Date posted: 15-Dec-2015
Uploaded by: jacel-anne-agcaoili
What Is Internal Control?
A process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Safeguarding of assets
• Adherence to managerial policies
Consider your own personal internal control system:
• When you leave your house, do you check that all lights are off and the doors are locked?
• Do you keep your ATM PIN (passwords) only to yourself? Maintain a back-up known only to you?
• Do you require receipts for all your purchases?
• Do you monitor your finances?
An integral process
• A series of actions throughout the operations on an ongoing basis
• Built in rather than built on; embedded with the management processes of planning, organizing, budgeting, staffing, implementing, and monitoring
• Not stand-alone or separate specialized systems within an agency
• Interwoven into and made an integral part of each system that management uses to regulate and guide its operations
Internal Control
Which also means:
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It’s not merely policy manuals and forms, but people functioning at every level of the organization.
• Internal control is geared to the achievement of objectives in several overlapping categories.
• Internal control only provides reasonable assurance to an institution’s leaders regarding achievement of operational, financial reporting and compliance objectives.
Control Processes
The policies, procedures and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.
ISPPIA Definition
Examples:
• Proper procedures for authorization
• Adequate separation of duties
• Adequate documents and records
• Physical control over assets and records
• Independent checks on performances
• Accountability
• Flow of financial information
Internal Control System (ICS)
• Encompasses the policies, processes, tasks, behaviour and other aspects of a company that taken together:
- Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives;
- Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation;
- Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business
The IA Handbook, third edition by KHS Pickett
Control – any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
- Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved
ISPPIA Definition
The Four Functions of Management
Planning
- Process of determining how the organization can get where it wants to go and what the organization will do to accomplish its objectives
- Concerned with organizational success in the near future (short term) as well as in the more distant future
Organizing
- Process of establishing orderly uses for all resources within the management system by assigning tasks developed under the planning function to various individuals or groups within the organization
- Creates a mechanism to put plans into action
Influencing
- Process of guiding the activities of organization members in appropriate directions
- Concerned primarily with people within the organization
- Ultimate purpose is to increase productivity
- Motivating, leading, directing, or actuating
Controlling
- Process managers go through to control
- Systematic effort to compare performance to predetermined standards, plans or objectives to determine whether performance is in line with those standards or needs to be corrected
IIA-P
Management’s responsibility on ICS
• Determine the need for controls
• Design suitable controls
• Implement these controls
• Check that these controls are being applied correctly
• Maintain and update the controls
The IA Handbook, third edition by KHS Pickett
IA’s role in ICS
2100 – Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
2130 – Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.
2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.
IIA-P
IA Role on ICS
• Assessing those areas that are most at risk in terms of key control objectives
• Defining and undertaking a programme for reviewing high profile systems that attract the most risk
• Reviewing each of these systems by examining and evaluating their associated ICS to determine the extent to which the five key control objectives are being met
• Advising management whether or not controls are operating adequately and effectively so as to promote the achievement of the system’s/control objectives
• Recommending any necessary improvements to strengthen controls where appropriate, while making clear the risks involved in failing to effect these recommended changes
• Following up audit work so as to discover whether management has actioned agreed audit recommendations
IIA-P
The Three Lines of Defense
First – functions that own and manage risk
Second – functions that oversee risks
Third – the functions that provide independent assurance
First: Operational Management
• Responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis
• Responsible for implementing corrective actions to address process and control objectives
• Operational managers OWN and MANAGE risks
Second: Management oversight functions
• Pertains to the various risk control and compliance oversight functions established by management such as:
- Risk management
- Compliance
- Controllership
- Quality
- Inspection
- Security
- Legal
- Environmental
Second: Responsibilities
• Supporting management policies, defining roles and responsibilities, and setting goals for implementation
• Providing risk management framework
• Identifying known and emerging issues
• Identifying shifts in the organization’s implicit risk appetite
• Assisting management in developing processes and controls to manage risks and issues
• Facilitating and monitoring implementation of effective risk management principles by operational management
• Monitoring the adequacy and effectiveness of internal controls, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies
Third: Internal Audit
Internal Auditors provide the Board of Directors and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization
IIA-P
Types of Management Control Techniques
1. Direct Supervision and Observation
2. Financial Statements
3. Budgetary Control
4. Break Even Analysis
5. Return on Investment
6. Management Audit
7. Management Information System
8. PERT and CPM Techniques
9. Self-Control
10. Management by Objectives
IIA-P
Direct Supervision and Observation
• Oldest technique of controlling. The supervisor himself observes the employees and their work. This brings him in direct contact with the workers. So, many problems are solved during supervision.
• The supervisor gets first-hand information, and he has better understanding with the workers. This technique is most suitable for a small-sized business.
http://kalyan-city.blogspot.com/2011/05/control-techniques-10-types-of.html
Financial Statements
• Collection of reports about an organization's financial results, financial condition, and cash flows.
They are useful for the following reasons:
- To determine the ability of a business to generate cash, and the sources and uses of that cash.
- To determine whether a business has the capability to pay back its debts.
- To track financial results on a trend line to spot any looming profitability issues.
- To derive financial ratios from the statements that can indicate the condition of the business.
- To investigate the details of certain business transactions, as outlined in the disclosures that accompany the statements.
http://www.accountingtools.com
Budgetary Control
A budget is a set of interlinked plans that quantitatively describe an entity's projected future operations. It is used as a yardstick against which to measure actual operating results, for the allocation of funding, and as a plan for future operations. A planning and controlling device; budgetary control is done for all aspects of a business such as income, expenditure, production, capital and revenue.
http://www.accountingtools.com
http://kalyan-city.blogspot.com/2011/05/control-techniques-10-types-of.html
Break Even Analysis
The breakeven point is the sales volume at which a business earns exactly no money. The breakeven point is useful in the following situations:
• To determine the amount of remaining capacity after the breakeven point is reached, which tells you the maximum amount of profit that can be generated.
• To determine the impact on profit if automation (a fixed cost) replaces labor (a variable cost)
• To determine the change in profits if product prices are altered
• To determine the amount of losses that could be sustained if the business suffers a sales downturn
http://www.accountingtools.com
Return on Investment
A performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio. The return on investment formula:
http://www.investopedia.com
Management by Objectives
• Uses organizational objectives as the primary means of managing organizations
Basic parts:
- All individuals in an organization are assigned a specialized set of objectives (mutually agreed upon by the individuals and their managers) within a normal operating period
- Performance reviews are conducted periodically to determine the progress of attainment of objectives
- Rewards are given to individuals on the basis of how close they come to reaching their goals
IIA-P
Management Audit
• A systematic examination of decisions and actions of the management to analyse the performance.
• Involves the review of managerial aspects like organizational objective, policies, procedures, structure, control and system in order to check the efficiency or performance of the management over the activities of the Company.
https://en.wikipedia.org/wiki/Management_auditing
PERT and CPM Techniques
Program Evaluation and Review Technique (PERT)
• A statistical tool, used in project management, which was designed to analyze and represent the tasks involved in completing a given project
• Most commonly used methods for project management.
Critical Path Method (CPM)
• A method of project planning consisting of a number of well defined and clearly recognizable activities.
• An algorithm for scheduling a set of project activities
http://civilengineersforum.com/pert-cpm/
https://en.wikipedia.org/wiki/
PERT
PERT chart for a project with five milestones (10 through 50) and six activities (A through F). Using CPM: The project has two critical paths: activities B and C, or A, D, and F – giving a minimum project time of 7 months with fast tracking.
https://en.wikipedia.org/wiki/
Management Information System (MIS)
• A computerized database of financial information organized and programmed in such a way that it produces regular reports on operations for every level of management in a company. It is usually also possible to obtain special reports from the system easily.
• The main purpose of the MIS is to give managers feedback about their own performance; top management can monitor the company as a whole. Information displayed by the MIS typically shows "actual" data over against "planned" results and results from a year before; thus it measures progress against goals.
http://www.inc.com/encyclopedia/management-information-systems-MIS.html
Self-Control
• Self-directed control; a person is given freedom to set his own targets, evaluate his own performance and take corrective measures as and when required
• Self-control is commonly required for top level managers
• The superiors must control the important activities of the subordinates.
http://kalyan-city.blogspot.com
Control Categories
SGV & Co Materials
• Key and significant control – Minimum set of controls that can provide reasonable assurance that the risk is mitigated, provided that the controls are designed properly, operating as intended and are demonstrable.
• Secondary control – Any other controls not defined as key or significant. These are supplemental controls frequently used to improve the timeliness of detection of issues or backlog controls used as emergency “catch-alls”.
Types of Controls
IIA-P Materials
Preventive
• designed to limit the possibility of an undesirable outcome being realized
• attempt to stop a risk from occurring
Corrective
• designed to limit the scope for loss and reduce any undesirable outcomes which have been realized
• may also provide a route of recourse to achieve some recovery against loss or damage
Directive
• designed to ensure that a particular outcome is achieved
• attempt to avoid risks by providing specific ways to do things
Detective
• designed to identify occasions of undesirable outcomes having been realized
• their effect is, by definition, “after the event” so they are only appropriate when it is possible to accept that the loss or damage has been incurred
• attempt to determine if a risk has occurred
Automated Controls classified as:
• General - relate to the overall information-processing environment.
• Application - ensure the completeness and accuracy of transaction processing, authorization, and validity.
General Controls
• Entity wide security program planning and management;
• Access controls limit or detect access to computer resources for both physical and logical controls;
• Controls on the development, maintenance and change of application software
• System software controls
• Segregation of duties
• Service continuity controls
Application controls
1. Data Capture Controls – ensures that all transactions are recorded in the application system, transactions are recorded only once, and rejected transactions are identified, controlled, corrected, and reentered into the system.
2. Data Validation Controls – ensures that all transactions are properly valued.
3. Processing Controls – ensures the proper processing of transactions.
4. Output Controls – ensures that computer output is not distributed or displayed to unauthorized users.
5. Error Controls – ensures that errors are corrected and resubmitted to the application system at the correct point in processing.
Controls vs. Cost
IIA-P Materials
[Figure: Systems-Based, Preventive Control; People-Based, Preventive Control; Systems-Based, Detective Control; People-Based, Detective Control. Scale labels: More Reliable/Desirable, Less Reliable/Desirable]
Economical, Efficient, and Effective Operations
Economical – able to perform functions/tasks using the least amount of resources within a specified timeframe
Efficient – “doing things right” given the available resources and within a specified timeframe
- Delivering a given quantity and quality of outputs with minimum inputs or maximizing outputs with a given quantity and quality of inputs
- Prioritization and leveraging of resources
Effective – “doing the right things”, able to deliver major final outputs and outcomes and able to contribute to the attainment of goals and objectives
Characteristics of an Effective Control
• Addresses root cause
• Considers cost
• Simple
• Leaves tracks
• Embedded
• Combination of “soft” and “hard” controls
• Covers adequately the Internal Control components and objectives
Benefits of Internal Control
• Help prevent errors and irregularities
• If they occur, help ensure they are detected timely
• Encourage adherence to prescribed policies and procedures
• Protect employees:
1) by clearly outlining tasks and responsibilities,
2) by providing checks and balances, and
3) from being accused of misappropriations, errors or irregularities.
(Source: Internal Controls, Office of the Internal Auditor, Washington State University, http://internalaudit.wsu.edu/internalcontrols.html)
What Internal Control Can Do
• It can help achieve performance & profitability targets.
• It can help prevent loss of resources.
• It can help ensure reliable financial reporting.
• It can help ensure compliance with laws.
• It can help an entity get to where it wants to go and avoid pitfalls and surprises along the way.
What Internal Control Cannot Do
• It cannot ensure success.
• It cannot ensure the reliability of financial reporting.
• It cannot ensure compliance with laws and regulations.
“Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding achievements of an entity’s objectives.”