
Unit 8_ Internal control
Strategic risk and operating risk
• Strategic risks are risks that arise in the business
environment and markets in which a company operates.
• Operating risks are risks that arise within an organisation
because of weaknesses in its systems, procedures,
management or personnel.
Internal control
Unless there are controls to deal with them, operating
risks can lead to losses because of operational failures,
errors or fraud.
• The controls for these risks are ‘internal controls’, and
internal controls are applied within an internal control
Internal control systems
Internal control systems are concerned with the management of business risks
other than strategic risks (strategic risk – risk mgt
• These are risks which can be controlled by measures
taken internally by the organisation.
Holistic approach
‘Internal control is a process, effected by an entity’s board
of directors, management and other personnel, designed
to provide reasonable assurance regarding the
achievement of objectives in the following categories:
◦ Effectiveness and efficiency of operations.
◦ Reliability of financial reporting.
◦ Compliance with applicable laws and regulations.’
Categories of risk
The risks that are managed by an internal control system
can be categorised into three broad types:
◦ Financial
◦ Operational
◦ Compliance
Financial risk
These are risks of errors or fraud in accounting systems, and in
accounting and finance activities. Errors or fraud could lead to
losses for the organisation, or to incorrect financial statements.
Weak controls may also mean that financial assets are not properly
protected. Examples of financial risks include the risk of:
– failure to record financial transactions in the book-keeping system;
– failure to collect money owed by customers;
– failure to protect cash;
– financial transactions (such as payments) occurring without proper
authorisation; and
– mis-reporting (deliberate or unintentional) in the financial
Examples of internal controls (forming part of the
internal control system)
– failure to record financial transactions in the book-keeping system: proper
planning by reviewing work each time; schedule time properly to avoid
overloading of work; verify financial information and use a consistent
– failure to collect money owed by customers: debt recovery agency;
solicitor to take legal action; use of mediation to settle debt disputes, or
going to court; perform credit checks; set a credit limit; written agreement
– failure to protect cash: keep cash forecasts accurate; micro-manage cash
flow; better financial planning; safe with keypads and locks, cameras; security
– financial transactions (such as payments) occurring without proper
authorisation: privileged access restricted to certain persons; segregation of duties;
verification by higher-level managers.
Operational risk
Operational risk is ‘the risk of losses resulting from
inadequate or failed internal processes, people and systems,
or external events’.
• Operational risks include:
– the risk of a breakdown in a system due to machine failures
or software errors;
– the risk of losing information from computer files or having
confidential information stolen;
– the risk of a terrorist attack;
– losses arising from mistakes or omissions by staff; and
– inefficient or ineffective use of resources.
Compliance risk
These are risks that important laws or regulations will
not be complied with properly.
• Failure to comply with the law could result in legal action
against the company and/or fines.
The purpose of an internal control system
and internal controls
An internal control system is the system that an organisation has
for identifying operational, financial and compliance risks, applying
controls to reduce the risk of losses from these risks and taking
corrective action when losses occur.
• Internal controls can be classified into three main types:
• Preventive controls. These are controls that are intended to
prevent an adverse risk event from occurring; for example, to
prevent opportunities for fraud by employees.
• Detective controls. These are controls for detecting risk events
when they occur, so that the appropriate person is alerted and
corrective measures taken.
• Corrective controls. These are measures for dealing with risk
events that have occurred, and their consequences.
Financial controls – SPAMSOAP
Financial controls are internal accounting controls that are sufficient
to provide reasonable assurance that:
◦ transactions are made only in accordance with the general or specific
authorisation of management;
◦ transactions are recorded so that financial statements can be prepared in
accordance with accounting standards and generally accepted accounting
◦ transactions are recorded so that assets can be accounted for;
◦ access to assets is only allowed in accordance with the general or specific
authorisation of management;
◦ the accounting records for assets are compared with actual assets at
reasonable intervals of time; and
◦ appropriate action is taken whenever there are found to be differences.
(…)Financial controls
The maintenance of proper accounting records is an
important element of internal control.
Effective financial controls should ensure:
◦ the quality of external and internal financial reporting, so that there
are no material errors in the accounting records and financial
◦ that no fraud is committed (or that fraud is detected when it
occurs); and
◦ that the financial assets of the company are not stolen, lost
or needlessly damaged, or that these risks are reduced.
Operational controls
Operational controls are controls that help to reduce operational risks, or identify
failures in operational systems when these occur. They are designed to prevent
failures in operational procedures, or to detect and correct operational failures if
they do occur. Operational failures may be caused by:
◦ machine breakdowns;
◦ human error;
◦ failures in IT systems;
◦ failures in the performance of systems (possibly due to human error);
◦ weaknesses in procedures; and
◦ poor management.
Operational controls are measures designed to prevent these failures from
happening, or identifying and correcting problems that do occur. Regular equipment
maintenance, better training of staff, automation of standard procedures, and
reporting systems that make managers accountable for their actions are all
examples of operational controls.
Compliance controls
Compliance controls are concerned with making sure that
an entity complies with all the requirements of relevant
legislation and regulations.
• The potential consequences of failure to comply with laws
and regulations vary according to the nature of the industry
and the regulations.
• For a manufacturer of food products, for example, food
hygiene regulations are important. For a bank, regulations to
protect consumers against mis-selling and regulations for
detecting and reporting suspicions of money laundering are
Internal control risks
‘Internal control risks’ are risks that internal controls will fail to
achieve their intended purpose, and will fail to prevent, detect or
correct adverse risk events.
These risks can occur because:
◦ they are badly designed, and so not capable of achieving their purpose as a
control; or
◦ they are well-designed, but are not applied properly, due to human error
or oversight, or deliberately ignoring or circumvention of the control (a
form of operational risk event).
An internal control system needs to have procedures for identifying
weak or ineffective internal controls. This is one of the functions of
monitoring the effectiveness of the internal control system.
Elements of an internal control system
Internal controls are an essential part of an internal
control system, but an internal control system should
also have other elements in order to be effective and
achieve its objectives.
• The Committee of Sponsoring Organizations (COSO) framework
for an internal control system (which is consistent with
COSO’s Enterprise Risk Management framework) identifies
five elements of a system of internal control.
The five elements of the COSO framework
◦ A control environment
◦ Risk identification and assessment
◦ Internal controls (detective, preventive and
corrective; financial, operational and compliance)
◦ Information and communication
◦ Monitoring
Control environment
The control environment describes the awareness of (and attitude to) internal controls
in the organisation, shown by the directors, management and employees generally.
It therefore encompasses corporate culture, management style and employee
attitudes to control procedures.
• The control environment is determined by the example given by the company’s
leaders towards control and their expectation that employees should also be
risk-conscious. Factors in the control environment include:
– integrity and ethical values within the organisation, such as the existence of a code
of ethics;
– a commitment to competence in performance;
– the commitment of the board of directors and the audit committee to monitoring
management and their independence from management; and
– human resources policies and practices, such as the company’s policies on
performance evaluation and rewarding employees for performance.
How do we assess the effectiveness of the
control environment
Investigate; examine accounting info; evaluate quality of
• Employees are aware of and follow policies; make sure a
training programme is available for employees and that it is
regular; make sure that employees comply with the
• Must understand remit of responsibility; supervision of
the work; audit committee and internal audit department
work together, regular consultation between AC and
Risk identification and assessment
There should be a system or procedures for identifying
the risks facing the company (and how these are
changing) and assessing their significance.
• Controls or management initiatives should be devised to
deal with significant risks.
• Internal control risks can be categorised as financial risks,
operational risks and compliance risks.
Internal controls
Controls should be devised and implemented to
eliminate, reduce or control risks. Internal controls can
be categorised as financial controls, operational controls
and compliance controls, to deal respectively with
financial risks, operational risks and compliance risks.
Information and communication
All employees who are responsible for the management of
risks should receive information that enables them to fulfil
this task. More generally, there should be a system of
information provision and communication within the
organization so that individuals are aware of what is
expected of them. It can be described as providing the right
people in sufficient detail and on time with information to let
them do their job well. Communication within an internal
control system also includes the existence and use of a
whistleblowing procedure.
Monitoring
The effectiveness of the internal control system should
be monitored regularly.
• Internal audit is one method of monitoring the internal
control system.
• Internal controls are also monitored by executive
management and (as part of their annual audit) by the
external auditors.
• The board of directors also has a responsibility to review
the effectiveness of the system.
The Mauritius corporate governance framework for
internal control
Principle 5: Risk Governance and Internal Control
• The Board should be responsible for risk governance and
should ensure that the organisation develops and
executes a comprehensive and robust system of risk
• The Board should ensure the maintenance of a sound
internal control system.
NCCG 2016 on internal control
Internal control is one of the mechanisms used to reduce risk to an acceptable level.
Internal control should be operated by the organisation’s Board, its management and staff
and should be embedded in the daily activities of the organisation. Internal controls should
apply to the holding Company, intermediate holding companies and subsidiaries.
Management should be responsible for the design, implementation and monitoring of the
internal control system. Senior management’s role should be to oversee the establishment,
administration and assessment of the system and processes.
The Board should monitor the internal control systems and, at least annually, carry out a
review of their effectiveness and report on that review in the annual report.
The monitoring and review should cover all material controls, including financial, operational
and compliance.
The Board should satisfy itself that the system of internal control is functioning effectively.
The Board should be apprised of the assessment of internal control deficiencies, the
management actions to mitigate such deficiencies and how management assesses the
effectiveness of the organisation’s system of internal controls.
Recommended disclosure – NCCG 2016
Statement that the Board is responsible for the governance of risk
and for determining the nature and extent of the principal risks it is
willing to take in achieving its strategic objectives.
• Outline of the structures and processes in place for identifying and
managing risk.
• Description of the methods by which the directors derive
assurance that the risk management processes are in place and are
• Description of each of the principal risks and uncertainties faced by
the organisation and the way in which each is managed.
• Identification and discussion of the risks that threaten the business
model, future performance, solvency and liquidity of the
(…) Recommended disclosure – NCCG 2016
Affirmation that the Board or an appropriate Board committee has monitored and
evaluated the organisation’s strategic, financial, operational and compliance risk.
Assurance that by direction of the Board or an appropriate Board committee
management has developed and implemented appropriate frameworks and effective
processes for the sound management of risk.
Outline of the systems and processes in place for implementing, maintaining and
monitoring the internal controls.
Description of the process by which the Board derives assurance that the internal
control systems are effective.
Identification of any significant areas not covered by the internal controls.
Acknowledgement of any risks or deficiencies in the organisation’s system of
internal controls.
Report on whistle-blowing rules and procedures; possible protections could
include confidential hotlines, access to a confidential and independent person or
office, safe harbours and rewards, or immunity to whistle blowers.
Verify your charter – audit committee
Internal audit
Internal audit is considered under principle 7 of NCCG
• ‘In the absence of an internal audit function, management
needs to apply other monitoring processes in order to
assure itself, the audit committee and the board that the
system of internal control is functioning as intended. In
these circumstances, the audit committee will need to
assess whether such processes provide sufficient and
objective assurance.’
Function and scope of internal audit
Internal audit is defined as ‘an independent appraisal
activity established within an organization as a service to
it. It is a control, which functions by examining and
evaluating the adequacy and effectiveness of other
controls’ (Chartered Institute of Management
Accountants (CIMA) official terminology).
(…)Function and scope of internal audit
Reviewing the internal control system. (5 elements)
• Traditionally, an internal audit department has carried out
independent checks on the financial controls in an
organisation, or in a particular process or system.
• The checks would be to establish whether suitable
financial controls exist, and if so, whether they are
applied properly and are effective. It is not the function of
internal auditors to manage risks, only to monitor and
report them, and to check that risk controls are efficient
and cost-effective.
(…)Function and scope of internal audit
Special investigations. Internal auditors might conduct special investigations into
particular aspects of the organisation’s operations (systems and procedures), to
check the effectiveness of operational controls.
Examination of financial and operating information. Internal auditors might be asked
to investigate the timeliness of reporting and the accuracy of the information in
VFM audits. This is an investigation into an operation or activity to establish
whether it is economical, efficient and effective.
Reviewing compliance by the organisation with particular laws or regulations. This
is an investigation into the effectiveness of compliance controls.
Risk assessment. Internal auditors might be asked to investigate aspects of risk
management, and in particular the adequacy of the mechanisms for identifying,
assessing and controlling significant risks to the organisation, from both internal
and external sources.
Investigation of internal financial controls
• Whether the controls are manual or automated. Automated controls are by no
means error-proof or fraud-proof, but may be more reliable than similar manual
• Whether controls are discretionary or non-discretionary. Non-discretionary
controls are checks and procedures that must be carried out. Discretionary
controls are those that do not have to be applied, either because they are
voluntary or because an individual can choose to disapply them. Risks can infiltrate
a system, for example, when senior management chooses to disapply controls and
allow unauthorised or unchecked procedures to occur.
• Whether the control can be circumvented easily, because an activity can be carried
out in a different way where similar controls do not apply.
• Whether the controls are effective in achieving their purpose. Are they extensive
enough or carried out frequently enough? Are the controls applied rigorously? For
example, is a supervisor doing their job properly?
Disaster recovery plans
As its name suggests, a disaster recovery plan is a plan of
what to do in the event of a disaster that is unconnected
with the company’s business and outside the control of
• Disaster recovery planning goes beyond procedures that
should be taken in an emergency, such as a fire or explosion
in a building. It is intended to establish what should be done
in the event of an extreme disaster that threatens the ability
of the company to maintain its operations.
• Examples of disasters are natural disasters, such as major
fires or flooding or storm damage to key installations or
offices, and major terrorist attacks.
(…) Disaster recovery plans
• Specify which operations are essential, and must be kept
• Where operations rely on IT systems, identify the computers
or networks to which the system can be transferred in the
event of damage to the main system.
• Specify where operations should be transferred to, if they
cannot continue in their normal location.
• Identify key personnel who are needed to maintain the
system in operation.
• Identify who should be responsible for keeping the public
informed about the impact of the disaster and the recovery
measures that are being taken.
Whistleblowing procedures
A whistleblower is an employee who provides information about
their company that they reasonably believe provides evidence of:
• fraud;
• a serious violation of a law or regulation by the company or by
directors, managers or employees within the company;
• a miscarriage of justice;
• offering or taking bribes;
• price-fixing;
• a danger to public health or safety, such as dumping toxic waste in
the environment or supplying food that is unfit for consumption;
• neglect of people in care; or, in the public sector, gross waste or
misuse of public funds.
WHISTLEBLOWER_ACF Position Paper 6.pdf