FINANCIAL

CONTROLLERSHIP
 Financial Controllership

Financial Controllership is a
management function that supervises
the accounting and financial reporting
of an organization. It is responsible in
the implementation and monitoring of
internal controls.

Page  2
 What are Risks?

For all businesses there are risks that exist and that need to be identified
and addressed in order to prevent or minimize losses.

Risk is the threat that an event, action, or non-action will

adversely affect an organization’s ability to achieve its business
objectives and execute its strategies successfully. Risk is
measured in terms of consequences and likelihood.

The following process is used for assessing risks: identifying risks, sourcing
risks and measuring risks. Overall, you should focus on the high risks
affecting your operations.

Identifying Sourcing
Sourcing Prioritizing
Risks Business
Risks Risks Risks

Page  3
 Risk Considerations

Considerations

• Evaluate the nature and types of errors and omissions that could occur, i.e.,
“what can go wrong”

• Consider significant risks (errors and omissions) that are common in the
industry or have been experienced in prior years

• Information Technology risks (i.e. - access, backups, security, data integrity)

• Volume, size, complexity and homogeneity of the individual transactions

processed through a given account or group of accounts (revenue,
receivables)

• Susceptibility to error or omission as well as manipulation or loss

• Robustness versus subjectiveness of the processes for determining

significant estimates

• Extent of change in the business and its expected effect

• Other risks extending beyond potential material errors or omissions in the

Page  4 financial statements
 What are Internal Controls?
Management must control identified risks to help the Company:

• achieve its performance and profitability targets,

• prevent loss of resources,
• ensure reliable financial reporting, and
• ensure compliance with laws and regulations, avoiding damage to its
reputation and other consequences.

In summary, internal controls can help our company get where it wants to go,
and avoid pitfalls and surprises along the way.

DEFINITION OF INTERNAL CONTROL

Internal control is a process, effected by an entity’s board of

directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting
• Compliance with applicable laws and regulations

Page  5
 Concepts and Objectives

Control definition reflects certain fundamental concepts:

 Internal control is a process. It's a means to an end, not an end

in itself.
 Internal control is effected by people. It's not merely policy
manuals and forms, but people at every level of an
organization.
 Internal control can be expected to provide only reasonable
assurance, not absolute assurance, to an entity's management
Objectives
and board. of Internal Control

Internal controls are established to further strengthen:

 The reliability and integrity of information.

 Compliance with policies, plans, procedures, laws and regulations.
 The safeguarding of assets.
 The economical and efficient use of resources.
 The accomplishment of established objectives and goals for operations or
programs.

Page  6
 Internal Control Myths and Facts
MYTHS:
Internal control starts with a
strong set of policies and
procedures.
Internal control: That’s why we have
internal auditors!
Internal control is a finance
thing.
Internal controls are essentially
negative, like a list of “thou-shalt-
nots.”
Internal controls take time away
from
Page  7 our core activities of
making products, selling, and
FACTS:
Internal control starts with a
strong control environment.
While internal auditors play a key role
in the system of control, management
is the primary owner of internal
control.
Internal control is integral to
every aspect of business.
Internal control makes the right things
happen the first time.
Internal controls should be built
“into,” not “onto” business
processes.
Source: Institute of Internal Auditors, 2003
 Control Focus

Redefining the control focus

The new approach to controlling business risks may be characterized by the “new
rules” of “prevent and monitor” and “build in quality” as opposed to the “old rules”
of “detect and correct” and “inspect in quality.” This means a paradigm shift in the
traditional viewpoint of control as illustrated in the following table:

Old Paradigm New Paradigm

 Only AUDITORS and TREASURY  EVERYONE, including operations, is

are concerned about risks and
controls
 FRAGMENTATION – Every function
and department does its own thing
(“SILO MANAGEMENT”)
 NO BUSINESS RISK CONTROL
POLICY
 INSPECT for and DETECT business
risk and REACT to it
 Ineffective PEOPLE are the primary
source of business risk
concerned about managing business
risks
 Business risk assessment and control
are FOCUSED and COORDINATED
with senior level OVERSIGHT
 FORMAL BUSINESS RISK CONTROL
POLICY approved by management and
the board
 ANTICIPATE and PREVENT business
risk at the source and MONITOR
business risk controls continuously
 Ineffective PROCESSES are the
primary source of business risk

Page  8
 Internal Control Structure

In many cases, you perform Monitoring:

• Monthly reviews of performance
controls and interact with the reports
control structure every day, • Internal audit function
perhaps without even realizing
MONITORING
it. Information &
Communication:
INFORMATION AND • Vision and values survey
COMMUNICATION • Issue resolution calls
• Reporting
Control Activities: • Corporate communications
• Purchasing limits CONTROL ACTIVITIES
(e-mail, meetings)
• Approvals
• Security Risk Assessment:
• Reconciliations RISK ASSESSMENT • Monthly Risk Control
• Specific policies meetings
• Internal audit risk
CONTROL ENVIRONMENT assessment

Control
Environment:
• Tone from the top
• Corporate Policies
• Organizational
authority
An internal control structure is simply a different way of viewing the
business – a perspective that focuses on doing the right things in the
Page  9 right way.
 COSO Components Defined
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), was formed
in 1985 to improve the quality of financial reporting through business ethics, effective internal
controls and corporate governance. Based on these principles, they developed and published
the COSO framework in 1992 as a foundation for establishing internal control systems and
determining their effectiveness.

Control Environment
• The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal
control, providing discipline and structure. Control environment factors include the
integrity, ethical values and competence of the entity's people; management's philosophy
and operating style; the way management assigns authority and responsibility
and organizes and develops its people; and the attention and direction provided by the
board of directors.
Risk Assessment
• Every entity faces a variety of risks from external and internal sources that must be
assessed. A precondition to risk assessment is establishment of objectives, linked at
different levels and internally consistent. Risk assessment is the identification and analysis
of relevant risks to achievement of the objectives, forming a basis for determining how the
risks should be managed. Because economic, industry, regulatory and operating conditions
will continue to change, mechanisms are needed to identify and deal with the special risks
associated with change.
Control Activities
 Control activities are the policies and procedures that help ensure management directives
Pageare
 10 carried
out. They help ensure that necessary actions are taken to address risks to
achievement of the entity's objectives. Control activities occur throughout the
 COSO Components Defined
Information and Communication
• Pertinent information must be identified, captured and communicated in a form and
timeframe that enables people to carry out their responsibilities. Information systems
produce reports, containing operational, financial and compliance-related information,
that make it possible to run and control the business. They deal not only with
internally generated data, but also information about external events, activities and
conditions necessary to informed business decision-making and external reporting.
Effective communication also must occur in a broader sense, flowing down, across and
up the organization. All personnel must receive a clear message from top
management that control responsibilities must be taken seriously. They must
understand their own role in the internal control system, as well as how individual
activities relate to the work of others. They must have a means of communicating
significant information upstream. There also needs to be effective communication
with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring
• Internal control systems need to be monitored -- a process that assesses the quality of
the system's performance over time. This is accomplished through ongoing
monitoring activities, separate evaluations or a combination of the two. Ongoing
monitoring occurs in the course of operations. It includes regular management and
supervisory activities, and other actions personnel take in performing their duties.
The scope and frequency of separate evaluations will depend primarily on an
assessment of risks and the effectiveness of ongoing monitoring procedures. Internal
control deficiencies should be reported upstream, with serious matters reported to top
management and the board.
Page  11
 Control Techniques

Prevention techniques are designed to provide reasonable assurance that only

valid transactions are recognized, approved and submitted for processing.
Therefore, many of the preventive techniques are applied before the processing
activity occurs. In most situations, preventive techniques are likely to be more
effective in a strong control environment, when management authorization
criteria are well-defined and properly communicated.

Control type definitions:

Preventive - Manual
Preventive - System

Examples of preventive controls include:

• Segregation of duties
• Business systems integrity and continuity controls, e.g., application design
standards, change controls, security controls, systems backup and recovery
• Physical safeguard and access restriction controls (human, financial, physical
and information assets)
• Effective planning/budgeting process
• Effective "whistle blowing" processes

Page  12
 Control Techniques

Detection techniques are designed to provide reasonable assurance that errors and
irregularities are discovered and corrected on a timely basis. Detection techniques
normally are performed after processing has been completed. They are particularly
important in an environment that has relatively weak preventive techniques. That is,
when front-end approval and processing techniques do not provide reasonable
assurance that unacceptable transactions are prevented from being processed or do
not assure that all approved transactions are processed accurately. In this case, after-
the-fact techniques become more important in detecting and correcting processing
errors.

Control type definitions:

Detective - Manual
Detective - System

Examples of detection techniques include:

• Reconciliation of batch balance reports to control logs maintained by originating
departments.
• Reconciliation of cycle inventory counts with perpetual records.
• Review and approval of reference file maintenance (“was-is”) reports.
• Comparison of reported results with plans and budgets.
• Reconciliation of subsidiary ledger balances with the general ledger.
• Reconciliation of interface amounts exiting one system and entering another.
 13
•PageReview of on-line access and transaction logs.
 Cash and bank accounts
• Do not allow a single employee to handle a cash
transaction from beginning to end.
• The cash handling function should be separated from
the function of recording cash transactions.
• Bank reconciliations should be performed on a timely
basis at the end of each month.
• Employees not involved with cash processing should
prepare bank reconciliations.

Page  14
 Cash activities
Cash receipts
The receipt of cash should be centralized and customers
should obtain a receipt at the conclusion of each sale.
Cash receipts should be deposited to the bank intact
on a daily basis.

Cash disbursements
All cash disbursements should be made by check and
petty cash fund system should be maintained for
minimal operating expenses.

Page  15
 Sales and receivables
• Check sales figures from their individual source (e.g.
invoices)
• If sales staff work on commission ensure that their
sales figures are valid and commissions are not paid
until customer’s accounts are settled
• Reconcile sales register with takings and credit card
receipts
• Make sure that goods are sent COD or with a tax
invoice and obtain evidence of delivery

Page  16
Sales and receivables
• Ensure credit and collection policies are in writing
• Conduct credit checks on new credit customers
• Regularly age accounts and have an independent
review and follow-up on individual accounts on a
monthly basis
• Ensure credit purchases are recorded as soon as the
transaction occurs
• Establish an accurate accounting system that
maintains agreement between the subsidiary and the
general ledgers
• adequate segregation of duties on the following
functions
 credit authorization
 collection (cash receipts)
Page  17  write-off of accounts
 Inventories
Reconciling inventory to general ledger
Implement an inventory system that tracks all
information so that returns, damaged items, sales,
and purchases would each be accounted for and
currently recorded.

Inventory count
Document the procedures for performing its physical
inventory counts. These instructions should include
specific tasks to be performed by personnel.
(e.g. completion of tags and control sheets)

Page  18
 Inventories
Valuation of inventory
Establish a capitalization policy on all inventoriable
items and determine their unit cost, monitor sales
activity and profitability and then analyze slow-
moving or obsolete items.

Disposal of obsolete items

Establish a policy on the disposal of obsolete items since
storage cost are still being incurred if these are
maintained

Page  19
 Property and equipment
• A subsidiary ledger or schedule that records important
identifying information for individual fixed asset
components.
• Authorizations for approvals for the acquisition of new
fixed assets from senior management.
• Periodic physical inventory of all fixed assets and
reconciliation with the subsidiary ledger.
• A written policy regarding capitalization of fixed assets
and expensing.
• Authorizations for approvals of dispositions of fixed
assets.

Page  20
 Disbursements and payables
• Document purchasing and accounts payable
procedures
• Ensure payments are on original invoices only – not
copies or faxes otherwise they may be paid more than
once
• After payment is made, stamp or perforate the original
invoice to prevent reuse
• Put in place controls to check for identical payments
• Ensure refund checks from suppliers are handled by
someone other than the person processing the invoices

Page  21
 Disbursements and payables
• Ensure the person who approves new vendors is
different from the person responsible for the payment
process
• Check rapidly increasing purchases from one vendor
• Check vendors billings more than once a month
• Look out for large billings broken into multiple smaller
invoices each of which is for an amount that would not
attract attention
• Once a month select a type of vendor and review each
line total and number of invoices for each vendor
• Check out the competitors' prices if you rely heavily
on
one supplier

Page  22
 Your Role as Process Owner

 General Expectations
• Acknowledge your responsibility for the design, implementation and
maintenance of the control structure within your business processes
• Contribute direction to identify, prioritize and review risks and controls
• Remove obstacles for compliance; remedy control deficiencies
• Continue or begin a program of self-assessment and testing to monitor
the controls within your processes

Page  23
Pam’s parable
After graduating from high school, Pam got a job
at a car
wash station in the parking lot at a small mall.
After two
weeks of sitting alone in her small booth it
occurred to
Pam that no one was watching her. Since she was
a little
short of money she took $10. The next day she
took $20.
Several weeks went by and Pam continued to filch
small
amounts of money.

Then one day the firm's part-time accountant

showed up
at the booth unannounced. By counting her cash,
the
Page  24
accountant quickly found Pam had stolen more
 Payment twice
How often do you overpay a supplier or pay an invoice twice?
Office Supplies Pty. Ltd is a fast growing new business. The
owner Bob signs all cheques and keeps a tight reign on all
parts of the business. He believes nothing could get past him!

Anita is the accounts payable person, receptionist and office

manager all rolled into one. There are also several sales staff,
but they are usually on the road doing the deals.

One week a number of suppliers started ringing up wanting

their money as their accounts were overdue and Bob told Anita
to stall them, as there wasn't enough cash in the bank.

After another week went by and three important suppliers

were getting insistent so Anita tried to get their invoices
processed and give them to Bob to sign. But she could not find
them anywhere. So she asked them to fax in another copy.
They faxed in statements of outstanding.
Page  25
 Payment twice
Bob finally agreed to sign them as some cash had arrived in the
bank account. Then at the end of the following week Bob turned
up with a file of invoices that he had been sitting on. Anita madly
processed then to get them out by the end of the month.

Anita ended up double paying the suppliers. The amounts didn't

match because the statements were larger than the invoice
accounts so a simple check on similar amounts didn't match up.

Did the suppliers return the difference?

And if they did, did reliable Anita bank the cheques into the
business's bank amount or did she get them endorsed over to her
account?
And what would stop Anita adding in another invoice?

Page  26
 Payment twice
She could take a copy of an invoice for a small amount of money
and send it through the system twice and pocket the refund when
sent back from the supplier. Anita has an inordinate amount of
responsibility in the business. She is under great pressure to
handle all her duties and consequently is not as thorough as she
might think she is or would like to be.

Page  27