STRATEGIC BUSINESS LEADER (SBL)

Strategic Modules

Part F: Organizational Control and Audit

Chapter 11- Internal Control Systems

Khor Seng Cheong
 Page |2

LEARNING OUTCOME

After completion of this lesson, you will learn the following:

Internal Control System & Audit

A)Evaluate the key components or features of effective internal control systems.[3]
B)Assess the need for adequate information flows to management for the purposes of the
management of internal control and risk.[3]
C)Evaluate the effectiveness and potential weaknesses of internal control systems.[3]
D)Discuss and advise on the importance of sound internal control and compliance with legal and
regulatory requirements and the consequences to an organisation of poor control and non-
compliance.[2]
E)Recommend new internal control systems or changes to the components of existing systems to
help prevent fraud, error or waste.[2]

Audit and compliance

A)Examine the need for an internal audit function in the light of regulatory and organisational
requirements.[3]
B)Justify the importance of auditor independence in all client-auditor situations (including internal
audit) and the role of internal audit in compliance.[3]
C)Justify the importance of having an effective internal audit committee overseeing the internal
audit function.[2]
D)Assess the appropriate responses to auditors’ recommendations.[3]

Internal control and management reporting

A)Justify the need for reports on internal controls to shareholders.[3]
B)Discuss the typical contents of a report on internal control and audit.[2]
C)Assess how internal controls underpin and provide information for reliable financial reporting.

Khor Seng Cheong |017-4999056 Page 2

 Page |3

The purposes of Internal Control System

UK TURNBULL REPORT GUIDELINES

PURPOSES OF INTERNAL CONTROL SYSTEM

1. It is to facilitate the achievement of the organization’s objectives

through effective and efficient control of its business, operation,
financial and compliance and risk.
2. It helps to ensure the quality of internal and external reporting. This
includes proper recording and disclosure of information
3. It is to safeguard the assets and shareholders’ values.
4. It helps to ensure compliance with application of internal policy, laws
and regulations.

CHARACTERISTICS OF GOOD INTERNAL CONTROL SYSTEM

1. They should be embedded in the operations of the company and

form part of its culture
2. They should be capable of responding quickly to evolving risk within
the business.
3. They should include procedures for reporting immediately to
management significant control failings and weaknesses together with
control action being taken.
4. They should able to reduce (not totally eliminating) the risk of
mistakes, errors, fraud, or unforeseeable circumstances. Thus, good
internal control system will provide reasonable assurance towards
achieving the organization objectives.

Khor Seng Cheong |017-4999056 Page 3

 Page |4

Internal control framework

The COSO framework

The Committee of Sponsoring Organization (COSO) of the Treadway Commission has

developed this framework to deal with risk. The COSO framework stresses on: strategic
development, operations, reporting and compliance. Each component is briefly presented
here: RIME CORP

Component Explanation
Internal or control This covers how the organizations view and addresses risk
environment (E) including its values and environment they operate

Objective setting (O) The objectives of control should align with the entity’s
mission and be consistent with its risk profile

Event identification (E) Risks and opportunities should be clearly distinguished.

Both the internal and external events (risks and
opportunities) that affect the achievement of organization
objectives should be identified.

Risk management (R) Risks should be analyzed, considering the likelihood of

occurrence and the impact.

Risk response (R) Management should formulate the respond plans (eg.
Avoidance, reduction, transfer or acceptance) for the risks
identified.

Procedures or control Policies and procedures are set and implemented to help
activities (P) ensure the risk responses are effectively carried out.

Information & Relevant information concerning risks should be timely

communication (I) and accurately disseminated to relevant persons

Khor Seng Cheong |017-4999056 Page 4

 Page |5

Monitoring (M) Risk management processes are monitored and

modifications are made if needed.

The Control Environment

What is control environment?

Control environment is the overall attitude, awareness and actions of directors and
management regarding internal controls and their importance in the entity. The control
environment provides the background for various controls underlying.

Factors that influence the control environment are:

• Management’ attitude towards control that include the philosophy and operating
style of the directors and management as well as entity’s culture.
• The organizational structure that includes the methods of assigning authority and
responsibility
• The ethical value, integrity and competence of directors and staff.
• The abilities of employees to implement controls that include the methods of
imposing control such as internal audit function, policies and procedures.

What make a good control environment? The UK Turnbull stresses the following:

• There should have clear strategies for dealing with risks

• The company’s culture, code of conduct, HR policies and performance reward
systems should support the organization objectives, risk management & internal
control systems.
• Senior management should demonstrate strong commitment to competence,
integrity and fostering a climate of trust within the company
• There is a clear definition of authority, responsibility and accountability.
• There is free flow of communication
• Employees of the company should have skills, knowledge and tools to perform their
duties.

The Control Procedures

MAIN POINT

Control procedures are those policies and procedures in addition to the control
environment established to achieve the entity’s specific objectives

Khor Seng Cheong |017-4999056 Page 5

 Page |6

Corporate, management, biz process &

transaction controls

Administrative controls & Accounting controls

Prevent, detect & correct controls

Discretionary & non discretionary controls

Control can be classified into

Voluntary & mandated controls

Manual & automated controls

General & application controls

Financial & non financial controls

Corporate, management, business process & transaction controls.

Corporate

Controls

Management Controls

Business Process Control

Transaction Controls

Khor Seng Cheong |017-4999056 Page 6

 Page |7

Administrative controls and accounting controls. Administrative controls are controls

designed to help organization to achieve its objectives in respect of organization structure,
authority & responsibility and communication channel. Accounting controls concern the
recording and reporting the accurate and timely information.

Prevent, detect and correct controls. Prevention controls are controls that are designed to
prevent errors from happening. Detection controls are controls that are designed to detect
errors once they have happened. Corrective controls are controls that are designed to
minimize the negative effects of errors.

Discretionary and non discretionary controls. Discretionary controls are controls that
subject to human judgment such as discretionary approval to exceed the credit limit. Non
discretionary controls are provided automatically by the system and cannot be bypassed.

Voluntary and mandated controls. Voluntary controls are chosen by the organization to
support the management of the business. Mandated controls are required by laws.

Manual and automated controls. Manual controls relate to human functions of processing
system. Automated controls are programmed procedures designed to prevent, detect and
correct errors.

General and application controls. General controls are related to the computing
environment in which the application system is operated. Application controls prevent,
detect and correct errors & irregularities.

Financial and non financial controls. Financial controls focus on the key transaction areas.
Non financial controls focus on wider performance such as balanced scorecards,
performance indication.

Khor Seng Cheong |017-4999056 Page 7

 Page |8

Types of procedures

TYPES OF PROCEDURES.

Segregation Control of Authorizatio Management Supervision

of duties Physical n& control
access approval

Organization Arithmetical & Personnel

accounting

REVIEWING Internal Control

Turnbull Report states that

(i) Reviewing the effectiveness of internal control

Responsibilities
Reviewing the effectiveness of internal control is an essential part of the board’s
responsibilities. Management is accountable to the board for monitoring the system of
internal control and for providing assurance to the board that it has done so.

(ii) The process for reviewing effectiveness

Effective monitoring on a continuous basis is an essential component of a sound system of
internal control. The board cannot, however, rely solely on the embedded monitoring
processes within the company to discharge its responsibilities. It should regularly receive
and review reports on internal control.

In addition, the board should undertake an annual assessment for the purposes of making
its public statement on internal control to ensure that it has considered all significant
aspects of internal control for the company for the year under review and up to the date of
approval of the annual report and accounts.

Khor Seng Cheong |017-4999056 Page 8

 Page |9

When reviewing reports during the year, the board should:

• consider what are the significant risks and assess how they have been identified,
evaluated and managed;

• assess the effectiveness of the related system of internal control in managing the
significant risks, having regard, in particular, to any significant failings or weaknesses
in internal control that have been reported;

• consider whether necessary actions are being taken promptly to remedy any
significant failings or weaknesses; and

• consider whether the findings indicate a need for more extensive monitoring of the
system of internal control.

Additionally, the board should undertake an annual assessment for the purpose of making
its public statement on internal control. The board’s annual assessment should, in
particular, consider:

• the changes since the last annual assessment in the nature and extent of significant
risks, and the company’s ability to respond to changes in its business and the
external environment;

• the scope and quality of management’s ongoing monitoring of risks and of the
system of internal control, and, where applicable, the work of its internal audit
function and other providers of assurance;

• the incidence of significant control failings or weaknesses that have been identified
at any time during the period and the extent to which they have resulted in
unforeseen outcomes or contingencies that have had, could have had, or may in the
future have, a material impact on the company’s financial performance or condition;
and

• the effectiveness of the company’s public reporting processes.

Should the board become aware at any time of a significant failing or weakness in internal
control, it should determine how the failing or weakness arose and re-assess the
effectiveness of management’s ongoing processes for designing, operating and monitoring
the system of internal control.

(iii) The board’s statement on internal control

The board should disclose that there is an ongoing process for identifying, evaluating and
managing the significant risks faced by the company, that it has been in place for the year

Khor Seng Cheong |017-4999056 Page 9

 P a g e | 10

under review and up to the date of approval of the annual report and accounts, that it is
regularly reviewed by the board and accords with the guidance in this document.

The board may wish to provide additional information in the annual report and accounts to
assist understanding of the company’s risk management processes and system of internal
control.

The disclosures should include an acknowledgement by the board that it is responsible for
the company’s system of internal control and for reviewing its effectiveness. It should also
explain that such a system is designed to manage rather than eliminate the risk of failure to
achieve business objectives, and can only provide reasonable and not absolute assurance
against material misstatement or loss.

The board should ensure that its disclosures provide meaningful, high-level information and
do not give a misleading impression.

INTERNAL AUDIT
1) Internal control, audit and compliance in corporate governance

The role of internal audit will vary according to the organization’s objectives but is likely to
focus on the following areas:

Internal control system

Risk management
Legal compliance

Value for money

Describe the needs, functions and importance of internal audit.

Turnbull report states that the need for internal audit will depend on:- (Factors that are
considered when deciding to establish internal audit in an organization are: -)

i. The Scale, diversity and complexity of the company’s activities (S). The larger, the more
diverse and the more complex a range of activities is, the more there is to monitor

ii. The number of Employees.(E) The larger the number of employees signifies that larger
organizations which requires effective internal audit to underpin investor confidence.

Khor Seng Cheong |017-4999056 Page 10

 P a g e | 11

iii. Cost-benefit considerations (C). The benefits of establishing internal audit must
obviously been seen to outweigh the costs..

iv. Changes in the organizational structures, reporting processes or underlying

information systems (C). Any internal (or external) change is capable of changing the
complexity of operations and, accordingly, the risk.

v. Changes in key risks could be internal or external in nature (C). The introduction of a
new product, entering a new market, a change in any of the PEST factors or changes in the
industry might trigger the need for internal audit.

vi. Problems with existing internal control systems (P) Any problems with existing
systems clearly signify the need for a tightening of systems and increased monitoring.

v. An increased number of Unexplained or unacceptable events (U) System failures or

similar events are a clear demonstration of internal control weakness.

Review of accounting & internal control system

Examination of financial & operation information

Review of the economy, efficiency & effectiveness of operations

Roles/Object
ives/Benefits
of Internal Review of compliance with laws & regulations
Audit.

Review of the safeguarding of assets

Review of the implementation of corporate objectives

Conduct special investigation such as F&E

Identification of significant business & financial risk. Assessing

the risk management system

Khor Seng Cheong |017-4999056 Page 11

 P a g e | 12

What internal auditor does in risk management? Internal auditor assesses the following:

• The adequacy of the risk management & response processes for identifying,
assessing, managing and reporting on risk
• The risk management and control culture
• The internal control system to minimize the risks
• The operation & effectiveness of the risk management process.

b) Explain, and discuss the importance of internal auditor independence

• Auditors should be independent of the activities audited. It should be independent of

the line management

• Lack of independent means that internal auditors cannot out the tasks to the extent
and effectiveness desired.

• Lack of independent also means that internal auditors may not able to examine all
the areas they would like to and fear of upsetting powerful managers.

• If internal auditors are independent, they will be trusted more by managers and staff.
Thus, they are likely to receive sensitive information.

• Value of recommendations made by internal auditors will be higher due to

independence (not bias to anyone)

• Increased costs of internal audit (e.g. audit staff salaries) if their works are bias and
cannot be used.

• Line managers will be less willing to implement internal auditor’s recommendations

if they see auditors are bias against them.

8 Key Good Qualities of Independence by Spencer Pickett in the Internal Auditing

Handbook.

“Non Noises”

1. N=No Spying for Internal audit should cover the whole organization including the
management top management.

2. O= Objectivity Decisions are made in the absence of situational influence.

3.N= No no-go areas Internal auditor should have access to all areas in carrying their
duties. No one can undermine the auditor’s authority

4.N= No backing off Auditor must not allow aggressive mangers to deflect them
from doing the audit work and issuing the audit opinion.

Khor Seng Cheong |017-4999056 Page 12

 P a g e | 13

5. O= valid Opinion Audit opinion should be based on facts & evidences only.

6. I= Impartiality Not taking sides to any party.

7.SE=Sensitive areas Internal audit must have the ability and skills to audit complex
audited areas effectively.

8.S= Senior Internal audit must cover the management process and not just
management audited audit the operational areas.

Qualities and characteristics of information required in internal control and risk management
and monitoring [L3]

............the importance of the board and

COSO GUIDANCE management having good quality information for
STRESSES
decision making. (Dec 2009 Q1d)

A.C.C.U.R.A.T.E.

1.A = ACCURATE. No typos error, items should be allocated to the right caterogy, etc.

2.C = COMPLETE. Information should include everything that it needs to include.

3.C =COST-BENEFICIAL. It should not cost to much to obtain information than benefit
derived from having it.

4.U= USER TARGETED. The needs of the user should be borne in mind, for instance seniro
managers need strategic summaries, junior managers need detail.

5.R = RELEVANT. Information should be relevant to the task in hand.

6.A = AUTHORITATIVE. The source should be reliable.

7.T = TIMELY. Information should be available when needed.

8.E = EASY TO USE. Information should be clearly presented and meet the objective of
communication.

Khor Seng Cheong |017-4999056 Page 13

 P a g e | 14

Directors’ own site visit Report from subordinates

Whistleblowing Report from

channel of SOURCES OF
Internal auditor &
communication INFORMATION audit committee
FOR DIRECTORS

Operational reports Feedback from Exceptional report such as

customers variances, budget overrun

Need for adequate information flows to management for purposes of the management of
internal control and risk [L3]

Monitoring the performance

NEED TO HAVE
ADEQUATE Making informed decision.
INFORMATION

Fulfil the directors’ responsibilities to provide

information about risks and internal controls to
external stakeholders

⚫ The information provided enables the board to monitor the performance of the company on the
crucial issues in question. This includes compliance, performance against targets and the
effectiveness of existing controls.

⚫ The information is to enable the board of directors to make informed business decisions at the
strategic level. If information received is incomplete, defective or partial information then
directors will not be in full possession of the necessary facts to allocate resources in the most
effective and efficient way possible.

⚫ The board of directors have the responsibility to provide information about risks and internal
controls to external audiences. Best practice reporting means that they have to provide
information to shareholders and others,about the systems of controls, targets, levels of
compliance and improvement measures and they need quality information to enable them to
do this

Khor Seng Cheong |017-4999056 Page 14

 P a g e | 15

Khor Seng Cheong |017-4999056 Page 15