The Internal Control Framework

Transcription

1 The Internal Control Framework CA. Rajkumar S Adukia B.Com(Hons.) FCA, ACS,MBA, AICWA, LLB,Dip In IFRS(UK) rajkumarfca@gmail.com / To receive regular updates kindly send test to rajkumarfca-subscribe@yahoogropups.com 1

2 What Is Internal Control? A process effected by an entity s board of directors,management and other personnel,designed to provide reasonable assurance regarding the achievements of objectives in the following categories: Effectiveness & efficiency of operations. Reliability of financial reporting. Compliance with applicable laws and regulations. 2

3 What is External Control? Various measures that affect a company's operations, which are not enacted by the company but rather by the government or other organizations. External control includes any rule or regulation which has an effect on the actions of the company, and can include tax laws enacted by the government which affect the flow of money, a lease which restricts what a company can or can not do with their office space, and laws which prevent discrimination in the company's hiring procedure. 3

4 Evolution of Internal Control Chanakya 300 BC English Audit Specialist - Lawrence Dicksee 1905 COSO 1992 SOX

5 Today s organizations are concerned about: Risk Management Governance Control Assurance (and Consulting) 5

6 Why Internal Control? Management and control of risks Safeguarding the assets of the company Achievement of overall objectives of the organisation Effective and efficient operations Reliable and correct financial information (internal as well as external) Prevention and detection of fraud and errors 6

7 Internal control is a process. It is a means to an end, not an end in itself. Internal control is effected by people. It s not merely policy manuals and forms, but people at every level of an organization. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity s management and board. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories. 7

8 The System of internal control The control environment Risk assessment The control activities and procedures Accounting, information and communication Monitoring and self assessment 8

9 Components Of Internal Control Control Environment. Risk Assessment. Control Activities. Information & Communication. Monitoring. 9

10 Limitations of Internal Control Judgement. Breakdowns. Management override. Collusion. Costs Versus Benefits. 10

11 11

12 What Internal Control Can Do It can help achieve performance & profitability targets. help prevent loss of resources. help ensure reliable financial reporting. help ensure compliance with laws. It can help an entity get to where it wants to go,and avoid pitfalls and surprises along the way. 12

13 What Internal Control Cannot Do It cannot ensure success. ensure the reliability of financial reporting. ensure compliance with laws and regulations. Internal controls,no matter how well designed and operated,can provide only reasonable assurance to management regarding achievements of an entity s objectives. 13

14 Internal control and internal audit Internal audit is a part of internal control Internal audit provides an objective, independent review of the organisation s activities, internal controls, and management information systems to help the board and management monitor and evaluate internal control adequacy and effectiveness. 14

15 Who is accountable for assurance that appropriate internal controls are in place? Management!!!! 15

16 Who s responsible for the performance of internal control activities? Everyone!!!!!! 16

17 Types of Internal Controls Directive Controls encourage good behavior, it s the right thing to do Incentive plans Recognition awards Training Policies and Procedures Promotions 17

18 Types of Internal Controls Preventative Controls prevent undesirable events from occurring Knowledge that someone is reviewing your work Segregation of duties Limited access Levels of authorization Security badges Business rule set-up in automated systems 18

19 Types of Internal Controls Detective Controls detect and correct undesirable events after they occur. Reconciliations Auditing Confirmations Exception reports Reviews done on a regular basis 19

20 Types of Internal Control Mitigating Controls Mitigate for the lack of an expected control. Cash handling lack of adequate staff for proper segregation of duties sharing with another area Software security/access regular monitoring of access for certain employees when software security is not adequate because of functional constraints. 20

21 IT Access Limitation Controls To create a record To change a record To approve a transaction By allowing read-only By requiring passwords Requiring time out limits By installing firewalls 21

22 Control Tools (Partial Listing) Formal Compliance programs Checklists Inspections Exception reports (i.e. Performance appraisals not completed, excessive overtime, duplicate payments etc.) Forms control (pre-numbered documents, filing by and verifying integrity of numerical sequence) Performance standards Physical safeguards (safes, locks, access cards, dual control over sensitive assets, cameras, alarms, guards, ID badges etc.) Simulated disaster recovery drills 22

23 Which of the following are examples of an internal control? Segregation of duties Passwords Bonus plans Reconciliations Staff Meetings Training on a new system Training in group dynamics Directions on how to complete expense reports Requiring original receipts for expense reports Managers being scrupulous in completing their own expense reports Managers telling employees to be scrupulous in completing their expense reports Standard price lists, with sales people allowed a maximum of 10% variance for negotiation 23

24 What happens when internal controls are not in place or break down? 24

25 FRAUD!!! 25

26 Internal Control Framework - Many models to choose from. COSO COCO Cadbury Report Deming Award TQM 12 Attributes Deep Learning Framework ISO 9000 Kings Report Treadway Commission 26

27 Internal Control Frameworks and Codes International Scenario Foreign Corrupt Practices Act (1977), Report of the National Commission on Fraudulent Financial Reporting (Treadway Commission Report, 1987); The Report on Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), in 1992 Internal control frameworks presented by the Cadbury Committee Report (Cadbury Report, UK); 27

28 Internal Control Frameworks and Codes International Scenario Internal Control: Guidance for Directors on the Combined Code (1999) The Criteria of Control Committee (CoCo Report, Canada) The King Committee (King Report, South Africa) The Report on Enterprise Risk Management Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), in

29 Who Developed Models? COSO: The major accounting and audit professional organizations issued COSO in Criteria: The Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in COCO: In November 1995, The Canadian Institute of Chartered Accountants (CICA) published Guidance on Control. ISO 9000 developed by the International Organization for Standardization (ISO) 29

30 Different Frameworks: Same Goals Frameworks provide a way of understanding our organizations. By having different groupings, each highlights some aspects of control more than others. The criteria in the frameworks provide a basis for understanding control in an organization and for making judgment about the effectiveness of control. 30

31 Different Frameworks: Same Goals Frameworks provide a systematic step by step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business. Frameworks provide a standard review process. Frameworks provide a tool that helps management and audtiors evaluate the adequacy of controls in multiple dimensions of the business. It helps give a picture of how well all of the controls in all of the dimensions are working. 31

32 Using These Frameworks Gives a picture that focuses on what is important to users, that keeps things in perspective, and that is sensitive to shades of gray. Flexibility is allowed and creativity is required. Nothing magical about them--but they can allow you to have seemingly magical insights. 32

33 One More Tool in the Tool box CSA (Controlled Self Assessment) Questionnaires Unobtrusive Measures Structure Interviews Document Reviews Regression Analysis Integrated Control Frameworks And many more! 33

34 COSO Monitoring Activities Information and Communication Risk Assessment Environment 34

35 Coso ERM Framework OH

36 COSO - Cadbury COSO Control Environment Risk Assessment Control Activities Information and Communication Monitoring Cadbury Control Environment Identification of Risks, Control Priorities and Objectives Control Activities Monitoring and Corrective Action 36

37 Control Environment Provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components (COSO) Management must send a clear message to all personnel that control responsibilities are to be taken seriously, that each personal has a particular role in the control system and that each role relates to the role of others. (Cadbury) 37

38 Risk Assessment Management must assess risks to the achievement of specified objectives. (COSO) Is the process by which executive management identifies the risks arising from the organization s business and, since resources are always limited, establishes the priorities for control and particular control objectives. (Cadbury) 38

39 Control Activities Are implemented to help ensure that management directives to address the risks are carried out. (COSO) Are the detailed polices and procedures designed to achieve the company s control objectives and to provide management with reasonable assurance that their priorities for internal control are being addressed. They operate throughout the organization, potentially covering all levels. (Cadbury) 39

40 Key Control Activities Monitoring Control Environment Control Over Assets & Information Systems Segregation of Duties Authorization, Approvals, Verifications 40

41 Information & Communication Relevant information must be identified, captured and communicated in a form & timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational,financial and compliance related information that make it possible to run and control the business. Effective communication must occur in a broader sense,flowing down,across and up the organization. 41

42 Monitoring The entire process is monitored and modified as conditions warrant. (COSO) Monitoring and corrective action should produce sufficient evidence that the financial control system for which they are responsible is effective in practice. Monitoring is performed at a higher level than the routine checks built into the day-to-day routine and involves a greater degree of independence from those who operate the procedures. (Cadbury) 42

43 CRIME Control Activity Risks Information Monitoring Environment 43

44 COSO Matrix Control Environment Risk Operations Financial Reporting Compliance With Laws and Regulations Control Activities Information and Communication Monitoring 44

45 COCO Purpose A sense of direction. What are we here for? Monitoring and Learning A sense of evolution. What Progress? What Next? Commitment A sense of identity and values. Do we want to do a good job? ACTION Capability A sense of competence. What action do we need to take? 45

46 COCO Criteria: Purpose Objectives should be established and communicated. The significant internal and external risks faced by an organization in the achievement of its objectives should be identified and assessed. Policies designed to support the achievement of an organization s objectives and the management of its risks should be established, communicated and practiced so that people understand what is expected of them and the scope of their freedom to act. Plans to guide efforts in achieving the organization s objectives should be established and communicated. Objectives and related plans should include measurable performance targets and indicators. 46

47 COCO Criteria: Commitment Shared ethical values, including integrity, should be established, communicated and practiced throughout the organization. Human resource policies and practices should be consistent with an organization s ethical values and with the achievement of its objectives. Authority, responsibility, and accountability should be clearly defined and consistent with an organization s objectives so that decisions and actions are taken by the appropriate people. An atmosphere of mutual trust should be fostered to support the flow of information between people and their effective performance toward achieving the organization s objectives. 47

48 COCO Criteria: Capability People should have the necessary knowledge, skills and tools to support the achievement of the organization s objectives. Communication processes should support the organization s values and the achievement of its objectives. Sufficient and relevant information should be identified and communicated in a timely manner to enable people to perform their assigned responsibilities. The decisions and actions of different parts of the organization should be coordinated. Control activities should be designed as an integral part of the organization, taking into consideration its objectives, the risks to their achievement, the inter-relatedness of control elements. 48

49 COCO Criteria: Monitoring and Learning Environment should be monitored to obtain information that may signal a need to re-evaluate the organization s objectives or controls Performance should be monitored against the targets and indicators identified in the organization s objectives and plans. The assumptions behind an organization s objectives should be periodically challenged. Information needs and related information systems should be reassessed as objectives change or as reporting deficiencies are identified. Follow-up procedures should be established and performed to ensure appropriate change or action occurs. Management should periodically assess the effectiveness of control in its organization and communicate the results to those to whom it is accountable. 49

50 COCO: Sample Assessment Questions Purpose Do we understand our objectives? Are our plans responsive and adequate to change? Commitment Are critical decisions made by people with the necessary expertise, knowledge and authority? Capability Is there adequate information to allow us to perform our tasks? Monitoring and Learning Do we challenge the assumptions behind our objectives? 50

51 COSO and COCO s Definition of Internal Control Per COSO, Internal Control is: a process, effected by an entity s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. Per COCO, Internal Control is those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the objectives. 51

52 Objectives of Internal Controls Per COSO, organization s effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations. Per COCO effectiveness and efficiency of operations reliability of internal and external reporting; and compliance with applicable laws and regulations and internal policies. 52

53 Key COSO and COCO Concepts Internal Control is a process. Internal Control is effected by people. Internal Control can be expected to provide only reasonable assurance. Internal Control is geared to the achievement of objectives. 53

54 Hard Controls - Soft Controls Policy and Procedures Organizational Structure Bureaucracy Restrictive formal processes Competence Trust Shared Values Leadership Expectations Commitment 54

55 What s More Important? Segregation of duties or ethical employees? Well written and thorough policy and procedures manuals or competent employees? Clear delineation of roles and responsibilities or a group of employees dedicated to accomplishing the organization s mission? 55

56 Soft Controls In the past, auditors have focused exclusively on the hard controls. As the Savings and Loan crises demonstrated, this has meant that auditors have often missed the really important issues that will dictate whether an organization succeeds and is operating at the most efficient and effective manner. COSO, COCO, Cadbury and the other control models highlight the need to examine soft controls and provide the analytical tools to do so. 56

57 Soft Factors lntegrity and ethical values Commitment to competence Management's philosophy and operating style Managing change Communication 57

58 Soft Control a useful, though not precisely definable term best explained with common characteristics and examples 58

59 Common Characteristics Hard controls tend to be: formal objective Quantitatively measurable the 'map" Soft controls tend to be: informal subjective intangible the real terrain 59

60 Examples Hard Controls Policy/procedure Organizational structure Bureaucracy Restrictive formal processes Soft Controls Competence Trust Shared Values Strong Leadership High expectations Openness Centralized decision making High ethical standards 60

61 CARO provisions Point 4 matters to be included in auditor s report (iv) is there an adequate internal control procedure commensurate with the size of the company and the nature of its business, for the purchase of inventory and fixed assets and for the sale of goods. Whether there is a continuing failure to correct major weaknesses in internal control. 61

62 The regulations Clause 49 of the Listing Agreement in India Sarbanes Oxley Act 2002 in US The Combined Code on Corporate Governance 2003 in UK Guidance for Directors on the Combined Code, Turnbull Committee (C.2 and C.3) 62

63 Clause 49 Corporate Governance Board of Directors Audit Committee Subsidiary Companies Disclosure of Contingent Liabilities Disclosures CEO/CFO certification Report on Corporate Governance Compliance 63

64 SOX Focus only on Financial reporting Information filed with SEC Section 404 Section 302 Setting up of independent audit committees Codes of conduct, whistle blowing procedures Greater involvement of the Board and the audit committees in control activities 64

65 SOX Section 404 Rules for reporting the evaluation of the internal controls relating to financial reporting Focus on compliance and accountability Standard for attestation engagements issued by Public Company Accounting Oversight Board (PCAOB) Audit standard 2 of June 2004, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements 65

66 SOX - Section 302 Responsibility for financial reports filed with SEC on signing officers Various certifications to be given by the signing officers 66

67 The Combined Code Maintain a sound system of internal control to safeguard shareholders investment and the company s assets. (Principle C.2) 67

68 Provision C.2.1 At least annual review of the effectiveness of the system of internal control Report to shareholders that review has been done. Review to cover all material controls, including financial, operational and compliance controls and risk management systems. 68

69 C.3 The board should establish formal and transparent arrangements for considering how they should apply the financial reporting and internal control principles and for maintaining an appropriate relationship with the company s auditors. 69

70 C.3.2 Main Role of the Audit Committee Review the internal financial controls unless expressly addressed by a separate board committee C.3.5 The audit committee should monitor and review the effectiveness of the internal audit activities. Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report. 70

71 Guidance for Directors on Combined Code The Turnbull Guidance Helps the directors to: assess how the Company has applied Code principle C.2 implement the requirements of Code provisions C.2.1 and C.3.5 report these matters to the shareholders in the annual report and accounts 71

72 The European framework The European Economic Reform White Paper of 2002 defines internal controls as creating standards for five key control elements: Control environment Performance and risk management Information and communication Control activities Audit and evaluation 72

73 The COSO framework of internal control The control environment Risk assessment The control activities Information and communication Monitoring 73

74 Questions/ Suggestions/ Comments??? 74

75 75