INTERNAL CONTROL SYSTEM

Presentation on theme: "INTERNAL CONTROL SYSTEM"— Presentation transcript:

1 INTERNAL CONTROL SYSTEM
Prepared by CA Vinay Sehgal

2 What Are Internal Controls?

3 Simple Definition
Internal control is what we do to see that the things we want to happen will happen ... and the things we don't want to happen won't happen.

4 Internal Controls Are Common Sense
What do you worry about going wrong? What steps have been taken to ensure it doesn't? How do you know things are under control?

5 You exercise internal control principles in your personal life when you:
- Lock up valuable belongings
- Keep copies of your tax returns
- Balance your checkbook
- Keep your ATM/debit card PIN separate from your card
- Make travel plans

6 Meaning of Internal Control
Internal Control is a process designed to provide reasonable assurance regarding the achievement of objectives in relation to the following:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
(Diagram: Operations covers effectiveness, efficiency and safeguarding of assets; Reporting covers reliability, timeliness and transparency; Compliance covers conformity with the regulatory environment.)

7 Identifying Key Controls
Risk of Weak Internal Control
- Financial misstatements
- Business loss
- Loss of funds or materials
- Incorrect or untimely management information
- Fraud or collusion
- Tarnished reputation with the public
- Program sustainability compromised
- Missed goals

8 Identifying Key Controls
Determining Where Controls Are Needed
First, you must document the process! Pick a method that suits the process: flowchart or narrative.
- Identify the process owner and activity owners
- Identify the key inputs, activities, outputs, and risk points
- Identify policies that impact the process
- Identify standards that may specify mandatory controls

9 Identifying Key Controls
Identifying Key Control Activities
- Identify and document all controls associated with key processes
- Identify the characteristics of controls that, when functioning as intended, would give the evaluator a 'level of comfort' to conclude that the control is effective with respect to a given risk
- Consider control effectiveness by focusing on:
  - Directness and clarity of the control technique
  - Frequency with which the control technique is applied
  - Experience of personnel performing the control
  - Procedures followed when a control identifies an exception condition

10 Identifying Key Controls
Understanding Control Design
Good controls are: focused, integrated, accurate, simple, accepted, cost effective. In more detail, good controls are:
- Focused on critical points of operations
- Integrated into established processes (they should not be burdensome but part of the actual process)
- Accurate, in that they provide factual information that is useful, reliable, valid, and consistent
- Simple and easy to understand
- Accepted by employees
- Cost effective; controls should not cost more than the risks they mitigate

12 Why are Internal Controls Important?
- Compliance with applicable laws and regulations
- Accomplishment of the entity's mission
- Relevant and reliable financial reporting
- Effective and efficient operations
- Safeguarding of assets

13 Components of Internal Control

14 Updated COSO (Committee of Sponsoring Organizations) Framework
The COSO "cube": 5 integrated components, along the 3 main objectives, at all levels of the organization.

15 COSO cube – 5 Integrated Components
1. Control Environment
- The set of standards, processes, and structures that provide the basis for carrying out internal control
- Comprises the integrity and ethical values of the organization
- The Board and Senior Management (and you!) establish tone at the top, establish expected standards of conduct and reinforce expectations
- These parameters enable the Board to carry out its governance oversight responsibilities

The first component of the internal control framework is the Control Environment, a set of standards, processes, and structures that provide the basis for carrying out internal control. The control environment comprises the integrity and ethical values of an organization, as well as:
- Management's philosophy and operating style
- Organizational structure
- How management assigns authority and responsibility (both along functional and administrative reporting lines)
- The competence of the entity's people
- Personnel development (including training and support)

As part of the control environment, the board of trustees and senior management must establish tone at the top. What exactly is tone at the top? One definition is: a visible willingness by senior management to let values drive decisions, to prioritize those values above other factors, including financial results, and to expect all others in the organization to do the same. This tone helps to establish expected standards of conduct and reinforce expectations of employees. This, in turn, establishes parameters that enable the Board to carry out its governance oversight responsibilities.

For example, North Carolina General Statute 138A is the State Government Ethics Act. This, arguably, helps set a tone at the top for the State, setting expectations for state employees and others acting in service to the state, and also allowing the state to address any violations of these standards.
As another example, University Policy 804, Standards of Ethical Conduct, was approved in October of 2013 and sets forth UNC Charlotte's commitment to ethical, legal, and professional behavior for all members of the University community. In the same way, all leaders at the University are responsible for setting the tone at the top of their departments and units. This "tone" should match that set by senior management but can be tailored to the specific needs of business units.

16 COSO cube – 5 Integrated Components
Control Environment for Financial Reporting This is one diagram depicting the control environment as it relates to financial reporting. As you can see, the control environment serves as an umbrella for the entity’s internal control framework. Good internal controls will not be effective without a sound control environment. Or another way to look at it is, a really good control environment is the foundation for really good internal controls. If you could truly inculcate a culture where no theft occurred, would you even need locks on the doors?

17 COSO cube – 5 Integrated Components
The Control Environment should ensure controls are in place, covering areas such as:
- Hiring practices
- Training programs
- Whistleblower policies
- Code of Ethics
- Clear lines of responsibility and authority
As part of our regular business processes, we should continually monitor and update the Control Environment for dynamic changes.

As we said, the board and senior management are in charge of setting the stage for the entity-wide control environment. However, departmental managers should establish departmental policies as necessary in light of their unique objectives and risk factors in the absence of any central policies. Listed above are some specific areas that the control environment should cover. In addition, as part of your regular business processes, you should continually monitor and update your Control Environment for dynamic changes.

18 COSO cube – 5 Integrated Components
Difference between Compliance v. Integrity Strategy: A ‘Compliance Strategy’ tries to prevent violations of regulations and self-interested behavior by employees by imposing standards of conduct that are intended to compel acceptable behavior. An ‘Integrity Strategy’ seeks to create conditions that support right action by communicating the values and vision of the organization, aligning the standards of employees with those of the organization, and relying on the whole management team, not just lawyers and compliance officers. One other thing to keep in mind when designing your control environment is the difference between a compliance v. an integrity strategy: A Compliance Strategy tries to prevent violations of regulations and self-interested behavior by employees by imposing standards of conduct that are intended to compel acceptable behavior. A compliance strategy relies more on lawyers and compliance officers. An ‘integrity strategy’ seeks to create conditions that support right action by communicating the values and vision of the organization, aligning the standards of employees with those of the organization, and relying on the whole management team, not just lawyers and compliance officers. So, in summary, a compliance strategy focuses more on preventing wrong while an integrity strategy focuses more on fostering right. Sometimes a combination of both may be warranted.

19 COSO cube – 5 Integrated Components
The Control Environment should be documented:
- Process documentation/controls: determine the extent of existing documentation and leverage it; create new documentation if none exists; update for changes in operations
- Types of documentation that can be used: process narratives, organizational charts, flowcharts, questionnaires, memorandums, checklists

Finally, in order for the control environment to be effective, it must be documented. The first step in ensuring proper internal control is to ensure business processes are properly identified and documented. Types of documentation that can be used include process narratives, organizational charts, flowcharts, questionnaires, memorandums, and checklists.

20 COSO cube – 5 Integrated Components
2. Risk Assessment
- Involves a dynamic and iterative process for identifying and assessing risks
- Risk: the possibility that an event will occur and adversely affect the achievement of objectives
- The Board and Senior Management (and you!) establish objectives linked at different levels of the entity
- Must take a holistic approach: look at the full organization
- Apply internal control to achieve multiple objectives
- Prevent domino effects, e.g., a weakness in financial reporting that jeopardizes operations
- Establish risk tolerances
- Increasingly important when resources are constrained

The second component of the internal control framework is Risk Assessment, which involves a dynamic and iterative process for identifying and assessing risks. A Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risks can be introduced by changes, for instance new leaders and managers, new markets and products, growth, and emerging technologies. One way to categorize risk is along 4 key risk areas:
- Strategic, including political risk, talent and succession planning risk, and risk from dependencies on other organizations
- Financial, including the risk of audit findings and other things that would undermine reporting integrity
- Compliance, including fraud and non-compliance with fair employment practices
- Operational, including the risk that programs fail to meet their objectives, natural disasters, and lack of technology availability

The board of trustees and senior management must establish objectives linked at different levels of the entity, as we've already discussed, and then determine the risks to those objectives. By taking a holistic view of the organization's objectives, management should then be able to apply internal control to achieve multiple objectives and prevent domino effects, for example, a weakness in financial reporting that jeopardizes ongoing operations.
Risk assessment is especially important when resources are constrained, since it allows for a more strategic use of resources.

21 COSO cube – 5 Integrated Components
Risk Management A process applied in a strategic setting and across the entity, designed to identify and manage risks to stay within risk appetite/tolerance level, to provide reasonable assurance about achieving entity goals and objectives. Risk Assessment An element of internal control within the risk management process that enables management to identify and assess key risks to achieving its objectives; this forms the basis on which control activities are determined. One thing to note is the difference between risk management and risk assessment. Risk Management is A process applied in a strategic setting and across the entity, designed to identify and manage risks to stay within a risk appetite or tolerance level, to provide reasonable assurance about achieving entity goals and objectives. Risk Assessment is An element of internal control within the risk management process that enables management to identify and assess key risks to achieving its objectives; this assessment forms the basis on which control activities are determined.

22 COSO cube – 5 Integrated Components
Risk assessment should occur at the business process level as well as the entity level.
Process-level Risk Assessment (grading filter: Low / Medium / High) on four primary factors:
1. Materiality of the amounts: large dollars per transaction; high volume of transactions; significant impact on key ratios or disclosures
2. Complexity of the process: limited internal skills; multiple data handoffs; highly technical in nature
3. History of accounting adjustments: accounting errors; valuation adjustments, etc.
4. Propensity for change in business processes or controls, or in the related accounting

As we've noted, risk assessment should occur at the business process level as well as the entity level. Once you have identified your objectives, apply these four risk assessment factors: materiality of the amounts in question, complexity of the process, history of accounting adjustments, and propensity for change in the processes or controls. This should help us to assess risk for the process in question in terms of likelihood and impact.
Internal considerations to assess risk:
- Use of qualitative/quantitative methods
- Change in management responsibilities
- Weak or unresponsive tone at the top
- Human capital: quality of personnel hired/retained
- Employee sabotage
- System security weaknesses
- Rapid growth
- Changes in processes or access to assets
External considerations:
- Technological advancements (more tools available, and the existing tools we use becoming outdated)
- Changing/evolving client/constituent needs or expectations
- Changing legislative requirements and new laws/regulations
- Decentralized organization operations
- Natural disasters
- Impact of program, political, and economic changes

23 COSO cube – 5 Integrated Components
Risk Strategies
- Avoidance: do not proceed!
- Mitigation: improve controls to reduce likelihood/impact
- Transfer: shift responsibility to an external party
- Acceptance: accept the risk!
- Creation: seek risk activities strategically to maximize opportunities

Once a risk assessment is completed, and the impact and likelihood are determined, we can then determine which strategy to choose to deal with the risk. The first is avoidance, which means that the process in question would not be pursued. This would be a likely option to choose if the risk likelihood was found to be very high and the impact to be catastrophic, in other words, risks that fall within the red area of the risk tolerance map we just looked at. The second strategy is mitigation, where we would improve controls to reduce the likelihood and impact of the risk. This is where many control activities will be done. The third strategy is transfer, where responsibility is shifted to an external party. Another strategy is acceptance, where the organization simply accepts the risk. This would make sense if the risk likelihood was found to be remote and the impact to be marginal. In general, we should accept risks only if they fall in the green area of the risk tolerance map. The final strategy listed is creation, where risk activities are strategically sought to maximize opportunities. These types of decisions should lie with senior management only. We must be cautious when choosing these strategies. For example, transferring too much responsibility to third parties is a risk in itself; the risk is shifted, not eliminated, and the organization remains accountable for the outcome. Transfer should only be used if it is known that the organization would introduce more risk by taking on the task itself.
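The scoring and strategy selection described above, as an added example in Python (this is not code from the presentation or from any system it mentions). The two 5-point scales, the zone thresholds that stand in for the slide's risk tolerance map (the image itself is not in the transcript), and the register entries are all assumptions. Transfer is modelled as a control that reduces impact; the creation strategy is a senior-management decision and is not modelled.

```python
"""Likelihood/impact scoring and selection of a risk strategy.

Added example; not from the presentation. The scales, zone thresholds and
register entries are assumptions chosen to illustrate the slide.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"marginal": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


def zone(likelihood, impact):
    """Assumed tolerance map on the product of the two 1..5 scores."""
    score = likelihood * impact
    if score >= 15:
        return "red"
    if score >= 6:
        return "amber"
    return "green"


@dataclass
class Control:
    name: str
    likelihood_steps: int = 0   # scale points the control removes from likelihood
    impact_steps: int = 0       # scale points the control removes from impact


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self):
        return LIKELIHOOD[self.likelihood], IMPACT[self.impact]

    def residual(self):
        """Scores after the listed controls; neither scale drops below 1."""
        like, imp = self.inherent()
        for c in self.controls:
            like = max(1, like - c.likelihood_steps)
            imp = max(1, imp - c.impact_steps)
        return like, imp


def recommend(risk):
    """Strategy from the residual zone: green accept, amber mitigate, red avoid."""
    residual_zone = zone(*risk.residual())
    if residual_zone == "green":
        return "accept"
    if residual_zone == "amber":
        return "mitigate"
    return "avoid"


def register_report(risks):
    """(name, inherent zone, residual zone, strategy) for each register entry."""
    return [(r.name, zone(*r.inherent()), zone(*r.residual()), recommend(r))
            for r in risks]


# Constructed register entries (assumed, for illustration only).
REGISTER = [
    Risk("Unauthorized purchase order", "likely", "major",
         [Control("Approval required above a threshold", likelihood_steps=2, impact_steps=1)]),
    Risk("Sole-source vendor fails", "possible", "catastrophic"),
    Risk("Petty cash shortage", "unlikely", "marginal"),
    Risk("Server room flood", "unlikely", "major",
         [Control("Insurance policy (transfer)", impact_steps=2)]),
]

if __name__ == "__main__":
    for row in register_report(REGISTER):
        print(row)
```

The first entry shows the usual case: the approval control moves the risk from red to amber, so further mitigation is still warranted rather than acceptance; the last shows a transfer bringing a risk into the green zone, which is the only zone in which the slide allows acceptance.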

24 COSO cube – 5 Integrated Components
3. Control Activities
- The actions established through policies and procedures that help ensure management's directives to mitigate risks are carried out
- Performed at all levels within the entity
- Types: preventive, detective and corrective; compensating; manual and automated
- Examples: approvals and authorizations; embedded verifications; reconciliations; independent reviews; asset security; segregation of duties

The third component of the internal control framework is Control Activities, which are the actions established through policies and procedures that help ensure management's directives to mitigate risks are carried out. These activities are performed at all levels of the entity. There are certain types of control activities, including preventive, detective, and corrective; compensating; and manual and automated. We will go over the difference between these control types. Control activities are exactly what they sound like: the activity part of the internal control framework. While the control environment and risk assessment set the stage for good controls, the control activities are where the meat of the control work is done. Examples of control activities include approvals and authorizations, embedded verifications, reconciliations, independent reviews, asset security, and segregation of duties.

25 COSO cube – 5 Integrated Components
Preventive Control: prevents the occurrence of a negative event in a proactive manner. Examples:
- Approval for purchases > 50,000
- Passwords for access to Banner
- Petty cash held in a lockbox
- Security and surveillance systems
- Pre-numbered checks
Detective Control: detects the occurrence of a negative event after the fact, in a reactive manner. Examples:
- Supervisor review and approval
- Report run showing user activity
- Reconcile petty cash
- Physical inventory count
- Review of missing/voided checks

The first way we can categorize control activities is between preventive and detective controls. Preventive Controls prevent the occurrence of a negative event in a proactive manner. Examples here at UNC Charlotte include: approval required for purchases greater than $5,000; passwords required for access to Banner; petty cash that must be held in a lockbox; security and surveillance systems in high-risk areas; and pre-numbered checks. Detective Controls detect the occurrence of a negative event after the fact, in a reactive manner: supervisor review and approval; reports that are run showing user activity; reconciliation of petty cash; annual physical inventory counts; and review of missing and voided checks. Preventive controls are stronger than detective controls. It is more effective and less costly to prevent something from happening rather than to attack it on the back end; sometimes it is hard to stop something that is already in motion, similar to a snowball effect. This chart also shows corrective controls, but really I would deem these more as corrective 'actions', since the correction isn't really a control itself.

26 COSO cube – 5 Integrated Components
Control Activities: compensating controls
- If a weakness or limitation exists within the control environment, a compensating control may be relied upon to mitigate the risk
- Can be preventive or detective
- Example: a unit does not have the staff resources to establish an adequate segregation of duties. Potential compensating controls could include: automation of certain transaction data that cannot be altered by the staff; manager review of detailed summary reports of the transactions initiated by the staff; peer staff and/or manager selects a sample of transactions and vouches back to supporting documentation

There are also compensating controls, which may be relied upon to mitigate existing risks if a control activity that should otherwise be in place is not in place. Compensating controls can be either preventive or detective. One common scenario is when a department or unit does not have the staff resources to establish an adequate segregation of duties. Potential compensating controls could include: automation of certain transaction data that then cannot be altered by the staff, that is, removing humans from the process altogether; manager review of detailed summary reports of the transactions initiated by the staff. So, if one staff member is a requester in 49er Mart, and her supervisor is the approver, then the overall manager of that area should, on a periodic basis, say monthly, separately review summary reports of these transactions. Another option would be for peer staff and/or a manager, someone separate from the personnel involved with making the transaction, to select a sample of transactions and vouch back to supporting documentation. In all these ways, we are compensating for the fact that the advisable control activity, segregation of duties, is not possible with current resources.
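The detective compensating controls just described (the exception report, the manager's summary report, and sample selection with vouching to supporting documents) as an added Python example. This is not code from the presentation or from 49er Mart or Banner; the transaction records, the approver authority table, the supporting-document index and the 5,000 approval threshold are all constructed assumptions.

```python
"""Detective compensating controls where segregation of duties is not possible.

Added example; not from the presentation. All data below is constructed.
"""
from collections import defaultdict

# Constructed purchase transactions: (id, requester, approver or None, amount).
TRANSACTIONS = [
    ("PO-1001", "alice", "bob", 1200.00),
    ("PO-1002", "alice", "alice", 4800.00),  # requester approved her own order
    ("PO-1003", "carol", "bob", 7500.00),    # above bob's approval limit
    ("PO-1004", "carol", None, 300.00),      # below threshold, no approval needed
    ("PO-1005", "dave", "erin", 9900.00),
    ("PO-1006", "alice", "bob", 2100.00),
    ("PO-1007", "dave", None, 6000.00),      # above threshold but never approved
]

APPROVAL_THRESHOLD = 5000.00                                            # assumed policy
APPROVER_LIMITS = {"alice": 5000.00, "bob": 5000.00, "erin": 25000.00}  # assumed authority table
# Assumed index of supporting documents (invoices/receipts) per transaction.
SUPPORTING_DOCS = {
    "PO-1001": ["INV-551"], "PO-1002": ["INV-552"], "PO-1003": ["INV-553"],
    "PO-1004": ["RCPT-04"], "PO-1005": [], "PO-1006": ["INV-556"], "PO-1007": ["INV-557"],
}


def exceptions(transactions):
    """Detective control: every transaction that breaks an approval rule."""
    found = []
    for tid, requester, approver, amount in transactions:
        if approver is None:
            if amount > APPROVAL_THRESHOLD:
                found.append((tid, "missing approval above threshold"))
            continue
        if approver == requester:
            found.append((tid, "requester approved own transaction"))
        limit = APPROVER_LIMITS.get(approver)
        if limit is None:
            found.append((tid, "approver not authorized"))
        elif amount > limit:
            found.append((tid, "amount exceeds approver limit"))
    return found


def summary_by_requester(transactions):
    """Periodic summary report for the independent manager review."""
    totals = defaultdict(lambda: {"count": 0, "amount": 0.0})
    for _, requester, _, amount in transactions:
        totals[requester]["count"] += 1
        totals[requester]["amount"] += amount
    return dict(totals)


def select_sample(transactions, interval, start):
    """Systematic sample: every `interval`-th id after sorting, from `start`.

    Sorting makes the selection reproducible by a later reviewer; the start
    offset should be chosen by someone independent of transaction processing.
    """
    ordered = sorted(t[0] for t in transactions)
    return ordered[start::interval]


def vouch(sample_ids, docs):
    """Vouch sampled transactions back to supporting documentation.

    Returns the ids for which no supporting document exists.
    """
    return [tid for tid in sample_ids if not docs.get(tid)]


if __name__ == "__main__":
    print(exceptions(TRANSACTIONS))
    print(summary_by_requester(TRANSACTIONS))
    sample = select_sample(TRANSACTIONS, 3, 1)
    print(sample, vouch(sample, SUPPORTING_DOCS))
```

Each function corresponds to one compensating control, and the separation matters: the exception report runs over every transaction, the summary gives the manager the monthly picture the slide describes, and the sample is drawn by a documented, repeatable rule so that a reviewer can re-perform it.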

27 COSO cube – 5 Integrated Components
Control Activities: manual vs. automated
Manual Control: requires action to be taken by employees, e.g., obtain supervisor's approval for overtime; reconcile bank accounts; match receiving to POs.
Automated Control: built into network infrastructure and software applications, e.g., passwords; data entry validation checks; batch controls.

The final category of controls we'll go over is manual v. automated controls. Manual controls require action to be taken by employees. Examples include obtaining a supervisor's approval for overtime, reconciling bank accounts, and matching receiving to purchase orders. Automated controls are built into the network infrastructure and software applications. Examples include passwords, data entry validation checks, and batch controls. Automated controls are generally more reliable and cost effective than manual controls because they run the same way every time; they are, however, only as trustworthy as the access and change controls over the system that runs them, so those general IT controls should be tested alongside the automated control itself.
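Two of the automated controls listed above, data entry validation and batch controls, as an added Python example. This is not code from the presentation or from any system it names; the batch layout (a header carrying the expected record count and hash total, followed by detail records), the field rules and both sample batches are constructed assumptions.

```python
"""Automated controls: data entry validation and batch control totals.

Added example; not from the presentation. Batch layout and rules are assumed.
"""
import re
from decimal import Decimal, InvalidOperation

ID_RE = re.compile(r"^PO-\d{4}$")
USER_RE = re.compile(r"^[a-z][a-z0-9]{2,15}$")

# Constructed batch: header "H,<record count>,<hash total>" then detail lines.
BATCH = """\
H,3,9000.00
D,PO-2001,alice,1500.00
D,PO-2002,bob,2500.00
D,PO-2003,carol,5000.00
"""

# Constructed tampered batch: one amount changed and one id mistyped.
BAD_BATCH = """\
H,3,9000.00
D,PO-2001,alice,1500.00
D,PO-2002,bob,2900.00
D,PO-20x3,carol,5000.00
"""


def validate_record(line):
    """Data entry validation: return the problems found in one detail record."""
    parts = line.split(",")
    if len(parts) != 4 or parts[0] != "D":
        return ["malformed detail record"]
    _, po_id, user, amount = parts
    problems = []
    if not ID_RE.match(po_id):
        problems.append(f"{po_id}: bad purchase order id")
    if not USER_RE.match(user):
        problems.append(f"{po_id}: bad user id")
    try:
        value = Decimal(amount)
        if value <= 0 or value != value.quantize(Decimal("0.01")):
            problems.append(f"{po_id}: amount must be positive with two decimals")
    except InvalidOperation:
        problems.append(f"{po_id}: amount is not a number")
    return problems


def check_batch(text):
    """Batch control: verify record count and hash total against the header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    if len(header) != 3 or header[0] != "H":
        return {"ok": False, "count": 0, "total": Decimal("0"), "problems": ["missing batch header"]}
    expected_count = int(header[1])
    expected_total = Decimal(header[2])
    problems = []
    total = Decimal("0")
    seen = set()
    for line in lines[1:]:
        errs = validate_record(line)
        problems.extend(errs)
        if errs:
            continue  # an invalid record is excluded from the totals and reported
        _, po_id, _, amount = line.split(",")
        if po_id in seen:
            problems.append(f"{po_id}: duplicate record")
        seen.add(po_id)
        total += Decimal(amount)
    count = len(lines) - 1
    if count != expected_count:
        problems.append(f"record count {count} != header {expected_count}")
    if total != expected_total:
        problems.append(f"hash total {total} != header {expected_total}")
    return {"ok": not problems, "count": count, "total": total, "problems": problems}


if __name__ == "__main__":
    print(check_batch(BATCH))
    print(check_batch(BAD_BATCH))
```

The hash total is what makes the batch control detective rather than merely a count: altering a single amount between data entry and posting changes the total and is reported even though the record count still matches.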

28 COSO cube – 5 Integrated Components
4. Information and Communication Information is necessary to carry out internal control responsibilities to support achievement of objectives Communication: the continual, iterative process of providing, sharing, and obtaining necessary information Internal and external Information should be timely, accessible, and allow for successful control actions The fourth component of the internal control framework is Information and Communication. This component is pretty straightforward but is also very important in ensuring a cohesive, sustainable framework. Accurate, timely information is necessary to properly carry out internal control responsibilities in support of the achievement of an organization’s objectives. And communication is the continual, iterative process of providing, sharing, and obtaining that necessary information. Management and employees must be able to obtain information from both internal and external sources as necessary, and communication paths must be viable to both internal and external parties. Information should be timely, accessible, and allow for successful control actions. Obviously, that is a very high-level statement that is harder to do than say, but the key is to try to keep communicating the right information to the right people at the right time. Key: To communicate the right information to the right people at the right time

29 COSO cube – 5 Integrated Components
Information & Communication: things to communicate
- Initiatives, goals, changes, opportunities
- Feedback, questions, answers
- Policies, procedures, standards, expectations

Even with so many ways to communicate these days (text messaging, Twitter, Facebook, apps, the cloud, FedEx, mail, phone calls, or even face-to-face), sometimes it is difficult to find ways to communicate effectively and with impact. Just keep in mind what you are trying to communicate and to whom. Remember that more communication is not always better, but more well thought-out, directed communication is essential to all operations, including internal controls.

30 COSO cube – 5 Integrated Components
5. Monitoring Activities
- Evaluations used to ascertain whether components of internal control are present and functioning
- Ongoing evaluations: built into business processes; provide timely information
- Separate evaluations: conducted periodically; vary in scope and frequency; dependent on the assessment of risks, the effectiveness of ongoing evaluations, and other management considerations
- Findings are evaluated against relevant criteria
- Deficiencies are communicated to the Board and Senior Management
- Your organization should have a strategy for effective ongoing monitoring

The fifth and final component of the internal control framework is Monitoring. Monitoring activities are evaluations used to ascertain whether components of internal control are present and functioning. These evaluations can be split into two categories: ongoing evaluations are built into business processes and provide timely information on the underlying controls; separate evaluations are conducted periodically and vary in scope and frequency based on prior assessments of risk, the effectiveness of ongoing evaluations, and other management considerations such as resource prioritization. Separate evaluations include Internal Audit activities. In other words, when we monitor an activity, we are assessing the performance of an internal control system over a period of time, helping to validate that the internal control system is operating as expected. Any findings that result from monitoring activities should be evaluated against relevant criteria, for example, how long has the control been compromised, and how high are the risks? Deficiencies, which are more serious for the control system than ordinary findings, should be communicated to the Board and Senior Management. Monitoring also confirms that the findings of audits and other reviews are promptly resolved so that internal controls are not compromised. Monitoring should be directed at both internal and external risks to the organization, and it includes supervisory review and sign-off to help ensure proper checks and balances.

31 COSO cube – 5 Integrated Components
Testing Control Processes
- Identify: the transactions to be tested; the key controls; the applicable standards to test the transactions against (i.e., the criteria to judge compliance effectiveness)
- Determine: the appropriate type of testing; the extent of testing
- Create a test plan
- Conduct tests for effectiveness
- Document testing and results
- Assess test results
- Communicate findings and recommendations

Monitoring activities should be designed to test an adequate number of key controls to ensure an entity can make all relevant financial assertions related to significant accounts. Risk-based testing includes identification of key processes and controls and developing test procedures and sampling that are appropriate for the related risk to the organization. To test control processes, we should first identify the key controls, the transactions to be tested, and the applicable standards against which to test the transactions. We would then determine the appropriate type of testing, e.g., ongoing or separate evaluations, and the extent of testing, e.g., how often to test or the sample size needed. From there, we would create a test plan, conduct tests for effectiveness, document testing and results, assess those results, and communicate findings and recommendations to the appropriate people.

32 COSO cube – 5 Integrated Components
Monitoring/Validating Controls Deficiency in Design – A critical control is not properly designed, i.e., even if the control operates as designed, the control objective is not always met. When validating control design (determining effectiveness): Consider various factors (how control is performed, who performs the control, what data/reports used in performing control, what physical evidence is produced from the control) Work off of process narratives, flowcharts, and any other relevant material obtained and/or completed in the documentation stage Be aware that application controls are either programmed control procedures (e.g., edits, matching, reconciliation routines) or computer processes (e.g., calculations, on-line entries, automatic system interfaces). When monitoring activities have been completed, the results must then be analyzed and reported. If deficiencies in controls are found, they should be categorized as either deficiencies in design or deficiencies in operations. A deficiency in design occurs when a critical control is not properly designed; that is, even when the control operates as designed, the control objective is not always met. Remember that a critical control is one that is critical to the organization’s ability to meet its control objectives. The picture on this slide shows a train that has derailed due to a design deficiency. Per the news reports, this accident was caused by "serious deficiency" in the design of the cantilever arm and the fact that the concrete did not have adequate strength likely due to lack of its adequate curing. Thus, when validating control design (that is, determining the control’s effectiveness), we should consider various factors. In this case, how is the train usually kept from derailing, who ensures that this control is in place, and what data/reports and physical evidence were or could be used in monitoring the control? 
This information could be evaluated using process narratives, flowcharts, and any other documentation.

33 COSO cube – 5 Integrated Components
Monitoring/Validating Controls
Deficiency in Operation: a properly designed control does not operate as intended, or the person performing the control does not possess the necessary authority or qualification to perform the control effectively.

The other type of control deficiency is a deficiency in operation. These occur when a properly designed control does not operate as intended, or when the person performing the control does not possess the necessary authority or qualification to perform the control effectively. The picture on this slide shows a clip from the movie Gravity, where Sandra Bullock plays an astronaut who is stranded in space. Here, she is in a foreign space station where, even though the controls have likely been properly designed, the astronaut does not possess the necessary qualifications to operate them effectively. Testing for operating effectiveness (down here on Earth) can include reviews of supporting documentation for proper authorization, reviews of the results of periodic reconciliations, and reviews of policies and procedures to determine if they are being followed. All of these reviews can be performed on a sample basis, using appropriate sampling techniques as necessary.

34 COSO cube – 5 Integrated Components
Monitoring/Validating Controls
Documentation should be maintained for:
- The evaluation of internal control at the entity and process levels
- What testing has been performed
- Identified deficiencies
Documentation must contain sufficient information to:
- Identify who performed the work and when
- Enable understanding of the nature, timing, extent, and results of the procedures performed
- Enable understanding of the evidence obtained
- Support the conclusions reached

Finally, when monitoring and validating controls, the key items listed above should be documented, and the documentation must be sufficient to show who did the work and when, what was done, what evidence was obtained, and how that evidence supports the conclusions. Remember that documentation is key to both establishing controls and monitoring them. Without clear documentation, controls become uncontrollable!

35 The Importance of Internal Control
and Risk Management
Sound internal control and risk management supplement entrepreneurship; they do not replace it. The role of internal control is to manage risk rather than to eliminate it. It is important that risk management and control are not seen as a burden on business, but rather as the means by which business opportunities are maximized and the potential losses associated with unwanted events are reduced. Internal control is one of the principal means by which risk is managed. Other devices used to manage risk include the transfer of risk to third parties, sharing risks, contingency planning and withdrawal from unacceptably risky activities.

36 The Importance of Internal Control
and Risk Management
A successful system of internal control must be responsive to change, enabling the company to adapt more quickly than its competitors. Effective risk management and internal control therefore rely on a regular evaluation of the nature and extent of risks.

37 Implementing Internal Control
and Risk Management
Framework & Scope of Internal Control
Internal control is fundamental to the successful operation and day-to-day running of a business, and it assists the company in achieving its business objectives. The scope of internal control is very broad. It encompasses all controls incorporated into the strategic, governance and management processes, covering the company’s entire range of activities and operations, and not just those directly related to financial operations and reporting. Its scope is not confined to those aspects of a business that could broadly be defined as compliance matters, but extends also to the performance aspects of a business.
Internal controls need to be responsive to the specific nature and needs of the business. Hence, they should reflect sound business practice, remain relevant over time in a continuously evolving business environment and enable the company to respond to the specific needs of its business or industry.

38 Implementing Internal Control
and Risk Management
Framework & Scope of Internal Control
Control should not be seen as a burden on business but, rather, the means by which business opportunities are maximized and potential losses associated with unwanted events reduced. Successful companies should not allow themselves to become complacent or blinded by their own success. There are numerous examples of companies whose success has been jeopardized by a lack of, or deficiencies in, internal controls.

39 Implementing Internal Control
and Risk Management
Functions of Internal Control
A sound and well designed system of internal control reduces, but cannot eliminate, the possibility of poor judgments in decision-making; human error or mistake; control activities and processes being deliberately circumvented by the collusion of employees or others; management overriding controls; and the occurrence of unforeseeable circumstances.
A sound system of internal control helps to provide reasonable, but not absolute, assurance that a company will avoid being hindered in achieving its business objectives, or in the orderly and legitimate conduct of its business, by circumstances that may reasonably be foreseen. A system of internal control cannot, however, provide protection with certainty against a company failing to meet its business objectives or against all material errors, losses, fraud, or breaches of laws or regulations.

40 Implementing Internal Control
and Risk Management
Functions of Internal Control
No two companies will, or should, have identical internal control systems. Companies and their controls differ by industry, size and organisational structure, and by culture and management philosophy. Therefore, while all companies need each of the components to ensure adequate control over their activities, each will have a unique internal control system tailored to meet its own circumstances. Management will have to exercise its judgment, driven by the particular needs of the company, to determine the nature of the controls that should be in place and whether they are functioning effectively in achieving the company’s objectives.

41 Elements of a Sound System of Internal Control
Internal control can be analysed into five inter-related components, which also serve as criteria for the effectiveness of the internal control system in supporting the achievement of the separate but overlapping operational, financial reporting and compliance objectives. The components are:
Control environment – the foundation for the other components of internal control, which also provides discipline and structure. Factors include ethical values and competence (quality) of personnel, direction provided by the board and effectiveness of management.
Risk assessment – identification and analysis of risks underlying the achievement of objectives, including risks relating to the changing regulatory and operating environment, as a basis for determining how such risks should be mitigated and managed.
Control activities – a diverse range of policies and procedures that help to ensure management directives are carried out and any actions that may be needed to address risks to achieving company objectives are taken.

42 Elements of a Sound System of Internal Control
Information and communication – effective processes and systems that identify, capture and report operational, financial and compliance-related information in a form and timeframe that enable people to carry out their responsibilities.
Monitoring – a process that assesses the adequacy and quality of the internal control system’s performance over time. Deficiencies in internal controls should be reported to the appropriate level upstream, which may be, for example, senior management, the audit committee, or the board.

43 Principles of Internal Control
Establish responsibilities.
Maintain adequate records.
Insure assets and bond employees.
Separate recordkeeping and custody over assets.
Divide responsibility for related transactions.
Apply technological controls.
Perform regular and independent reviews.

44 Limitations of Internal Control
Human errors.
Misunderstandings.
Mistakes in judgment.
Carelessness.
Distractions.
Fatigue.
Collusion.
Dishonesty.
Change in conditions.

45 Risk Management
The process of risk management involves:
understanding organisational objectives;
identifying the risks associated with achieving or not achieving them and assessing the likelihood and potential impact of particular risks;
developing programmes to address the identified risks; and
monitoring and evaluating the risks and the arrangements in place to address them.
Risk may affect many areas of activity, such as strategy, operations, finance, technology and environment. In terms of specifics it may include, for example, loss of key staff, substantial reductions in financial and other resources, severe disruptions to the flow of information and communications, fires or other physical disasters, leading to interruptions of business and/or loss of records. More generally, risk also encompasses issues such as fraud, waste, abuse and mismanagement.

46 Types of Risks
Business risks
Wrong business strategy
Competitive pressure on price / market share
General / regional economic problems
Industry sector in decline
Political risks
Adverse government policy
Inattention to information technology (IT) aspects of strategy and implementation
Obsolescence of technology
Substitute products
Takeover target
Inability to obtain further capital
Bad acquisition
Too slow to innovate and re-engineer
Too slow to respond to demands from market and customers

47 Types of Risks
Financial risks
Market risk
Credit risk
Interest risk
Currency risk
Treasury risk
Liquidity risk
Overtrading
High cost of capital
Misuse of financial resources
Going concern problems
Occurrence of types of fraud to which the business is susceptible
Misstatement risk related to published financial information
Breakdown of accounting system
Unreliable accounting records
Unrecorded liabilities
Penetration and attack of IT systems by hackers
Decisions based on incomplete or faulty information
Too much data and not enough analysis
Unfulfilled promises/pledges to investors

48 Types of Risks
Compliance risks
Breach of Listing Rules
Breach of financial regulations
Breach of Companies Ordinance requirements
Breach of competition regulations
Breach of other regulations and laws
Litigation risk
Tax problems
Health and safety risks
Environmental problems

49 Types of Risks
Operational and other risks
Inefficient / ineffective management process
Loss of entrepreneurial spirit
Missed or ignored business opportunities
Other issues giving rise to reputational problems
Poor brand management
Failure of major change initiative
Inability to implement change
Stock-out of raw materials
Skills shortage
Physical disasters (e.g., fire and explosion)
Computer viruses or other system malfunctions
Failure to create and exploit intangible assets
Loss of intangible assets
Loss of physical assets
Loss of key people
Loss of key contracts
Lack of orders
Lack of business continuity
Succession problems

50 Types of Risks
Operational and other risks
Inability to reduce cost base
Over-reliance on key suppliers or customers
Onerous contract obligations imposed by major customers
Failure of new products or services
Failure to satisfy customers
Poor service levels
Quality problems
Product liability
Failure of major projects
Failure of big technology related projects
Failure of outsource providers to deliver
Lack of employee motivation or efficiency
Industrial action
Problems arising from exploiting employees in developing countries
Inefficient / ineffective processing of documents
Breach of confidentiality
*This list should not be regarded as exhaustive and it is not industry specific.

51 Risk Identification A strategic approach to risk assessment depends on identifying risks against key organisational objectives. Risks relevant to those objectives are then considered and evaluated, resulting in a small number of key risks. Identifying key risks is not only important in order to identify the most important areas to which resources in risk assessment should be allocated, but also in order to allocate responsibility for management of these risks.

52 Internal Financial Control
Effective financial controls are a vital element of internal control. They help in identifying and managing liabilities to ensure that the company is not unnecessarily exposed to avoidable financial risks (e.g., losses from derivatives and financial instruments) and that financial information used within the business and for publication is reliable. They also contribute to the safeguarding of assets from inappropriate use or loss, including the prevention and detection of fraud. Internal financial control is also a key part of the fundamentals of good risk management that should underpin the wider aspects of business risk. It is needed to provide the board and senior management with information of sufficient quality to make good business decisions and meet their regulatory obligations. Important areas include the maintenance of proper financial records in support of financial budgets, projections, other management information (e.g., monthly management accounts and reports, comparison of budgetary versus actual performance) and reliable interim and year-end reporting.

53 Factors Determining Internal Control System
The nature and size of the business conducted.
The number of administrative staff involved.
The materiality of the transactions concerned.
The importance placed upon the internal control system by the management.
The management style of the entity, particularly the trust placed in the integrity of the key person and the latter's ability to supervise and control his/her subordinate staff.

54 Internal Control and Statutory Audit
With the complexity of the business environment, internal control forms the basis of modern auditing, as it is neither desirable nor reasonable for an auditor to carry out a hundred percent check of all the transactions entered into by a client during the financial period. The internal control system in an organization (with its strengths and weaknesses), once properly evaluated, provides the auditor with sufficient evidence to enable him to express an opinion on the client’s financial statements. Otherwise, the work of an auditor would be boring, uninteresting and quite discouraging, with an attendant heavy burden on the client. While it is the responsibility of management to set up and maintain the internal control system, it should be clearly stated that the annual audit exercise is not a substitute for effective management control.

55 Reports to Management on Internal Control Systems
It is management's responsibility to prepare financial statements and to institute control systems that forestall the occurrence of fraud and error. It is the auditor's responsibility to assess the effectiveness of a client's control system so as to determine the extent of reliance to place on the controls. During the course of an audit, the auditor may come across weaknesses in the client's system which may undermine the completeness, accuracy and validity of the client's transactions. In this regard, the auditor has a professional duty to provide constructive criticism of the client's system in a formal report to the client's management known as the Management Letter (ML), Letter of Control Weaknesses (LCW) or Domestic Report (DR). This letter should not only highlight the weaknesses that come to the auditor's attention during the audit; it should also highlight the likely consequences of such weaknesses and the auditor's recommendations to improve the system in the future.

56 Internal Check
Internal check is part of the internal control system. It has been defined to mean those routine day-to-day controls over transactions which are designed to minimize the risk of errors and irregularities. Internal check includes:
1. Controls designed to ensure that the duties of authorization, execution, recording and custody are not done by one employee.
2. Supervisory controls exercised by middle and lower level management over the work of subordinates.
3. Arithmetical and accounting controls designed to ensure the accuracy, completeness and correctness of records, and especially those controls which ensure that the work of one person is independently proven by that of another in the normal course of his work.

57 Features of Internal Control System
A whole system: Internal control can be seen as single procedures or as a whole system. The whole system is more than the sum of the parts.
Established by the management: Internal control systems are established by the management directly or by means of external consultants, internal audit, or accounting personnel.
Ensure adherence to management policies: An effective internal control system will enable an organization to implement its plans and policies as laid down by the management.
Safeguarding the assets of an organization: An effective internal control system guards and protects the resources of an organization. It ensures that the financial resources of an organization are not misappropriated or embezzled, and also ensures that the physical assets of an organization are not misused.

58 Features of Internal Control System
Accuracy of the records: An internal control system enables the records of the organization to be complete and accurate. It also ensures that the books of account are not tampered with by unauthorized persons.
Financial and other controls: Internal control makes use of financial controls such as the use of control accounts. It also makes use of other control measures such as physical access restriction to computer terminals.

59 Categories of Internal Control
Internal Control activities may be preventive, detective, and/or corrective Preventive Internal Control: A preventive internal control is designed to discourage noncompliance with the Reliability Standards. They are proactive internal controls that help ensure the management objective of compliance with Reliability Standards. Example: a documented process that requires a training schedule be developed and maintained that includes all required training and the scheduling of training to ensure it is completed prior to the dates required by the applicable Reliability Standard requirements. This may be implemented by assigning training classes in a training tracking tool that notifies the individual of scheduled training, reminds individuals to complete the training, and notifies management that training has not taken place prior to the training deadline so management can take appropriate action.

60 Categories of Internal Control
Internal Control activities may be preventive, detective, and/or corrective Detective Internal Control: A detective internal control is designed to find errors or irregularities and support effective compliance. Example: a documented process that requires a periodic review conducted to identify required training that was not completed as scheduled and training that was not completed per the Reliability Standard requirements. An example would be a quarterly review of completed training records to identify individuals that have not completed training by the required deadline.

61 Categories of Internal Control
Internal Control activities may be preventive, detective, and/or corrective
Corrective Internal Control: A corrective internal control is designed to assess instances of noncompliance and return an activity to a state of compliance. Example: a corrective internal control is automation of an Automatic Voltage Regulator (AVR) status indication so that an alarm occurs in the Transmission Operator’s Control Center indicating an AVR status change from Automatic to Manual for a particular generating unit.
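The training example on the preceding slides, carried through in code as an added illustration (this is not code from the presentation or from any control framework it cites): the same set of training records is run through a preventive control (reminder before the deadline, escalation to management once it is missed), a detective control (a quarterly review of deadlines that fell in the period) and a corrective control (each exception becomes a tracked action with an owner and target date). The employee names, course titles, dates and the 14-day reminder window and 30-day grace period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class TrainingRecord:
    """One required course for one individual (constructed sample data)."""
    employee: str
    course: str
    deadline: date
    completed_on: Optional[date] = None


# Constructed sample records; names, courses and dates are illustrative only.
RECORDS = [
    TrainingRecord("alice", "Switching Safety", date(2024, 3, 31), date(2024, 3, 10)),
    TrainingRecord("bob", "Switching Safety", date(2024, 3, 31)),
    TrainingRecord("carol", "System Restoration", date(2024, 2, 15), date(2024, 2, 20)),
    TrainingRecord("dave", "System Restoration", date(2024, 4, 30)),
]


def preventive_notifications(records, today, reminder_days=14):
    """Preventive control: act before the deadline is missed.
    Returns (recipient, employee, course, message) tuples: a reminder to the
    individual inside the reminder window, and an escalation to management
    once the deadline has passed with no completion recorded."""
    notices = []
    for r in records:
        if r.completed_on is not None:
            continue
        days_left = (r.deadline - today).days
        if days_left < 0:
            notices.append(("management", r.employee, r.course, "overdue"))
        elif days_left <= reminder_days:
            notices.append((r.employee, r.employee, r.course, f"due in {days_left} days"))
    return notices


def detective_quarterly_review(records, quarter_start, quarter_end):
    """Detective control: periodic review of every course whose deadline fell
    in the quarter, flagging late or missing completions after the fact."""
    exceptions = []
    for r in records:
        if not (quarter_start <= r.deadline <= quarter_end):
            continue
        if r.completed_on is None:
            exceptions.append((r.employee, r.course, "not completed"))
        elif r.completed_on > r.deadline:
            late = (r.completed_on - r.deadline).days
            exceptions.append((r.employee, r.course, f"completed {late} days late"))
    return exceptions


def corrective_actions(exceptions, today, grace_days=30):
    """Corrective control: convert each exception into a tracked action with an
    owner and a target date, so the activity is returned to compliance."""
    return [
        {"employee": emp, "course": course, "finding": finding,
         "owner": "training coordinator",          # assumed owner role
         "target_date": today + timedelta(days=grace_days)}
        for emp, course, finding in exceptions
    ]


def run_controls(today_iso, quarter_start_iso, quarter_end_iso, records=RECORDS):
    """Run all three controls for one review date and one quarter (ISO dates)."""
    today = date.fromisoformat(today_iso)
    exceptions = detective_quarterly_review(
        records, date.fromisoformat(quarter_start_iso), date.fromisoformat(quarter_end_iso))
    return {
        "notices": preventive_notifications(records, today),
        "exceptions": exceptions,
        "actions": corrective_actions(exceptions, today),
    }


if __name__ == "__main__":
    result = run_controls("2024-04-05", "2024-01-01", "2024-03-31")
    for key in ("notices", "exceptions", "actions"):
        for item in result[key]:
            print(key, item)
```

Note that the preventive control is silent for a course that was completed late: once a completion exists, only the detective review reports it, which is the point of having both kinds of control rather than relying on one.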

62 Five Key Internal Control Activities
1. Separation of Duties
Divide responsibilities between different employees so one individual doesn’t control all aspects of a transaction. Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.
2. Documentation
Document & preserve evidence to substantiate:
Critical decisions and significant events...typically involving the use, commitment, or transfer of resources.
Transactions…enables a transaction to be traced from its inception to completion.
Policies & Procedures…documents which set forth the fundamental principles and methods that employees rely on to do their jobs.

63 Five Key Internal Control Activities
3. Authorization & Approvals
Management documents and communicates which activities require approval, and by whom, based on the level of risk to the organization. Ensure that transactions are approved and executed only by employees acting within the scope of their authority granted by management.
4. Security of Assets
Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce the risk of loss or unauthorized use. Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization. Base the level of security on the vulnerability of items being secured, the likelihood of loss, and the potential impact should a loss occur.

64 Five Key Internal Control Activities
5. Reconciliation & Review
Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance. Base the level of review on materiality, risk, and overall importance to the organization’s objectives. Ensure the frequency is adequate to detect and act upon questionable activities in a timely manner.
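Three of the five activities above (separation of duties, authorization & approvals, and reconciliation & review) can be expressed as checks a reviewer runs over transaction records. The following is an added example written for this page, not code from the presentation: it reviews a constructed batch of transactions against an assumed delegation-of-authority table and then reconciles a constructed ledger against a constructed bank statement. The approver names, limits, transaction ids and amounts are all invented for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed approval policy: approver -> (role, limit). In practice the
# limits come from management's documented delegation of authority.
APPROVERS = {"maya": ("manager", 5_000), "dan": ("director", 50_000)}


@dataclass
class Transaction:
    txn_id: str
    amount: int                 # whole currency units, constructed values
    requested_by: str
    approved_by: Optional[str]  # None when no approval was recorded


# Constructed sample transactions; each comment names the failure mode it exercises.
TRANSACTIONS = [
    Transaction("T1", 1_200, "alice", "maya"),
    Transaction("T2", 8_000, "bob", "maya"),    # above the manager limit
    Transaction("T3", 3_000, "maya", "maya"),   # requester approved own request
    Transaction("T4", 700, "carol", None),      # no approval at all
    Transaction("T5", 20_000, "alice", "dan"),
    Transaction("T6", 450, "bob", "eve"),       # eve is not an authorised approver
]


def review_authorization(txns):
    """Separation of duties plus authorization & approvals review.
    Returns (txn_id, finding) for each transaction that fails a check."""
    findings = []
    for t in txns:
        if t.approved_by is None:
            findings.append((t.txn_id, "no approval recorded"))
        elif t.approved_by == t.requested_by:
            findings.append((t.txn_id, "requester approved own transaction"))
        elif t.approved_by not in APPROVERS:
            findings.append((t.txn_id, f"approver {t.approved_by} not authorised"))
        else:
            role, limit = APPROVERS[t.approved_by]
            if t.amount > limit:
                findings.append((t.txn_id, f"amount {t.amount} exceeds {role} limit {limit}"))
    return findings


# Constructed ledger and bank statement as (reference, amount) pairs.
LEDGER = [("T1", 1_200), ("T2", 8_000), ("T3", 3_000), ("T5", 20_000)]
STATEMENT = [("T1", 1_200), ("T2", 8_000), ("T3", 3_100), ("T5", 20_000), ("T7", 999)]


def reconcile(ledger, statement):
    """Reconciliation & review: match ledger entries to statement entries by
    reference and amount. Anything that does not match is an exception the
    reviewer must follow up (unrecorded items, posting errors, or worse)."""
    ledger_map = dict(ledger)
    statement_map = dict(statement)
    matched, mismatched = [], []
    for ref, amount in ledger:
        if ref in statement_map:
            if statement_map[ref] == amount:
                matched.append(ref)
            else:
                mismatched.append((ref, amount, statement_map[ref]))
    return {
        "matched": matched,
        "amount_mismatch": mismatched,
        "ledger_only": [ref for ref, _ in ledger if ref not in statement_map],
        "statement_only": [ref for ref, _ in statement if ref not in ledger_map],
    }


if __name__ == "__main__":
    for txn_id, finding in review_authorization(TRANSACTIONS):
        print("authorization exception:", txn_id, finding)
    for key, items in reconcile(LEDGER, STATEMENT).items():
        print(f"{key}: {items}")
```

The order of the checks in review_authorization matters: a missing approval is reported before anything else, and a self-approval is reported even when the amount is within the approver's limit, because separation of duties is violated regardless of the amount.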

65 Positive Consequences of Good Internal Controls
Good communication
Well-written documentation not only gets your message across, but also builds a picture of the culture and processes that have been established to ensure the firm meets its aims.
Education
The existence of internal controls helps new employees learn the right way to do their job and the correct procedures needed to fulfil a task.
Error reduction
Good and clear internal control procedures minimise errors and save time and money. They help ensure business information is correct and that staff are accountable for their actions. For example, staff should know how to check their own work to ensure it is accurate.

66 Positive Consequences of Good Internal Controls
Protection and authorisation
Internal controls give comfort to staff that they have protection if they have acted in the way prescribed by the internal controls and within their authorisation limits. The business cannot blame you if you have acted in good faith and within the guidelines specified.
Perceptions of detection
The existence of internal controls acts as a deterrent to those considering fraud by increasing the risk that they will be detected.

67 Thank You

