F. Organisational Control and Audit
Components of a Sound System of Internal Control
[Figure: diagram with the labels Control Environment, Control Activities, Communication Process and Monitoring]
• Objectives
– Devised and enforced to ensure, as far as practicable in the given
circumstances, the orderly and efficient conduct of the business by:
• managing risks that are significant to the fulfillment of a
company’s business objectives
• facilitating the effectiveness and efficiency of operations
• helping ensure the reliability of internal and external reporting
• assisting compliance with laws and regulations and also with
internal policies with respect to the conduct of business
Importance of internal controls
• Objectives
– Devised and enforced to ensure, as far as practicable in the given
circumstances, the orderly and efficient conduct of the business by:
• preparing timely reliable financial information
• helping ensure that the company is not unnecessarily exposed to
avoidable financial risks and that financial information used within
the business and for publication is reliable; and
• safeguarding the assets, including the prevention and detection of
fraud.
Types of Internal Control
• Financial
– Helps ensure the reliability of internal and external reporting, and
safeguard the assets, including the prevention and detection of fraud.
• Operational
– Facilitates the economy and efficiency of operations, thereby helping
the company to achieve its goals and objectives (effectiveness).
• Compliance
– Assists compliance with laws and regulations and also with internal
policies with respect to the conduct of business.
• Risk Management
– Allows the company to take risks knowingly by managing risks that are
significant to the fulfilment of a company’s business objectives.
Financial internal controls
• Nature
A useful method of categorizing financial internal controls is by using the
mnemonic PAPAMOSS found in the old guideline of the UK Auditing
Practices Board.
– Personnel
• The quality of the individuals working in the organization, and
personnel selected to do a job.
– Authorization and approval
• All financial transactions should require the authorization or
approval of an appropriate responsible person, and there should
be an authorization limit to how much spending each responsible
person can approve.
– Physical
• Measures to ensure the physical safety of assets, such as putting
cash in a safe and preventing unauthorized access to computer
systems through the use of passwords and internet firewalls.
– Arithmetic and accounting
• Procedures in an accounts office to check the accuracy of the
records and the numbers. They include the use of control totals
and reconciliations.
– Management
• Reviewing of management accounts, monitoring of actual
performance against the budget, etc., by management.
– Organization
• Everyone should be fully aware of his or her responsibilities, and
lines of authority, lines of reporting and levels of responsibility
should be clear.
– Supervision
• Supervising of the day-to-day work of employees by their superior.
– Segregation of duties
• Where possible, duties should be split between two or more
people, so that the work done by one person acts as a check on
the work done by another.
Operational internal controls
• Nature
– Economical
• The organisation’s ability to acquire high quality raw materials at
the most competitive cost for the production of its product.
– Effectiveness
• The organisation’s ability to meet its objectives with all available
resources.
– Efficiency
• The organisation’s ability to maximise output from every single unit
of resources, which requires that there is no or minimal wastage
in the usage of the resources.
Limitations of internal controls
• Control risk
A sound system of internal controls cannot provide protection with
certainty against a company suffering losses or breaches of laws or
regulations or failing to meet its business objectives due to:
– the possibility of poor judgment in decision-making
– human error
– control processes being deliberately circumvented by employees
– management overriding controls
– collaboration between two or more parties
– incompetency or negligence of the staff concerned
– occurrence of unforeseen circumstances.
Information flows to management for the
purposes of managing internal control and risk
Internal control and reporting
• UK Corporate Governance Code
– requires the board to conduct a review of the effectiveness of the
group’s system of internal controls at least annually and report to
shareholders that they have done so.
– suggested that the disclosure of internal control would lead to
improvements in the communication links between investors and their
investee companies.
• Benefits
– reducing the cost of capital by raising confidence in the market through
communication of risk management policies
– reducing information asymmetry between companies and their
shareholders thereby lessening the agency problem inherent in
corporate governance.
Contents of the report on internal control
• Turnbull Guidance on Internal Controls
Requires that the board’s statement on internal control disclose the
following information:
– Presence of an ongoing process for identifying, evaluating and
managing the significant risks faced by the company
– An acknowledgement by the board that it is responsible for the
company’s system of internal control and for reviewing its
effectiveness
– A reminder that such a system is designed to manage rather than
eliminate the risk of failure to achieve business objectives, and
can only provide reasonable and not absolute assurance against
material misstatement or loss
– Summarization of the process the board has applied in reviewing
the effectiveness of the system of internal control
– The changes since the last annual assessment in the nature and
extent of significant risks, and the company’s ability to respond to
changes in its business and the external environment
– The scope and quality of management’s ongoing monitoring of
risks and of the system of internal control
– The extent and frequency of the communication of the results of
the monitoring to the board (or board committee)
– The incidence of significant control failings or weaknesses that
have been identified during the period and the extent to which
they have resulted in unforeseen outcomes or contingencies
– The necessary actions that have been or are being taken to
remedy the significant failings or weaknesses identified.
Monitoring of internal controls
• Turnbull guidance on internal control
The following questions may be considered by the board and discussed
with management when reviewing reports on internal control and when
carrying out its annual assessment.
– Control environment
• Do the company’s culture, code of conduct, human resource
policies and performance reward systems support the business
objectives and risk management and internal control system?
• Does senior management demonstrate, through its action as well
as its policies, the necessary commitment to competence,
integrity and fostering a climate of trust within the company?
– Control activities
• Does the board have clear strategies for dealing with the
significant risks that have been identified?
• Are authority, responsibility and accountability defined clearly
such that decisions are made and actions taken by the
appropriate people? Does the company communicate to its
employees what is expected of them and the scope of their
freedom to act?
• Do people in the company have the knowledge, skills and tools to
support the achievement of the company’s objectives and to
manage effectively risks to their achievement?
• How are processes/controls adjusted to reflect new or changing
risks, or operational deficiencies?
• Does the company have clear objectives and have they been
communicated so as to provide effective direction to
employees on risk assessment and control issues?
• Are the significant internal and external operational, financial,
compliance and other risks identified and assessed on an
ongoing basis?
• Is there a clear understanding by management and others
within the company of what risks are acceptable to the
board?
– Information and communication
• Do management and the board receive timely, relevant and
reliable reports on progress against business objectives and the
related risks needed for decision-making and management
review purposes?
• Are information needs and related information systems
reassessed as objectives and related risks change or as reporting
deficiencies are identified?
• Are periodic reporting procedures, including half-yearly and
annual reporting, effective in communicating a balanced and
understandable account of the company’s position and prospects?
• Are there established channels of communication for individuals
to report suspected breaches of law or regulations or other
improprieties?
– Monitoring
• Are there ongoing processes embedded within the company’s
overall business operations, and addressed by senior
management, which monitor the effective application of the
policies, processes and activities related to internal control and
risk management?
• Do these processes monitor the company’s ability to re-evaluate
risks and adjust controls effectively in response to changes in its
objectives, its business, and its external environment?
• Are there effective follow-up procedures to ensure that
appropriate change or action occurs in response to changes in
risk and control assessment?
• Is there appropriate communication to the board (or board
committees) on the effectiveness of the ongoing monitoring
processes on risk and control matters?
• Are there specific arrangements for management monitoring and
reporting to the board on risk and control matters of particular
importance?
The need for an internal audit function in the
light of regulatory and organisational
requirements
Role of Internal Audit
• Scale of operation
The higher volume of transactions increases the likelihood of
errors.
• Diversity and complexity of the company’s activities
Diversity complicates the company’s operation and thus increases
the chances of errors.
• Number of employees
An increase in the number of employees makes close monitoring of them
difficult and raises the chances of recruiting a potential fraudster.
• Cost/benefits considerations
The decision should take account of the qualitative costs and benefits,
such as the morale of the staff and the prevention of fraud
respectively, as well as the quantitative factors.
The importance of auditor independence in all
client-auditor situations
Factors that determine the internal auditors’
independence
1) The level from which the department derives its responsibilities (also
known as organisational status)