INTERNAL CONTROLS GEETALI TARE IAAS

Internal controls


Page 1: Internal controls

INTERNAL CONTROLS

GEETALI TARE IAAS

Page 2: Internal controls

Internal Control Defined

Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations

Page 3: Internal controls

Some key points

• People at every level of an organization affect internal control.

• Internal control is, to some degree, everyone's responsibility.

Page 4: Internal controls

Effective internal control helps an organization achieve its objectives.

• It is a built-in part of the management process (i.e., plan, organize, direct and control).

• It keeps an organization on course toward its objectives and the achievement of its mission, and minimizes surprises along the way.

Page 5: Internal controls

• Internal control promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure compliance with laws and regulations.

• It also ensures the reliability of financial reporting (i.e., all transactions are recorded and that all recorded transactions are real, properly valued, recorded on a timely basis, properly classified, and correctly summarized and posted).

Page 6: Internal controls

Internal control can provide only reasonable assurance

• Effective internal control helps an organization achieve its objectives; it does not ensure success.

• There are several reasons why internal control cannot provide absolute assurance that objectives will be achieved:

– Cost/benefit realities,

– Collusion among employees, and

– External events beyond an organization's control.

Page 7: Internal controls

Internal Control Process

This process consists of 5 interrelated components:

• Control (or Operating) environment

• Risk assessment

• Control activities

• Information and communication

• Monitoring

All internal control components must be present to conclude that internal control is effective.

Page 8: Internal controls

Control Environment

• The control environment is the control consciousness of an organization;

• It is the atmosphere in which people conduct their activities and carry out their control responsibilities.

Page 9: Internal controls

• An effective control environment is an environment where competent people:

– understand their responsibilities and the limits to their authority, and

– are knowledgeable, mindful, and committed to doing what is right and doing it the right way.

• The control environment is greatly influenced by the extent to which individuals recognize that they will be held accountable.

Page 10: Internal controls

Components of control environment

Page 11: Internal controls

1. Integrity and Ethical Values

2. Commitment to competence

3. Management's Philosophy and Operating Style

4. Organisational structure

5. Assignment of Authority and Responsibility

6. Oversight groups

Page 12: Internal controls

Integrity and Ethical Values

• Formal codes of conduct & policies communicating appropriate ethical and moral behavioral standards and addressing acceptable operational practices and conflicts of interest.

• Management appropriately addresses intervention in, or overriding of, internal control.

Page 13: Internal controls

Commitment to competence

• Management has identified and defined the tasks required to accomplish particular jobs and fill the various positions.

• Formal job descriptions & training needs analysis.

Page 14: Internal controls

Management’s Philosophy and Operating Style

• Has an appropriate attitude toward risk-taking.

• Endorses the use of performance-based management.

• There has not been excessive personnel turnover in key functions, such as operations and program management, accounting, or internal audit.

Page 15: Internal controls

Organisational structure

• The agency’s organizational structure is appropriate for its size and the nature of its operations.

• Balancing the degree of centralization versus decentralization.

• Key areas of authority and responsibility are defined & communicated throughout the organization.

• Clear reporting relationships.

Page 16: Internal controls

Human Resource Policies and Practices

• Policies and procedures are in place for hiring, orienting, training, evaluating, counseling, promoting, compensating, disciplining, and terminating employees.

Page 17: Internal controls

Oversight Groups

• Within the organisation, there are mechanisms in place to monitor and review operations and programs.

• The agency has an audit committee or senior management council consisting of high-level line and staff executives that review the internal audit work and coordinate closely with the external auditors.

• The internal audit operation reports to the entity’s head.

• Internal audit reviews that unit’s activities and systems and provides information, analyses, appraisals, recommendations, and counsel to management.

Page 18: Internal controls

Risk Assessment

The central theme of internal control is (1) to identify risks to the achievement of an organization's objectives and (2) to do what is necessary to manage those risks. Thus, setting goals and objectives is a precondition to internal controls.

Page 19: Internal controls

Setting organisational objectives

• Operational objectives: achievement of the basic mission(s) of a department and the effectiveness and efficiency of its operations, including performance standards and safeguarding resources against loss.

• Financial reporting objectives: preparation of reliable financial reports, including the prevention of fraudulent public financial reporting.

• Compliance objectives: adherence to applicable laws and regulations.

Page 20: Internal controls

• Risk assessment is the identification and analysis of risks associated with the achievement of operations, financial reporting, and compliance goals and objectives.

• This, in turn, forms a basis for determining how those risks should be managed.

Page 21: Internal controls

Identify Risks after Determining Goals

• A risk is anything that could jeopardize the achievement of an objective.

– What could go wrong?

– How could we fail?

– What must go right for us to succeed?

– Where are we vulnerable?

– What assets do we need to protect?

– Do we have liquid assets or assets with alternative uses?

– How could someone steal from the department?

Page 22: Internal controls

– How could someone disrupt our operations?

– How do we know whether we are achieving our objectives?

– On what information do we most rely?

– On what do we spend the most money?

– How do we bill and collect our revenue?

– What decisions require the most judgment?

– What activities are most complex?

– What activities are regulated?

– What is our greatest legal exposure?

Page 23: Internal controls

The costs of risks

• When evaluating the potential impact of risk, both quantitative and qualitative costs need to be addressed.

• Quantitative costs: cost of property, equipment, or inventory, cash dollar loss, damage and repair costs, cost of defending a lawsuit, etc.

• Qualitative costs: Loss of public trust, violation of laws, default on a project, bad publicity.

Page 24: Internal controls

Risk analysis

• Management has established a formal process to analyze risks, and that process may include informal analysis based on day-to-day management activities.

• Criteria have been established for determining low, medium, and high risks.

• Appropriate levels of management and employees are involved in the risk analysis.

• The risks identified and analyzed are relevant to the corresponding activity objective.

Page 25: Internal controls

Managing Risk During Change

• Management must give special attention to risks presented by changes:

– the hiring of new personnel to occupy key positions.

– introduction of new or changed information systems.

– rapid growth and expansion or rapid downsizing.

– the production or provision of new outputs or services.

– establishment of operations in a new geographical area.

Page 26: Internal controls

Control Activities

Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.

Page 27: Internal controls

Preventive Controls

• Preventive controls attempt to deter or prevent undesirable events from occurring.

• They are proactive controls that help to prevent a loss.

• Examples: separation of duties, proper authorization, adequate documentation, and physical control over assets.

Page 28: Internal controls

Detective Controls

• Detective controls attempt to detect undesirable acts.

• They provide evidence that a loss has occurred but do not prevent a loss from occurring.

• Examples: reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

Page 29: Internal controls

Some Control Activities

• Approvals, Authorizations, and Verifications (Preventive).

• Reconciliations (Detective).

• Reviews of Performance (Detective).

• Security of Assets (Preventive and Detective).

• Segregation of Duties (Preventive).

• Controls over Information Systems (Preventive and Detective).

Page 30: Internal controls

Approvals

• Written policies and procedures

• Limits to authority

• Supporting documentation

• Question unusual items

• No “rubber stamps”

• No blank signed forms

Page 31: Internal controls

Reconciliation

• A reconciliation is a comparison of different sets of data to one another, identifying and investigating differences, AND taking corrective action, when necessary.

• A critical element of the reconciliation process is to resolve differences.

• It does no good to note differences and do nothing about them. Differences should be identified, investigated, and explained; corrective action must be taken.

Page 32: Internal controls

Reviews

• Budget to actual comparison

• Current to prior period comparison

• Performance indicators

• Follow-up on unexpected results or unusual items

Page 33: Internal controls

Asset security

• Security of physical and intellectual assets

• Physical safeguards

• Perpetual records are maintained

• Periodic counts/physical inventories

• Compare counts to perpetual records

• Investigate/correct differences

Page 34: Internal controls

Segregation of duties

• No one person should...

– Initiate the transaction

– Approve the transaction

– Record the transaction

– Reconcile balances

– Handle assets

– Review reports

• At least two sets of “eyes”.

Page 35: Internal controls

Information systems

(1) General Controls and (2) Application Controls.

Page 36: Internal controls

General Controls

• General controls apply to entire information systems and to all the applications that reside on the systems. Examples:

• Access Security, Data & Program Security, Physical Security

• Software Development & Program Change Controls

• Data Center Operations

• Disaster Recovery.

Page 37: Internal controls

Application Controls

• Input Controls (Data Entry): complete and accurate recording of authorized transactions.

– Authorization

– Validation

– Error Notification and Correction

• Processing Controls: complete and accurate processing of authorized transactions.

• Output Controls: complete and accurate audit trail of the results of processing.

Page 38: Internal controls

Information & Communications

Page 39: Internal controls

• For an organisation to run and control its operations, it must have relevant, reliable information, both financial and non-financial, relating to external as well as internal events.

• That information should be recorded and communicated to management and others within the agency who need it and in a form and within a time frame that enables them to carry out their internal control and operational responsibilities.

Page 40: Internal controls

• Internally generated information critical to achieving the organisation’s objectives, including information relative to critical success factors, is identified and regularly reported to management.

• Pertinent information is identified, captured, and distributed to the right people in sufficient detail, in the right form, and at the appropriate time to enable them to carry out their duties and responsibilities efficiently and effectively.

Page 41: Internal controls

Forms & means of communication

• policy and procedures manuals,

• management directives,

• memoranda,

• bulletin board notices,

• internet and intranet web pages,

• videotaped messages,

• e-mail, and

• speeches.

Page 42: Internal controls

Monitoring

Assessing the quality of performance over time and ensuring that the findings of audits and other reviews are promptly resolved.

Page 43: Internal controls

Ongoing monitoring

• Management’s strategy provides for routine feedback and monitoring of performance and control objectives.

• Operating reports are integrated or reconciled with financial and budgetary reporting system data and used to manage operations on an ongoing basis.

Page 44: Internal controls

• Communications from external parties corroborate internally generated data or indicate problems with internal control.

• Data recorded by information and financial systems are periodically compared with physical assets and discrepancies are examined.

Page 45: Internal controls

Separate Evaluations

• Consideration is given to the risk assessment results and the effectiveness of ongoing monitoring when determining the scope and frequency of separate evaluations.

• Separate evaluations are often prompted by events such as major changes in management plans or strategies, major expansion or downsizing of the agency, or significant changes in operations or processing of financial or budgetary information.

• Separate evaluations are conducted by personnel with the required skills that may include the agency’s external auditor.

Page 46: Internal controls

Audit resolution

• The organisation should have a mechanism to ensure the prompt resolution of findings from audits and other reviews.

• The organisation should take appropriate follow-up actions with regard to findings and recommendations of audits and other reviews.

Page 47: Internal controls

Internal Control Structures & Policies Relevant To Audit

• Control Environment

• Accounting System

• Control Procedures

Page 48: Internal controls

1. CONTROL ENVIRONMENT:

1. Management philosophy & operating style: supportive attitude towards control

2. Organisational structure: clear lines of accountability

3. Audit committees: monitor control structure

4. Personnel policies & procedures: people properly matched with tasks

5. Communication of authority & responsibility: performance reporting, meetings, conferences as effective communication devices.

6. Internal audit: effective control by identifying problems & suggesting solutions.

Page 49: Internal controls

2. ACCOUNTING SYSTEM

1. Chart of accounts, accounting manuals & other records: complete & accurate recording of transactions & events.

2. Transaction documentation: effective “audit trail” for recording of transactions & events.

3. Transaction review: prevention of unauthorised transactions & detection of errors in transaction processing & recording.

4. EDP controls: input editing & other programmed controls to compensate for lack of traditional controls.

Page 50: Internal controls

3. CONTROL PROCEDURES

1. Job descriptions, training programmes, hiring policies: competence of personnel.

2. Policy & procedure manuals: adherence to policy.

3. Planning, budgeting & performance reporting: to establish long-range goals & plans to achieve them; to monitor & correct performance.

4. Asset safeguards: asset management, limited access & accountability controls.

5. Periodic inventories, cash counts & securities counts: monitor access & accountability controls.