
INTERNAL CONTROL AND REVIEW

[Mind map of topics]
- Management control systems
- Turnbull Guidance
- Factors to consider in assessing the effectiveness of IC system
- IC system: purposes of IC & their importance to the company; elements of a sound IC system; characteristics of a sound IC system; inherent limitations of IC; PAPAMOSS [finl ICs]
- Internal auditors: role of IA; factors to consider the need for IA; importance of auditor independence; threats to auditor's independence
- Audit committee: general role; overseeing IA function; relationship with EA
- Risk management and CG
- Exam annotations on the map: "take note", "take note for exam", "never tested - some attn", "higher chances tested"

IC SYSTEM

Control environment

- Refer to the attitude, awareness and style of mgnt towards the importance of ICs i.e. are they ctrl conscious or not

Control procedures

- Refer to ICs/policies and procedures implemented by the company
- FOCR
- Financial – ensure F/S prepared are free of errors and fraud
- Operational – ensure co’s operation will be efficient and economical and thereby achieving co’s obj (effective)
- Compliance – relevant to co in regulated industry to comply with laws & reg. (fail - withdrawal of operating license)
- Risk mgnt – allows company to take risk knowingly & thus survive any possible crisis

PURPOSES OF IC & THEIR IMPORTANCE TO THE COMPANY

Financial

- ensure reliability of internal & external reporting
- timely preparation of reliable financial info
- safeguard assets
- prevent and detect fraud

Operational

- ensure operations are efficient, economical and effective (3Es) – max returns to S/H

Compliance

- assist compliance with laws & reg, internal policies

Risk Mgnt

- manage risks – significant to achievement of co’s biz objectives
- ensure company not unnecessarily exposed to avoidable financial risks

ELEMENTS OF A SOUND (effective) IC SYSTEM

[Exam: Evaluate soundness of ICs / Evaluate ICs; evaluate – strengths & weaknesses]

Turnbull Report highlights 3 elements of sound system of IC :

1. control activities
- focuses on the ADEQUACY of FOCR
- adequacy depends on nature of biz, event taken place

2. monitoring (ensure ICs applied as prescribed)
- focuses on the EXISTENCE of
(a) internal audit function – examine controls that have been put in place
(b) monitoring by the board – effective operation of ICs

3. communication
- focuses on the EXISTENCE of
(a) timely communication of info to the board – facilitate sound decision making
(b) whistle blowing arrangement – enable staff to report any known or suspected malpractices involving
their superior to designated personnel (AC) without any fear of reprisal
[in the past – accuse staffs leak co’s confidential info – fail to observe confidentiality – removal – whistle
blowing ACT – curb white collar crimes – protect staff]

Turnbull Report also highlights 3 characteristics of sound system of IC :

1. control activities – embedded in company operations – form part of its culture
- culture refers to taken-for-granted assumptions collectively practiced by all members in an orgz

2. regular monitoring – capable of responding quickly to changes and biz risks as they emerge and develop

3. communication – immediate reporting to mgnt – any control failings identified and any corrective action
undertaken – require company establishing policy on the type of matters that require immediate reporting
to the board

Turnbull Report emphasizes that a sound IC system can only provide reasonable assurance and cannot provide protection with certainty against the company suffering losses, failing to meet its biz obj or breaching laws or reg., due to the inherent limitations of IC :
1. collaboration among several staff or with 3rd parties - resulting in intended ctrls not taking place
[seg of duties – checks and balances]
2. mgnt overriding ctrls – staff responsible for exercising ctrls did not stop the fraudulent transactions due to the seniority of fraudsters involved – fear of reprisal
3. human error - staffs overseeing ctrls – not competent – careless – allow fraudulent transactions to escape detection – overlooked
4. loopholes within IC system not known to mgnt

PAPAMOSS [Financial IC]

Personnel
- focuses on
(a) stringent recruitment policy - right personal quality
(b) ongoing training programme – keep staff up to date
aimed at ensuring staffs are competent

Authorization and approval
- all financial transactions should be authorized/approved by appropriate responsible person – designated person
- authorization limit to how much spending each responsible person can approve
- to prevent payment of fictitious transactions and entering into contractual arrangements which are not favourable to the company

Physical
- ensure assets that are portable, valuable and exchangeable (prone to misappropriation) are properly safeguarded – avoid pilferage
- Eg put cash in a safe, bank cash receipts immediately, prevent unauthorized access to computer systems through the use of PWs and internet firewalls

Arithmetic and Accounting
- aimed at ensuring completeness and accuracy of recording such as
(a) use of pre-numbering
(b) performing recon btw 2 or more doc/records

Management
- undertaken by highest authority within an orgz
- carried out on ad-hoc basis
- eg budgets, variance analysis, review monthly mgnt A/Cs

Organization
- focuses on ensuring staffs are aware of their responsibilities and to whom they report, by using job description and organizational chart (clear abt responsibilities, lines of authority, lines of reporting)
- fraud and errors much more likely if uncertain who is responsible for what, who should report to whom

Supervision
- undertaken by staff’s immediate superior
- day-to-day basis
- day-to-day work of e’yees properly supervised – reduce likelihood of fraud or errors

Segregation of duties
- aimed at creating checks and balances by having diff staffs carry out diff functions – minimize chances of covering up
- difficult for fraud to take place – several individuals have to collude in the fraud
- difficult for accidental errors to occur – several ppl involved in a task – act as check on each other

RISK MANAGEMENT

- take risks knowingly – survive crisis
- preventive ctrl - anticipated risk, bottleneck – ready solutions
- risk appetite = materiality lvl

Nature of risk
(a) unexpected
(b) negative effect of risk – downside risk – purpose of risk mgnt is to identify these downside risks in
advance so that ready solutions can be put in place to address them should the risk occur
(c) positive effect of risk – upside of the risk – provide opportunities as well
(d) identify upside and downside of the risk – cost vs. benefit – appropriate response

RM as IC
- a form of preventive control – risks continually changing – thorough and regular evaluation of nature and
extent of risks – safeguard S/H’s investment and co’s assets
- Cadbury committee – RM as process by which executive mgnt, under board supervision, identifies risks
arising from the biz and establishes priorities for control and particular objectives
- Combined Code provision – directors – annual review of effectiveness of group’s IC system –
should report to S/Hs that they have done so in Sttm on IC
- Ultimate responsibility for ICs and risk mgnt lies with the board ; task of detailed oversight might be
delegated to AC – oversee FR & IC within the company
- Some prefer to delegate task of monitoring risk mgnt to separate committee – risk mgnt committee

RM and CG
- Take risks knowingly – survive any possible crisis – safeguard S/H interest – protect value of S/Hs’ investment
- Board ensure adequate risks measures are taken – manage them well – without causing any undue waste of
company assets and finances – will result in maximization of returns to S/H

Board’s Role in RM (those charged with governance) top-down

- Turnbull Report – the board should set appropriate policies on IC and seek regular assurance via IA to satisfy itself that the system of IC is functioning effectively – effective in managing risks
- Turnbull Report – effective monitoring on a continuous basis by
(a) Regularly receive and review reports on IC (IA report)
(b) Undertake annual assessment for the purpose of making public its sttm on IC

Board effectiveness Effectiveness of IC

Unlike SOX, the board is not req’d to make a sttm that the ctrls are effective – merely report that such a review has been carried out

Management’s Role in RM (operating mgnt) bottom-up

- Implement board policies on risk and control
- Identify and evaluate risks faced by company for consideration by the board
- Reports to board – balanced assessment of significant risks and effectiveness of IC system in managing those risks – include significant control failings or weaknesses identified, impact and actions taken to rectify

Top down and bottom up – coordination
