Professional Documents
Culture Documents
INTERNAL CONTROL
• Control Environment sets the tone for the organization, influencing the
control consciousness of its people. It is the foundation for all other
components of internal control.
• Risk Assessment is the identification and analysis of relevant risks to the
achievement of objectives, forming a basis for how the risks should be
managed.
FIVE COMPONENTS OF INTERNAL CONTROL
• Management
The Chief Executive Officer (the top manager) of the organization has overall
responsibility for designing and implementing effective internal control. More than
any other individual, the chief executive sets the "tone at the top" that affects
integrity and ethics and other factors of a positive control environment.
ROLES AND RESPONSIBILITIES IN INTERNAL
CONTROL
• Board of Directors
Management is accountable to the board of directors, which provides
governance, guidance and oversight. Effective board members are objective,
capable and inquisitive. They also have knowledge of the entity's activities and
environment, and commit the time necessary to fulfil their board responsibilities.
A strong, active board, particularly when coupled with effective upward
communications channels and capable financial, legal and internal audit
functions, is often best able to identify and correct such a problem.
ROLES AND RESPONSIBILITIES IN INTERNAL
CONTROL
• Auditors
The internal auditors and external auditors of the organization also measure
the effectiveness of internal control through their efforts. They assess whether the
controls are properly designed, implemented and working effectively, and make
recommendations on how to improve internal control. To provide reasonable
assurance that internal controls involved in the financial reporting process are
effective, they are tested by the external auditor (the organization's public
accountants), who are required to opine on the internal controls of the company
and the reliability of its financial reporting.
ROLES AND RESPONSIBILITIES IN INTERNAL
CONTROL
• Audit Committee
• The role and the responsibilities of the audit committee are to:
• Discuss with management, internal and external auditors and major stakeholders
the quality and adequacy of the organization’s internal controls system and risk
management process.
• Review and discuss with management and the external auditors and approve the
audited financial statements of the organization and make a recommendation
regarding inclusion of those financial statements in any public filing.
• Review and discuss with management the types of information to be disclosed and
the types of presentations to be made with respect to the Company's earnings.
ROLES AND RESPONSIBILITIES IN INTERNAL
CONTROL
• Audit Committee
The role and the responsibilities of the audit committee are to:
• Confirm the scope of audits to be performed by the external and internal auditors.
• Manage complaints concerning accounting, internal accounting controls or
auditing matters.
• Receive regular reports from the regarding deficiencies in the design or operation
of internal controls and any fraud that involves management or other employees
with a significant role in internal controls.
• Support management in resolving conflicts of interest.
ROLES AND RESPONSIBILITIES IN INTERNAL
CONTROL
• Operating Staff
All staff members should be responsible for reporting problems of operations,
monitoring and improving their performance, and monitoring non-compliance with
the corporate policies and various professional codes, or violations of policies,
standards, practices and procedures.
Staff and junior managers may be involved in evaluating the controls within
their own organizational unit using a control self-assessment.
PRINCIPLES OF INTERNAL CONTROL
• Establish Responsibilities
Assigning specific responsibilities to individuals ensures they understand
what their part is in maintaining internal control.
• Perform regular and independent reviews
Companies must review their internal control systems regularly that should
be done by an individual who did not perform any of the work being
checked.
PRINCIPLES OF INTERNAL CONTROL
• Fraud Detection
Under the Sarbanes-Oxley Act, companies are required to perform a fraud
risk assessment and assess related controls. This typically involves
identifying scenarios in which theft or loss could occur and determining if
the existing internal controls procedures effectively manages the risk to an
acceptable level.
IMPORTANCE OF INTERNAL CONTROL
• Process Improvement
Controls can be evaluated and improved to make a business operation run
more effectively and efficiently. Internal controls can also be used to
systematically improve businesses, particularly in regard to effectiveness
and efficiency.
IMPORTANCE OF INTERNAL CONTROL
• Controls Monitoring
Advances in technology and data analysis have led to the development of
numerous tools which can automatically evaluate the effectiveness of
internal controls. Used in conjunction with continuous auditing, continuous
controls monitoring provides assurance on financial information flowing
through the business processes.
LIMITATIONS OF INTERNAL CONTROL
• Judgement
Poor judgment can also be a critical limitation of internal controls. Usually, the management of a company makes
decisions based on the information provided to them. However, if the information is not adequate, it may end up in
the wrong decisions from the management. Judgment is a vital part of internal control systems.
• Breakdowns
Sometimes even well-designed internal controls break down. Whether it’s a result of employees misunderstanding
instructions or simply making mistakes, errors will inevitably occur at some point.
• Management Override
Management override occurs when high level personnel or privileged user accounts override prescribed policies
and procedures for personal gain, advantage, or convenience.
LIMITATIONS OF INTERNAL CONTROL
• Collusion
Many internal control systems can be circumvented by employee collusion: several internal
actors working together against the organization, usually to alter financial data or other
management information in ways that can’t be identified by control systems.
1. It is good practice when designing ICQs to state, as a brief introduction, a list of control objectives
which each sub-system under consideration should seek to achieve and any business considerations
specific to the enterprise under review which should be taken into account. The reason for this is
essentially to highlight for the audit staff key areas for their consideration to the audit staff.
2. The questions in an ICQ should be designed to ascertain whether the control objectives are being
achieved and should therefore cover such aspects as: (a) instructions given to staff in the
performance of their duties (b) authorization procedures (c) documents and procedures used to
originate transactions (d) recording procedures (e) sequence of procedures (f) custody procedures (g)
relative independence of the persons involved at each stage of a transaction (i.e. segregation of
duties).
CONSTRUCTION OF ICQ
3. The questions should be framed such that a Yes/No answer is given, with a No answer
usually indicating a control weakness.
4. An ICQ should carry such basic information as: (a) the name of the document (ICQ)
(b) the system to which it relates (e.g. purchasing cycle) (c) the client to whom it relates
(d) the accounting period under review (e) evidence of who has prepared and reviewed
the document (f) the provision of columns for: Yes and No answers, comments where
neither Yes or No are applicable, indicating the significance or otherwise of apparent
weaknesses, references to audit programs and references to Management Letters.