
Internal Control

The plan of organization and all the methods and procedures adopted by the management of an
entity to assist in achieving the management’s objective of ensuring, as far as practicable, the
orderly and efficient conduct of its business, including adherence to management policies, the
safeguarding of assets, prevention and detection of fraud and error, the accuracy and completeness
of the accounting records and the preparation of reliable financial information.

Objectives of Internal control

1. Transactions are executed in accordance with management's general or specific authorizations.

2. Transactions are carried out efficiently and effectively.

3. All transactions are promptly recorded so as to permit preparation of financial information within a
framework of recognized accounting policies and practices and relevant statutory requirements, if
any, and to maintain accountability for assets.

4. Assets are safeguarded from unauthorized access, use or disposition.

Scope of Internal control

It extends beyond accounting controls. Basically, internal controls can be classified into two broad
categories:

(i) Accounting controls

(ii) Administrative controls

Accounting controls primarily aim at the provision and timely preparation of reliable financial
information by strictly following the procedures and broad policies envisaged by the management.
Administrative controls, by contrast, include all other managerial controls concerned with the decision
making process, e.g. preparation and maintenance of an approved/registered vendors' register.

Limitations of Internal control

1. The organizational structure of the entity may not be such as to have an effective system.

2. Lack of management supervision, frequent follow-up measures and so on.

3. Management's perception of the cost related to internal control.

4. Lack of integrity or interest on the part of the personnel bound to follow the systems.

5. Abuse of power, such as a member of management overriding a control.

6. The control system may become redundant with the passage of time.

7. Collusion between two or more persons may not be prevented.

8. Manipulation by management itself with respect to transactions, or to estimates and judgements in the
preparation of financial statements.

9. The potential for human error.


Types of Internal Control

Detective: Designed to detect errors or irregularities that may have occurred.

Corrective: Designed to correct errors or irregularities that have been detected.

Preventive: Designed to keep errors and irregularities from occurring in the first place.

Principle of Separation

Financial and accounting operations must be separated, i.e., handling of cash and the recording of
the movement thereof should be done by different persons.

Principle of Responsibility

Responsibility for the performance of the job must be clearly stated so that there may be no room
for doubt or confusion subsequently.

Principle of Skepticism

Too much confidence should not be pinned on one individual. Nearly all frauds have been
committed by trusted officials or employees.

Principle of Rotation

The rotation principle relating to the transfer of an employee from one job to another should be the
inflexible guiding rule.

Principle of Review

The work should be so arranged that work done by one employee should be promptly checked by
another independent employee.

Principle of Clarification

Clear and well-defined rules should be laid down and practically followed, relating to dealing with
cash, ordering, receiving and issuing goods, etc.

Principle of Documentation

The arrangement of the work should be in such a manner that a written record of the part played by
each employee should be maintained, and the work should pass through several hands in a well-defined
manner.

Role and Importance of Management and Auditor in Internal Control

Management is responsible for establishing internal controls. In order to maintain effective internal
controls, management should:

1. Maintain adequate policies and procedures;

2. Communicate these policies and procedures; and

3. Monitor compliance with policies and practices.

Responsibilities of management include planning, organizing, directing and controlling. Controlling,
including monitoring, is a process to ensure that what is supposed to be done is being done. Control
activities are the policies and procedures which help ensure that management directives are carried
out, and include, but are not limited to, the following:

Authorizations – Transactions must be authorized and executed in accordance with management's
intent.

Segregation of Duties – Segregation of duties is adequate when no one person is in a position to
initiate and conceal errors and/or irregularities in the normal course of their duties.

Record Keeping – Adequate record keeping ensures that assets are properly controlled and
transactions are properly recorded as to account, amount and period.

Safeguarding – Limiting access to and controlling the use of assets and records are ways to safeguard
those assets and records.

Reconciliations – Reconciliations are independent verifications, which help to ensure that the other
four control activities are functioning as intended.

Duties of an auditor in internal control

1. Objectively assess a company's IT and/or business processes

2. Assess the company's risks and the efficacy of its risk management efforts

3. Ensure that the organization is complying with relevant laws and statutes

4. Evaluate internal control and make recommendations on how to improve it

5. Identify shortfalls or gaps in processes

6. Promote ethics and help identify improper conduct

7. Assure safeguards

8. Investigate fraud

9. Communicate the findings and recommendations

10. Provide an opinion (unqualified, qualified, adverse, or disclaimer)


Financial & Non-Financial Mandatory Disclosure

Five Components of Internal Control System:

1. Control Environment

The control environment of a company describes its culture and ethics that provide the framework
inside it to work effectively. While the control environment relates to the overall company, it mainly
refers to the behaviour of the top management of the company in implementing the controls in
place.

The control environment relates to the management's style and the way it delegates authority,
organizes its staff, and its commitment to the internal control policies. The more importance
management places on the internal controls and systems of a company, the more likely it is that
the lower-level staff will also implement them. In the absence of a proper control environment, even
the best thought-out processes and procedures cannot succeed.

For example, a company has internal control systems in place for bank transactions. These may
come in the form of bank reconciliations or other procedures to control any deficiencies in the
banking process. However, the top management of the company disregards bank reconciliations and
does not perform these regularly. It sets the tone for other employees of the company to avoid the
process as well.

2. Risk Assessment

The next step, after the establishment of the control environment, is to assess the risks of a
company. By evaluating its risks, a company understands how these risks relate to its
objectives. Therefore, it can identify and implement controls against these risks. However, the risks
for every company differ based on several factors, such as its nature, objectives, industry, etc.
Therefore, to assess the risks of a particular company, it is critical to understand these factors as
well.

The goal of the risk assessment process is to identify risks, whether internal or external to the
company, which it faces due to its business. Both internal and external factors require attention
when it comes to risk assessment. However, external factors may require more analysis as these are
outside the control of the company. Similarly, based on whether risks are controllable or not,
companies can decide on how to tackle them.

For example, a company can look at its business and assess the risks associated with it. For
companies that deal with inventories, the risk may be physical damage, obsolescence, theft, decrease in
value, etc.

3. Control Activities

Control activities define all the processes or procedures that companies implement against the
identified risks. Based on the type of risk, there are various control activities that companies can
implement. Some commonly used control activities include authorizations, approvals, reviews,
physical and digital security measures, verifications, reconciliations, segregation of duties,
management, organization, etc.

For example, separation of duties is vital for internal control of accounts receivable and payable
balances. Similarly, for inventories, physical controls may be more critical than the
separation of duties. With sales and purchases, authorizations, approvals, and verifications may also
be relevant. Therefore, the control activities for each item depend on the risk for that item.

4. Information and Communication

It refers to the flow of information of the control activities to the relevant authorities or personnel so
that they can implement those activities. Similar to the control environment, the implementation of
control activities depends on communication with personnel. In the absence of communication,
control activities are futile. The quality of the information systems of a company also plays a role in
this component.

For example, a company should have proper and well-defined channels for communications through
which managers can send messages. Similarly, the system should provide regular updates to
managers so they can implement them promptly. This information should consist of both external
and internal factors. For each level of management, the level of information is going to vary.
Therefore, there should be proper channels for it.

5. Monitoring

While the above four components almost fulfill the objectives of the internal controls process of a
system, they are not complete. Once companies implement control activities and communicate
them with the management, they should have procedures in place to monitor the activities.
Therefore, every company should have a reviewing and monitoring process that it carries out
regularly. Monitoring can also help companies identify deficiencies in the control activities and find a
solution for them.

Related Party Transactions:

It is not uncommon for a company in its day-to-day business to enter into various transactions
with parties with whom it is related or has common interests. Although such transactions are
themselves legal, they may create conflicts of interest or lead to other illegal situations and can
impact the financial position of the company. Therefore, in order to protect the interest of
stakeholders and maintain transparency in business, such transactions with Related Parties
are regulated. Section 188 of the Companies Act, 2013 (the Act) specifically deals with Related
Party Transactions.

There is a long list of persons and entities that are considered related parties by the law. These
include the company's directors, key managerial persons, and their relatives. Also, firms or private
companies in which such directors, managers, or their relatives are partners or directors fall under
the ambit of related parties. So also are holding companies, subsidiaries and associate companies,
among others that can exercise influence on the company. The Companies Act, 2013 ("Act") states
that a related party, with reference to a company, means:

1. a director or a key managerial personnel or their relatives;

2. a firm, in which a director, manager or his relative is a partner;

3. a private company in which a director or manager or his relative is a member or director;

4. a public company in which a director or manager is a director and holds, along with his relatives,
more than two per cent of its paid-up share capital;

5. any body corporate whose Board of Directors, managing director or manager is accustomed to act
in accordance with the advice, directions or instructions of a director or manager;

6. any person on whose advice, directions or instructions a director or manager is accustomed to act:

Provided that nothing in sub-clauses (v) and (vi) shall apply to the advice, directions or instructions
given in a professional capacity.

Role of Board of Directors in Internal Control:

Here are ten important roles that board members should keep in mind when it comes to internal
control oversight. The Board should:

1. Be made up of individuals who have sufficient independence from management—in action, in
appearance, and in actuality. Independence strengthens the board's ability to enforce accountability
by management and helps to avoid the perception of conflict of interest, both by staff and by the
public.

2. Oversee the development and implementation of internal controls by the CEO or senior
management. Even the smallest non-profit organizations can implement some degree of internal
control, and it is the board's responsibility to ensure that management is implementing and
enforcing them.

3. Monitor management's response to accounting and reporting control deficiencies and
weaknesses. A control deficiency or weakness is a serious problem that has been identified by an
internal or external audit function. The Board is responsible for holding management accountable
for responding to and acting on these findings in a timely manner.

4. Work with management to establish standards of conduct and an ethically sound tone at the top.
The board should help to define expectations about financial reporting transparency, integrity, and
ethical values. The tone at the top trickles down through the organization and sets a consistent tone
and overall standard for conduct.

5. Maintain direct and open reporting lines, such as a whistle-blower policy to report business
conduct issues or nefarious activity. Having a weak or inconsistent reporting policy can discourage
those who would otherwise report on internal control or conduct issues. According to the
Association of Certified Fraud Examiners ‘Report to the Nations’, an anonymous phone or email
“hotline” is the most frequently reported detection method in the initial finding of fraud. A hotline is
inexpensive and easy to set up for any organization, regardless of size.

6. Define and evaluate the skills and expertise needed among its members to be able to understand
and identify issues affecting the organization. For example, the treasurer should have a strong
understanding of finance and accounting to perform his or her duties successfully.

7. Engage in "constructive challenge" conversations with management. The ability to identify and
verbalize focused questions allows board members—who have limited time—to leverage their
experience and maximize their benefit to the non-profit organization. The board should require
follow-up and corrective action for all issues identified through this process.

8. Create oversight structures, such as committees to focus on specialized topics. For example, an
audit committee should be created to oversee internal controls and promote transparency over the
organization’s financial reporting.

9. Consider the organization's internal and external risks and challenge management's assessment of
those risks. Identifying an organization’s potential risks is a key component in creating controls that
will help the organization reach its goals. Risks should be considered on a continual basis as the
organization or business environment changes or grows.

10. Exercise its fiduciary responsibilities to stakeholders and practice due care in oversight, which
includes preparing for and attending meetings, reading the financials, attending board training if
needed, and other various duties that promote the organization’s success and well-being.

What is the COSO Framework?

The COSO Framework is a system used to establish internal controls to be integrated into business
processes. Collectively, these controls provide reasonable assurance that the organization is
operating ethically, transparently and in accordance with established industry standards.

COSO is an acronym for the Committee of Sponsoring Organizations. The committee created the
framework in 1992, led by Executive Vice President and General Counsel, James Treadway, along
with several private sector organizations, including the following:

* American Accounting Association

* Financial Executives International

* The Institute of Internal Auditors

* American Institute of Certified Public Accountants

* The Institute of Management Accountants (formerly the National Association of Cost Accountants)

The COSO framework was updated in 2013 to include the COSO cube, a 3-D diagram that
demonstrates how all elements of an internal control system are related.

In 2017, the committee introduced their COSO Enterprise Risk Management Framework. The COSO
ERM Framework aims to help organizations understand and prioritize risks and create a strong link
between risk, strategy and how a business performs.

The COSO framework divides internal control objectives into three categories: operations, reporting
and compliance.

1. Operations objectives, such as performance goals and securing the organization's assets against
fraud, focus on the effectiveness and efficiency of your business operations.

2. Reporting objectives, including both internal and external financial reporting as well as non-financial
reporting, relate to transparency, timeliness and reliability of the organization's reporting
habits.

3. Compliance objectives are internal control goals based around adhering to laws and regulations
that the organization must comply with.

What are the five components of the COSO Framework? (Almost the same as the components of
internal control discussed earlier)

Control environment. The control environment seeks to make sure that all business processes are
based on the use of industry-standard practices. This can help ensure that the business is run in a
responsible way. It may also reduce an organization's legal exposure if the organization is able to
prove that its business processes are all based around industry standard practices. Additionally, the
control environment can help with making sure that an organization is adhering to regulatory
compliance requirements.

Risk assessment and management. Risk assessment and management -- which is sometimes referred
to as enterprise risk management -- is based on the idea that risk is an inherent part of doing
business. However, those same risks can sometimes cause a business to suffer adverse
consequences. As such, organizations commonly adopt risk management plans that help them to
identify risks and either reduce or eliminate risks deemed to pose a threat to the organization's well-
being.

Control activities. Control activities are also tied to the concept of risk management. They are
essentially internal controls that are put into place to make sure that business processes are
performed in a way that helps an organization to meet its business objectives without introducing
unnecessary risks into the process.

Information and communications. Communications rules are put in place to make sure that both
internal and external communications adhere to legal requirements, ethical values and standard
industry practices. For example, private sector organizations commonly adopt privacy policies
establishing how customer data can be used.

Monitoring. At a minimum, monitoring is performed by an internal auditor who makes sure that
employees are adhering to established internal controls. However, in the case of public companies,
it is relatively common for an outside auditor to evaluate the organization's regulatory compliance.
In either case, the audit results are usually reported to the board of directors.

How is the COSO Framework used?

The COSO Framework is heavily used by publicly traded companies and accounting and financial
firms. The framework seeks to put internal controls in place that formalize the way in which key
business processes are performed. This helps organizations to adhere to legal and ethical
requirements, while also focusing on risk assessment and management. In addition to integrating
such controls into key business processes, the framework places a heavy emphasis on monitoring
and reporting, especially as it relates to using internal auditors to monitor adherence to established
controls.

Internal Audit Planning Checklist

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why the project was put
on the audit plan. The following questions should be answered and approved before fieldwork
begins:

1. Why was the audit project approved to be on the internal audit plan?

2. How does the process support the organization in achieving its goals and objectives?

3. What enterprise risk(s) does the audit address?

4. Was this process audited in the past, and if so, what were the results of the previous audit(s)?

5. Have there been significant changes in the process recently or since the previous audit?

2. Risk and Process Subject Matter Expertise

Performing an audit based on internal company information is helpful to assess the operating
effectiveness of the process's controls. However, for internal audit to keep pace with the business's
changing landscape and to ensure key processes and controls are also designed correctly, seeking
out external expertise is increasingly becoming a best practice.

3. COSO's 2013 Internal Control – Integrated Framework

Internal auditors can also leverage COSO's 2013 Internal Control – Integrated Framework to create a
more comprehensive audit program. In addition to identifying and testing control activities, internal
audit should seek to identify and test the other components of a well-controlled process.

4. Initial Document Request List

Requesting and obtaining documentation on how the process works is an obvious next step in
preparing for an audit. The following requests should be made before the start of audit planning in
order to gain an understanding of the process, relevant applications, and key reports:

a. All policies, procedure documents, and organization charts

b. Key reports used to manage the effectiveness, efficiency, and process success

c. Access to key applications used in the process

After gaining an understanding of the process to be audited through the initial document request,
you should request access to master data for the processes being audited, in order to analyse it for trends and
to aid in making detailed sampling selections.

5. Preparing for a Planning Meeting with Business Stakeholders

Before meeting with business stakeholders, internal audit should hold an internal meeting in order
to confirm the high-level understanding of the objectives of the process or department and the key
steps to the process. The following steps should be performed to prepare for a planning meeting
with business stakeholders:

* Outline key process steps by narrative, flowchart, or both, highlighting information inflows, outflows,
and internal control components

* Validate draft narratives and flowcharts with subject matter experts (if any)

* Create an initial pre-planning questionnaire to facilitate a pre-planning meeting with key audit
customers

Preparing the questionnaire after performing the initial research sets a positive tone for the audit,
and illustrates that internal audit is informed and prepared. Once this research is completed,
internal audit should meet with their business stakeholders to confirm their understanding of the
process.

6. Preparing the Audit Program

Once internal audit has confirmed their understanding of the process and risks within the process,
they will be prepared to create an audit program. An audit program should detail the following
information:

* Process Objectives

* Control Attributes, including:

  * Is the control preventing or detecting a risk event?

  * Control frequency (e.g. daily, weekly, monthly, quarterly, etc.)

  * Does the control mitigate a fraud risk?

  * Is the control manually performed, performed by an application, or both?

  * An initial assessment of the risk event (e.g. high, medium, or low)

* Testing Procedures for Controls to be Tested During the Audit, including:

  * Inquiry, or asking how the control is performed

  * Observation, or physically seeing the control being performed

  * Inspection, or reviewing documentation evidencing that the control was performed

  * Re-performance, or independently performing the control to validate outcomes

7. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before, should have
multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The
following individuals should review and approve the initial audit program and internal audit planning
procedures before the start of fieldwork:

* Internal Audit Manager or Senior Manager

* Chief Audit Executive

* Subject Matter Expert

OECD on corporate governance:

* In 1999, the Organization for Economic Cooperation and Development published its Principles
of Corporate Governance, which have since become a global benchmark for policymakers,
investors, firms, and other stakeholders.

* They have also been adopted as one of the Financial Stability Board's Key Standards for Sound
Financial Systems, and they are the foundation for the World Bank's Corporate Governance
Reports on the Observance of Standards and Codes.

The six OECD Principles are:

* Ensuring the basis of an effective corporate governance framework

* The rights and equitable treatment of shareholders and key ownership functions

* Institutional investors, stock markets, and other intermediaries

* The role of stakeholders in corporate governance

* Disclosure and transparency

* The responsibilities of the board

1. Ensure the basis of an effective corporate governance framework

The corporate governance framework should promote transparent and efficient markets, be
consistent with the rule of law and clearly articulate the division of responsibilities among
different supervisory, regulatory and enforcement authorities.

2. The rights and equitable treatment of shareholders and key ownership functions

‘The corporate governance framework should protect and facilitate the exercise of
shareholders’ rights and ensure the equitable treatment of all shareholders, including
minority and foreign shareholders. All shareholders should have the opportunity to obtain
effective redress for violation of their rights.’

Basic shareholder rights should include the right to:

1. Secure methods of ownership registration;

2. Convey or transfer shares;

3. Obtain relevant and material information on the corporation on a timely and regular
basis;

4. Participate and vote in general shareholder meetings;

5. Elect and remove members of the board; and

6. Share in the profits of the corporation.

3. Institutional investors, stock markets, and other intermediaries

‘The corporate governance framework should provide sound incentives throughout the
investment chain and provide for stock markets to function in a way that contributes to
good corporate governance.’

* All shareholders of the same series of a class should be treated equally

* Insider trading and abusive self-dealing should be prohibited

* Members of the board and key executives should be required to disclose to the
board whether they, directly, indirectly or on behalf of third parties, have a material
interest in any transaction or matter directly affecting the corporation.

4. The role of stakeholders in corporate governance

The corporate governance framework should recognize the rights of stakeholders
established by law or through mutual agreements and encourage active co-operation
between corporations and stakeholders in creating wealth, jobs, and the sustainability of
financially sound enterprises.

5. Disclosure and transparency

The corporate governance framework should ensure that timely and accurate disclosure is
made on all material matters regarding the corporation, including the financial situation,
performance, ownership, and governance of the company.

6. The responsibilities of the board

The corporate governance framework should ensure the strategic guidance of the company,
the effective monitoring of management by the board, and the board’s accountability to the
company and the shareholders.
