SIR SHAIKH BILAL HAQUE

Chapter 9
Organizational Control & Audit
.

Internal Control Systems

Internal Control System
An internal control system comprises the whole network of systems established in an organisation to provide
reasonable assurance that organisational objectives will be achieved and the assets will be safeguarded.
Furthermore, internal controls are critical for risk management, as it helps in mitigating the various risks which
organization faces. Strong internal controls cover all aspects of business, including operations, finance, HR, IT,
data, regulatory compliance, financial reporting, frauds and errors, etc.

Purpose / Importance / Advantages of Internal Control System

 Achievement of organization’s objective
 Orderly and effective conduct of business
 Assurance to board in discharge of their corporate governance responsibilities
 Mitigates risks faced by the organization
 Safeguarding of assets
 Completeness and accuracy of accounting records
 Accurate and timely financial reporting, both external and internal
 Prevention of fraud and error
 Compliance with regulatory laws and standards
 Provides reliable information to board to enable key decision making

Five Elements of Sound Internal Control System (as per COSO ERM Framework)

 Control environment
 Tone at the top (Board)
 Overall attitude by Board and Management
 Create a culture of strong internal controls

Chp 9 – Org Control & Audit….. Page 1

 SIR SHAIKH BILAL HAQUE

 Risk assessment
 Identify all risks
 Prioritize based on impact and probability

 Control activities
 Design formal policies, procedures & systems  Implement internal controls across all functions 

Some key internal control includes:

Authorization and approvals
Segregation of duties

Supervision
System checks and validations built into the software
Screening and training of personnel

 Information and communication

 Staff training

 Monitoring
 Regular reviews by management
 Internal and external audits

Why Internal Control System Fails Sometimes

 Controls could be insufficient / weak

 Deliberate circumvent by employees (e.g. collusion)
 Misuse of authority by Senior personnel
 Some unforeseen events / risks were not considered while designing internal controls
 Internal controls may become obsolete or redundant due to changing environment
 Human error or negligence
 It is impossible to cover 100% risks through internal controls (inherent risks)

Chp 9 – Org Control & Audit….. Page 2

 SIR SHAIKH BILAL HAQUE

Role of Internal Controls in Regulatory / Financial Reporting

It is critical that effective internal controls system are in place to ensure that the information being reported is
accurate, complete, reliable and timely. Non-compliance with regulations have serious consequence, including
threat to going concern of the organization. Effective internal controls relating to regulatory reporting includes:

 Formal allocation of responsibility to specific persons and departments

 Controls to generate and collect accurate, complete, reliable and timely information
 Controls to detect or highlight any non-compliance or exception
 Have formal review and approval process before the information is published / reported
 Information is collected consistently in same manner year on year in order for prior year comparisons
 Internal audit to review the entire process and key controls

Need for Information Flow to Management relating to Internal Controls

i.e. why Board needs assurance that internal controls are working adequately?

 Board is responsible to manage risks, hence they need to know that whether internal controls are working
properly or not
 Board makes decisions based on ‘information’, and strong internal controls will generate reliable
information
 All reporting to shareholders, external, regulatory and internal reporting is based on internal control
system
 Internal and external auditors use information in order to perform their tasks

Internal Audit
& Compliance

Chp 9 – Org Control & Audit….. Page 3

 SIR SHAIKH BILAL HAQUE

Internal Audit
Internal audit is an independent, objective assurance function established within the organization, with the aim
of ensuring that governance process, risk management and internal controls are working effectively. It may be a
statutory requirement to have an internal audit or it may be strongly recommended under codes of corporate
governance. The primary objective of internal audit is to assist other functions in the effective discharge of their
responsibilities. The work of internal audit is quite varied and includes financial / internal controls review,
compliance, operational audits, fraud investigations, etc.

Roles / Importance of Internal Audit

 Evaluating internal control system
 Reviewing accounting controls and financial information
 Reviewing operational effectiveness and efficiency
 Reviewing compliance with laws and regulations
 Reviewing risk management procedures including identification of significant risks  Special
investigations or assignments (e.g. fraud investigation)

Factors To Decide Whether Org Needs An Internal Audit

 Any mandatory requirement by regulations / code of corporate governance / regulated industry
 Size, complexity and growth of organization
 Number of employees
 Geographical dispersion (i.e. multiple / overseas locations)  Centralized or decentralized set-up?
 Cost benefit considerations
 Key risks facing the organizations / risk level
 Quality of current systems and internal controls
 Increased frequency of breaches or unacceptable events

Independence of Internal Audit

Internal audit has to be independent and objective, otherwise it will not be able to give accurate picture to the
Board whether internal control systems are working effectively throughout the organization. If internal audit is
not independent, then there is a risk that they might fail to report breaches, turn a blind eye to unethical
practices, ignore discrepancies, accept explanations without checking, become sympathetic to fellow
employees, etc.

Independence is assured through following measures:

 Having appropriate structure within internal audit works:

Chp 9 – Org Control & Audit….. Page 4

 SIR SHAIKH BILAL HAQUE

 Internal auditor should not be involved in operational activities or systems they are auditing
 Internal Auditor should be appointed by Audit Committee (and not by Exec Management)
 Internal Auditor to report directly to Audit Committee
 Internal Auditor to have direct access to Chairman of the Board
 All remuneration, promotion, bonus to be decided by Audit Committee (and not by Exec
Management)

 Internal auditor following principles of professional ethics:

 Threats: self-interest, self-review, advocacy, familiarity, intimidation
 Principles of professional ethics: Integrity, objectivity, professional competence & due care,
confidentiality, professional behavior

Importance of Internal Audit in Highly Regulated Industry

Internal audit is generally considered to be more important in highly regulated industries because there is a need
to ensure compliance with regulatory requirements. The organization has to provide confirmation and
information to the regulator regarding compliance. This requires implementing systems for collecting
information and producing reports to demonstrate the levels of compliance. Also, the Board needs assurance
of compliance. Hence it is important that the auditor is independent of those being audited and, for this reason,
a formal internal audit function is more necessary.

Internal Audit Recommendations

When suggesting recommendations, internal audit department must ensure that the recommendations are:

 Practical
 Cost effective
 Reduces risks to a tolerable level

The internal auditor should also conduct a post-implementation review to ensure that the recommendations
have been actioned by the management

Audit Committee

Chp 9 – Org Control & Audit….. Page 5

 SIR SHAIKH BILAL HAQUE

Introduction to Audit Committee

The Audit Committee is responsible to ensure that auditors remain independent and financial reporting is
accurate and reliable. All members are NEDs with atleast one NED having recent expertise in financial reporting
and audit. This is to ensure that shareholders receive independent and accurate financial information of the
company.

Roles of the Audit Committee

 Financial statements and reporting:

 Ensuring accuracy and integrity of financial statements and regulatory filings
 Review accounting policies
 Review internal controls relating to financial reporting
 Compliance with relevant laws and regulations

 Monitoring internal audit function:

 Ensure independence and objectivity of internal audit
 Appoint internal auditor and monitor his/her performance
 Approve annual internal audit plan
 Ensure effectiveness and efficiency of internal audit function  Ensure that internal audit
recommendations are implemented timely

 Managing External Auditors:

 Recommendation appointment, re-appointment or removal of external auditor
 Approve terms of engagement / audit scope
 Approve auditor’s remuneration
 Ensuring independence and objectivity of external auditor
 Review any non-audit services provided by external auditors (e.g. tax consultancy)
 Audit closure meetings, including discussing issues and weaknesses identified during audit

 Provide Whistleblowing arrangements to prevent fraud and mis-reporting

Chp 9 – Org Control & Audit….. Page 6

 SIR SHAIKH BILAL HAQUE

Report on Internal Controls

Report on Internal Controls to Shareholders
The board should conduct an annual review of the effectiveness of the company’s internal control systems, which
should then be formally reported to shareholders. The review covers all material controls relating to finance,
operations, risk management, compliance, etc. The review is generally conducted against the COSO Framework
elements.

Contents of a report on internal control system includes:

 Formal declaration by directors acknowledging their responsibility for ensuring sound internal controls
 Reference to COSO framework for sound internal controls
 Overview of the internal control system in place
 Summarize how the board ensured effectiveness of internal controls
 Any material control weakness identified
 Corrective and preventive actions taken to address weaknesses

Advantages / Importance of Report on Internal Controls to Shareholders

 Directors will work more responsibly when an activity needs to be reported to shareholders
 Shareholders will be fully updated

 Provides assurance to shareholders and other stakeholders hence increasing their confidence  May

attracts investment at a lower cost of capital

Practice Questions
P1 – Jun 2013 Q2: Imp of Int Audit in Regulated Ind | Audit Comm | Regulatory Rep (Bulp Co)
P1 – Dec 2014 Q4: Need for Int Audit | Why Int Ctrl Fails | CPD (Loho Co)

Chp 9 – Org Control & Audit….. Page 7