Internal Audit Controls

The Singapore Auditing Standards (SSA) addresses the auditor's responsibility to not only identify but also assess the risks associated with material misstatement in financial statements. This is made possible by mapping the company and its internal or external environment, including internal controls. The SSA defines internal controls as processes that are “designed, implemented and maintained” by people responsible for management and governance. This is done to provide realistic assurance that the company's objectives will be achieved in terms of reliable effectiveness and efficiency in business operations and financial reporting. Additionally, this is done to go in lines with the applicable laws. Controls as such are any elements of what constitutes internal control. This report is a discussion of objectives and importance of internal controls in entities and how effective they are using the case study of McDonald’s Company, whose nature of business is fast food.

Statement of the Problem

McDonald’s is an international entity established in various countries like America and Singapore and exhibits the scenario of how internal controls, though established can be rendered ineffective (Goh, 2009). J. Edgar Hoover, a director in the FBI currently stated that in any system there are people who are up to no good. Findley Gillespie Partner with Moss Adams LLP applied this to internal controls, stating that the aspect was good enough to lead the company to growth. As such, it would inhibit those who were up to no good from performing non-procedural behaviors. Internal controls can help one achieve internal results in business hence lead to growth. However, failure to implement effective internal control systems lead to minimized returns in the entity, both as depicted in the daily operations and financial reports as pointed out by Goh (2009). Types of internal control range from financial, human resource, operational, information technology and quality controls to safety controls (Spacey, 2017)

Financial Controls and Management Override at McDonalds

Financial controls involve putting measures to prevent the loss of cash or any financial misrepresentation which may affect the financial position. According to SSA, an auditor should estimate likelihood of occurrence of a risk in order to assess its future probability (https://isca.org.sg/media/777818/ssa-700r-jan-2016.pdf). One of the current issues facing firms is lack of risk assessment on the part of internal auditors. Presently auditors perform only sample audits which may not be effective enough. It is to this effect that McDonald’s loses huge amounts of money to fraudulent managers in its chains globally.

In ISA 24015, the term management override is used to refer to managers being able to manipulate records in accounting and exhibit fraudulent financial reports as they can override the controls (Vijayakumar & Nagaraja, 2012). At McDonald’s, a manager got arrested and was charged with felony. The board cited the fact that he had stolen $ 3, 800 while continuously pretending to refund the amount to customers who returned one of the store’s products, Big Mac (Spink, Ortega, Chen & Wu, 2017). This depicted the disadvantage that a financial control system override can cause. Such instances have occurred severally at other chains of the giant store, portraying how useless their information system and risk assessment process can be turned into.

Audit Analysis and Recommendation

From an auditor’s perspective, the fact that fraud has occurred alone is enough to raise eyebrows and conduct a risk analysis. SSA provides that significance of the risk should be assessed to gauge whether it is material enough to affect the financial reports badly (https://isca.org.sg/media/777818/ssa-700r-jan-2016.pdf). Theft of $ 3, 800 is significant to McDonald’s, showing a disadvantage of internal control systems. First, operationally, the sum is sufficient enough to purchase raw materials to make several hamburgers, one of the main products the company sells. Secondly, the amount will lead to loss of funds in ways the company cannot apprehend hence leading to a gross misrepresentation in the financial statements. Due to this fact, the company should employ control measures like automating the customer refund process with systems that leave behind audit trails. Secondly, the firm should deploy internal auditors to its branches. These aspects would ensure the material misstatement risk is minimized hence leading to profit maximization, one of the entity’s goals.

Information Security

Information security internal controls should be able to defend the company against cyber threats and other information technology attacks, especially those which keep on changing with time (Vijayakumar & Nagaraja, 2012). SSA holds that when exercising judgment on which risks qualify to be called significant, the auditor should judge whether the misappropriation amounts to fraud or is just a risk. Information security fraud is presently a threat to many entities. Ranging from malware to phishing attacks, the criminal act has caused many companies to lose as much as millions of dollars (Vijayakumar & Nagaraja, 2012).

McDonalds Case

Recently in Asia, a McDonald’s delivery application was found to have leaked confidential client information to its more than one million applicants (Spink et. al., 2017). Names, home addresses and phone numbers are just a few examples of the private details leaked by the API. This incident amounted to information security data leak whose blame points at weak internal information security control systems. In addition to this, there was poor communication system with respect to clients. Several customers who queried the support staff were only responded to haphazardly (Spink et. al., 2017). Prompt and proper response would have amounted to remedial corrective measures for the poor controls.

In another case, a 17-year-old received a penalty of 60 days for skimming not only credit but also customer debit details in McDonald’s (Spink et. al., 2017). The scenario was an insider scam case which mesmerized many employees at the retail chain. Police investigated the matter, linking all the dots to the same store. The culprit had apparently stolen merchandise severally using duplicates of many customers’ cards. The teenager sold the goods on e-bay, fetching more than $ 13, 000 in profits (Spink et. al., 2017). There have been card fraud trends recently, a matter which food industries should watch carefully. Insufficient control measures at McDonald’s have led to numerous incidences of identity theft, presenting a case that amounts to information security fraud.

Audit Analysis & Recommendation

The case means that McDonald’s, having internal control systems that can be manipulated, does not consistently monitor to check whether its credit cards systems perform suspicious activities. The duplicate customer cards could only be accessed at odd hours beyond working time. This could even be a case of a manager overriding the system to collude with a fraudster since the log-ins should be non-functional during non-working hours. According to SSA, apprehending a firm’s selection as well as application of the accounting policies entails aspects like the methods which the firm in question employs while accounting for significant or unusual transactions (https://isca.org.sg/media/777818/ssa-700r-jan-2016.pdf). This puts the firm at future risk of potential fraudsters hence is a high magnitude risk as per audit risk assessment.

According to Goh (2009), fraud risk occurrence can be minimized through establishing a fraud hotline as well as dual controls. McDonald’s should establish response or report centers where clients and employees can report fraud incidences. In this manner, any fraud occurring, such as management override, will be realized and thwarted with immediate force.

The giant fast food chain should also put in place dual internal control measures. For example, there should be a finger-print authentication system for all employees who handle monetary transactions. In addition to this, employees should be trained on password security so that no one can log into the financial systems using their passwords. If implemented, these internal security measures will see the entity block the fraudulent activities which materially mislead the operational activities and financial disclosures as pointed out by Goh (2009).

Human Resource

Risks in Human Resource, for which internal controls mechanisms should be put, include but are not limited to factors like ghost workers and overpayment collusions and work safety measures (https://bizfluent.com). For internal controls with respect to personnel to be successful, the rules have to be first put in place, followed by their implementation, employee communication, maintenance and finally monitoring and corrective mechanisms (Inness, Turner, Barling & Stride, 2010).

McDonalds Scenario

Employee safety mechanism is one aspect that most companies are currently putting strong measures to cater for. McDonald’s workers have on several occasions claimed that they sustained burns while at work (Spink et. al., 2017). The personnel claimed that they were denied breaks to run the injured places under water as the procedure should be. Instead they were told to put ice cubes on them and carry on with work as the managers purported the schedule was too busy to find time for conducting protocoled procedures.

Audit Analysis & Recommendation

This scenario portrays inefficient work safety control procedures. Managers are overriding on the company policies due to their positions to oppress employees, a circumstance which is causing the company loss of funds through legal cases. Moreover, such incidents lead to loss of staff due to high turnover rates as observed by Schultz, Bierstaker & O’Donnell (2010). This pushes the company to incur hidden costs such as recruitment and job advertisement charges. The internal auditors in McDonald’s should strongly engage management and advise on the importance of work safety measures, emphasizing on their advantages. As such, the company should train supervisors on how to handle injury cases in addition to insurance schemes which it has already put in place. Job training itself is a control measure with regards to human resource fraternity (Grossman & Salas, 2011).

How Auditors’ Performance can be Enhanced

ISA 315 outlines factors in the control environment. As such it assists to enhance performance of external auditors. First, it points out to the external auditors on areas of concern such as commitment to competence, management philosophy, and organization structure and authority and responsibility assignment. In essence, auditors can curve out the audit scope from the outlined factors. In addition they can know which areas to rely on when issuing out audit reports as observed by Caramanis & Lennox (2008).

Conclusion

ISA 315 states that internal control systems which are effective can only provide realistic or reasonable but not absolute assurance (Vijayakumar & Nagaraja, 2012). I therefore disagree with Findley Gillespie who claims that the control can absolutey lead to good results and company growth. This is because, as Edgar Hoover states, despite there being internal controls, there always have to be people who are upto no good and who can tamper with the controls. This is because of factors such as management override. McDonalds has put in place several internal control measures yet they still appear ineffective at times. Despite this fact, the company should tighten its policies on financial, human resource and information technology control measures. If this is adhered to, fraudulent cases that lead to material misstatement will be inhibited.

References

Caramanis, C., & Lennox, C. (2008). Audit effort and earnings management. Journal of accounting and economics, 45(1).

Goh, B. W. (2009). Audit committees, boards of directors, and remediation of material weaknesses in internal control. Contemporary Accounting Research, 26(2).

Grossman, R., & Salas, E. (2011). The transfer of training: what really matters. International Journal of Training and Development, 15(2).

https://bizfluent.com

https://isca.org.sg/media/777818/ssa-700r-jan-2016.pdf

Inness, M., Turner, N., Barling, J., & Stride, C. B. (2010). Transformational leadership and employee safety performance: A within-person, between-jobs design. Journal of Occupational Health Psychology, 15(3).

Schultz, J. J., Bierstaker, J. L., & O’Donnell, E. (2010). Integrating business risk into auditor judgment about the risk of material misstatement: The influence of a strategic-systems-audit approach. Accounting, Organizations and Society, 35(2).

Spacey, J. (2017). 10 Types of Internal Controls. Simplicable. Retrieved 19 October 2017, from https://simplicable.com/new/internal-controls

Spink, J., Ortega, D. L., Chen, C., & Wu, F. (2017). Food fraud prevention shifts the food risk focus to vulnerability. Trends in Food Science & Technology.

Vijayakumar, A. N., & Nagaraja, N. (2012). Internal Control Systems: Effectiveness of Internal Audit in Risk Management at Public Sector Enterprises. BVIMR Management Edge, 5(1).