Internal Audit Report

Internal Controls Over Cash Management

Corporate Treasury Review
 Table of Contents

Executive Summary

Executive Summary 3

Objectives, Scope & Procedures Performed 5

Background

General Background 6

Issues and Observations

Detailed Issues & Observations 7

Appendices

I: Internal Control Assessment 17

This report provides management with information about the condition of risks and internal controls at one point in time.
Future changes in environmental factors and actions by personnel may significantly and adversely impact these risks and
controls in ways that this report did not and cannot anticipate.

2 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Executive Summary
Internal audit reviewed the treasury function located at corporate headquarters that provides service to the entire firm as a
centralized management function under the direction of the CFO and corporate treasurer. An estimated $X,XXX of funds are
transferred, managed and distributed, including cash positions, foreign exchange and daily cash needs on a monthly basis.
Banking relationships, primarily Bank A and Commercial Bank B, service cash management accounts and related foreign
exchange activity.
The objective of this review was to obtain an understanding of key processes in the treasury function (cash management,
electronic fund transfers, investments and foreign exchange hedging), evaluate the adequacy and effectiveness of the
associated internal controls, and identify opportunities for process improvements.

The following is a summary of the issues and observations noted during this review. Each issue/observation has been
prioritized based upon its business impact to the company. For each issue, a page reference and agreed upon area
management implementation plan to address each issue for corrective action have been noted.

Issues/Observations Priority See Page

Investment activity authorizations and approval limits are not established in the cash investment policy
1. 7
and foreign exchange hedging and electronic funds transfer policies are not documented.
2. Cash forecasting is done on a limited basis, typically not extending further than one day ahead. 8
Effective use of control disbursement accounts and positive pay services should be continuously
3. 9
reviewed for potential cost savings and increased efficiencies.
Low volumes of payables are executed using electronic payments, specifically ACH, in place of checks
4. 10
and wires.

5. The use of non-standard electronic funds transfer forms should be limited for exceptions. 11

6. The wire transfer/ACH repetitive template setup and change approval process should be segregated. 11

A list of specimen signatures and approval limits is not maintained in treasury to verify proper
7. authorization of wire transfer, ACH and special check requests. Overall, disbursement procedures are 12
not documented. Checks held overnight for pickup are not adequately safeguarded.

3 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Executive Summary (Continued)
Issues/Observations Priority See Page
A contingency plan is not in place to generate signed checks, should the main printer go out of service
8. 13
for an extended time period.
Foreign exchange policies and procedures and company-wide training are needed to communicate
9. roles, responsibilities, dependencies and impacts. Currently, the company experiences significant 14
foreign exchange losses resulting from inconsistent intercompany activities.
The activities of initiation, matching, confirming and recording FX hedging transactions are not
10. 15
documented and performed by a single individual.
Subsidiary FX hedging best practices have not been assimilated and implemented company-wide as
11. 16
applicable.
Bank account structure and services should be documented and reviewed for improved process and
12. 16
cost savings.

Priority: Low Medium High

4 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Objectives, Scope, & Procedures Performed
Objectives

• Assess and evaluate the adequacy of applicable treasury and operational

internal controls
• Assess and evaluate the efficiency of applicable business processes
• Evaluate compliance with applicable policies and procedures
• Identify opportunities for process and internal control improvement

Scope

• Cash management
• Disbursements (focus on electronic fund transfers)
• Investments
• Foreign exchange hedging
• Bank relationship management

Summary of Procedures Performed

• Interviewed key management and personnel regarding strategy, policies and

procedures
• Reviewed documentation to support interviews
• Performed limited transaction testing to validate existing policies and
procedures utilized

5 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 General Background
Treasury Functions
• Cash management
• Bank account management
• Electronic payments
• Investments
• Foreign exchange exposure management
• Risk management (insurance)*
• Stock buyback program*
• Stock option administration*
* Not in scope of this review
6 Source: www.knowledgeleader.com
Cash Management Backgrounds
• Cash management, investment and foreign exchange
functions are performed by the treasury staff with
direction from treasurer and CFO
• Company utilizes cash management services with Bank
A
• The treasury function consists of the treasurer and four
FTEs. In addition, six credit and collections and two risk
management FTEs all report to the treasurer.
Sample Audit Report - Treasury Review
 Detailed Issues and Observations
General Controls
Issues/Observations
1. Polices and Procedures: The cash investment policy
does not address authorizations and approval limits for
investments. In addition, the foreign exchange hedging
and electronic funds transfer policies have not been
documented.
The cash investment policy has been updated and approved by
the board; however, the policy does not establish
authorizations and approval limits for investment activities
and is not supported by documented procedures defining
processes, authorities, limits and monitoring controls.
A written foreign exchange hedging policy has not been
developed. An FX hedging policy is needed which clearly
articulates management’s objectives and sets the tone for
treasury’s evolving processes and procedures in this area.
(See additional FX issues and recommendations on pages
14 – 16.)
A written electronic funds transfer policy (and supporting
procedures) has not been documented. Employees
authorized to initiate, approve, and release wire transfers
and ACH transactions, and the dollar amounts related to
their authorization levels, are not documented and
periodically compared to users’ system functionality.
Protocols for handling deviations from the use of the
company’s standard EFT request form are also needed.
Business Impact: Inconsistent understanding and application
of policies and procedures
Loss of process knowledge due to employee absence or
turnover
7 Source: www.knowledgeleader.com
Responsible Party
Management Implementation Plan
& Resolution Date
A. Develop a current and comprehensive set of • List responsible parties
treasury department policies and procedures, and
• Estimated date or
obtain appropriate approval from the board of
month/quarter of completion
directors or committee of the board.
• May include need for
Written policies for key treasury functions are extremely
immediate action or list as
beneficial and critical to optimizing controls and
completed if corrected prior
risk awareness. Policies communicate the
to report issuance
objectives and importance of key functions,
provide a framework for action consistent with the
stated objectives, and establish controls to
minimize risks. To be most effective, they should
be supported by written procedures containing
sufficient detail to efficiently transfer knowledge of
applicable processes, control activities, forms,
systems, reports and communication. Once
established and approved, appropriate policy and
procedure maintenance, re-certification, and
distribution processes should be implemented to
ensure they remain current and are accessible to
and understood by appropriate personnel.
Further, the authorization and coordination of personnel
between company and banking vendor partners,
including transaction execution and other critical
controls, is paramount to preventing unauthorized
transactions.
Sample Audit Report - Treasury Review
 Detailed Issues and Observations
Cash Management
Responsible Party
Issues/Observations Management Implementation Plan
& Resolution Date
2. Cash Forecasting: Cash forecasting is not performed A. Evaluate the potential yield, decision making • List responsible parties
because cash requirements are only calculated one day benefits, and improved matching of cash
• Estimated date or
in advance. needs/uses
month/quarter of completion
The treasury staff prepares a same-day cash position and B. Develop a process and report to compile short,
forecasts following day wire transfer settlements. In • May include need for
medium and long term forecasts
addition, accounting prepares a quarterly balance sheet immediate action or list as
and income statement forecast, which is used by treasury C. Coordinate analysis with the treasurer, CFO and completed if corrected prior
to anticipate future cash positions. CEO on strategic investing/borrowing initiatives. to report issuance
Discuss additional opportunities with bank
Currently, treasury and the CFO do not view the development of relationship personnel to determine ongoing
a formal cash forecasting model as an urgent matter. strategic analysis.
Nevertheless, short, medium and long term cash forecasts
could enable treasury to invest cash more strategically.
Business Impact: Limits ability to make strategic
investment/borrowing decisions to maximize return and limit
costs. (See item #3)

8 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Detailed Issues and Observations
Cash Management
Responsible Party
Issues/Observations Management Implementation Plan
& Resolution Date
3. Bank Accounts and Services: Effective use of control A. Company should review the benefit of • List responsible parties
disbursement accounts (CDA) and positive pay implementing CDA and confirmation payment on
• Estimated date or
services should be continuously reviewed for potential all disbursement accounts versus the cost of
month/quarter of completion
cost savings and increased efficiencies. service.
CDA services are used for the company’s A/P account; • May include need for
B. If cost-justified, eliminate the ZBA cushion when
however, they are not used for the company payroll and immediate action or list as
determining the daily cash position following
several other zero balance accounts. To compensate, a completed if corrected prior
implementation of CDA. (See issue #2)
significant “cushion” ($XX,XXXX - XX,XXX) is left in the to report issuance
Bank A concentration account to cover unforeseen check
clearings. The cushion funds are set up to sweep into an
overnight money market fund, and although the foregone
interest income currently does not justify the cost of CDA
services, this situation could change and should be
monitored.
Confirmation payment is used exclusively on the main A/P
account. Confirmation payment should be considered for all
check disbursement accounts as it protects the company
from unauthorized payments clearings, including fraudulent
items and altered amounts on valid checks, and is generally
low cost.
Business Impact: Increased fraud exposure

Decreased ability to fund disbursements exactly

Inefficient use of cash

9 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Detailed Issues and Observations
Disbursements
Responsible Party
Issues/Observations Management Implementation Plan
& Resolution Date
4. Electronic Payments: Low volumes of payables are A. Establish ACH as the preferred method of • List responsible parties
executed using electronic payments, specifically ACH, payment.
• Estimated date or
in place of checks and wires.
month/quarter of completion
Organizations are strategically migrating towards electronic
payments, specifically ACH, from checks and wires in order • May include need for
to reduce processing and bank costs. immediate action or list as
completed if corrected prior
On average, the company processes approximately X,XXX to report issuance
checks, XXX wire transfers and XX – XX ACH transactions
per month. There is approximately a $10 savings for
utilizing ACH instead of a wire transfer and nearly $XX
savings when using ACH in place of traditional checks.
Assuming half of the wire transfers and checks could be
converted to ACH transactions, the cost savings in service
fees per year could be around $XX,XXX per year.
In addition to the cost savings, ACH payments simplify the
payment and reconciliation processes and minimize
exposure to fraud.
Routine repetitive transactions are primary targets for
conversion to ACH pre-approved transaction processing.
Business Impact: Substantial unnecessary bank fees

Time and labor cost associated with check processing

(authorizations, reconciliation)

Increased fraud exposure

10 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Detailed Issues and Observations
Disbursements
Responsible Party
Issues/Observations Management Implementation Plan
& Resolution Date
5. Standard Form Templates: The use of non-standard A. Develop formal procedure to pre-screen and • List responsible parties
electronic funds transfer forms should be limited for approve non-standard templates on a limited basis.
• Estimated date or
exceptions.
B. Enforce use of approved templates and ensure all month/quarter of completion
Company has a standard wire request form, but treasury also business unit requesting parties are notified,
processes wire transfer requests documented on non- • May include need for
trained and managed for policy and procedure
standard forms. The use of non-standard forms increases immediate action or list as
compliance.
the chance for detail oversight or manual error in approving completed if corrected prior
and executing requests and should be limited to approved C. Verify that OFAC compliance procedures are to report issuance
exceptions. operating effectively and determine if modifications
to treasury processes impact compliance efforts.
Business Impact: Inefficient use of time due to researching
proper requestors and approvals or seeking missing
information
Increased chance of fraud or OFAC compliance issues too

6. Repetitive Wires: The wire transfer/ACH repetitive A. Segregate the authority to approve payment • List responsible parties
template setup and change approval process should be instructions, including instructions to set-up and
• Estimated date or
segregated. change repetitive wire/ACH templates, from the
month/quarter of completion
authority to approve and send wires or ACH
The senior treasurer initiates instructions to setup or change
transactions. • May include need for
repetitive wire transfer/ACH templates (e.g., hedging
immediate action or list as
settlements, investment settlements) and is typically the B. Develop and maintain a segregation of duties
completed if corrected prior
person who approves transactions using the repetitive matrix that details authority, initiation, approval,
to report issuance
templates. Repetitive wire/ACH templates should be execution, recording and release duties, including
approved independently of the person who approves and manual and system processing (access/application
releases outgoing wires using the templates. functions).
Business Impact: Improper segregation of duties that could
lead to inappropriate activities
Increased fraudulent exposure

11 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Detailed Issues and Observations
Disbursements
Responsible Party
Issues/Observations Management Implementation Plan
& Resolution Date
7. Disbursement Procedures and Signature Lists: A list of A. Develop and maintain written procedures and a • List responsible parties
specimen signatures and approval limits is not specimen signature list of authorized approvals for
• Estimated date or
maintained in treasury to verify proper authorization of use in the disbursement request verification
month/quarter of completion
wire transfer, ACH and special check requests. Overall, process.
disbursement procedures are not documented. Checks • May include need for
B. Develop training and communication of updated
held overnight for pickup are not adequately immediate action or list as
procedures to ensure personnel understand and
safeguarded. completed if corrected prior
comply with procedures.
Disbursement procedures are established, but they are not to report issuance
documented. Documented procedures outlining acceptable C. Store “held for pickup” checks in a more restricted
payment request practices (e.g., forms, information and and secure area.
approvals) should be developed. The procedures should D. Verify that authority and related segregation of
include verification standards and require usage of current duties controls are in place to minimize
approval authority lists, containing printed names, limits and opportunities for fraud.
specimen signatures of people from whom treasury can
accept wire transfer, ACH and special check requests.
Check issuance and related procedures should address
balancing (e.g., issued checks to source files or
documents), mailing, special handling, safeguarding check
stock and signed checks held overnight, voids, stop pays,
and positive pay exception items. For example, signed
checks designated as “held for pickup” are kept in a locked
drawer in the corporate receptionist area. These checks
should be stored overnight in a locked facility that is located
in a more secure area.
Business Impact: Inconsistent understanding and application
of policies and procedures
Loss of process knowledge due to employee turnover
Increased fraudulent exposure and unauthorized transactions

12 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Detailed Issues and Observations
Disbursements
Responsible Party
Issues/Observations Management Implementation Plan
& Resolution Date
8. Contingency Planning: A contingency plan is not in A. Develop a contingency plan to efficiently produce • List responsible parties
place to generate signed checks should the main and sign checks in the event the main printer is out
• Estimated date or
printer go out of service for an extended time period. of service.
month/quarter of completion
Company has one specially configured printer connected to B. Establish adequate chain-of-command signing
Oracle, which treasury uses to create around 1200 signed • May include need for
authorities and dual signature release procedures
checks per week from blank paper stock. A backup printer immediate action or list as
to ensure contingency plans prepare for check-
or contingency plan is not in place to avoid disruption of completed if corrected prior
signer absence.
vendor check payments if the existing printer malfunctions to report issuance
for an extended period of time.
Business Impact: Payment delays and strained vendor
relations
Inefficiencies
Increased costs to use alternate payment methods (e.g., wires)
Some state laws require terminated employee payment
requirements that may include penalties for noncompliance
in the event of automated check processing problems

13 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Detailed Issues and Observations
Foreign Exchange
Issues/Observations
9. FX Policies and Procedures: Foreign exchange policies
and procedures and company-wide training are needed
to communicate roles, responsibilities, dependencies
and impacts. Currently, the company experiences
significant foreign exchange losses resulting from
inconsistent intercompany activities.
A company-wide foreign exchange policy has not been
developed and distributed to appropriate corporate and
subsidiary level personnel. A written FX policy is needed
which clearly states the rationale and implications of non-
compliance with the policy and includes examples of
accepted and prohibited foreign exchange activities at all
levels (e.g., subsidiary, corporate). At a minimum, these
examples should include intercompany, transaction and
translation activities. The intercompany section should
clearly stipulate that intercompany transactions are to be
denominated in the same currency between entities and
provide guidance on steps to perform to ensure that
intercompany transactions net to zero by currency at all
times. Currently, the company experiences significant
foreign exchange losses resulting from inconsistent
intercompany activities.
A company-wide FX policy and training is imperative because
inconsistent processes are resulting in unpredictable gains
and losses for the company.
Business Impact: Unpredictable FX gains and losses
Inability to achieve financial plan
14 Source: www.knowledgeleader.com
Responsible Party
Management Implementation Plan
& Resolution Date
A. Develop FX policies and procedures, which outline • List responsible parties
the company’s hedging strategy and objectives
• Estimated date or
and offer sufficient guidance for users to
month/quarter of completion
understand and comply with the policies.
• May include need for
B. Conduct company-wide FX hedging and
immediate action or list as
accounting training to ensure all affected personnel
completed if corrected prior
understand their roles, responsibilities, activities
to report issuance
and interdependencies.
C. Monitor compliance and conduct additional
targeted training, as situation dictates.
D. Evaluate the use of incorporating a program of
foreign cash forecasting (see # 2) and delayed
repatriation/pooling of foreign currency or foreign
bank pooling to offset FX currency requirements.
Sample Audit Report - Treasury Review
 Detailed Issues and Observations
Foreign Exchange
Responsible Party
Issues/Observations Management Implementation Plan
& Resolution Date
10. FX Process Segregation of Duties: The activities of A. Document specific duties of each employee • List responsible parties
initiation, matching, confirming and recording FX involved in hedging activities.
• Estimated date or
hedging transactions are not documented and are
B. Ensure that the initiation, matching and month/quarter of completion
performed by a single individual.
confirmation/settlement activities are performed by
One treasury analyst performs the entire process of executing • May include need for
different personnel.
FX hedging transactions, matching trades and settling immediate action or list as
hedged positions. This same employee proposes journal C. Assign key back-up personnel to assist in hedging completed if corrected prior
entries to record hedging gains and losses and prepares FX process, as well as create a plan of action in to report issuance
hedging analysis reports for management. Over- absence of key personnel.
concentration of duties reduces control effectiveness and
could lead to performance issues if the person leaves or is
absent for an extended period of time. FX hedging process
backup personnel should be identified to help alleviate
some segregation of duties issues. These duties should be
documented per a formal company policy.
Business Impact: Improper segregation of duties that could
lead to inappropriate activities
Increased fraudulent exposure
Possible forfeiture of hedging opportunities should key
personnel be absent

15 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Detailed Issues and Observations
Foreign Exchange
Responsible Party
Issues/Observations Management Implementation Plan
& Resolution Date
11. FX Hedging Best Practices: Subsidiary FX hedging best A. Analyze current subsidiary performance to identify • List responsible parties
practices should be assimilated and implemented best practices.
• Estimated date or
company-wide, as applicable.
B. Develop benchmark or diagnostic tool. month/quarter of completion
Certain company subsidiaries consistently perform well in the
area of managing foreign exchange hedging gains and C. Implement best practices to applicable • May include need for
losses. A process should be developed to routinely collect subsidiaries. immediate action or list as
information regarding what the well-performing subsidiaries, completed if corrected prior
such as Japan, are doing. The “best practices” should be to report issuance
incorporated into a benchmark or diagnostic tool and used
to improve the foreign exchange hedging performance of all
company subsidiaries.
Business Impact: Decreased losses resulting from improved
subsidiary foreign exchange performance.

12. Bank Account Structure: Bank account structure and A. Establish a formal procedure for regularly • List responsible parties
services should be documented and reviewed for evaluating bank accounts and service fees to
• Estimated date or
improved process and cost savings. determine whether the accounts are still necessary
month/quarter of completion
or the fees can be negotiated lower. Inactive
Although company enforces centralized control over bank
accounts should be closed in order to reduce • May include need for
accounts, treasury does not document and periodically
banking fees and internal costs. immediate action or list as
review the bank structure and services. The number of bank
completed if corrected prior
accounts should be evaluated regularly in order to
to report issuance
continuously improve the control and management of cash.
Additionally, each account requires overhead in the form of
bank costs, funding costs, and costs to reconcile and
monitor.
Business Impact: Increased risk of fraudulent activities
Increased bank cost
Duplication of bank services
Loss of control
Inefficient cash management
16 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review
 Appendix I: Internal Control Assessment
The matrix below and on the following pages lists process controls that should be present within a well controlled business
environment. An evaluation of the company’s process is noted in each instance. Controls were evaluated as follows:

Good Controls – controls are present to mitigate process/business risk, and are operating effectively and efficiently.
 Moderate Controls – controls are present to mitigate most process/business risk, but management should evaluate opportunities to
enhance existing controls.
 Limited Controls – Existing controls may not mitigate process/business risk, and management should consider implementing a stronger
control structure.

Where possible improvement can be made in the control structure, a reference has been made to the Issues and
Observations sections, where management’s change implementation plan is described along with the responsible party and
estimated implementation timing.

Manage Cash Flow Evaluation Issue Reference

Ensure all debt and investment transactions are accurately processed and recorded on a
1.  #8
timely basis.

Ensure investing, borrowing, disbursement and other financial transactions are properly
2.  # 5, 7, 10
authorized.

Maintain lines of credit that are adequate to meet recurring and unexpected funding
3.
requirements.

4. Protect the integrity of systems, databases and records. 

5. Safeguard cash, investments and other financial assets and segregate duties.  #10

17 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review

 Appendix I: Internal Control Assessment (Continued)
Manage Financial Risk Evaluation Issue Reference

Management segregates incompatible duties and protects integrity of application

1.  #10
systems, key records and documents used to process transactions.

2. Risk management activity and derivatives transactions are properly authorized  #11

3. All foreign exposure transactions are accurately processed and reported.

4. Exposures are frequently measured and evaluated. 

5. A process for financial risk monitoring and control exists. 

Good Controls  Moderate Controls  Limited Controls

18 Source: www.knowledgeleader.com Sample Audit Report - Treasury Review