Unit 8: Internal control

1 Strategic risk and operating risk
Recall: Strategic risks are risks that arise in the business environment and markets in which a company operates. Operating risks are risks that arise within an organisation because of weaknesses in its systems, procedures, management or personnel.

2 Internal control
Unless there are controls to deal with them, operating risks can lead to losses because of operational failures, errors or fraud. The controls for these risks are ‘internal controls’, and internal controls are applied within an internal control system.

3 Internal control systems are concerned with the management of business risks other than strategic risks (strategic risk is dealt with by the risk management framework). These are risks which can be controlled by measures taken internally by the organisation.

4 Holistic approach
‘Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
◦ Effectiveness and efficiency of operations.
◦ Reliability of financial reporting.
◦ Compliance with applicable laws and regulations.’

5 Categories of risk
The risks that are managed by an internal control system can be categorised into three broad types:
◦ Financial
◦ Operational
◦ Compliance

6 Financial risk
These are risks of errors or fraud in accounting systems, and in accounting and finance activities. Errors or fraud could lead to losses for the organisation, or to incorrect financial statements. Weak controls may also mean that financial assets are not properly protected. Examples of financial risks include the risk of:
– failure to record financial transactions in the book-keeping system;
– failure to collect money owed by customers;
– failure to protect cash;
– financial transactions (such as payments) occurring without proper authorisation; and
– mis-reporting (deliberate or unintentional) in the financial statements.
7 Examples of internal controls (these form part of the internal control system)
– failure to record financial transactions in the book-keeping system: proper planning by reviewing work each time; schedule time properly to avoid overloading of work; verify financial information and use a consistent method.
– failure to collect money owed by customers: use a debt recovery agency, or a solicitor to take legal action (by going to court) or to settle the debt dispute by mediation; perform credit checks; set a credit limit; have a written agreement.
– failure to protect cash: keep the cash forecast accurate; micro-manage cash flow; better financial planning; a safe with keypads and locks, cameras, security guards.
– financial transactions (such as payments) occurring without proper authorisation: restrict privileged access to certain persons; segregation of duties; verification by higher-level managers.

8 Operational risk
Operational risk is ‘the risk of losses resulting from inadequate or failed internal processes, people and systems, or external events’. Operational risks include:
– the risk of a breakdown in a system due to machine failures or software errors;
– the risk of losing information from computer files or having confidential information stolen;
– the risk of a terrorist attack;
– losses arising from mistakes or omissions by staff; and
– inefficient or ineffective use of resources.

9 Compliance risk
These are risks that important laws or regulations will not be complied with properly. Failure to comply with the law could result in legal action against the company and/or fines.

10 The purpose of an internal control system and internal controls
An internal control system is the system that an organisation has for identifying operational, financial and compliance risks, applying controls to reduce the risk of losses from these risks, and taking corrective action when losses occur. Internal controls can be classified into three main types:
Preventive controls.
These are controls that are intended to prevent an adverse risk event from occurring; for example, to prevent opportunities for fraud by employees.
Detective controls. These are controls for detecting risk events when they occur, so that the appropriate person is alerted and corrective measures taken.
Corrective controls. These are measures for dealing with risk events that have occurred, and their consequences.

11 Financial controls: SPAMSOAP
Financial controls are internal accounting controls that are sufficient to provide reasonable assurance that:
◦ transactions are made only in accordance with the general or specific authorisation of management;
◦ transactions are recorded so that financial statements can be prepared in accordance with accounting standards and generally accepted accounting principles;
◦ transactions are recorded so that assets can be accounted for;
◦ access to assets is only allowed in accordance with the general or specific authorisation of management;
◦ the accounting records for assets are compared with actual assets at reasonable intervals of time; and
◦ appropriate action is taken whenever differences are found.

12 (…) Financial controls
The maintenance of proper accounting records is an important element of internal control. Effective financial controls should ensure:
◦ the quality of external and internal financial reporting, so that there are no material errors in the accounting records and financial statements;
◦ that no fraud is committed (or that fraud is detected when it occurs); and
◦ that the financial assets of the company are not stolen, lost or needlessly damaged, or that these risks are reduced.

13 Operational controls
Operational controls are controls that help to reduce operational risks, or identify failures in operational systems when these occur. They are designed to prevent failures in operational procedures, or to detect and correct operational failures if they do occur.
Operational failures may be caused by:
◦ machine breakdowns;
◦ human error;
◦ failures in IT systems;
◦ failures in the performance of systems (possibly due to human error);
◦ weaknesses in procedures; and
◦ poor management.
Operational controls are measures designed to prevent these failures from happening, or to identify and correct problems that do occur. Regular equipment maintenance, better training of staff, automation of standard procedures, and reporting systems that make managers accountable for their actions are all examples of operational controls.

14 Compliance controls
Compliance controls are concerned with making sure that an entity complies with all the requirements of relevant legislation and regulations. The potential consequences of failure to comply with laws and regulations vary according to the nature of the industry and the regulations. For a manufacturer of food products, for example, food hygiene regulations are important. For a bank, regulations to protect consumers against mis-selling and regulations for detecting and reporting suspicions of money laundering are important.

15 Internal control risks
‘Internal control risks’ are risks that internal controls will fail to achieve their intended purpose, and will fail to prevent, detect or correct adverse risk events. These risks can occur because:
◦ the controls are badly designed, and so are not capable of achieving their purpose; or
◦ the controls are well designed, but are not applied properly, due to human error or oversight, or to deliberate ignoring or circumvention of the control (a form of operational risk event).
An internal control system needs to have procedures for identifying weak or ineffective internal controls. This is one of the functions of monitoring the effectiveness of the internal control system.
16 Elements of an internal control system
Internal controls are an essential part of an internal control system, but an internal control system should also have other elements in order to be effective and achieve its objectives. The Committee of Sponsoring Organizations (COSO) framework for an internal control system (which is consistent with COSO’s Enterprise Risk Management framework) identifies five elements of a system of internal control.

17 The five elements of the COSO framework
1. A control environment
2. Risk identification and assessment
3. Internal controls (detective, preventive and corrective; covering financial, operational and compliance risk)
4. Information and communication
5. Monitoring

18 Control environment
The control environment describes the awareness of (and attitude to) internal controls in the organisation, shown by the directors, management and employees generally. It therefore encompasses corporate culture, management style and employee attitudes to control procedures. The control environment is determined by the example given by the company’s leaders with regard to control, and by their expectation that employees should also be risk-conscious. Factors in the control environment include:
– integrity and ethical values within the organisation, such as the existence of a code of ethics;
– a commitment to competence in performance;
– the commitment of the board of directors and the audit committee to monitoring management, and their independence from management; and
– human resources policies and practices, such as the company’s policies on performance evaluation and rewarding employees for performance.
19 How do we assess the effectiveness of the control environment?
Investigate; examine accounting information; evaluate the quality of monitoring; check that employees are aware of and follow policies; make sure that a training programme is available for employees and that training is regular; make sure that employees comply with the policies; employees must understand the remit of their responsibility; supervision of the work; the audit committee and the internal audit department work together, with regular consultation between the audit committee and the internal audit department.

20 Risk identification and assessment
There should be a system or procedures for identifying the risks facing the company (and how these are changing) and assessing their significance. Controls or management initiatives should be devised to deal with significant risks. Internal control risks can be categorised as financial risks, operational risks and compliance risks.

21 Internal controls
Controls should be devised and implemented to eliminate, reduce or control risks. Internal controls can be categorised as financial controls, operational controls and compliance controls, to deal respectively with financial risks, operational risks and compliance risks.

22 Information and communication
All employees who are responsible for the management of risks should receive information that enables them to fulfil this task. More generally, there should be a system of information provision and communication within the organisation so that individuals are aware of what is expected of them. It can be described as providing the right people with information, in sufficient detail and on time, to let them do their job well. Communication within an internal control system also includes the existence and use of a whistleblowing procedure.

23 Monitoring
The effectiveness of the internal control system should be monitored regularly. Internal audit is one method of monitoring the internal control system. Internal controls are also monitored by executive management and (as part of their annual audit) by the external auditors.
The board of directors also has a responsibility to review the effectiveness of the system.

24 The Mauritius corporate governance framework for internal control
Principle 5: Risk Governance and Internal Control. The Board should be responsible for risk governance and should ensure that the organisation develops and executes a comprehensive and robust system of risk management. The Board should ensure the maintenance of a sound internal control system.

25 NCCG 2016 on internal control
Internal control is one of the mechanisms used to reduce risk to an acceptable level. Internal control should be operated by the organisation’s Board, its management and staff, and should be embedded in the daily activities of the organisation. Internal controls should apply to the holding company, intermediate holding companies and subsidiaries. Management should be responsible for the design, implementation and monitoring of the internal control system. Senior management’s role should be to oversee the establishment, administration and assessment of the system and processes. The Board should monitor the internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls. The Board should satisfy itself that the system of internal control is functioning effectively. The Board should be apprised of the assessment of internal control deficiencies, the management actions to mitigate such deficiencies, and how management assesses the effectiveness of the organisation’s system of internal controls.

26 Recommended disclosure – NCCG 2016
– Statement that the Board is responsible for the governance of risk and for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives.
– Outline of the structures and processes in place for identifying and managing risk.
– Description of the methods by which the directors derive assurance that the risk management processes are in place and are effective.
– Description of each of the principal risks and uncertainties faced by the organisation and the way in which each is managed.
– Identification and discussion of the risks that threaten the business model, future performance, solvency and liquidity of the organisation.

27 (…) Recommended disclosure – NCCG 2016
– Affirmation that the Board or an appropriate Board committee has monitored and evaluated the organisation’s strategic, financial, operational and compliance risk.
– Assurance that, by direction of the Board or an appropriate Board committee, management has developed and implemented appropriate frameworks and effective processes for the sound management of risk.
– Outline of the systems and processes in place for implementing, maintaining and monitoring the internal controls.
– Description of the process by which the Board derives assurance that the internal control systems are effective.
– Identification of any significant areas not covered by the internal controls.
– Acknowledgement of any risks or deficiencies in the organisation’s system of internal controls.
– Report on whistle-blowing rules and procedures; possible protections could include confidential hotlines, access to a confidential and independent person or office, safe harbours and rewards, or immunity for whistle-blowers.

28 Verify your charter: audit committee
STUDENTS ARE REQUIRED TO VERIFY THE ROLE OF THE AUDIT COMMITTEE WITH RESPECT TO INTERNAL CONTROLS.

29 Internal audit
Internal audit is considered under Principle 7 of NCCG 2016: ‘In the absence of an internal audit function, management needs to apply other monitoring processes in order to assure itself, the audit committee and the board that the system of internal control is functioning as intended.
In these circumstances, the audit committee will need to assess whether such processes provide sufficient and objective assurance.’

30 Function and scope of internal audit
Internal audit is defined as ‘an independent appraisal activity established within an organization as a service to it. It is a control, which functions by examining and evaluating the adequacy and effectiveness of other controls’ (Chartered Institute of Management Accountants (CIMA) official terminology).

31 (…) Function and scope of internal audit
Reviewing the internal control system (the five elements). Traditionally, an internal audit department has carried out independent checks on the financial controls in an organisation, or in a particular process or system. The checks would be to establish whether suitable financial controls exist and, if so, whether they are applied properly and are effective. It is not the function of internal auditors to manage risks, only to monitor and report on them, and to check that risk controls are efficient and cost-effective.

32 (…) Function and scope of internal audit
Special investigations. Internal auditors might conduct special investigations into particular aspects of the organisation’s operations (systems and procedures), to check the effectiveness of operational controls.
Examination of financial and operating information. Internal auditors might be asked to investigate the timeliness of reporting and the accuracy of the information in reports.
VFM (value for money) audits. This is an investigation into an operation or activity to establish whether it is economical, efficient and effective.
Reviewing compliance by the organisation with particular laws or regulations. This is an investigation into the effectiveness of compliance controls.
Risk assessment.
Internal auditors might be asked to investigate aspects of risk management, and in particular the adequacy of the mechanisms for identifying, assessing and controlling significant risks to the organisation, from both internal and external sources.

33 Investigation of internal financial controls
– Whether the controls are manual or automated. Automated controls are by no means error-proof or fraud-proof, but may be more reliable than similar manual controls.
– Whether controls are discretionary or non-discretionary. Non-discretionary controls are checks and procedures that must be carried out. Discretionary controls are those that do not have to be applied, either because they are voluntary or because an individual can choose to disapply them. Risks can infiltrate a system, for example, when senior management chooses to disapply controls and allow unauthorised or unchecked procedures to occur.
– Whether the control can be circumvented easily, because an activity can be carried out in a different way to which similar controls do not apply.
– Whether the controls are effective in achieving their purpose. Are they extensive enough, or carried out frequently enough? Are the controls applied rigorously? For example, is a supervisor doing their job properly?

34 Disaster recovery plans
As its name suggests, a disaster recovery plan is a plan of what to do in the event of a disaster that is unconnected with the company’s business and outside the control of management. Disaster recovery planning goes beyond the procedures that should be followed in an emergency, such as a fire or explosion in a building. It is intended to establish what should be done in the event of an extreme disaster that threatens the ability of the company to maintain its operations. Examples of disasters are natural disasters, such as major fires, flooding or storm damage to key installations or offices, and major terrorist attacks.
35 (…) Disaster recovery plans
– Specify which operations are essential and must be kept going.
– Where operations rely on IT systems, identify the computers or networks to which the system can be transferred in the event of damage to the main system.
– Specify where operations should be transferred to, if they cannot continue in their normal location.
– Identify key personnel who are needed to maintain the system in operation.
– Identify who should be responsible for keeping the public informed about the impact of the disaster and the recovery measures that are being taken.

36 Whistleblowing procedures
A whistleblower is an employee who provides information about their company that they reasonably believe provides evidence of:
– fraud;
– a serious violation of a law or regulation by the company, or by directors, managers or employees within the company;
– a miscarriage of justice;
– offering or taking bribes;
– price-fixing;
– a danger to public health or safety, such as dumping toxic waste in the environment or supplying food that is unfit for consumption;
– neglect of people in care; or
– in the public sector, gross waste or misuse of public funds.

37 WHISTLEBLOWER_ACF Position Paper 6.pdf