
Unit 8: Internal control

Strategic risk and operating risk


Recall
Strategic risks are risks that arise in the business
environment and markets in which a company
operates. They occur regardless of any intervention
by the directors and management, because they
relate to the market.
Operating risks are risks that arise within an
organisation because of weaknesses in its
systems, procedures, management or
personnel (direct faults on internal matters).
Internal control
Unless there are controls to deal with them,
operating risks can lead to losses because of
operational failures, errors or fraud.
The controls for these risks are ‘internal controls’
and internal controls are applied within an internal
control system.
Internal control systems
are concerned with the management of business
risks other than strategic risks.
These are risks which can be controlled by
measures taken internally by the organisation.
Holistic approach
‘Internal control is a process, effected by an
entity’s board of directors, management and
other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
– Effectiveness and efficiency of operations.
– Reliability of financial reporting.
– Compliance with applicable laws and regulations.’
Categories of risk
The risks that are managed by an internal control
system can be categorised into three broad types:
– Financial
– Operational
– Compliance
Financial risk
These are risks of errors or fraud in accounting systems, and
in accounting and finance activities. Errors or fraud could lead
to losses for the organisation, or to incorrect financial
statements. Weak controls may also mean that financial
assets are not properly protected. Examples of financial risks
include the risk of:
– failure to record financial transactions in the book-keeping
system;
– failure to collect money owed by customers;
– failure to protect cash;
– financial transactions (such as payments) occurring without
proper authorisation; and
– mis-reporting (deliberate or unintentional) in the financial
statements.
Operational risk
Operational risk is ‘the risk of losses resulting from
inadequate or failed internal processes, people and
systems, or external events’.
Operational risks include:
– the risk of a breakdown in a system due to machine
failures or software errors;
– the risk of losing information from computer files or having
confidential information stolen;
– the risk of a terrorist attack;
– losses arising from mistakes or omissions by staff; and
– inefficient or ineffective use of resources.
Compliance risk
These are risks that important laws or regulations
will not be complied with properly.
Failure to comply with the law could result in legal
action against the company and/or fines.
The purpose of an internal control system and
internal controls
An internal control system is the system that an organisation
has for identifying operational, financial and compliance risks,
applying controls to reduce the risk of losses from these risks
and taking corrective action when losses occur.
Internal controls can be classified into three main types:
Preventive controls. These are controls that are intended to
prevent an adverse risk event from occurring; for example to
prevent opportunities for fraud by employees.
Detective controls. These are controls for detecting risk events
when they occur, so that the appropriate person is alerted
and corrective measures taken.
Corrective controls. These are measures for dealing with risk
events that have occurred, and their consequences.
Financial controls: SPAMSOAP
Financial controls are internal accounting controls that are
sufficient to provide reasonable assurance that:
transactions are made only in accordance with the general or specific
authorisation of management;
transactions are recorded so that financial statements can be
prepared in accordance with accounting standards and generally
accepted accounting principles;
transactions are recorded so that assets can be accounted for;
access to assets is only allowed in accordance with the general or
specific authorisation of management;
the accounting records for assets are compared with actual assets at
reasonable intervals of time; and
appropriate action is taken whenever there are found to be
differences.
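The three control types and the SPAMSOAP requirements above, applied to a simple payment process. This is an added illustration, not part of the slides: the authorisation limits, payments and bank statement are constructed sample data. The preventive control refuses payments beyond the approver's authority, the detective control compares the accounting records with the actual cash movements, and the corrective control logs every difference for follow-up.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the slides): the specific authorisation
# each role holds, expressed as a maximum payment amount.
AUTH_LIMITS = {"clerk": 1_000, "manager": 25_000}


@dataclass
class Payment:
    ref: str
    amount: int
    approver: str


@dataclass
class Ledger:
    entries: list = field(default_factory=list)     # recorded transactions
    rejected: list = field(default_factory=list)    # refused by the preventive control
    exceptions: list = field(default_factory=list)  # raised by the corrective control


def record_payment(ledger, payment):
    """Preventive control: only record a payment made within the approver's authority."""
    limit = AUTH_LIMITS.get(payment.approver)
    if limit is None or payment.amount > limit:
        ledger.rejected.append(payment.ref)
        return False
    ledger.entries.append(payment)
    return True


def reconcile(ledger, bank_statement):
    """Detective control: compare the accounting records with actual cash movements.

    Returns (ref, amount in books, amount at bank) for every reference that differs,
    including payments present on only one side."""
    recorded = {p.ref: p.amount for p in ledger.entries}
    differences = []
    for ref in set(recorded) | set(bank_statement):
        if recorded.get(ref) != bank_statement.get(ref):
            differences.append((ref, recorded.get(ref), bank_statement.get(ref)))
    return sorted(differences, key=lambda d: d[0])


def raise_exceptions(ledger, differences):
    """Corrective control: log each difference as an open item so action is taken."""
    for ref, book, bank in differences:
        ledger.exceptions.append({"ref": ref, "book": book, "bank": bank, "status": "open"})
    return len(ledger.exceptions)


def run_demo():
    ledger = Ledger()
    record_payment(ledger, Payment("P1", 800, "clerk"))
    record_payment(ledger, Payment("P2", 5_000, "clerk"))    # exceeds clerk limit: rejected
    record_payment(ledger, Payment("P3", 12_000, "manager"))
    # Constructed bank statement: P3 paid for a different amount, P4 paid but never recorded.
    bank = {"P1": 800, "P3": 12_500, "P4": 3_000}
    raise_exceptions(ledger, reconcile(ledger, bank))
    return ledger
```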
Financial controls (continued)
The maintenance of proper accounting records is an
important element of internal control.
Effective financial controls should ensure:
the quality of external and internal financial reporting, so that
there are no material errors in the accounting records and
financial statements;
that no fraud is committed (or that fraud is detected when it
occurs); and
that the financial assets of the company are not stolen,
lost or needlessly damaged, or that these risks are
reduced.
Operational controls
Operational controls are controls that help to reduce operational risks, or
identify failures in operational systems when these occur. They are
designed to prevent failures in operational procedures, or to detect and
correct operational failures if they do occur. Operational failures may be
caused by:
machine breakdowns;
human error;
failures in IT systems;
failures in the performance of systems (possibly due to human error);
weaknesses in procedures; and
poor management.
Operational controls are measures designed to prevent these failures from
happening, or identifying and correcting problems that do occur. Regular
equipment maintenance, better training of staff, automation of standard
procedures, and reporting systems that make managers accountable for
their actions are all examples of operational controls.
Compliance controls
Compliance controls are concerned with making sure
that an entity complies with all the requirements of
relevant legislation and regulations.
The potential consequences of failure to comply with
laws and regulations vary according to the nature of the
industry and the regulations.
For a manufacturer of food products, for example, food
hygiene regulations are important. For a bank,
regulations to protect consumers against mis-selling and
regulations for detecting and reporting suspicions of
money laundering are important.
Internal control risks
‘Internal control risks’ are risks that internal controls will fail to
achieve their intended purpose, and will fail to prevent, detect
or correct adverse risk events.
These risks can occur because:
– the controls are badly designed, and so not capable of achieving their
purpose as a control; or
– the controls are well designed, but are not applied properly, due to human
error or oversight, or to deliberate ignoring or circumvention of the
control (a form of operational risk event).
An internal control system needs to have procedures for
identifying weak or ineffective internal controls. This is one of
the functions of monitoring the effectiveness of the internal
control system.
Elements of an internal control system
Internal controls are an essential part of an internal
control system, but an internal control system
should also have other elements in order to be
effective and achieve its objectives.
The Committee of Sponsoring Organisations (COSO)
framework for an internal control system (which is
consistent with COSO’s Enterprise Risk
Management framework) identifies five elements of a
system of internal control.
The five elements of the COSO framework
1. A control environment
2. Risk identification and assessment
3. Internal controls
4. Information and communication
5. Monitoring
Control environment
The control environment describes the awareness of (and attitude to) internal
controls in the organisation, shown by the directors, management and
employees generally. It therefore encompasses corporate culture,
management style and employee attitudes to control procedures.
The control environment is determined by the example the company’s
leaders set in their own attitude to control and by their expectation that
employees should also be risk-conscious. Factors in the control environment include:
– integrity and ethical values within the organisation, such as the existence of a
code of ethics;
– a commitment to competence in performance;
– the commitment of the board of directors and the audit committee to
monitoring management and their independence from management; and
– human resources policies and practices, such as the company’s policies on
performance evaluation and rewarding employees for performance.
Risk identification and assessment
There should be a system or procedures for
identifying the risks facing the company (and how
these are changing) and assessing their
significance.
Controls or management initiatives should be
devised to deal with significant risks.
Internal control risks can be categorised as
financial risks, operational risks and compliance
risks.
Internal controls
Controls should be devised and implemented to
eliminate, reduce or control risks. Internal controls
can be categorised as financial controls,
operational controls and compliance controls, to
deal respectively with financial risks, operational
risks and compliance risks.
Information and communication
All employees who are responsible for the management
of risks should receive information that enables them to
fulfil this task. More generally, there should be a system
of information provision and communication within the
organization so that individuals are aware of what is
expected of them. It can be described as providing the
right people in sufficient detail and on time with
information to let them do their job well. Communication
within an internal control system also includes the
existence and use of a whistleblowing procedure.
Monitoring
The effectiveness of the internal control system
should be monitored regularly.
Internal audit is one method of monitoring the
internal control system.
Internal controls are also monitored by executive
management and (as part of their annual audit) by
the external auditors.
The board of directors also has a responsibility to
review the effectiveness of the system.
The Mauritius corporate governance framework
for internal control
Principle 5: Risk Governance and Internal Control
The Board should be responsible for risk
governance and should ensure that the
organisation develops and executes a
comprehensive and robust system of risk
management.
The Board should ensure the maintenance of a
sound internal control system.
NCCG 2016 on internal control
Internal control is one of the mechanisms used to reduce risk to an acceptable level.
Internal control should be operated by the organisation’s Board, its management
and staff and should be embedded in the daily activities of the organisation. Internal
controls should apply to the holding Company, intermediate holding companies and
subsidiaries.
Management should be responsible for the design, implementation and monitoring
of the internal control system. Senior management’s role should be to oversee the
establishment, administration and assessment of the system and processes.
The Board should monitor the internal control systems and, at least annually, carry
out a review of their effectiveness and report on that review in the annual report.
The monitoring and review should cover all material controls, including financial,
operational and compliance.
The Board should satisfy itself that the system of internal control is functioning
effectively. The Board should be apprised of the assessment of internal control
deficiencies, the management actions to mitigate such deficiencies and how
management assesses the effectiveness of the organisation’s system of internal
controls.
Recommended disclosure –NCCG 2016
Statement that the Board is responsible for the governance of
risk and for determining the nature and extent of the principal
risks it is willing to take in achieving its strategic objectives.
Outline of the structures and processes in place for
identifying and managing risk.
Description of the methods by which the directors derive
assurance that the risk management processes are in place
and are effective.
Description of each of the principal risks and uncertainties
faced by the organisation and the way in which each is
managed.
Identification and discussion of the risks that threaten the
business model, future performance, solvency and liquidity of
the organisation.
Recommended disclosure – NCCG 2016 (continued)
Affirmation that the Board or an appropriate Board committee has monitored
and evaluated the organisation’s strategic, financial, operational and
compliance risk.
Assurance that by direction of the Board or an appropriate Board committee
management has developed and implemented appropriate frameworks and
effective processes for the sound management of risk.
Outline of the systems and processes in place for implementing, maintaining
and monitoring the internal controls.
Description of the process by which the Board derives assurance that the
internal control systems are effective.
Identification of any significant areas not covered by the internal controls.
Acknowledgement of any risks or deficiencies in the organisation’s system
of internal controls.
Report on whistle-blowing rules and procedures; possible protections could
include confidential hotlines, access to a confidential and independent
person or office, safe harbours and rewards, or immunity to whistle blowers.
Verify your charter: audit committee
Students are required to verify the role of the audit committee
with respect to internal controls.
Internal audit
Internal audit is considered under principle 7 of
NCCG 2016
‘In the absence of an internal audit function,
management needs to apply other monitoring
processes in order to assure itself, the audit
committee and the board that the system of internal
control is functioning as intended. In these
circumstances, the audit committee will need to
assess whether such processes provide sufficient
and objective assurance.’
Function and scope of internal audit
Internal audit is defined as ‘an independent
appraisal activity established within an organization
as a service to it. It is a control, which functions by
examining and evaluating the adequacy and
effectiveness of other controls’ (Chartered Institute
of Management Accountants (CIMA) official
terminology).
Function and scope of internal audit (continued)
Reviewing the internal control system (the five elements).
Traditionally, an internal audit department has
carried out independent checks on the financial
controls in an organisation, or in a particular
process or system.
The checks would be to establish whether suitable
financial controls exist, and if so, whether they are
applied properly and are effective. It is not the
function of internal auditors to manage risks, only to
monitor and report them, and to check that risk
controls are efficient and cost-effective.
Function and scope of internal audit (continued)
Special investigations. Internal auditors might conduct special investigations
into particular aspects of the organisation’s operations (systems and
procedures), to check the effectiveness of operational controls.
Examination of financial and operating information. Internal auditors might
be asked to investigate the timeliness of reporting and the accuracy of the
information in reports.
VFM audits. This is an investigation into an operation or activity to establish
whether it is economical, efficient and effective.
Reviewing compliance by the organisation with particular laws or
regulations. This is an investigation into the effectiveness of compliance
controls.
Risk assessment. Internal auditors might be asked to investigate aspects of
risk management, and in particular the adequacy of the mechanisms for
identifying, assessing and controlling significant risks to the organisation,
from both internal and external sources.
Investigation of internal financial controls
Whether the controls are manual or automated. Automated controls are by
no means error-proof or fraud-proof, but may be more reliable than similar
manual controls.
Whether controls are discretionary or non-discretionary. Non-discretionary
controls are checks and procedures that must be carried out. Discretionary
controls are those that do not have to be applied, either because they are
voluntary or because an individual can choose to disapply them. Risks can
infiltrate a system, for example, when senior management chooses to
disapply controls and allow unauthorised or unchecked procedures to occur.
Whether the control can be circumvented easily, because an activity can be
carried out in a different way where similar controls do not apply.
Whether the controls are effective in achieving their purpose. Are they
extensive enough or carried out frequently enough? Are the controls applied
rigorously? For example, is a supervisor doing their job properly?
Disaster recovery plans
As its name suggests, a disaster recovery plan is a plan
of what to do in the event of a disaster that is
unconnected with the company’s business and outside
the control of management.
Disaster recovery planning goes beyond procedures that
should be taken in an emergency, such as a fire or
explosion in a building. It is intended to establish what
should be done in the event of an extreme disaster that
threatens the ability of the company to maintain its
operations.
Examples of disasters are natural disasters, such as
major fires or flooding or storm damage to key
installations or offices, and major terrorist attacks.
Disaster recovery plans (continued)
Specify which operations are essential, and must be kept
going.
Where operations rely on IT systems, identify the
computers or networks to which the system can be
transferred in the event of damage to the main system.
Specify where operations should be transferred to, if they
cannot continue in their normal location.
Identify key personnel who are needed to maintain the
system in operation.
Identify who should be responsible for keeping the public
informed about the impact of the disaster and the
recovery measures that are being taken.
Whistleblowing procedures
A whistleblower is an employee who provides information about
their company that they reasonably believe provides evidence
of:
fraud;
a serious violation of a law or regulation by the company or by
directors, managers or employees within the company;
a miscarriage of justice;
offering or taking bribes;
price-fixing;
a danger to public health or safety, such as dumping toxic
waste in the environment or supplying food that is unfit for
consumption;
neglect of people in care; or in the public sector, gross waste or
misuse of public funds.