Definition of internal control systems
The whole system of controls, financial and otherwise, established by the management in order to carry out the business of the enterprise in an orderly and efficient manner, ensure adherence to management policies, safeguard assets, prevent and detect fraud and error and secure as far as possible the completeness and accuracy of the records.
The importance of internal control and risk management
- A company’s system of internal control has a key role in the management of risks that are significant to the fulfilment of its business objectives. A sound system of internal control contributes to safeguarding the shareholders’ investment and the company’s assets.
- Internal control facilitates the effectiveness and efficiency of operations, helps ensure the reliability of internal and external reporting and assists compliance with laws and regulations.
- Effective financial controls, including the maintenance of proper accounting records, are an important element of internal control. They help ensure that financial information used within the business and for publication is reliable. They also contribute to the safeguarding of assets, including the prevention and detection of fraud.
- A company’s objectives, its internal organisation and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. Since profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it.
How board of directors is responsible for internal controls?
The board of directors is responsible for the company’s system of internal control. It should set appropriate policies on internal control and seek regular reassurance that will enable it to satisfy itself that the system is functioning effectively. The board must further ensure that the system of internal control is effective in managing those risks in the manner which it has approved.
Elements of sound internal control system. An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company, that, taken together…
- facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operations, financial, compliance and other risks to achieving the company’s objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed;
- help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation;
- help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.
A company’s system of internal control will reflect its control environment which encompasses its organisation structure. What does the system include? What it should be capable of doing?
It should include:
- control activities;
- information and communications processes; and
- processes for monitoring the continuing effectiveness of the system of internal control.
It should:
- be embedded in operations of the company and form part of its culture;
- be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment; and
- include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified together with details of corrective action being undertaken
A sound system of internal control reduces, but does not eliminate…?
It does not eliminate possibility of poor judgement in decision-making; human error; control processes being deliberately circumvented by employees and others; management overriding controls; and the occurrence of unforeseeable circumstances.
In 1992 COSO (Committee of Sponsoring Organisations) stated that effective internal control system consist of five integrated elements. List them.
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
What is control environment? and how management can summarise their commitment?
The control environment can be thought of as management’s attitude, actions and awareness of the need for internal controls. If senior management do not care about internal controls and feel that is it not worthwhile introducing controls then the control system will be weak.
Management can try to summarise their commitment to controls in a number of ways:
- behave with integrity and ethics
- maintain an appropriate culture in the organisation
- set up a good structure - for example, an independent internal audit function, and have segregation of duties
- set proper authorisation limits
- employ appropriately qualified staff and conduct staff training
When auditors assess the control systems of business for the audit, if the environment is poor, they will place no reliance on any detailed control procedures.
What risk assessment should identify when performed?
- controllable risks - for these risks internal control procedures can be established
- uncontrollable risks - for these risks the company may be able to minimise the risk in other ways outside the internal control environment. Uncontrollable risks could be risks that are caused by external environment that the company operates in.
What are the typical processes that could be used in establishing the control activities?
- having a defined organisation structure. All staff need to understand how their role fits in with the rest of the organisation to aid their understanding of the job. They need to know who to report to on a daily basis and also points of contact when they need to deal with other departments or divisions;
- having contracts of employment with individuals at all levels. Contracts of employment guide an employees behaviours. Typically they include working hours, job title, salary and pension entitlements, holiday, data protection rules through to codes of dress. A major control within the contract of employment is the section of disciplinary action where it is outlined what constitutes a disciplinary procedures and the resulting event which will usually include dismissal;
- establishing policies, and subsequently procedures to ensure the policies are followed. Organisations typically have policies on health and safety, travel expenses, dignity at work, etc. Procedures might include the setting up of an audit department to ensure that the policies are adhered to;
- Setting up a suitable discipline and a reward system. Discipline has already been mentioned, however, rewards can also control an individuals behaviour. If an employee knows that there is a month-end bonus for meeting a particular sales target then most if not all of their actions will be focusses on that outcome. The objective is performance and conformance. However, if rewards are not structured correctly they can lead to dysfunctional behaviour;
- ensuring a system of performance appraisal and feedback. Appraisals are usually at least an annual event (perhaps more often whilst an employee is being trained). During the appraisal the manager and employee should have an opportunity to discuss whether the job is being performed satisfactorily, whether previous objectives have been met, and what any future objectives are. An employees behaviour is controlled via an appraisal since they know that their manager will be watching their work in order that a discussion can be held. It is an opportunity for the manager and employee to feedback on any issues that concern them or activities which may have been performed well.
The information provided to managers must be:
- Timely
- Accurate (and therefore reliable)
- Understandable
- Relevant to the actions being taken
Why monitoring is important?
The internal audit function is often the key monitor of the internal control system. Internal auditors will examine the controls and control system, identify where controls have failed so that the failures can be rectified, and also make recommendations to management for new and improved systems.
COSO identify five elements of an effective control system. What are they?
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
What is control environment and what does it include?
This is sometimes referred to as the ‘tone at the top’ of the organisation. It describes the ethics and culture of the organisation, which provide a framework within which other aspects of internal control operate. it includes following elements:
- management’s philosophy and operating style
- Organisational structure
- assignment of authority and responsibility
- human resource policies and practices
- competence of personnel
What is risk assessment and what it should consider?
There is a connection between the objectives of an organisation and the risks to which it is exposed. In order to make an assessment of risks, objectives for the organisation must be established. The risk assessment should be conducted for each business within the organisation and should consider, for example:
- internal factors, such as the complexity of the organisation, organisational changes, staff turnover levels, and the quality of staff
- external factors, such as changes in the industry and economic conditions, and so on.
The risk assessment should also distinguish between:
- risks that are controllable: management should decide whether to accept the risk, or to take measures to control or reduce the risk
- risks that are uncontrollable: management should decide whether to accept the risk, or whether to withdraw partially or entirely from the business activity, so as to avoid the risk.
What is control activities?
There are policies and procedures that ensure that the decisions and instructions of management are carried out. Control activities occur at all levels within an organisation, and include authorisations, verifications, reconciliations, approvals, segregation of duties, performance reviews and asset security measures. These control activities are commonly referred to as internal controls.
What is information and communication?
An organisation must gather information and communicate it to the right people so that they can carry out their responsibilities. Managers need both internal and external information to make informed business decisions and to report externally. The quality of information systems is a key factor in this aspect of internal control.
What is monitoring?
The internal control system must be monitored. This element of an internal control system is associated with internal audit, as well as general supervision. It is important that deficiencies in the internal control system should be identified and reported up to senior management and the board of directors.
List elements in COSO model applied to fraud prevention
- Control environment
- Risk recognition and assessment
- Assess the scale of the risk
- Control activities and procedures
- Information: monitoring and reporting
- Monitoring activities and correcting deficiencies
-
Chapter 1 - Risk16
-
Chapter 2 - Risk management45
-
Chapter 3 - Internal control19
-
Chapter 4 - Risk and control of information systems24
-
Chapter 5 - Information Strategy31
-
Chapter 644
-
Chapter 7 - Fraud17
-
Chapter 8 - Ethics8
-
Chapter 9 - Corporate Governance46
-
Chapter 10 - Audit50
-
Chapter 11 - Financial risk7
-
Chapter 12 - Currency risk managment58
-
Chapter 13 - Interest rate risk management33
-
Chapter 140
-
Chapter 15 - Investment implementation and review43
