Internal Controls Optimization

February 21, 2008

These slides are incomplete without the benefit of the comments made at the session. The
information and considerations presented herein do not constitute legal or any other type of
professional advice.   
 Internal Controls Optimization

Mattel

In August 2007, Mattel, Inc. announced it was recalling approximately one million
toys in the U.S. made in China due to excessive amounts of lead in the paint used.
• Recall included the following toys
Sesame Street
Fisher Price
Cars

Issue stems from vendors choosing to use cheaper, unapproved paint instead of the
approved “safe” paint

Questions about how this could happen appear everywhere

Stock price declined

PricewaterhouseCoopers Page 2
 Internal Controls Optimization

Reaction - Mattel
In light of the lead paint issue, Mattel sent out a press release to customers letting
them know of the recall and how to return affected toys

A review of the procedures followed by all products manufactured by vendors in

China was performed

Internally, Mattel took the following steps:

• Created a Corporate Responsibility Group, which includes Product Integrity sub-
group
• Created a new function of the Product Integrity Policy and Audit, which functions
as an internal audit organization to monitor Mattel and vendor facilities
compliance with Product Integrity standards

• Public reaction was everything from apologies in the WSJ or several articles

• This took place to late in the year to recover for the Christmas shopping season

PricewaterhouseCoopers Page 3
 Internal Controls Optimization

Société Généralé

In January 2008, Société Généralé suffered a loss of $7.1 billion (€4.8 billion) due to
actions taken by a trader

Appears to be the result of a combination of management mishap, a security breach

and compliance process failure – level of fraud currently in question

Prosecutors contend trader made bets in one direction to rack up big gains then
made fake trades in opposite direction to hide the risk

In order to avoid detection, the trader would delete the fake trades before they were
checked then re-enter them when the check was complete

Personal Gain - No

PricewaterhouseCoopers Page 4
 Internal Controls Optimization

Reaction - Société Généralé

After the fraud was uncovered, the following actions were taken by the company:
• The trader involved was suspended and legal action is being taken
• The board of directors approved decision to terminate the mandates of
executives responsible for supervision and controls of operations
• In order to support capital adequacy levels, a capital increase was launched to
compensate for the loss due to fraud
• Justice review for criminal actions
• Company disclosed flaws of the system of control within the bank

PricewaterhouseCoopers Page 5
 Internal Controls Optimization

Others:
Financial Reporting Controls Failures
– Enron, Worldcom, Société Généralé
– Options Backdating, Restatements
– And many more

Operational Controls Failures

– Boeing (Delay in 787 production), Mattel (Product Recalls for lead paint)
– Shrink or spoilage, Down manufacturing facilities, Inventory mismanagement
– Many more

Compliance Controls Failures

– Chiron (Flu vaccine does not pass FDA standards), FAA – Parts tracking

Strategy and Fraud Controls Failures

PricewaterhouseCoopers Page 6
 Internal Controls Optimization

Question: Did a System of Control exist?

Every company, every industry has one!

Question is - How effective is it?

• Quality Control policies and procedures
• Procurement process
• Vendor relations
• Trading policies and procedures
• Trading systems
• ERP systems
• Monitoring systems
• Customer satisfaction
• Manufacturing processes

PricewaterhouseCoopers Page 7
 Internal Controls Optimization

Understanding the System of Control

 Have you made a clear linkage between risk and controls? Have you
asked “what can go wrong?” How does all of this relate to our Strategy?
• Effectiveness and efficiency of operations
• Reliability of financial reporting (Relevant FS Assertions)
• Compliance with applicable laws and regulations

PricewaterhouseCoopers Page 8
 Internal Controls Optimization

Internal Controls Maturity Framework

Unreliable Informal Standardized Monitored Optimized
- Unpredictable - Control activities - Control activities - Standardized - Integrated
environment are designed are designed, in controls with internal controls
where and in place but place and are periodic testing with real time
for effective
control are not adequately monitoring by
design and
activities are adequately documented management
operation with
not designed documented reporting to and continuous
or in place management improvement
Level 1 – Unreliable
• Unpredictable environment where control activities are not designed or in place
Level 2 – Informal
• Disclosure Activities and Controls are designed and in place but are not adequately documented
• Controls mostly dependent on people
• No formal training or communication of control activities
Level 3 – Standardized
• Control activities are designed and in place
• Control activities have been documented and communicated to employees
• Deviations from control activities will likely not be detected
Level 4 – Monitored
• Standardized controls with periodic testing for effective design and operation with reporting to management
• Automation and tools may be used in a limited way to support control activities
Level 5 – Optimized
• An integrated internal control framework with real time monitoring by management with continuous improvement
(Enterprise Wide Risk Management)
• Automation and tools are used to support controls activities and allow the organization to make rapid changes to the
control activities if needed
PricewaterhouseCoopers Page 9
What is Internal Controls Optimization?
 Internal Controls Optimization

Internal Controls Optimization

A continuous process of establishing the right controls at the right cost to

manage at the greatest efficiency and highest effectiveness your operational,
financial reporting, compliance and strategic objectives

PricewaterhouseCoopers Page 11
 Internal Controls Optimization

Internal Controls Optimization is achieved through:

An efficient and systematic process to define the risks which are
likely to impact the achievement of the organization's objectives
Identification of the existing controls universe and quantification of the
costs, process impact, and reliability associated with the operation
and validation of those controls
Identification of existing controls which will most efficiently and effectively
mitigate and manage those risks; elimination of redundant, inefficient or
ineffective controls
Redesign, automation, or implementation of new controls, to
increase the efficiency and effectiveness of the existing system of
controls
Design and implementation of a management oversight and reporting
structure to monitor the effectiveness of the system of controls, its
infrastructure, and the identification of process improvements
PricewaterhouseCoopers Page 12
 Internal Controls Optimization

Opportunities for Internal Controls Optimization

Governing Risk: Develop a comprehensive perspective on risk beyond

financial reporting. Evaluate and asses the risk that impacts operational
and strategic value of the business.

Enhancing Compliance: Enable the stakeholders within the company to

view Compliance functions (e.g., Internal Audit and other compliance
groups) as valuable assets to the company resource base – as internal
compliance consultants who can demonstrate the linkage of
compliance to business success.

Realizing Operational Benefits: Tangible metrics that demonstrate

quantitative and qualitative benefits that the business can understand and
support, e.g., cost reduction, production throughput, etc

PricewaterhouseCoopers Page 13
 Internal Controls Optimization

Opportunities for Internal Controls Optimization (cont.)

Improving Information Reliability: Moving beyond data and information

within disparate systems. Enabling information availability to drive
business decisions that are based on sound controls that support reliable
data.
Managing Change: Controls designed to move with the business and
provide the stability needed in ever-changing business models, e.g.,
outsourcing, M&A, shared services, etc.

PricewaterhouseCoopers Page 14
 Internal Controls Optimization

Benefits of Internal Controls Optimization

Reduce financial and business risks, costs and effort for your company
resources

Improve enterprise risk management, business and operational

processes and compliance process

Integrate systems and processes along with your operational and

compliance controls

Clarify roles and responsibilities and key business objectives and risks to
enhance the accountability within your organization

Utilize Internal Audit to spend more time assisting the company with new
risk management concerns.

PricewaterhouseCoopers Page 15
The Path Towards Internal Controls
Optimization
 Internal Controls Optimization

Understanding the System of Controls

Organizations should be able to evaluate their controls environment, through self and risk
assessment practices.

Obtain attributes of key controls and processes.

Review the unique aspects of your business that may require more or less time spent on
internal controls assessments
• “Tone at the Top”
• Decentralization,
• Diversity of products and revenue streams,
• Lack of standardization,
• Previous challenges or financial restatements
PricewaterhouseCoopers Page 17
 Internal Controls Optimization

Understanding the current environment

Business Strategy

Current Processes

Qualified Employees and clear roles and responsibilities

Use of Technology

How well do I know my people are operating in the most efficient

and effective manner?

PricewaterhouseCoopers Page 18
 Internal Controls Optimization

Risk-Based Approach

Goal: To identify the “right” controls. It’s not about finding a specific number of
controls, but identifying the controls that mitigate the key risks for the organization
Internal key risks to the organization should be identified either from a
financial, operational, or compliance perspective
The current business environment and corporate strategy will drive the
organizational direction and effect the specific risks encountered

This is a dynamic and ongoing process that must be revisited frequently as

business, market, and technology environments evolve

PricewaterhouseCoopers Page 19
 Internal Controls Optimization

Conducting the Risk Assessment

The organization should perform the following on the path to Controls
Optimization:
 Identify strategic business objectives
 Distinguish and align financial, operational and compliance objectives
 Determine the key risks
 Define the measures for internal control effectiveness
 Identify key or impacted processes
 Review previous control failures and strengths
 Assess pervasiveness and suitability of company level controls

PricewaterhouseCoopers Page 20
 Internal Controls Optimization

Rationalize Internal Controls

Aligning and prioritizing the ‘right’ controls to the identified risks:

 Entity Level Control
• Strategic management and oversight
• Direct versus indirect
• Business Performance Reviews
 Transactional level controls
• Manual versus Automated Controls
• Preventative versus Detective
 Information Technology General Controls
• Change Management
• Security
• Program Management
• Operations

PricewaterhouseCoopers Page 21
 Internal Controls Optimization

Optimize Internal Controls

Perform optimization assessment, considering the following:
 Identify duplicate controls
 Assess pervasiveness and suitability of entity level controls
 Opportunities for further automation
• Eliminating the human factor
 Reliance on spreadsheets and other desktop applications
 Appropriate Segregation of Duties
 Effectiveness of transaction level controls
• Preventative versus detective
• Utilization of monitoring controls

PricewaterhouseCoopers Page 22
 Internal Controls Optimization

Creating a Sustainable Controlled Organization

Creating sustainable infrastructure:

 Leadership and strategy (Leverage Corporate Values)
 Accountability and reinforcement
 Risk management and infrastructure
 People and communication
 Testing approach and plans
 Change management procedures

Building on the Value

 Leveraging Controls Optimization Investment
 Ensuring there is a measurable and sustainable compliance function

PricewaterhouseCoopers Page 23
 Internal Controls Optimization

Why Internal Controls Optimization Stalls

Narrow focus on subset of compliance and risk areas instead

of broad across-the-organization focus.

Non-dedicated project team or lacking experience within

compliance and risk areas.

Project objectives not clearly articulated and expected benefits

not defined.

Only viewing internal controls optimization as a cost reduction

initiative instead of a business enabler that increases
operational resilience and reliability.

PricewaterhouseCoopers Page 24
 Internal Controls Optimization

Seven Keys to Consider for Optimal Control

1. There has to be a realization of the cost vs. benefit on any
control

2. Does the Board, Executive, Senior Management, Line

Management and Employee base understand the importance
and value of your control environment

3. Control is not a “Finance Thing”

4. How do we leverage our technology investments

5. Risk comes in many shapes, sizes and types

6. How does the smallest impact ripple to big waves

7. How does our system of control adapt to change

PricewaterhouseCoopers Page 25
 Internal Controls Optimization

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon
the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to
the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its
members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act,
in reliance on the information contained in this publication or for any decision based on it.

© 2007 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability
partnership) or, as the context requires, other member firms of PricewaterhouseCoopers International Ltd., each of which is a separate and independent
legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.

PricewaterhouseCoopers Page 26