Fundamentals of Controls in New Age
Hardik Dhruva
Views expressed herein are personal views of the author
Definition of Internal Control
Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a. Effectiveness and efficiency of operations;
b. Reliability of financial reporting; and
c. Compliance with laws and regulations.
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
COSO – Components of Internal Control
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to improve the quality of financial reporting through business ethics, effective internal controls and corporate governance. Based on these principles, it developed and published the COSO framework as a foundation for establishing internal control systems and determining their effectiveness.
The framework has five components (the slide diagram shows rating criteria attached to each):
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
Internal Control – the 5 key components
Control Environment
• Sets the tone of the organization.
• The foundation for all other components.
• Includes the integrity, ethical values and competence of the people.
• Management's operating style and independent review.
• Organisation structure, responsibility and authority levels.
• Reflects management's philosophy and operating style, the way management assigns authority and responsibility and organizes and develops its people, and the attention and direction provided by the board of directors.
Control Environment Consists of:
• Management philosophy and operating style
– Tone at the top
• Organization structure
– Separation of duties
– Fiscal officer reporting lines
• Assignment of authority and responsibility
– Does everyone understand their role?
– Responsibility without authority
Risk Assessment
• Every entity faces internal and external risks.
• Every entity sets objectives.
• Risk assessment is the identification and analysis of relevant risks to the achievement of the objectives.
Design a Control System
• Identify RISKS in your environment
– Mission - Compliance
– Transactional - Assets
• Identify control points
• Analyze potential EXPOSURES
• Design system to mitigate RISKS
Control Activities
• The policies and procedures that help ensure management directives are carried out.
• They help ensure that necessary actions are taken to address risks.
• Control activities occur throughout the entity at all levels and in all functions.
• They include activities such as approvals, authorization, reconciliations and segregation of duties.
Information & Communication
• Relevant information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.
• Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business.
• Effective communication must occur in a broader sense, flowing down, across and up the organization.
Monitoring
• Internal control systems need to be monitored.
• Types of monitoring:
- ongoing, during the course of operations;
- separate evaluation, for which the scope and frequency will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal Control – the 5 key components
Control Environment
• Sets tone of organization, influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.
Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.
Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
Monitoring
• Assessment of a control system's performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.
All five components must be in place for a control to be effective.
Responsibilities
Who is responsible for internal control? Everyone!
Board of Directors: governance, guidance and oversight
Management: CEO is the owner
Internal Auditors: evaluate and monitor
Other personnel: information and communication
What Internal Control Can Do
• It can help achieve performance and profitability targets.
• It can help prevent loss of resources.
• It can help ensure reliable financial reporting.
• It can help ensure compliance with laws.
It can help an entity get to where it wants to go, and avoid pitfalls and surprises along the way.
What Internal Control Cannot Do
• It cannot ensure success.
• It cannot ensure the reliability of financial reporting.
• It cannot ensure compliance with laws and regulations.
Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding achievement of an entity's objectives.
Limitations of Internal Control
• Judgement.
• Breakdowns.
• Management override.
• Collusion.
• Costs versus benefits.
Boundaries of control
(Diagram of the layers of control; labels as they appear on the slide:)
• Line of business
• Governance and internal audit
• Regulators and external audits
• Control functions
Redefining the control focus
The new approach to controlling business risks may be characterized by the "new rules" of "prevent and monitor" and "build in quality", as opposed to the "old rules" of "detect and correct" and "inspect in quality." This means a paradigm shift in the traditional viewpoint of control, as illustrated in the following table:
Control Focus: Old Paradigm versus New Paradigm
• Old: Only AUDITORS and TREASURY are concerned about risks and controls.
  New: EVERYONE, including operations, is concerned about managing business risks.
• Old: FRAGMENTATION – every function and department does its own thing ("SILO MANAGEMENT").
  New: Business risk assessment and control are FOCUSED and COORDINATED with senior level OVERSIGHT.
• Old: NO BUSINESS RISK CONTROL POLICY.
  New: FORMAL BUSINESS RISK CONTROL POLICY approved by management and the board.
• Old: INSPECT for and DETECT business risk and REACT to it.
  New: ANTICIPATE and PREVENT business risk at the source and MONITOR business risk controls continuously.
• Old: Ineffective PEOPLE are the primary source of business risk.
  New: Ineffective PROCESSES are the primary source of business risk.
CONTROL TECHNIQUES
Prevention techniques are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. Therefore, many of the preventive techniques are applied before the processing activity occurs. In most situations, preventive techniques are likely to be more effective in a strong control environment, when management authorization criteria are well-defined and properly communicated.
Control type definitions:
Preventive - Manual
Preventive - System
Examples of preventive controls include:
• Segregation of duties (Preventive – Manual)
• Business systems integrity and continuity controls, e.g., application design standards, change controls, security controls, systems backup and recovery (Preventive – System)
• Physical safeguard and access restriction controls (human, financial, physical and information assets) (Preventive – Manual)
• Effective planning/budgeting process (Preventive – Manual)
• Effective "whistle blowing" processes (Preventive – Manual)
CONTROL TYPES
Detection techniques are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detection techniques normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques, that is, when front-end approval and processing techniques do not provide reasonable assurance that unacceptable transactions are prevented from being processed, or do not assure that all approved transactions are processed accurately. In this case, after-the-fact techniques become more important in detecting and correcting processing errors.
Control type definitions:
Detective - Manual
Detective - System
Examples of detection techniques include:
• Reconciliation of batch balance reports to control logs maintained by originating departments. (Detective – Manual)
• Reconciliation of cycle inventory counts with perpetual records. (Detective – Manual)
• Review and approval of reference file maintenance ("was-is") reports. (Detective – Manual)
• Comparison of reported results with plans and budgets. (Detective – Manual)
• Reconciliation of subsidiary ledger balances with the general ledger. (Detective – Manual)
• Reconciliation of interface amounts exiting one system and entering another. (Detective – System)
• Review of on-line access and transaction logs. (Detective – System)
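As an added worked example (not part of the original slides), the interface reconciliation listed above as a Detective – System control, written in Python: records exiting a source system are matched by reference against those entering the target, and the batch control totals of both sides are compared. The payment references, amounts and the two systems (a payments system feeding a general ledger) are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Record:
    ref: str         # transaction reference carried across the interface
    amount: Decimal  # monetary amount; Decimal avoids float rounding noise

def reconcile(outgoing, incoming):
    """Match records exiting the source system against those entering the target.
    Returns record-level exceptions, batch control totals per side and a balanced flag.
    """
    out_by_ref = {r.ref: r.amount for r in outgoing}
    in_by_ref = {r.ref: r.amount for r in incoming}
    both = set(out_by_ref) & set(in_by_ref)
    dupes = lambda recs: sorted(k for k, n in Counter(r.ref for r in recs).items() if n > 1)
    totals = lambda recs: (len(recs), sum((r.amount for r in recs), Decimal("0")))
    exceptions = {
        "missing_in_target": sorted(set(out_by_ref) - set(in_by_ref)),
        "unexpected_in_target": sorted(set(in_by_ref) - set(out_by_ref)),
        "amount_mismatch": sorted(k for k in both if out_by_ref[k] != in_by_ref[k]),
        "duplicates_source": dupes(outgoing),
        "duplicates_target": dupes(incoming),
    }
    result = dict(exceptions, source_total=totals(outgoing), target_total=totals(incoming))
    # The interface balances only when no exception was raised and the control
    # totals agree; a single finding is an item for follow-up, not a pass.
    result["balanced"] = not any(exceptions.values()) and totals(outgoing) == totals(incoming)
    return result

# Constructed sample: one batch of payments leaving a payments system ...
SOURCE_BATCH = [
    Record("PAY-1001", Decimal("250.00")),
    Record("PAY-1002", Decimal("1200.50")),
    Record("PAY-1003", Decimal("75.25")),
    Record("PAY-1004", Decimal("310.00")),
    Record("PAY-1004", Decimal("310.00")),  # sent twice
]
# ... and the postings the general ledger recorded for the same batch.
TARGET_BATCH = [
    Record("PAY-1001", Decimal("250.00")),
    Record("PAY-1002", Decimal("1200.05")),  # amount keyed with transposed digits
    Record("PAY-1004", Decimal("310.00")),
    Record("PAY-1005", Decimal("999.99")),   # nothing outgoing matches this
]

if __name__ == "__main__":
    for key, value in reconcile(SOURCE_BATCH, TARGET_BATCH).items():
        print(f"{key}: {value}")
```

Each exception list is a reviewer's work item; the two control totals let a batch balance check stand on its own even when record-level matching is not available.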
Role of Internal audit and management in defining internal controls
Responsibilities - Management
• It is management's responsibility to establish internal control. Internal control includes the whole system of controls and methods, both financial and operational, which are established to minimise risks and their impact, safeguard assets, ensure efficiency and to encourage adherence to policies and directives.
Responsibilities - Internal audit
• It is Internal Audit's role to carry out an independent appraisal and evaluation of the effectiveness of these controls. Audit is not part of line management. Internal Audit does not develop and install procedures, prepare records or engage in any activity which could compromise its independence.
• The emphasis on independence in no way diminishes the close working relationship and need for communication between Internal Audit and other functions. This communication is particularly important, as the role includes appraising and advising on the controls to be included in new or revised systems, both automated and manual, before they are introduced.
The evolution of internal auditing
(Figure © KPMG 1999: stages of internal auditing plotted against "Value to the Business"; labels on the chart: Traditional, Observing & Checking, Review of Internal Controls, Risk Based Auditing, Empowered, Value-based auditing.)
Internal Audit's value proposition is to assist the business in establishing the right balance of risk and control, thus increasing the confidence that the organisation will achieve its business objectives.
(Figure © KPMG: "Maximised Value" sits at "Optimised control", between "Control deficiency" and "Control obsessed".)
Role of internal audit and management in monitoring internal controls
Internal Audit: Monitoring control environment
(Diagram centred on the internal audit function; labels on the slide: Audit Reports, Audit Committees, Management Reporting, Risk based audits, Special reviews, Formal communication, Oral discussions, Preventive risk, Control breakdowns, Issues resolution.)
Audit Committee reporting
The IIA's The Audit Committee: A Holistic View of Risk advises internal auditors to report significant risk exposures and control issues, corporate governance issues, and other requested information to the audit committee. To this end, CAEs and audit committees should meet regularly without management and the presence of external auditors. This will enable audit committee members to:
• Know the extent to which management has established effective ERM.
• Be aware of and concur with the organization's risk appetite.
• Learn who is responsible for risk identification, assessment, and management throughout the organization, and meet periodically with those individuals.
• Understand the role of internal auditors and areas of planned coverage, and meet periodically with the CAE to discuss risk management.
• Review financial reporting risks, weigh them against the organization's risk appetite, and discuss with management how effective the controls in place are in mitigating those risks.
• Ensure audit committee members are receiving the information needed in the appropriate format so an effective evaluation of the risk management process can be made.
Audit Committee reporting
Audit Committee Heat Map
Area (risks covered) | Inherent risk | Control risk | Overall risk
Area 1 (Risk 1, Risk 2, Risk 3, ...) | Med | High | Med-high
Area 2 (Risk 1, Risk 2, Risk 3, ...) | Low | Med | Med-low
Area 3 (Risk 1, Risk 2, Risk 3, ...) | High | Low | Med-high
Area 4 (Risk 1, Risk 2, Risk 3, ...) | High | High | High
- Provides internal audit's view of risks
- Provides the underlying basis of ratings
- Ratings drive the frequency of audits
Explained above is a generic model – sophisticated scoring techniques could be used to arrive at ratings.