1 00:00:00,240 --> 00:00:03,120 What's up audit fans. I'm back and today 2 00:00:03,120 --> 00:00:04,560 we're looking at designing 3 00:00:04,560 --> 00:00:06,640 internal controls. A big thank you to 4 00:00:06,640 --> 00:00:08,400 Charlene who wrote to me 5 00:00:08,400 --> 00:00:10,480 through facebook and said, "Oh look I'd 6 00:00:10,480 --> 00:00:11,599 really love something 7 00:00:11,599 --> 00:00:14,559 about how to design internal controls". 8 00:00:14,559 --> 00:00:16,000 This isn't something that the auditor 9 00:00:16,000 --> 00:00:16,960 would normally 10 00:00:16,960 --> 00:00:19,039 do because when we design internal 11 00:00:19,039 --> 00:00:20,640 controls for our client we 12 00:00:20,640 --> 00:00:23,119 actually create a self-review 13 00:00:23,119 --> 00:00:24,560 independence threat. 14 00:00:24,560 --> 00:00:26,720 But if you're an internal auditor or 15 00:00:26,720 --> 00:00:28,720 you're providing some recommendations 16 00:00:28,720 --> 00:00:30,240 or if you're studying and it's quite a 17 00:00:30,240 --> 00:00:32,320 common question to be asked 18 00:00:32,320 --> 00:00:34,719 what sort of internal controls should be 19 00:00:34,719 --> 00:00:35,600 used 20 00:00:35,600 --> 00:00:38,079 to minimize a particular risk, today I'm 21 00:00:38,079 --> 00:00:40,000 going to address it with a four-step 22 00:00:40,000 --> 00:00:40,800 process. 23 00:00:40,800 --> 00:00:45,840 Let's get into it. 24 00:00:46,220 --> 00:00:52,069 [Music] 25 00:00:54,480 --> 00:00:56,559 Hi and welcome to AmandaLovesToAudit. 26 00:00:56,559 --> 00:00:58,320 My name is Amanda, I do love 27 00:00:58,320 --> 00:01:01,520 audit, and I'm really excited to be 28 00:01:01,520 --> 00:01:04,159 here back again on my YouTube channel. 29 00:01:04,159 --> 00:01:05,199 We're just starting our 30 00:01:05,199 --> 00:01:07,119 university semester here in Australia so 31 00:01:07,119 --> 00:01:08,960 it's full steam ahead for me, 32 00:01:08,960 --> 00:01:10,720 really, really busy. But I wanted to give 33 00:01:10,720 --> 00:01:12,000 a shout out to 34 00:01:12,000 --> 00:01:15,200 all of my returning viewers from places 35 00:01:15,200 --> 00:01:15,759 like 36 00:01:15,759 --> 00:01:18,320 Canada, Indonesia, Namibia, Nigeria, South 37 00:01:18,320 --> 00:01:19,360 Africa, USA, 38 00:01:19,360 --> 00:01:22,479 Germany, Uganda, did I say Uganda twice? 39 00:01:22,479 --> 00:01:22,880 No. 40 00:01:22,880 --> 00:01:25,759 Ghana. It's really amazing. Somebody in 41 00:01:25,759 --> 00:01:28,000 the comments asked if I'm Malaysian 42 00:01:28,000 --> 00:01:30,560 and I'm not. So my parents are both from 43 00:01:30,560 --> 00:01:31,439 China 44 00:01:31,439 --> 00:01:34,560 in the Guangzhou region of China. I 45 00:01:34,560 --> 00:01:37,439 don't speak any Chinese. So my parents 46 00:01:37,439 --> 00:01:38,799 came here, my mom came here when she was 47 00:01:38,799 --> 00:01:39,680 five years old, 48 00:01:39,680 --> 00:01:43,119 my dad came in his teenage years. 49 00:01:43,119 --> 00:01:46,399 And when my mom was growing up, she 50 00:01:46,399 --> 00:01:48,560 went to kindergarten not knowing any 51 00:01:48,560 --> 00:01:49,520 English, 52 00:01:49,520 --> 00:01:51,759 so when she talked with an accent she 53 00:01:51,759 --> 00:01:54,000 received a lot of bullying, 54 00:01:54,000 --> 00:01:55,759 even then you know a lot of racism 55 00:01:55,759 --> 00:01:57,280 against Asians. So 56 00:01:57,280 --> 00:02:00,079 when she had kids, and we were the only 57 00:02:00,079 --> 00:02:01,840 Asian kids in our school, 58 00:02:01,840 --> 00:02:04,159 she said I want you to sound Aussie. I 59 00:02:04,159 --> 00:02:05,920 want you to be able to blend in so that 60 00:02:05,920 --> 00:02:08,560 if you can sound like everybody else, 61 00:02:08,560 --> 00:02:11,440 then hopefully you won't experience the 62 00:02:11,440 --> 00:02:12,080 same 63 00:02:12,080 --> 00:02:15,280 levels of racism and discrimination 64 00:02:15,280 --> 00:02:18,239 that she experienced as a child growing 65 00:02:18,239 --> 00:02:19,040 up. 66 00:02:19,040 --> 00:02:21,760 And so when I was, I think three or four 67 00:02:21,760 --> 00:02:22,080 years 68 00:02:22,080 --> 00:02:25,520 old, my mother said to my grandmother, 69 00:02:25,520 --> 00:02:27,280 who she looked after us a lot. She 70 00:02:27,280 --> 00:02:29,120 said look that's it, we're not speaking 71 00:02:29,120 --> 00:02:30,480 any Chinese anymore, 72 00:02:30,480 --> 00:02:33,519 English only. So I really only know 73 00:02:33,519 --> 00:02:34,640 enough 74 00:02:34,640 --> 00:02:37,599 Cantonese to get by at Yum Cha. I know 75 00:02:37,599 --> 00:02:38,560 that I want to eat 76 00:02:38,560 --> 00:02:42,319 ha gao, cha siu bao, 77 00:02:42,319 --> 00:02:45,519 pai gwat, dan tats. I know that I don't want 78 00:02:45,519 --> 00:02:47,360 to eat the fung jao which is 79 00:02:47,360 --> 00:02:50,239 the chicken foot, but really that's the 80 00:02:50,239 --> 00:02:51,360 extent of 81 00:02:51,360 --> 00:02:54,160 my Chinese language skills, so that's 82 00:02:54,160 --> 00:02:55,280 enough about me. 83 00:02:55,280 --> 00:02:59,280 I've been a tiny bit busy recently, 84 00:02:59,280 --> 00:03:02,239 I've just won the national teaching 85 00:03:02,239 --> 00:03:03,360 excellence award 86 00:03:03,360 --> 00:03:05,840 for the business, economics law and 87 00:03:05,840 --> 00:03:06,560 related 88 00:03:06,560 --> 00:03:09,120 category. I'll have a video more on that 89 00:03:09,120 --> 00:03:10,560 a little bit later because I'm doing a 90 00:03:10,560 --> 00:03:11,680 big speech, 91 00:03:11,680 --> 00:03:13,120 a whole lot of other things, so I was 92 00:03:13,120 --> 00:03:15,040 really excited to 93 00:03:15,040 --> 00:03:18,080 receive that. And all of you out there in 94 00:03:18,080 --> 00:03:19,920 YouTube land were a really big part of 95 00:03:19,920 --> 00:03:21,040 that as well, so 96 00:03:21,040 --> 00:03:23,040 I did a survey a little while ago asking 97 00:03:23,040 --> 00:03:24,560 about whether you thought the resources 98 00:03:24,560 --> 00:03:26,319 were high quality 99 00:03:26,319 --> 00:03:28,159 and some feedback and a lot of those 100 00:03:28,159 --> 00:03:29,920 quotes and a lot of those 101 00:03:29,920 --> 00:03:31,760 pieces of information made it into my 102 00:03:31,760 --> 00:03:33,599 application so thank you 103 00:03:33,599 --> 00:03:36,239 so much to everybody that's out there 104 00:03:36,239 --> 00:03:38,000 that filled in that survey. 105 00:03:38,000 --> 00:03:41,200 For everyone who's new, welcome! I love 106 00:03:41,200 --> 00:03:41,760 audit, 107 00:03:41,760 --> 00:03:43,920 and you'll hear that, you'll see that in 108 00:03:43,920 --> 00:03:45,840 everything that we do. So I'm just going 109 00:03:45,840 --> 00:03:48,640 to switch camera positions a little bit 110 00:03:48,640 --> 00:03:50,959 so that then I can have my writing 111 00:03:50,959 --> 00:03:53,519 coming up here so just hang on. 112 00:03:53,519 --> 00:03:55,680 So today we're getting into how do I 113 00:03:55,680 --> 00:03:57,599 design an internal control? It's a really 114 00:03:57,599 --> 00:03:58,720 common exam 115 00:03:58,720 --> 00:04:00,959 question just to see that you can do the 116 00:04:00,959 --> 00:04:02,159 other perspective. 117 00:04:02,159 --> 00:04:03,519 And if you're studying management 118 00:04:03,519 --> 00:04:05,920 accounting, how to design an internal 119 00:04:05,920 --> 00:04:07,519 control can be really important because 120 00:04:07,519 --> 00:04:09,200 management accounting is about, 121 00:04:09,200 --> 00:04:10,640 number one doing accounting from within 122 00:04:10,640 --> 00:04:12,400 the firm, but also 123 00:04:12,400 --> 00:04:14,959 designing the management systems that 124 00:04:14,959 --> 00:04:15,599 make sure that 125 00:04:15,599 --> 00:04:18,880 everyone in the organization is working 126 00:04:18,880 --> 00:04:22,880 together, moving in the same direction. 127 00:04:22,880 --> 00:04:24,960 There are going to be four steps in our 128 00:04:24,960 --> 00:04:27,280 process. So step number one 129 00:04:27,280 --> 00:04:32,479 is going to be about identifying 130 00:04:32,479 --> 00:04:35,919 the potential misstatement. 131 00:04:37,360 --> 00:04:41,040 Now the reason that we need to do this 132 00:04:41,040 --> 00:04:47,199 is that remember a control is a response 133 00:04:47,440 --> 00:04:49,600 to a risk. So essentially we have to 134 00:04:49,600 --> 00:04:51,520 identify the risk. What is the potential 135 00:04:51,520 --> 00:04:52,639 misstatement, 136 00:04:52,639 --> 00:04:55,759 the potential error that could occur? So 137 00:04:55,759 --> 00:04:56,160 that's 138 00:04:56,160 --> 00:05:00,560 step number one. Then step number two, 139 00:05:00,560 --> 00:05:01,840 And I'm going to just move that up a 140 00:05:01,840 --> 00:05:03,680 little bit, is 141 00:05:03,680 --> 00:05:06,240 we have to ask ourselves the question, do 142 00:05:06,240 --> 00:05:07,199 we want to 143 00:05:07,199 --> 00:05:11,280 prevent the issue from happening or 144 00:05:11,280 --> 00:05:14,479 are we trying to detect an error 145 00:05:14,479 --> 00:05:17,600 afterwards? So in a lot of circumstances 146 00:05:17,600 --> 00:05:20,560 where it's a control around a process, 147 00:05:20,560 --> 00:05:22,080 I want to try and prevent, right? 148 00:05:22,080 --> 00:05:24,000 Prevention is always better than a cure. 149 00:05:24,000 --> 00:05:24,960 So you have to think am I going to 150 00:05:24,960 --> 00:05:25,919 prevent 151 00:05:25,919 --> 00:05:28,880 or do I want to detect. Now detecting is 152 00:05:28,880 --> 00:05:29,759 about 153 00:05:29,759 --> 00:05:31,199 picking up that there's a mistake 154 00:05:31,199 --> 00:05:34,320 perhaps after a process has happened. 155 00:05:34,320 --> 00:05:36,240 So you have a manufacturing process, 156 00:05:36,240 --> 00:05:39,039 you're making a good and then 157 00:05:39,039 --> 00:05:41,600 there is quality control. So you know you 158 00:05:41,600 --> 00:05:42,880 have everything in the process, the 159 00:05:42,880 --> 00:05:44,479 machines doing the right things, checking 160 00:05:44,479 --> 00:05:45,840 their parts. 161 00:05:45,840 --> 00:05:48,639 And the quality control at the end is to 162 00:05:48,639 --> 00:05:49,440 make sure 163 00:05:49,440 --> 00:05:51,919 that you detect any issues before they 164 00:05:51,919 --> 00:05:53,680 go out, you know the product goes out to 165 00:05:53,680 --> 00:05:55,360 the customer. So you have to think 166 00:05:55,360 --> 00:05:57,120 do I want to try and prevent or do I 167 00:05:57,120 --> 00:05:58,400 want to try and detect. 168 00:05:58,400 --> 00:06:00,080 Now I'm going to do this with a live 169 00:06:00,080 --> 00:06:01,759 example as well after, so I'm just going 170 00:06:01,759 --> 00:06:03,440 to go through the theory first. 171 00:06:03,440 --> 00:06:06,400 So part one, identify the potential 172 00:06:06,400 --> 00:06:08,639 misstatement, so what is the risk? 173 00:06:08,639 --> 00:06:12,160 Part two, am I thinking about preventing 174 00:06:12,160 --> 00:06:13,919 or detecting? 175 00:06:13,919 --> 00:06:19,520 Then, you actually need to design 176 00:06:19,600 --> 00:06:24,240 an effective 177 00:06:25,039 --> 00:06:28,080 and efficient 178 00:06:30,960 --> 00:06:33,840 internal control. Now what do I mean by 179 00:06:33,840 --> 00:06:34,479 effective? 180 00:06:34,479 --> 00:06:36,560 Effective, I mean, that it has to work. It 181 00:06:36,560 --> 00:06:38,160 has to prevent 182 00:06:38,160 --> 00:06:41,199 the error that you've got. And when I say 183 00:06:41,199 --> 00:06:42,240 efficient, 184 00:06:42,240 --> 00:06:44,800 I mean that efficient is it's not going 185 00:06:44,800 --> 00:06:46,479 to cost us too much resources 186 00:06:46,479 --> 00:06:48,560 because remember when it comes to 187 00:06:48,560 --> 00:06:50,080 internal controls 188 00:06:50,080 --> 00:06:52,720 you have to think about the cost versus 189 00:06:52,720 --> 00:06:54,319 the benefit. 190 00:06:54,319 --> 00:06:56,720 So, in a supermarket, to make sure that 191 00:06:56,720 --> 00:06:57,599 people don't 192 00:06:57,599 --> 00:07:00,560 steal from a supermarket, I could make 193 00:07:00,560 --> 00:07:02,400 every single person have to go through 194 00:07:02,400 --> 00:07:03,199 an airport 195 00:07:03,199 --> 00:07:05,280 x-ray screening type of thing when they 196 00:07:05,280 --> 00:07:06,639 leave the store. 197 00:07:06,639 --> 00:07:09,919 That would be very, very beneficial, 198 00:07:09,919 --> 00:07:13,199 however, it would cost a lot in terms of 199 00:07:13,199 --> 00:07:13,759 time 200 00:07:13,759 --> 00:07:18,240 for my customers, effort 201 00:07:18,240 --> 00:07:21,680 to get it done, and also 202 00:07:21,680 --> 00:07:24,960 it would be really expensive, okay? 203 00:07:24,960 --> 00:07:28,160 So I need to balance the benefit 204 00:07:28,160 --> 00:07:29,840 of preventing or detecting a 205 00:07:29,840 --> 00:07:31,840 misstatement with the cost. 206 00:07:31,840 --> 00:07:32,880 So you got to think about that in 207 00:07:32,880 --> 00:07:35,120 your design. Now 208 00:07:35,120 --> 00:07:36,960 also, when you're thinking about the 209 00:07:36,960 --> 00:07:39,759 design, you have to consider whether you 210 00:07:39,759 --> 00:07:40,800 want 211 00:07:40,800 --> 00:07:44,080 a manual control, so somebody physically 212 00:07:44,080 --> 00:07:47,759 doing something, versus some sort of 213 00:07:47,759 --> 00:07:50,800 automated or 214 00:07:50,800 --> 00:07:54,639 IT or systems 215 00:07:55,919 --> 00:07:58,400 based solution, okay? Because if you do 216 00:07:58,400 --> 00:07:59,199 have 217 00:07:59,199 --> 00:08:00,720 something that needs a manual control, 218 00:08:00,720 --> 00:08:02,800 remember humans can make mistakes. 219 00:08:02,800 --> 00:08:04,639 With an automated system you've got to 220 00:08:04,639 --> 00:08:06,319 be really careful because 221 00:08:06,319 --> 00:08:07,840 if you don't program the system 222 00:08:07,840 --> 00:08:09,840 correctly, it can still make a mistake so 223 00:08:09,840 --> 00:08:11,199 if you don't program it correctly it 224 00:08:11,199 --> 00:08:12,000 could still 225 00:08:12,000 --> 00:08:15,039 go wrong. So our 226 00:08:15,039 --> 00:08:18,240 fourth thing that we want to think about 227 00:08:18,240 --> 00:08:21,120 is monitoring, 228 00:08:22,080 --> 00:08:24,479 all right? Are we doing something to 229 00:08:24,479 --> 00:08:25,599 check the control? 230 00:08:25,599 --> 00:08:28,240 Essentially we need to make sure that we 231 00:08:28,240 --> 00:08:29,199 are 232 00:08:29,199 --> 00:08:32,240 checking the 233 00:08:32,240 --> 00:08:35,039 operation 234 00:08:36,479 --> 00:08:40,640 of the control. 235 00:08:40,640 --> 00:08:43,039 Okay, a really great example of that 236 00:08:43,039 --> 00:08:44,800 monitoring aspect 237 00:08:44,800 --> 00:08:48,080 is if we have a bank and you go with 238 00:08:48,080 --> 00:08:50,160 your card, 239 00:08:50,160 --> 00:08:54,160 and I have one in my pocket actually, 240 00:08:54,160 --> 00:08:57,680 so here's my card for my bank account. 241 00:08:57,680 --> 00:09:00,640 I go to the ATM, I put it in, I get the 242 00:09:00,640 --> 00:09:01,440 pin wrong. 243 00:09:01,440 --> 00:09:03,839 Oh okay, that's the wrong pin. I remember 244 00:09:03,839 --> 00:09:05,440 the right pin, I put it in. 245 00:09:05,440 --> 00:09:08,240 The bank at the end of the day, will get 246 00:09:08,240 --> 00:09:09,040 a report 247 00:09:09,040 --> 00:09:10,959 that says what are all the cards where 248 00:09:10,959 --> 00:09:12,640 an incorrect pin was entered 249 00:09:12,640 --> 00:09:15,519 or perhaps an incorrect pin was entered 250 00:09:15,519 --> 00:09:16,240 more than 251 00:09:16,240 --> 00:09:19,440 three times or we actually chewed up the 252 00:09:19,440 --> 00:09:20,240 card. 253 00:09:20,240 --> 00:09:22,000 So we want to check that the control is 254 00:09:22,000 --> 00:09:23,839 operating effectively. We want to check 255 00:09:23,839 --> 00:09:25,360 that the operation of the control is 256 00:09:25,360 --> 00:09:27,120 working because remember, 257 00:09:27,120 --> 00:09:31,839 we know that when the control 258 00:09:31,839 --> 00:09:34,800 stops working, 259 00:09:34,880 --> 00:09:38,320 what happens? My regular viewers will 260 00:09:38,320 --> 00:09:40,800 know this. When the control stops working 261 00:09:40,800 --> 00:09:44,240 then we have an increased risk 262 00:09:44,240 --> 00:09:51,839 of errors and misstatements, 263 00:09:52,080 --> 00:09:53,440 all right? And we definitely don't want 264 00:09:53,440 --> 00:09:55,279 that. We don't want to have misstatements 265 00:09:55,279 --> 00:09:55,680 going 266 00:09:55,680 --> 00:09:59,040 into the financial records and 267 00:09:59,040 --> 00:09:59,360 the 268 00:09:59,360 --> 00:10:02,160 accounting of the firm. So to recap, 269 00:10:02,160 --> 00:10:04,480 I'm going to scroll quickly back up. 270 00:10:04,480 --> 00:10:06,880 Number one, identify the potential 271 00:10:06,880 --> 00:10:08,079 misstatements. 272 00:10:08,079 --> 00:10:10,000 Number two, decide whether you want to 273 00:10:10,000 --> 00:10:11,680 prevent or detect. 274 00:10:11,680 --> 00:10:15,600 Number three, design an effective 275 00:10:15,600 --> 00:10:17,519 and efficient internal control, thinking 276 00:10:17,519 --> 00:10:19,680 about the cost versus the benefit. 277 00:10:19,680 --> 00:10:22,000 That cost could be the time it takes, the 278 00:10:22,000 --> 00:10:22,880 dollars 279 00:10:22,880 --> 00:10:25,040 to actually implement it, the effort it 280 00:10:25,040 --> 00:10:26,160 might take. 281 00:10:26,160 --> 00:10:28,079 Think about whether you want manual or 282 00:10:28,079 --> 00:10:30,720 automated systems. 283 00:10:30,720 --> 00:10:33,040 And then consider the monitoring. What 284 00:10:33,040 --> 00:10:35,760 are we doing to monitor this control 285 00:10:35,760 --> 00:10:37,519 to make sure that it's always working? Is 286 00:10:37,519 --> 00:10:39,040 it if something goes wrong a system 287 00:10:39,040 --> 00:10:40,560 flags with us. 288 00:10:40,560 --> 00:10:44,240 So now let's look at a practical example. 289 00:10:44,240 --> 00:10:46,320 So in my practical example, I'm going to 290 00:10:46,320 --> 00:10:48,000 think about 291 00:10:48,000 --> 00:10:51,120 a retail operation. And I'm using a 292 00:10:51,120 --> 00:10:52,320 retail operation 293 00:10:52,320 --> 00:10:55,040 because it's something that we can 294 00:10:55,040 --> 00:10:56,800 imagine in our minds, we've all been 295 00:10:56,800 --> 00:10:59,440 shopping to a store. Now I need to find 296 00:10:59,440 --> 00:11:00,640 something, oh let's just, I have a 297 00:11:00,640 --> 00:11:01,920 notebook here. 298 00:11:01,920 --> 00:11:05,440 So a big thank you to Microsoft for 299 00:11:05,440 --> 00:11:05,760 300 00:11:05,760 --> 00:11:07,040 they sent me a notebook the other day. 301 00:11:07,040 --> 00:11:08,959 I'm an MIE expert which is a Microsoft 302 00:11:08,959 --> 00:11:09,920 Innovative 303 00:11:09,920 --> 00:11:12,320 Educator expert and I got a little 304 00:11:12,320 --> 00:11:13,920 goodie bag from them and it includes a notebook. 305 00:11:13,920 --> 00:11:14,880 So say we're 306 00:11:14,880 --> 00:11:17,920 a retail operation and we're selling 307 00:11:17,920 --> 00:11:19,600 fancy notebooks. So let's say this is 308 00:11:19,600 --> 00:11:21,200 like, you know, it's leather and it's 309 00:11:21,200 --> 00:11:22,079 really fancy. 310 00:11:22,079 --> 00:11:24,720 So what is the risk? So let's start with 311 00:11:24,720 --> 00:11:26,399 step one. 312 00:11:26,399 --> 00:11:30,079 The risk is going to be 313 00:11:30,079 --> 00:11:33,200 theft of inventory, 314 00:11:34,079 --> 00:11:35,519 all right? If people steal the inventory 315 00:11:35,519 --> 00:11:36,800 they're not buying it and we're not 316 00:11:36,800 --> 00:11:39,040 making revenue, so we've got our risk 317 00:11:39,040 --> 00:11:42,560 of misstatement, is a theft of inventory. 318 00:11:42,560 --> 00:11:44,959 And we might also have the, so let's talk 319 00:11:44,959 --> 00:11:47,279 about the theft of inventory risk. 320 00:11:47,279 --> 00:11:51,680 So then I have to think prevent 321 00:11:51,680 --> 00:11:55,120 or detect so that's P or D. In this one, I 322 00:11:55,120 --> 00:11:56,000 definitely want 323 00:11:56,000 --> 00:11:59,040 to try and prevent theft, okay? I don't 324 00:11:59,040 --> 00:12:00,320 want to detect the theft 325 00:12:00,320 --> 00:12:01,760 after it's happened, I want to try and 326 00:12:01,760 --> 00:12:04,160 prevent people from stealing 327 00:12:04,160 --> 00:12:07,600 my item from my store, so prevent or 328 00:12:07,600 --> 00:12:08,399 detect. 329 00:12:08,399 --> 00:12:11,839 Now number three comes the actual part 330 00:12:11,839 --> 00:12:12,320 of 331 00:12:12,320 --> 00:12:15,200 designing the internal control. Well I 332 00:12:15,200 --> 00:12:16,079 want something 333 00:12:16,079 --> 00:12:18,399 that will stop people from stealing my 334 00:12:18,399 --> 00:12:20,000 product. I got a couple of different 335 00:12:20,000 --> 00:12:21,200 options 336 00:12:21,200 --> 00:12:24,079 here. And it might be that I might need 337 00:12:24,079 --> 00:12:26,639 to have multiple things in place. 338 00:12:26,639 --> 00:12:30,800 I could have security cameras, 339 00:12:30,800 --> 00:12:32,720 all right? But if i have security cameras 340 00:12:32,720 --> 00:12:34,160 someone's going to need to be watching 341 00:12:34,160 --> 00:12:36,560 them, so if i have security cameras 342 00:12:36,560 --> 00:12:40,560 that could be a deterrent potentially. 343 00:12:40,560 --> 00:12:46,079 I could also have RFID 344 00:12:46,079 --> 00:12:48,720 stickers 345 00:12:49,360 --> 00:12:53,519 on the inventory, 346 00:12:53,519 --> 00:12:55,920 all right? So an RFID sticker or one of 347 00:12:55,920 --> 00:12:57,760 those security tags, so 348 00:12:57,760 --> 00:12:59,440 often it could be like a little sticker 349 00:12:59,440 --> 00:13:01,040 that's placed on an individual item or 350 00:13:01,040 --> 00:13:03,040 it could be a big removable tag. So if 351 00:13:03,040 --> 00:13:04,399 you bought clothing 352 00:13:04,399 --> 00:13:06,079 from a department store often those will 353 00:13:06,079 --> 00:13:07,839 have like a big tag on it 354 00:13:07,839 --> 00:13:10,000 that the sales checkout person will have 355 00:13:10,000 --> 00:13:11,040 to remove. So 356 00:13:11,040 --> 00:13:14,240 an RFID sticker or some sort of security 357 00:13:14,240 --> 00:13:15,519 tag, 358 00:13:15,519 --> 00:13:19,040 or security tag. 359 00:13:19,040 --> 00:13:22,480 Now given that this is a book, like 360 00:13:22,480 --> 00:13:24,079 a hole, I don't want to punch a hole in 361 00:13:24,079 --> 00:13:25,839 my notebook for the tag, 362 00:13:25,839 --> 00:13:27,920 so a little RFID sticker might be a good 363 00:13:27,920 --> 00:13:30,079 idea and that's why a lot of stuff comes 364 00:13:30,079 --> 00:13:33,920 shrink wrapped in plastic. That is 365 00:13:33,920 --> 00:13:35,279 just so 366 00:13:35,279 --> 00:13:37,040 that they can then stick the RFID 367 00:13:37,040 --> 00:13:38,800 sticker on there and it's come a long 368 00:13:38,800 --> 00:13:39,680 way. 369 00:13:39,680 --> 00:13:41,360 The old days RFID stickers were really 370 00:13:41,360 --> 00:13:43,440 expensive, now I'm seeing supermarkets 371 00:13:43,440 --> 00:13:44,000 even, 372 00:13:44,000 --> 00:13:45,920 use them on things like expensive meat 373 00:13:45,920 --> 00:13:47,199 products. So 374 00:13:47,199 --> 00:13:49,839 I've got my security cameras. I've got my 375 00:13:49,839 --> 00:13:52,639 RFID stickers. 376 00:13:52,639 --> 00:13:55,040 I'm going to have, with the RFID 377 00:13:55,040 --> 00:13:55,839 sticker, 378 00:13:55,839 --> 00:14:00,839 needed with that is going to be the RFID 379 00:14:00,839 --> 00:14:03,839 detectors 380 00:14:04,240 --> 00:14:07,600 at the store, woops 381 00:14:07,600 --> 00:14:11,519 can't spell store, entry exit. 382 00:14:11,519 --> 00:14:13,279 That is also why a lot of stores will 383 00:14:13,279 --> 00:14:15,760 only have one entry exit point 384 00:14:15,760 --> 00:14:18,320 so that they can put those big gates up 385 00:14:18,320 --> 00:14:20,160 and often you will see those gates will 386 00:14:20,160 --> 00:14:22,079 be covered in advertising and things so 387 00:14:22,079 --> 00:14:23,600 you don't notice that it's there. So 388 00:14:23,600 --> 00:14:24,240 you've got 389 00:14:24,240 --> 00:14:27,360 your RFID, your stickers, etc. 390 00:14:27,360 --> 00:14:32,560 The last thing that we might do is also 391 00:14:32,639 --> 00:14:35,760 a store bag check, 392 00:14:36,720 --> 00:14:38,320 all right? So that when you leave the 393 00:14:38,320 --> 00:14:39,839 store they say look, 394 00:14:39,839 --> 00:14:42,560 can you open your bag, you know bags 395 00:14:42,560 --> 00:14:44,000 of a bigger size 396 00:14:44,000 --> 00:14:47,120 to make sure that that's happening. So 397 00:14:47,120 --> 00:14:50,639 that's an example here for the fact that 398 00:14:50,639 --> 00:14:53,839 we've got our theft. Let's do another 399 00:14:53,839 --> 00:14:56,240 example. My next example is still going 400 00:14:56,240 --> 00:14:58,079 to go back to my notebooks, 401 00:14:58,079 --> 00:15:01,920 but my risk is going to be 402 00:15:01,920 --> 00:15:07,600 the risk of charging the customer 403 00:15:07,760 --> 00:15:11,120 the wrong price, right? And that 404 00:15:11,120 --> 00:15:13,839 is going to result, for us, in inaccurate 405 00:15:13,839 --> 00:15:15,680 sales. So that's affecting our accuracy 406 00:15:15,680 --> 00:15:16,959 assertion. 407 00:15:16,959 --> 00:15:20,160 Now of course, in terms of prevention or 408 00:15:20,160 --> 00:15:22,560 detection, I want to try and 409 00:15:22,560 --> 00:15:26,160 prevent, okay? Then coming 410 00:15:26,160 --> 00:15:29,360 into the control. 411 00:15:29,360 --> 00:15:31,279 One thing that I could do and I can 412 00:15:31,279 --> 00:15:33,120 remember the days where when you went to 413 00:15:33,120 --> 00:15:34,320 the supermarket, 414 00:15:34,320 --> 00:15:36,160 you didn't actually have barcodes. There 415 00:15:36,160 --> 00:15:37,519 was a little sticker that somebody 416 00:15:37,519 --> 00:15:39,279 manually added to the product and then 417 00:15:39,279 --> 00:15:40,880 you typed it in 418 00:15:40,880 --> 00:15:43,519 into the cash register. So we could use 419 00:15:43,519 --> 00:15:46,399 barcode scanning, 420 00:15:46,399 --> 00:15:50,160 barcodes on good 421 00:15:50,160 --> 00:15:53,360 and scan 422 00:15:53,360 --> 00:15:56,480 at the register, 423 00:15:56,480 --> 00:15:59,360 okay? So that's going to be my control. 424 00:15:59,360 --> 00:16:00,000 Now, 425 00:16:00,000 --> 00:16:02,160 in terms of the control it's very cheap, 426 00:16:02,160 --> 00:16:03,440 it's efficient, you have to have, 427 00:16:03,440 --> 00:16:05,519 obviously, a cash register system, 428 00:16:05,519 --> 00:16:07,600 but the one thing that we want to do 429 00:16:07,600 --> 00:16:11,680 here in terms of the monitoring, 430 00:16:13,279 --> 00:16:15,680 all right? Is that we might want to do 431 00:16:15,680 --> 00:16:17,440 something like 432 00:16:17,440 --> 00:16:22,800 check price overrides, 433 00:16:22,800 --> 00:16:24,320 all right? So if somebody tries to 434 00:16:24,320 --> 00:16:26,000 override the price, 435 00:16:26,000 --> 00:16:27,839 there's a couple of different options, 436 00:16:27,839 --> 00:16:29,360 you could have you need 437 00:16:29,360 --> 00:16:31,600 manager, whoops that's meant to be an r, 438 00:16:31,600 --> 00:16:33,279 manager 439 00:16:33,279 --> 00:16:36,800 to approve any price overrides 440 00:16:36,800 --> 00:16:39,279 or at the end of the day, you could have 441 00:16:39,279 --> 00:16:42,720 a daily report 442 00:16:42,880 --> 00:16:44,800 about those overrides. And that's really 443 00:16:44,800 --> 00:16:46,079 common in retail stores where they'll 444 00:16:46,079 --> 00:16:46,800 say okay, 445 00:16:46,800 --> 00:16:48,959 give me the end of day report, oh 446 00:16:48,959 --> 00:16:50,240 yeah this was overwritten because this 447 00:16:50,240 --> 00:16:51,440 was damaged, 448 00:16:51,440 --> 00:16:53,360 this person had an extra discount, this 449 00:16:53,360 --> 00:16:55,279 was the manager's discretion, 450 00:16:55,279 --> 00:16:57,040 so you want to monitor how many prices 451 00:16:57,040 --> 00:16:58,720 were incorrect. 452 00:16:58,720 --> 00:17:00,480 Often there's also a thing that says 453 00:17:00,480 --> 00:17:01,839 oh look if the shelf says 454 00:17:01,839 --> 00:17:04,640 five dollars, but your thing says ten 455 00:17:04,640 --> 00:17:06,400 dollars you get whatever the shelf 456 00:17:06,400 --> 00:17:08,400 price is, so that could be one of your 457 00:17:08,400 --> 00:17:10,160 override codes. 458 00:17:10,160 --> 00:17:12,720 Now I realized back here when I was 459 00:17:12,720 --> 00:17:14,160 designing the controls for 460 00:17:14,160 --> 00:17:17,520 the risk of theft. Then, 461 00:17:17,520 --> 00:17:20,959 the store bag check 462 00:17:20,959 --> 00:17:22,559 could be one of those monitoring 463 00:17:22,559 --> 00:17:24,319 controls, so I realized I forgot there that I 464 00:17:24,319 --> 00:17:26,000 forgot to talk about the monitoring, 465 00:17:26,000 --> 00:17:30,480 but the store bag check could also 466 00:17:31,280 --> 00:17:35,120 be part of that monitoring process. 467 00:17:35,120 --> 00:17:38,400 I hope that that clarifies to everybody 468 00:17:38,400 --> 00:17:42,559 how you can design an internal control 469 00:17:42,559 --> 00:17:44,880 and remember to take it step by step. 470 00:17:44,880 --> 00:17:46,480 Think about the risk, 471 00:17:46,480 --> 00:17:48,799 do I want to prevent or detect, what are 472 00:17:48,799 --> 00:17:50,799 the control activities that I could do, 473 00:17:50,799 --> 00:17:53,440 automated or manual or with our systems 474 00:17:53,440 --> 00:17:55,440 or a combination of both, 475 00:17:55,440 --> 00:17:56,880 and then what am I going to put in place 476 00:17:56,880 --> 00:17:59,520 to monitor to make sure that control 477 00:17:59,520 --> 00:18:01,760 works properly. So I want to thank you 478 00:18:01,760 --> 00:18:03,440 for watching this video. Of course, if you 479 00:18:03,440 --> 00:18:05,679 haven't already considered subscribing. 480 00:18:05,679 --> 00:18:07,919 For all of those internal auditors out 481 00:18:07,919 --> 00:18:09,600 there, you might want to check out 482 00:18:09,600 --> 00:18:11,360 auditopia. It's a new 483 00:18:11,360 --> 00:18:13,440 internal audit community that I'm 484 00:18:13,440 --> 00:18:14,640 involved with. 485 00:18:14,640 --> 00:18:17,200 It has free resources that people are 486 00:18:17,200 --> 00:18:17,840 sharing, 487 00:18:17,840 --> 00:18:20,360 internal audit checklists, and 488 00:18:20,360 --> 00:18:22,240 documentation. 489 00:18:22,240 --> 00:18:24,880 And we've also got regular webinars to 490 00:18:24,880 --> 00:18:25,919 help you become 491 00:18:25,919 --> 00:18:28,080 a better internal auditor. I'm really 492 00:18:28,080 --> 00:18:30,720 excited to be part of the auditopia team. 493 00:18:30,720 --> 00:18:32,960 I'll be working with them to create some 494 00:18:32,960 --> 00:18:34,640 content for some courses 495 00:18:34,640 --> 00:18:36,880 that they're going to have. Big thank you, 496 00:18:36,880 --> 00:18:38,799 I want everybody to stay safe, 497 00:18:38,799 --> 00:18:40,960 stay well, I've checked myself on the 498 00:18:40,960 --> 00:18:43,200 vaccination schedule, I'm hopefully 499 00:18:43,200 --> 00:18:45,440 going to be vaccinated in September or 500 00:18:45,440 --> 00:18:46,720 October of this year, 501 00:18:46,720 --> 00:18:48,880 so I'm really excited about that. But, 502 00:18:48,880 --> 00:18:51,360 stay safe, stay well wherever you are 503 00:18:51,360 --> 00:18:57,840 and I'll see you next time. 504 00:18:57,930 --> 00:19:12,060 [Music] 505 00:19:12,400 --> 00:19:14,480