
INTERNAL CONTROL SYSTEM


Presentation Transcript


  1. INTERNAL CONTROL SYSTEM
     Prepared by CA Vinay Sehgal

  2. What are Internal Controls?

  3. Simple Definition
     • Internal control is what we do to see that the things we want to happen will happen …
     • And the things we don’t want to happen won’t happen.

  4. Internal Controls Are Common Sense
     • What do you worry about going wrong?
     • What steps have been taken to assure it doesn’t?
     • How do you know things are under control?

  5. You exercise internal control principles in your personal life when you:
     • Lock up valuable belongings
     • Keep copies of your tax returns
     • Balance your checkbook
     • Keep your ATM/debit card PIN separate from your card
     • Make travel plans

  6. Meaning of Internal Control
     Internal Control is a process designed to provide reasonable assurance regarding the achievement of objectives in relation to the following:
     • Effectiveness and efficiency of operations
     • Reliability of financial reporting
     • Compliance with applicable laws and regulations

  7. Identifying Key Controls – Risk of Weak Internal Control
     • Financial misstatements
     • Business loss
     • Loss of funds or materials
     • Incorrect or untimely management information
     • Fraud or collusion
     • Tarnished reputation with the public
     • Program sustainability compromised
     • Missed goals

  8. Identifying Key Controls – Determining Where Controls are Needed
     • First, you must document the process!
     • Pick a method that suits the process: flowchart or narrative
     • Identify the process owner and activity owners
     • Identify the key inputs, activities, outputs, and risk points
     • Identify policies that impact the process
     • Identify standards that may specify mandatory controls

  9. Identifying Key Controls – Identifying Key Control Activities
     • Identify and document all controls associated with key processes
     • Identify the characteristics of controls that, when functioning as intended, would provide the evaluator with a ‘level of comfort’ to conclude that the control is effective with respect to a given risk
     • Consider control effectiveness by focusing on:
        • Directness and clarity of the control technique
        • Frequency with which the control technique is applied
        • Experience of personnel performing the control
        • Procedures followed when a control identifies an exception condition

  10. Identifying Key Controls – Understanding Control Design
     Good Controls are:
     • Focused
     • Integrated
     • Accurate
     • Simple
     • Accepted
     • Cost Effective

  11. Why are Internal Controls Important?
     • Compliance with applicable laws and regulations.
     • Accomplishment of the entity’s mission.
     • Relevant and reliable financial reporting.
     • Effective and efficient operations.
     • Safeguarding of assets.

  12. Components of Internal Control

  13. Updated COSO (Committee of Sponsoring Organizations) Framework
     The COSO “cube”:
     • 5 integrated components
     • Along the 3 main objectives
     • At all levels of the organization

  14. COSO cube – 5 Integrated Components
     1. Control Environment
     • The set of standards, processes, and structures that provide the basis for carrying out internal control
     • Comprises the integrity and ethical values of the organization
     • The Board and Senior Management – and you!
        • Establish tone at the top
        • Establish expected standards of conduct and reinforce expectations
        • Parameters enable the Board to carry out its governance oversight responsibilities

  15. COSO cube – 5 Integrated Components Control Environment for Financial Reporting

  16. COSO cube – 5 Integrated Components
     The Control Environment should ensure controls are in place, covering areas such as:
     • Hiring practices
     • Training programs
     • Whistleblower policies
     • Code of Ethics
     • Clear lines of responsibility and authority
     • Etc.
     As part of our regular business processes, we should continually monitor and update the Control Environment for dynamic changes.

  17. COSO cube – 5 Integrated Components
     Difference between a Compliance Strategy and an Integrity Strategy:
     • A ‘Compliance Strategy’ tries to prevent violations of regulations and self-interested behavior by employees by imposing standards of conduct that are intended to compel acceptable behavior.
     • An ‘Integrity Strategy’ seeks to create conditions that support right action by communicating the values and vision of the organization, aligning the standards of employees with those of the organization, and relying on the whole management team, not just lawyers and compliance officers.

  18. COSO cube – 5 Integrated Components
     The Control Environment should be documented:
     • Process documentation/controls
        • Determine the extent of existing documentation; leverage this
        • Create new documentation if none exists
        • Update for changes in operations
     • Types of documentation that can be used:
        • Process Narratives
        • Organizational charts
        • Flowcharts
        • Questionnaires
        • Memorandums
        • Checklists

  19. COSO cube – 5 Integrated Components
     2. Risk Assessment
     • Involves a dynamic and iterative process for identifying and assessing risks
     • Risk: the possibility that an event will occur and adversely affect the achievement of objectives.
     • The Board and Senior Management (and you!)
        • Establish objectives linked at different levels of the entity
        • Must take a holistic approach – look at the full organization
        • Apply internal control to achieve multiple objectives
        • Prevent domino effects, e.g., a weakness in financial reporting that jeopardizes operations
        • Establish risk tolerances
     • Increasingly important when resources are constrained

  20. COSO cube – 5 Integrated Components
     Risk Management: A process applied in a strategic setting and across the entity, designed to identify and manage risks to stay within the risk appetite/tolerance level, to provide reasonable assurance about achieving entity goals and objectives.
     Risk Assessment: An element of internal control within the risk management process that enables management to identify and assess key risks to achieving its objectives; this forms the basis on which control activities are determined.

  21. COSO cube – 5 Integrated Components
     Risk assessment should occur at the business process level as well as the entity level.
     Four Primary Factors (Grading Filter):
     1. Materiality of the amounts
        • Large dollars/transaction
        • High volume of transactions
        • Significant impact on key ratios or disclosures
     2. Complexity of the process
        • Limited internal skills
        • Multiple data handoffs
        • Highly technical in nature
     3. History of accounting adjustments
        • Accounting errors
        • Valuation adjustments, etc.
     4. Propensity for change in
        • Business processes or controls
        • Related accounting
     [Diagram: Process-level Risk Assessment, graded High / Medium / Low]

  22. COSO cube – 5 Integrated Components Risk Strategies

  23. COSO cube – 5 Integrated Components
     3. Control Activities
     • The actions established through policies and procedures that help ensure management’s directives to mitigate risks are carried out.
     • Performed at all levels within the entity
     • Types:
        • Preventive, detective and corrective
        • Compensating
        • Manual and automated
     • Examples:
        • Approvals & Authorizations
        • Embedded verifications
        • Reconciliations
        • Independent Reviews
        • Asset security
        • Segregation of duties

  24. COSO cube – 5 Integrated Components
     Preventive Control – prevents the occurrence of a negative event in a proactive manner
     • Examples:
        • Approval for purchase > 50,000
        • Passwords for access to Banner
        • Petty cash held in lockbox
        • Security and surveillance systems
        • Pre-numbered checks
     Detective Control – detects the occurrence of a negative event after the fact in a reactive manner
     • Examples:
        • Supervisor review & approval
        • Report run showing user activity
        • Reconcile petty cash
        • Physical inventory count
        • Review missing/voided checks

  25. COSO cube – 5 Integrated Components – Control Activities
     • If a weakness or limitation exists within the control environment, a compensating control may be relied upon to mitigate the risk
     • Can be preventive or detective
     • Example: A unit does not have the staff resources to establish an adequate segregation of duties. Potential compensating controls could include:
        • Automation of certain transaction data that cannot be altered by the staff
        • Manager review of detailed summary reports of the transactions initiated by the staff
        • Peer staff and/or manager selects a sample of transactions and vouches back to supporting documentation

  26. COSO cube – 5 Integrated Components – Control Activities
     • Manual controls require action to be taken by employees, e.g.,
        • Obtain supervisor’s approval for overtime
        • Reconcile bank accounts
        • Match receiving to POs
     • Automated controls are built into network infrastructure and software applications, e.g.,
        • Passwords
        • Data entry validation checks
        • Batch controls
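The preventive, detective and compensating controls described on slides 24 to 26, run as detective logic over a disbursement ledger. This is an added example, not material from the presentation; the record layout, the names, the check numbers and the amounts are constructed, and only the 50,000 approval threshold is taken from slide 24.

```python
"""Detective controls over a constructed disbursement ledger (added example).

Assumptions not taken from the slides: the Disbursement record layout, the
sample names and amounts, and the review sample size are all constructed.
"""
import random
from dataclasses import dataclass
from typing import Optional

APPROVAL_THRESHOLD = 50_000  # slide 24: "Approval for purchase > 50,000"


@dataclass
class Disbursement:
    check_no: int            # pre-numbered check (a preventive control)
    amount: int
    requester: str
    approver: Optional[str]  # None when no approval was recorded
    voided: bool = False


# Constructed sample ledger; check 1004 is deliberately absent from the run.
LEDGER = [
    Disbursement(1001, 12_000, "alice", "bob"),
    Disbursement(1002, 75_000, "carol", None),         # over threshold, unapproved
    Disbursement(1003, 60_000, "dave", "dave"),        # requester approved own item
    Disbursement(1005, 8_000, "alice", "bob", voided=True),
    Disbursement(1006, 51_000, "erin", "frank"),
]


def missing_approvals(ledger):
    """Detective test of the preventive approval control (slide 24)."""
    return [d.check_no for d in ledger
            if not d.voided and d.amount > APPROVAL_THRESHOLD and d.approver is None]


def segregation_breaches(ledger):
    """Segregation of duties (slide 23): the requester must not be the approver."""
    return [d.check_no for d in ledger
            if d.approver is not None and d.approver == d.requester]


def check_sequence_review(ledger):
    """Review of pre-numbered checks (slide 24): gaps in the sequence and voided items."""
    numbers = sorted(d.check_no for d in ledger)
    expected = set(range(numbers[0], numbers[-1] + 1))
    missing = sorted(expected - set(numbers))
    voided = [d.check_no for d in ledger if d.voided]
    return missing, voided


def select_sample(ledger, size, seed=2024):
    """Compensating control (slide 25): a reviewer draws a reproducible sample of
    non-voided items to vouch back to supporting documentation."""
    population = [d.check_no for d in ledger if not d.voided]
    rng = random.Random(seed)  # fixed seed so the selection can be re-performed
    return sorted(rng.sample(population, min(size, len(population))))


def run_controls(ledger):
    """Run every detective control and return the exceptions found, by control."""
    missing, voided = check_sequence_review(ledger)
    return {
        "unapproved_over_threshold": missing_approvals(ledger),
        "self_approved": segregation_breaches(ledger),
        "missing_check_numbers": missing,
        "voided_checks": voided,
    }


if __name__ == "__main__":
    for control, exceptions in run_controls(LEDGER).items():
        print(f"{control}: {exceptions}")
    print("sample selected for vouching:", select_sample(LEDGER, 2))
```

Each exception list is the documented output a reviewer would retain as evidence of the test (slide 33), and the seeded sample lets a second reviewer re-perform the selection.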

  27. COSO cube – 5 Integrated Components
     4. Information and Communication
     • Information is necessary to carry out internal control responsibilities to support achievement of objectives
     • Communication: the continual, iterative process of providing, sharing, and obtaining necessary information
        • Internal and external
     • Information should be timely, accessible, and allow for successful control actions
     Key: To communicate the right information to the right people at the right time

  28. COSO cube – 5 Integrated Components – Information & Communication
     Things to communicate:
     • Initiatives
     • Goals
     • Changes
     • Opportunities
     • Feedback
     • Questions
     • Answers
     • Policies
     • Procedures
     • Standards
     • Expectations

  29. COSO cube – 5 Integrated Components
     5. Monitoring Activities
     • Evaluations used to ascertain whether components of internal control are present and functioning
     • Ongoing evaluations:
        • Built into business processes
        • Provide timely information
     • Separate evaluations:
        • Conducted periodically
        • Vary in scope and frequency
        • Dependent on the assessment of risks, the effectiveness of ongoing evaluations, and other management considerations
     • Findings are evaluated against relevant criteria
     • Deficiencies are communicated to the Board and Senior Management

  30. COSO cube – 5 Integrated Components – Testing Control Processes
     • Identify:
        • transactions to be tested
        • key controls
        • applicable standards to test the transactions (i.e., criteria to judge compliance effectiveness)
     • Determine:
        • appropriate type of testing
        • extent of testing
     • Create test plan
     • Conduct tests for effectiveness
     • Document testing and results
     • Assess test results
     • Communicate findings and recommendations

  31. COSO cube – 5 Integrated Components – Monitoring/Validating Controls
     Deficiency in Design – A critical control is not properly designed, i.e., even if the control operates as designed, the control objective is not always met.
     When validating control design (determining effectiveness):
     • Consider various factors (how the control is performed, who performs the control, what data/reports are used in performing the control, what physical evidence is produced by the control)
     • Work off of process narratives, flowcharts, and any other relevant material obtained and/or completed in the documentation stage
     • Be aware that application controls are either programmed control procedures (e.g., edits, matching, reconciliation routines) or computer processes (e.g., calculations, on-line entries, automatic system interfaces).

  32. COSO cube – 5 Integrated Components – Monitoring/Validating Controls
     Deficiency in Operation – A properly designed control does not operate as intended, or the person performing the control does not possess the necessary authority or qualification to perform the control effectively.
     Testing operating effectiveness includes, in part:
     • Reviewing supporting documentation for proper authorization,
     • Reviewing the results of periodic reconciliations, and
     • Reviewing policies and procedures to determine if they are being followed.
     • Use appropriate sampling techniques as necessary.

  33. COSO cube – 5 Integrated Components – Monitoring/Validating Controls
     • Documentation should be maintained for:
        • The evaluation of internal control at the entity and process levels
        • What testing has been performed
        • Identified deficiencies
     • Documentation must contain sufficient information to:
        • Identify who performed the work and when
        • Enable understanding of the nature, timing, extent, and results of the procedures performed
        • Enable understanding of the evidence obtained
        • Support the conclusions reached

  34. The Importance of Internal Control and Risk Management
     Sound internal control and risk management supplement entrepreneurship; they do not replace it. The role of internal control is to manage risk rather than to eliminate it. It is important that risk management and control are not seen as a burden on business, but rather as the means by which business opportunities are maximized and potential losses associated with unwanted events are reduced. Internal control is one of the principal means by which risk is managed. Other devices used to manage risk include the transfer of risk to third parties, sharing risks, contingency planning and the withdrawal from unacceptably risky activities.

  35. The Importance of Internal Control and Risk Management
     A successful system of internal control must be responsive to change, enabling the business to adapt more quickly than its competitors. Effective risk management and internal control are therefore reliant on a regular evaluation of the nature and extent of risks.

  36. Implementing Internal Control and Risk Management – Framework & Scope of Internal Control
     • Internal control is fundamental to the successful operation and day-to-day running of a business, and it assists the company in achieving its business objectives.
     • The scope of internal control is very broad. It encompasses all controls incorporated into the strategic, governance and management processes, covering the company’s entire range of activities and operations, and not just those directly related to financial operations and reporting. Its scope is not confined to those aspects of a business that could broadly be defined as compliance matters, but extends also to the performance aspects of a business.
     • Internal controls need to be responsive to the specific nature and needs of the business. Hence, they should seek to reflect sound business practice, remain relevant over time in the continuously evolving business environment and enable the company to respond to the specific needs of the business or industry.

  37. Implementing Internal Control and Risk Management – Framework & Scope of Internal Control
     • Control should not be seen as a burden on business but, rather, as the means by which business opportunities are maximized and potential losses associated with unwanted events reduced.
     • Successful companies should not allow themselves to become complacent or blinded by their own success. There are numerous examples of companies whose success has been jeopardized by a lack of, or deficiencies in, internal controls.

  38. Implementing Internal Control and Risk Management – Functions of Internal Control
     • A sound and well designed system of internal control reduces, but cannot eliminate, the possibility of poor judgments in decision-making; human error or mistake; control activities and processes being deliberately circumvented by the collusion of employees or others; management overriding controls; and the occurrence of unforeseeable circumstances.
     • A sound system of internal control helps to provide reasonable, but not absolute, assurance that a company will avoid being hindered in achieving its business objectives, or in the orderly and legitimate conduct of its business, by circumstances that may reasonably be foreseen.
     • A system of internal control cannot, however, provide protection with certainty against a company failing to meet its business objectives or against all material errors, losses, fraud, or breaches of laws or regulations.

  39. Implementing Internal Control and Risk Management – Functions of Internal Control
     • No two companies will, or should, have identical internal control systems. Companies and their controls differ by industry, size and organisational structure, and by culture and management philosophy. Therefore, while all companies need each of the components to ensure adequate control over their activities, each will have a unique internal control system tailored to meet its own circumstances.
     • Management will have to exercise its judgment, driven by the particular needs of the company, to determine the nature of the controls that should be in place and whether they are functioning effectively in achieving the company’s objectives.

  40. Elements of a Sound System of Internal Control
     • Internal control can be analysed into five inter-related components, which also serve as criteria for the effectiveness of the internal control system in supporting the achievement of the separate but overlapping operational, financial reporting and compliance objectives.
     • The components are:
        • Control environment – the foundation for the other components of internal control, which also provides discipline and structure. Factors include ethical values and competence (quality) of personnel, direction provided by the board and effectiveness of management.
        • Risk assessment – identification and analysis of risks underlying the achievement of objectives, including risks relating to the changing regulatory and operating environment, as a basis for determining how such risks should be mitigated and managed.
        • Control activities – a diverse range of policies and procedures that help to ensure management directives are carried out and any actions that may be needed to address risks to achieving company objectives are taken.

  41. Elements of a Sound System of Internal Control
        • Information and communication – effective processes and systems that identify, capture and report operational, financial and compliance-related information in a form and timeframe that enable people to carry out their responsibilities.
        • Monitoring – a process that assesses the adequacy and quality of the internal control system’s performance over time. Deficiencies in internal controls should be reported to the appropriate level upstream, which may be, for example, senior management, the audit committee, or the board.

  42. Principles of Internal Control
     • Establish responsibilities.
     • Maintain adequate records.
     • Insure assets and bond employees.
     • Separate recordkeeping and custody over assets.
     • Divide responsibility for related transactions.
     • Apply technological controls.
     • Perform regular and independent reviews.

  43. Limitations of Internal Control
     • Human errors.
     • Misunderstandings.
     • Mistakes in judgment.
     • Carelessness.
     • Distractions.
     • Fatigue.
     • Collusion.
     • Dishonesty.
     • Change in conditions.

  44. Risk Management
     • The process of risk management involves:
        • understanding organisational objectives;
        • identifying the risks associated with achieving or not achieving them and assessing the likelihood and potential impact of particular risks;
        • developing programmes to address the identified risks; and
        • monitoring and evaluating the risks and the arrangements in place to address them.
     • Risk may affect many areas of activity, such as strategy, operations, finance, technology and environment. In terms of specifics it may include, for example, loss of key staff, substantial reductions in financial and other resources, severe disruptions to the flow of information and communications, fires or other physical disasters, leading to interruptions of business and/or loss of records. More generally, risk also encompasses issues such as fraud, waste, abuse and mismanagement.

  45. Types of Risks – Business risks
     • Wrong business strategy
     • Competitive pressure on price / market share
     • General / regional economic problems
     • Industry sector in decline
     • Political risks
     • Adverse government policy
     • Inattention to information technology (IT) aspects of strategy and implementation
     • Obsolescence of technology
     • Substitute products
     • Takeover target
     • Inability to obtain further capital
     • Bad acquisition
     • Too slow to innovate and re-engineer
     • Too slow to respond to demands from market and customers

  46. Types of Risks – Financial risks
     • Market risk
     • Credit risk
     • Interest rate risk
     • Currency risk
     • Treasury risk
     • Liquidity risk
     • Overtrading
     • High cost of capital
     • Misuse of financial resources
     • Going concern problems
     • Occurrence of types of fraud to which the business is susceptible
     • Misstatement risk related to published financial information
     • Breakdown of accounting system
     • Unreliable accounting records
     • Unrecorded liabilities
     • Penetration and attack of IT systems by hackers
     • Decisions based on incomplete or faulty information
     • Too much data and not enough analysis
     • Unfulfilled promises/pledges to investors

  47. Types of Risks – Compliance risks
     • Breach of Listing Rules
     • Breach of financial regulations
     • Breach of Companies Ordinance requirements
     • Breach of competition regulations
     • Breach of other regulations and laws
     • Litigation risk
     • Tax problems
     • Health and safety risks
     • Environmental problems

  48. Types of Risks – Operational and other risks
     • Inefficient / ineffective management process
     • Loss of entrepreneurial spirit
     • Missed or ignored business opportunities
     • Other issues giving rise to reputational problems
     • Poor brand management
     • Failure of major change initiative
     • Inability to implement change
     • Stock-out of raw materials
     • Skills shortage
     • Physical disasters (e.g., fire and explosion)
     • Computer viruses or other system malfunctions
     • Failure to create and exploit intangible assets
     • Loss of intangible assets
     • Loss of physical assets
     • Loss of key people
     • Loss of key contracts
     • Lack of orders
     • Lack of business continuity
     • Succession problems

  49. Types of Risks – Operational and other risks (continued)
     • Inability to reduce cost base
     • Over-reliance on key suppliers or customers
     • Onerous contract obligations imposed by major customers
     • Failure of new products or services
     • Failure to satisfy customers
     • Poor service levels
     • Quality problems
     • Product liability
     • Failure of major projects
     • Failure of big technology related projects
     • Failure of outsource providers to deliver
     • Lack of employee motivation or efficiency
     • Industrial action
     • Problems arising from exploiting employees in developing countries
     • Inefficient / ineffective processing of documents
     • Breach of confidentiality
     * This list should not be regarded as exhaustive and it is not industry specific.