failure

Toshiba - a case of internal audit failure:

Toshiba, a 140-year-old pillar of Japan Inc, is caught up in the country's biggest accounting scandal since 2011. In 2011, Olympus Corp was embroiled in a scandal. In July 2015, Toshiba Corp president Hisao Tanaka and his two predecessors quit after investigators found that the company inflated earnings by at least $1.2 billion during the period 2009-2014. Toshiba is one of the early adopters of the corporate governance reforms initiated in Japan. The corporate governance structure met corporate governance standards. Time and again cases of corporate governance failures have provided evidence that good corporate governance structure does not necessarily lead to good corporate governance. Organisation culture is a critical determinant of the quality of corporate governance.

Some of the observations of the independent investigation committee of the company on internal audit demand discussion and debate.

The investigation committee observes, "According to the division of duties rules of Toshiba, the corporate audit division is in charge of auditing the corporate divisions, the companies, branch companies, and affiliated companies. However, in reality the corporate audit division mainly provided consultation services for the 'management' being carried out at each of the companies, etc (as part of the business operations audit), and it rarely conducted any services from the perspective of an accounting audit into whether or not an accounting treatment was appropriate."

The observations of the committee give the impression that the fault of the internal audit in Toshiba was that it focused on consultation service rather than assurance service. Should internal audit avoid providing consultation service? I do not think so. It was not the fault of the internal audit that it provided consultation service. The fault was that it did not pay attention to accounting audit.

In Toshiba, the top management used to set targets that are unachievable. There was excessive pressure from the top management to achieve those targets.

The variable pay is a significant portion of the total pay. The compensation of executive officers comprises a base compensation based on title and a role compensation based on work content. Forty per cent to 45 per cent of the role compensation is based on performance of the overall company or business department. 'Challenge' to achieve unachievable targets and performance-based pay provide enough motivation to manage earnings. Therefore, accounting audit should have been a focus area for internal audit.

Internal audit can function independently only if the audit committee is capable, independent and effective, and the internal auditor reports to the audit committee.

In Toshiba, the audit committee was neither capable nor independent. The three external members of the audit committee had no knowledge of finance and accounting. An ex-Chief Financial Officer (CFO), who was the CFO during the timeframe when accounting irregularities occurred, was the only whole time member of the audit committee. Therefore, the internal audit was not independent of the management. Earnings management had the tacit approval of the top management. Therefore, it is not surprising that accounting audit was excluded from the scope of internal audit. It is incorrect to infer that the accounting audit did not receive the attention of the internal audit because its focus was on providing consultation service.

Contemporary literature defines internal audit as 'assurance and consulting service'. The issue is of balancing between consultation service and assurance service. Problem arises when the internal auditor forgets that the internal audit is primarily an assurance function. The consultation service flows from the assurance service. Although, the primary objective of operation audit is to obtain assurance that the internal control that is installed to achieve operation objectives is adequate and operating effectively, the auditees look to the internal auditor for suggestions and consultancy. Such consultation service is a by-product of the assurance service. Auditees should not be denied the benefits of internal auditor's understanding of the industry and the business, and the challenges before the auditees in achieving operation objectives. Exclusion of consultation service from the scope of internal audit would result in sub-optimal utilisation of internal audit resources.

Organisation culture also determines the effectiveness of internal audit. The investigation committee observes, "A corporate culture existed at Toshiba whereby employees could not act contrary to the intent of their superiors". In such a culture an upright internal auditor cannot survive, particularly if he is not independent of the management. Perhaps, it is the reason that the internal audit in Toshiba had chosen the easy path of focusing on 'consultation service' only without reporting internal control weaknesses.

Internal auditor is the 'eyes and ears' and 'go-to man' of the audit committee. Therefore, internal audit failure leads to corporate governance failure.

www.gmsisuccess.com