Fundamentals of Controls in New Age

Hardik Dhruva

Views expressed herein are personal views of the author

wirc 4June2011 fundamentals of controls in new age.ppt


Definition of Internal Control

Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

a. Effectiveness and efficiency of operations;
b. Reliability of financial reporting; and
c. Compliance with laws and regulations.

• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

COSO – Components of Internal Control

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to improve the quality of financial reporting through business ethics, effective internal controls and corporate governance. Based on these principles, they developed and published the COSO framework as a foundation for establishing internal control systems and determining their effectiveness.

The five components: Control Environment; Risk assessment; Control activities; Information and communication; Monitoring.

(Diagram: the five components arranged around the COSO framework, each assessed against rating criteria.)

Internal Control – the 5 key components

(Diagram: the five components numbered 1 to 5; each is described on the following slides.)

Control Environment

• Sets the tone of the organization.
• The foundation for all other components.
• It includes the integrity, ethical values and competence of the people.
• Management’s operating style and independent review.
• Organisation structure, responsibility and authority levels.
• Reflects: management’s philosophy and operating style, the way management assigns authority and responsibility and organizes and develops its people, and the attention and direction provided by the board of directors.

Control Environment Consists of:

• Management philosophy and operating style
  – Tone at the top
• Organization structure
  – Separation of duties
  – Fiscal officer reporting lines
• Assignment of authority and responsibility
  – Does everyone understand their role?
  – Responsibility without authority

Risk Assessment

• Every entity faces internal and external risks.
• Every entity sets objectives.
• Risk assessment is the identification and analysis of relevant risks to the achievement of the objectives.

Design a Control System

• Identify RISKS in your environment
  – Mission - Compliance
  – Transactional - Assets
• Identify control points
• Analyze potential EXPOSURES
• Design system to mitigate RISKS

Control Activities

• The policies and procedures that help ensure management directives are carried out.
• They help ensure that necessary actions are taken to address risks.
• Control activities occur throughout the entity at all levels and in all functions.
• They include activities such as approvals, authorization, reconciliations and segregation of duties.

Information & Communication

• Relevant information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.
• Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business.
• Effective communication must occur in a broader sense, flowing down, across and up the organization.

Monitoring

• Internal control systems need to be monitored.
• Types of monitoring:
  - ongoing, during the course of operations.
  - evaluation, for which the scope and frequency will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.

Internal Control – the 5 key components

Control Environment
• Sets tone of organization – influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives – forming the basis for determining control activities.

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.

Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

All five components must be in place for a control to be effective.

Responsibilities

Who is responsible for internal control? Everyone!

Board of Directors: governance, guidance and oversight
Management: CEO is the owner
Internal Auditors: evaluate and monitor
Other personnel: information and communication

What Internal Control Can Do

• It can help achieve performance and profitability targets.
• It can help prevent loss of resources.
• It can help ensure reliable financial reporting.
• It can help ensure compliance with laws.

It can help an entity get to where it wants to go, and avoid pitfalls and surprises along the way.

What Internal Control Cannot Do

• It cannot ensure success.
• It cannot ensure the reliability of financial reporting.
• It cannot ensure compliance with laws and regulations.

Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding achievement of an entity’s objectives.

Limitations of Internal Control

• Judgement.
• Breakdowns.
• Management override.
• Collusion.
• Costs versus benefits.

Boundaries of control

(Diagram: concentric boundaries of control, from the line of business outward: Line of business; Control functions; Governance and internal audit; Regulators and external audits.)

Redefining the control focus

The new approach to controlling business risks may be characterized by the “new rules” of “prevent and monitor” and “build in quality” as opposed to the “old rules” of “detect and correct” and “inspect in quality.” This means a paradigm shift in the traditional viewpoint of control as illustrated in the following table:

Control focus: Old Paradigm versus New Paradigm

• Old: Only AUDITORS and TREASURY are concerned about risks and controls.
  New: EVERYONE, including operations, is concerned about managing business risks.
• Old: FRAGMENTATION – every function and department does its own thing (“SILO MANAGEMENT”).
  New: Business risk assessment and control are FOCUSED and COORDINATED with senior level OVERSIGHT.
• Old: NO BUSINESS RISK CONTROL POLICY.
  New: FORMAL BUSINESS RISK CONTROL POLICY approved by management and the board.
• Old: INSPECT for and DETECT business risk and REACT to it.
  New: ANTICIPATE and PREVENT business risk at the source and MONITOR business risk controls continuously.
• Old: Ineffective PEOPLE are the primary source of business risk.
  New: Ineffective PROCESSES are the primary source of business risk.

CONTROL TECHNIQUES

Prevention techniques are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. Therefore, many of the preventive techniques are applied before the processing activity occurs. In most situations, preventive techniques are likely to be more effective in a strong control environment, when management authorization criteria are well-defined and properly communicated.

Control type definitions:
Preventive - Manual
Preventive - System

Examples of preventive controls include:
• Segregation of duties (Preventive-Manual)
• Business systems integrity and continuity controls, e.g., application design standards, change controls, security controls, systems backup and recovery (Preventive-System)
• Physical safeguard and access restriction controls (human, financial, physical and information assets) (Preventive-Manual)
• Effective planning/budgeting process (Preventive-Manual)
• Effective "whistle blowing" processes (Preventive-Manual)

CONTROL TYPES

Detection techniques are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detection techniques normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques. That is, when front-end approval and processing techniques do not provide reasonable assurance that unacceptable transactions are prevented from being processed or do not assure that all approved transactions are processed accurately. In this case, after-the-fact techniques become more important in detecting and correcting processing errors.

Control type definitions:
Detective - Manual
Detective - System

Examples of detection techniques include:
• Reconciliation of batch balance reports to control logs maintained by originating departments. (Detective-Manual)
• Reconciliation of cycle inventory counts with perpetual records. (Detective-Manual)
• Review and approval of reference file maintenance (“was-is”) reports. (Detective-Manual)
• Comparison of reported results with plans and budgets. (Detective-Manual)
• Reconciliation of subsidiary ledger balances with the general ledger. (Detective-Manual)
• Reconciliation of interface amounts exiting one system and entering another. (Detective-System)
• Review of on-line access and transaction logs. (Detective-System)
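The two Detective-System techniques listed last above (reconciling interface amounts between systems and reviewing transaction logs), together with the segregation-of-duties control from the preventive list, as an added Python example that is not part of the original slides. The batch totals, the transaction log and the create/approve conflict rule are constructed sample data for illustration; the function names are this example's own.

```python
"""Two detective-system control checks over constructed sample data (added example)."""
from collections import defaultdict

# Constructed sample: interface batches leaving a billing system (source)
# and the matching batches loaded into the general ledger (target).
SOURCE_BATCHES = {
    "B-1001": {"count": 3, "total": 1250.00},
    "B-1002": {"count": 5, "total": 4800.50},
    "B-1003": {"count": 2, "total": 300.00},
}
TARGET_BATCHES = {
    "B-1001": {"count": 3, "total": 1250.00},
    "B-1002": {"count": 5, "total": 4795.50},  # 5.00 short: a record was altered in transit
    "B-1004": {"count": 1, "total": 99.00},     # loaded with no matching source batch
}


def reconcile_interface(source, target, tolerance=0.005):
    """Compare record counts and monetary totals batch by batch.

    Returns a sorted list of (batch_id, finding) exceptions for follow-up;
    an empty list means the interface reconciled.  Each exception is a
    concrete item someone must investigate and correct, which is what the
    slide means by errors being discovered and corrected on a timely basis.
    """
    exceptions = []
    for batch_id in sorted(set(source) | set(target)):
        s, t = source.get(batch_id), target.get(batch_id)
        if s is None:
            exceptions.append((batch_id, "in target only"))
        elif t is None:
            exceptions.append((batch_id, "missing from target"))
        elif s["count"] != t["count"]:
            exceptions.append((batch_id, f"count {s['count']} vs {t['count']}"))
        elif abs(s["total"] - t["total"]) > tolerance:
            exceptions.append((batch_id, f"total {s['total']:.2f} vs {t['total']:.2f}"))
    return exceptions


# Constructed sample transaction log: (timestamp, user, action, transaction_id).
TRANSACTION_LOG = [
    ("2011-06-04T09:01", "alice", "create",  "PO-1"),
    ("2011-06-04T09:30", "bob",   "approve", "PO-1"),
    ("2011-06-04T10:05", "carol", "create",  "PO-2"),
    ("2011-06-04T10:06", "carol", "approve", "PO-2"),  # same user on both sides
    ("2011-06-04T11:00", "dave",  "create",  "PO-3"),
]

# Action pairs that segregation of duties says one person must not perform
# on the same transaction (constructed rule for the example).
CONFLICTING_PAIRS = {("create", "approve")}


def find_sod_conflicts(log, conflicting_pairs=CONFLICTING_PAIRS):
    """Review the transaction log and return the ids of transactions where
    one user performed both halves of a conflicting action pair."""
    actors = defaultdict(lambda: defaultdict(set))  # txn -> action -> users
    for _ts, user, action, txn in log:
        actors[txn][action].add(user)
    conflicts = []
    for txn, by_action in actors.items():
        for first, second in conflicting_pairs:
            if by_action[first] & by_action[second]:
                conflicts.append(txn)
    return sorted(conflicts)


if __name__ == "__main__":
    for batch_id, finding in reconcile_interface(SOURCE_BATCHES, TARGET_BATCHES):
        print(f"interface exception {batch_id}: {finding}")
    for txn in find_sod_conflicts(TRANSACTION_LOG):
        print(f"segregation-of-duties conflict on {txn}")
```

The reconciliation returns a list of exceptions rather than a single pass/fail so that each item can be assigned and cleared; the tolerance parameter stops rounding differences from generating false exceptions. The log review is the detective counterpart of the preventive segregation-of-duties control: where the system does not block a user from approving their own transaction, the after-the-fact review still surfaces it.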

Role of Internal audit and management in defining internal controls

Responsibilities - Management

• It is management's responsibility to establish internal control. Internal control includes the whole system of controls and methods, both financial and operational, which are established to minimise risks and their impact, safeguard assets, ensure efficiency and to encourage adherence to policies and directives.

Responsibilities - Internal audit

• It is Internal Audit's role to carry out an independent appraisal and evaluation of the effectiveness of these controls. Audit is not part of line management. Internal Audit does not develop and install procedures, prepare records or engage in any activity which could compromise its independence.
• The emphasis on independence in no way diminishes the close working relationship and need for communication between Internal Audit and other functions. This communication is particularly important, as the role includes appraising and advising on the controls to be included in new or revised systems, both automated and manual, before they are introduced.

The evolution of internal auditing

(Diagram: stages of internal auditing plotted against value to the business, from Observing & Checking (Traditional) through Review of Internal Controls and Risk Based Auditing to Value-based auditing (Empowered). Source: Copyright © KPMG 1999, all rights reserved.)

Internal Audit’s value proposition is to assist the business in establishing the right balance of risk and control, thus increasing the confidence that the organisation will achieve its business objectives.

(Diagram: value is maximised at “Optimised control”, between “Control deficiency” on one side and “Control obsessed” on the other. Source: © KPMG.)

Role of internal audit and management in monitoring internal controls

Internal Audit: Monitoring control environment

(Diagram: the internal audit function reporting through three channels.)
• Audit Reports: risk based audits; special reviews.
• Audit Committees: formal communication; oral discussions.
• Management Reporting: preventive risk; control breakdowns; issues resolution.

Audit Committee reporting

The IIA’s The Audit Committee: A Holistic View of Risk advises internal auditors to report significant risk exposures and control issues, corporate governance issues, and other requested information to the audit committee. To this end, CAEs and audit committees should meet regularly without management and the presence of external auditors. This will enable audit committee members to:

• Know the extent to which management has established effective ERM.
• Be aware of and concur with the organization’s risk appetite.
• Learn who is responsible for risk identification, assessment, and management throughout the organization, and meet periodically with those individuals.
• Understand the role of internal auditors and areas of planned coverage, and meet periodically with the CAE to discuss risk management.
• Review financial reporting risks, weigh them against the organization’s risk appetite, and discuss with management how effective the controls in place are in mitigating those risks.
• Ensure audit committee members are receiving the information needed in the appropriate format so an effective evaluation of the risk management process can be made.

Audit Committee reporting

Audit Committee Heat Map

Area                                  Inherent risk   Control risk   Overall risk
Area 1 (Risk 1, Risk 2, Risk 3, ...)  Med             High           Med-high
Area 2 (Risk 1, Risk 2, Risk 3, ...)  Low             Med            Med-low
Area 3 (Risk 1, Risk 2, Risk 3, ...)  High            Low            Med-high
Area 4 (Risk 1, Risk 2, Risk 3, ...)  High            High           High

- Provide internal audit view of risks
- Provide underlying basis of ratings
- Ratings drive the frequency of audits

Explained above is a generic model – sophisticated scoring techniques could be used to arrive at ratings.
