Internal controls

Presentation at: NESPAK Lahore

Presenter:
Rana M Usman Khan, FCA
Senior Manager
A F Ferguson & Co., Lahore
 To begin with……….Definition
Institute of Internal Auditors defines

 Action taken by management to enhance

likelihood that established objectives and
goals will be achieved
 Management plans, organizes and directs
the performance of sufficient actions to
provide reasonable assurance that
objectives and goals will be achieved
 Thus control is the result of proper planning,
organizing and directing by management
 Internal control frameworks/models
 Committee of Sponsoring Organizations of
the Treadway Commission (COSO)
 CICA report…..Criteria of Control (CoCo)
 Institute of Internal Auditors Research
Foundation…Systems Auditability and
Control (SAC)
 Information Systems Audit and Control
Foundation….Control Objectives for
Information and Related Technology
(COBIT)
Components of an Internal control
model

 Control environment
 Risk assessment and response
process
 Control activities
 Information and communication
 Monitoring
 Control environment

Factors:
 Philosophy and operating style
 Culture
 Organizational structure
 Methods of imposing controls
 Integrity, ethical values and
competence
Control environment
Elements: (UK Turnbull report)
 Clear strategies
 Culture, code of conduct, human resource policies
and performance reward systems
 Commitment to competence, integrity and
fostering a climate of trust
 Clear definition of authority, responsibility and
accountability
 Communication
 Knowledge, skills and tools
Control environment…..Tips
 Effective human resource
policies…..strengthens the environment: areas:
– Hiring
– Orientation
– Training
– Evaluations
– Counseling
– Promotions
– Compensation
– Disciplinary actions
 Risk assessment and management
Components
– Determination of goals and objectives
– Identify risk to achieving the goals
– Risk analysis
– Risk management……integration with
control activities
– Linkage or integration may be
complex
 Risk identification…Few Questions
 What could go wrong?
 How could we fail?
 What must go right for us to succeed?
 Where are we vulnerable?
 What assets do we need to protect?
 Do we have liquid assets or assets with
alternative uses?
 How could someone steal from the
department?
 Risk identification…Few Questions
Cont’d
 How could someone disrupt our operations?
 How do we know whether we are achieving our
objectives?
 On what information do we most rely?
 On what do we spend the most money?
 How do we bill and collect our revenue?
 What decisions require the most judgment?
 What activities are most complex?
 What activities are regulated?
 What is our greatest legal exposure?
Risk identification…What’s next
Relate identified risks to activities or process to
identify high risk transactions/activities
– Operating Fixed Assets
– Cash Receipts
– Travel Expenditures
– Payroll (rates, changes, terminations)
– Equipment
– Equipment Moved Off-Location
– Intellectual Property
– Confidential Information
 Control procedures/activities

UK Auditing Practice Board

“Those policies and
procedures in addition to the
control environment
established to achieve the
entity’s specific objectives.”
 Classification of Control procedures
 Prevent, detect and correct
– Prevent (designed to prevent errors) e.g:
 Checking invoices with goods received
 Checking of delivery notes with invoices
 Signing of documents (delivery notes, credit
notes)
– Detect (to detect errors once they have occurred):
 Bank reconciliations
– Correct (to minimize or negate the effect of errors):
 Back ups

 Storing of data at different place

Types of procedures
 SPAMSOAP
– Segregation of duties (Preventive)
– Physical (Preventive & Detective)
– Authorization and approval (Preventive)
– Management (Preventive)
– Supervision (Preventive & Detective)
– Organization (Preventive)
– Arithmetical and accounting (Detective)
– Personnel (Preventive)
 Classification of Control procedures
 Corporate, management, business process
and transaction:
– Corporate (general policy, core culture
values)
– Management (planning, performance,
accountability, risk evaluation)
– Business process (authorization limits,
validation of input, reconciliations)
– Transaction (accuracy and completeness
checks, compliance with prescribed
procedures)
 Classification of Control procedures
 Financial and non-financial controls
– Financial: Focus on key transaction areas with emphasis
on:
– Safeguarding of assets
– Maintenance of proper accounting records
– Reliable financial information
– Non-financial: Concentrate on wider performance issues:
– Performance indicators
– Balanced scorecard
– Activity based management
– Organizational structure
– Rules and regulations
 Classification of Control procedures
 Administrative and accounting controls
– Administrative (achieving objectives of the
organization with implementation of policies):
 Establishing suitable organization structure
 Division of managerial authority
 Reporting responsibilities
 Channels of communication
– Accounting (accuracy of accounting records)
 Recording of transactions
 Responsibilities of records, transactions and
assets
 Classification of Control procedures
 Discretionary and non-discretionary controls
– Discretionary (subject to human discretion) e.g:
 No dispatch of goods to customers with overdue
balance
– Non-discretionary (provided by the system and cannot
be by-passed) e.g:
 Inputting PIN number when using a cash dispensing
machine
 Voluntary and mandated controls
– Voluntary (chosen by the organization) e.g:
 Approval of certain key transaction
– Mandated (required by law/external authorities)
 Classification of Control procedures

 Manual and automated controls

– Manual:
Human functions
– Automated
Programmed

 General and application controls

– Used to reduce the risk associated with computer
environment:
General (relate to environment)
Application (prevent, detect, correct errors
 Information and communications
 Information and communication are
essential to effecting control
 information be communicated up, down, and
across an organization about:
– Organization's plans
– Control environment
– Risks
– Control activities
– Performance
 Monitoring
 Monitoring is the assessment of internal
control performance over time
 It is accomplished by ongoing monitoring
activities and by separate evaluations of
internal control such as:
– Self-assessments
– Peer reviews
– Internal audits
Costs and benefits of internal
controls

Benefits
 Reasonable assurance of progress
towards objectives
 Safeguarding of assets
 Compliance with laws and regulations
 Enabling external auditor to do less
work and charging low fee
 Costs and benefits of internal
controls

Costs
 Visible – salary of security officer
 Opportunity costs – less time given to
operations by managers more to supervision
 General costs – reduced:
– Flexibility
– Responsiveness
– Creativity
 Limitations of internal controls

 Cost vs benefits
 Potential for human error and fraud
 Collusion between employees
 Possibility of by-passing
 Routine and non-routine transactions
 Method of data processing
(manual/computerized)
 Rules and Responsibilities

 Following have specific roles and

responsibilities in design and
implementation:
– Board of directors
– Management
– Internal auditors
– External auditors
Rules and Responsibilities…
Board, Management, Audit committee

 Leadership
 Design
 Implementation
 Monitoring
 Evaluation
 Reporting
 Rules and Responsibilities…
Internal auditor

 Ensuring:
– the adequacy of the system of internal control
– the reliability of data
– the efficient use of the organization's
resources
 Identify control problems and develop solutions for
improving and strengthening
 Are concerned with the entire range of an
organization's internal controls, including
operational, financial, and compliance controls.
 Rules and Responsibilities…
External auditor
 External auditors assess the effectiveness of
internal control within an organization to plan
the financial statement audit
 External auditors focus primarily on controls
that affect financial reporting
 Have a responsibility to report internal
control weaknesses (as well as reportable
conditions about internal control) to the audit
committee of the board of directors
 Financial Controls…little more
 Objectives
– Safeguarding of assets (embezzlements/misuse)
– Maintenance of proper accounting records
– Reliable financial information
 Controls
– Separation of functions and responsibilities
(checks and balances)
– Authorizations and approvals
– Books and records
 Billing and receivables…examples
of financial controls
 Evaluating credit worthiness of customers
 Sales/service agreement or contract
 Review of invoices or adjustments
 Timely processing of invoices upon delivery of
goods/services
 Approval of invoices and checking with supporting
documents prior to approval
 Timely review of overdue receivables
 Review of transactions
 Maintenance and retention of proper records
 Few more examples of financial
controls…cash/fund handling
 Issuance of cash receipts for cash
collections
 Maintenance of cash book or similar
records
 Maintenance of safe custody for cash
collected
 Timely deposit of cash collected into bank
 Double signatures on cheques