SlideShare a Scribd company logo

Internal control system

M
Madiha Hassan

The document discusses internal control systems and the COSO framework. It provides details on the following: 1. There are three main categories of internal controls - financial, operational, and compliance controls. The COSO framework defines internal control and its objectives. 2. The COSO framework has five main elements - control environment, risk assessment, control activities, information and communication, and monitoring. These elements work together to help ensure objectives are met. 3. Internal audit is an independent function that examines and evaluates internal controls to provide assurance on their effectiveness and efficiency. Internal auditors may review various areas including financial and operational controls, compliance, risk management, and value for money.

1 of 20
Downloaded 435 times
1
2
3
4
5
6
7
8
9
10
11
12
13
Most read
14
15
16
17
Most read
18
19
20
Most read
Internal Control System A High Level Perspective 1
Internal controls • There are several types of internal control, and each organisation will use some or all of these, to a greater or lesser extent. Some organisations have more extensive and more effective controls than others. • Internal controls are applied to prevent adverse events from happening or to detect failures in control when they occur. A useful and common method of categorising internal controls is to analyse them into three categories: 1. Financial controls. 2. Operational controls. 3. Compliance controls 2
Standard Internal control system • An internal control system consists of a ‘control environment’ and control procedures. • A useful definition of internal control was given by the US Committee Of Sponsoring Organizations (COSO). • The COSO Framework defines internal control as the achievement of objectives’ in the following three categories 1. Reliability of financial reporting (through financial controls). 2. Effectiveness and efficiency of operations (through operational controls). 3. Compliance with relevant laws and regulations (through compliance controls). 3
The COSO Framework elements -1 A control environment: • The control environment sets the tone of an organization, influencing the control consciousness of its people. • It is the foundation for all other components of internal control, providing discipline and structure. • Control environment factors include the integrity, ethical values and competence of the entity's people, management's philosophy and operating style, the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. 4
The COSO Framework elements -2 Risk identification and assessment: • Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. • Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. • As economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change 5
The COSO Framework elements -3 Control Activities: • Policies and procedures that help ensure management directives are carried out. • These policies & procedures help ensure that necessary actions are taken to address risks towards achievement of the entity's objectives. • Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. . 6
The COSO Framework elements -4 Information and communication: • Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. • Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. • Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. • Effective communication with external parties, such as customers, suppliers, regulators and shareholders is required 7
The COSO Framework elements - 5 Monitoring: • Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. • Monitoring is accomplished through on-going monitoring activities, separate evaluations or a combination of the two. • On-going monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. • The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of on- going monitoring procedures. • Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. 8
Fundamental Concepts 1. Internal Control is a process. It is a mean to an end not an end itself. 2. Internal control is not merely a policy manual and forms but it is the assurance of effective and efficient implementation of those manuals. 3. Internal control can be expected to provide only reasonable assurance not an absolute assurance of the implemented control. 4. Internal control is geared to the achievement of the objectives in one or more overlapping categories. 9
Financial controls • Financial controls relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly • Financial controls are designed to ensure that: − There are no errors in the preparation of accounting records and financial statements. − No fraud is committed (there may be controls for detecting fraud when it occurs , as well as controls that try to prevent fraud from being able to occur). − Assets of the company are not stolen, lost or damaged. 10
Operational controls • Operational controls addresses the company 's basic business objectives, including performance and profitability goals and safeguarding of resources. • Operational controls are designed to prevent failures in operational procedures, or to detect and correct operational failures if they do occur. Operational failures may be caused by: − Program breakdowns (total breakdown or in certain function) − Failures in the performance of systems. − Weaknesses in procedures / process execution. − Poor management such as no planning, monitoring,… 11
Compliance controls • Compliance controls ensure that the company complies with the most significant laws, rules and regulations. • The most significant regulations for a company vary according to the nature of its business, (i.e. compliance with health and safety regulations, in the case of banks money laundering prevention regulations,….) 12
13 Compliance controls Regulations Who Needs to Comply Security Areas Covered Compliance Requirements HIPAA US healthcare organisations and partners all over the globe Creating, storing and transmitting electronic protected health information All major "Best Practice Safety " areas Sarbanes Oxley (SOX) & Accounting Standards US public companies and partners over the globe Defined to secure the public against corporate fraud and misrepresentation All major "Best Practice Financial " areas PCI DSS (Also Covered by Breach Laws) Merchants who take credit cards Privacy of Customer Financial Data Varies by size of merchant, requires Best Practices plus 3rd Party Quality Risk Assessments
Establishing internal control system – (1) • The board of directors is responsible for maintaining a sound system of internal control. • They should set appropriate policies on internal control & seek regular assurance to satisfy that the system is operating effectively. • In deciding the policies for internal control and assessing what constitutes an effective system of internal control, the board should consider the following factors: 1. The nature and extent of the risks facing the company; 2. The extent and categories of risks that the board regards as acceptable for the company to bear. 3. The likelihood that the risks will materialise. 4. The company’s ability to reduce the incidence and impact on the business of the risks that do materialise. 5. The costs of operating particular controls relative to the benefits to be obtained from managing the risks they control. 14
The internal control system should: 1. Be embedded in the operations of the company and form part of its culture. 2. Be capable of responding quickly to risks which the business may face as they emerge and develop. 3. Include procedures for reporting immediately to the management responsible of control failings and any corrective action that should be undertaken. 15 Establishing internal control system – (2)
Internal audit overview • Internal audit is defined as an independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. • If the board of directors and the audit committee do not have the time to carry out a detailed review themselves, and they can rely on information provided to them by internal auditors • Internal auditors may be full-time employees of the company or external professionals appointed by the company to carry out specific investigations. • There must be a system for monitoring and review by higher level management 16
The possible tasks of internal audit –(1) 1. Reviewing the internal control system. Traditionally, an internal audit department would carry out checks on the financial controls in an organisation. The checks would be to establish whether suitable financial controls exist and if so, whether they are applied properly and are effective. It is not the function of internal auditors to manage risks, only to monitor and report them, and to check that risk controls are efficient and cost-effective. 2. Special investigations. Internal auditors might conduct special investigations into particular aspects of the organisation’s operations (systems and procedures), to check the effectiveness of operational controls. 17
The possible tasks of internal audit –(2) 3. Examination of financial and operating information. Internal auditors might be asked to investigate the timeliness of reporting and the accuracy of the information in reports. 4. Value for money (VFM) audits. This is an investigation into an operation or activity to establish whether it is economical, efficient and effective. 5. Reviewing compliance by the organisation with particular laws or regulations. This is an investigation into the effectiveness of compliance controls.. 18
6. Risk assessment. Internal auditors might be asked to investigate aspects of risk management, and in particular the adequacy of the mechanisms for identifying, assessing and controlling significant risks to the organisation, from both internal and external sources. 7. Internal auditors might be involved in providing continuous support to the risk management process. If a company has established a risk oversight committee with responsibility for the oversight and reporting of risks, a senior internal auditor might be one of the committee members. The internal audit department might even have responsibility for coordinating risk management within the company, and reporting to the board or audit committee about risks on a company-wide basis. 19 The possible tasks of internal audit –(3)
Investigation of internal controls Internal auditors are commonly required to check the soundness of internal financial controls. In assessing the effectiveness of individual controls, and of an internal control system generally. • Factors to be considered: 1. Automated controls are by no means error- or fraud-proof, but may be more reliable than similar manual controls. 2. Non-discretionary controls are checks and procedures that must be carried out. Discretionary controls are those that do not have to be applied, either because they are voluntary or because an individual can choose to dis-apply them. 3. Finding if the controls extensive enough or carried out frequently enough ? Are the controls applied rigorously? For example, is a supervisor doing his job properly? (to check whether the controls are effective in achieving their purpose) 20

More Related Content

PPTX
Internal controls in auditing
Hardik Shah
 
PPTX
Internal check internal audit internal control
SriramPurnaKotla
 
PPTX
Internal audit ppt
Ibrahim Jimalle
 
PPTX
11. materiality and audit risk
Syed Osama Rizvi
 
PPTX
Internal Control
ravalhimani
 
PPTX
Audit report
Real Estate Services
 
PPTX
Indian financial system
Danta Thomas
 
PPTX
AUDIT-PLANNING.pptx
KennethNinalga
 
Internal controls in auditing
Hardik Shah
 
Internal check internal audit internal control
SriramPurnaKotla
 
Internal audit ppt
Ibrahim Jimalle
 
11. materiality and audit risk
Syed Osama Rizvi
 
Internal Control
ravalhimani
 
Audit report
Real Estate Services
 
Indian financial system
Danta Thomas
 
AUDIT-PLANNING.pptx
KennethNinalga
 

What's hot (20)

PPTX
Chapter 1.
Thane
 
PPTX
Audit report
CS S Dhanapal B.Com B.A.B.L F.C.S
 
PPTX
Audit Process, Audit Procedures, Audit Planning, Auditing
Advance Business Consulting
 
PPTX
Internal audit department
Popun
 
PDF
Proposal risk based internal audit 2013
Nidhi Gupta
 
PPT
Internal Process Audit
intellisenseit
 
PPT
Auditing And Assurance Standards
Augustin Bangalore
 
PPTX
Tax Planning Concept and tax planning with specific managerial decisions
Sundar B N
 
PPT
Risk Assessment For Internal Auditors
minkhollow
 
PPTX
LIQUIDATION OF COMPANIES
AdalineDharshini
 
PPTX
AUDIT PROGRAMME - PPT.pptx
HeldaMaryA
 
PPTX
Audit report
Minali Jain
 
PPT
Unit 3 internal control
Radhika Gohel
 
PPTX
DPA 3043(AUDITING)-CHAPTER 6:Materiality and Risk
norliza muhamad
 
PPTX
Dividend Policy and Dividend Decision Theories.pptx
anshikagoel52
 
PPTX
AUDIT REPORT [ AUDITING ]
Rakshit Porwal
 
PPTX
Internal control
iPleaders - Re-engineering Legal education, New Delhi
 
PPTX
Cash flow
Janki Pandya
 
PPTX
General principles-of-taxation.pptx-joni-2
jonipaloma
 
PPT
Inflation accounting
Unitedworld School Of Business
 
Chapter 1.
Thane
 
Audit report
CS S Dhanapal B.Com B.A.B.L F.C.S
 
Audit Process, Audit Procedures, Audit Planning, Auditing
Advance Business Consulting
 
Internal audit department
Popun
 
Proposal risk based internal audit 2013
Nidhi Gupta
 
Internal Process Audit
intellisenseit
 
Auditing And Assurance Standards
Augustin Bangalore
 
Tax Planning Concept and tax planning with specific managerial decisions
Sundar B N
 
Risk Assessment For Internal Auditors
minkhollow
 
LIQUIDATION OF COMPANIES
AdalineDharshini
 
AUDIT PROGRAMME - PPT.pptx
HeldaMaryA
 
Audit report
Minali Jain
 
Unit 3 internal control
Radhika Gohel
 
DPA 3043(AUDITING)-CHAPTER 6:Materiality and Risk
norliza muhamad
 
Dividend Policy and Dividend Decision Theories.pptx
anshikagoel52
 
AUDIT REPORT [ AUDITING ]
Rakshit Porwal
 
Internal control
iPleaders - Re-engineering Legal education, New Delhi
 
Cash flow
Janki Pandya
 
General principles-of-taxation.pptx-joni-2
jonipaloma
 
Inflation accounting
Unitedworld School Of Business
 
Ad

Viewers also liked (20)

PPTX
Audit programme
Kumandan
 
PPTX
Audit procedures
Darryl Woolley
 
DOC
Audit planning- Review Questionnaire.
Magnolia Raz
 
PPTX
BMC Remedy ITSM 8.0 What's New
BMC Software
 
PPT
04 Audit documentation
CA. (Dr.) Rajkumar Adukia
 
PPTX
Bmc presentation
Intel Security
 
PPTX
Topic 4 internal control system (ics)
sakura rena
 
PPT
Chapter 3
Nur Dalila Zamri
 
PPTX
Audit Programme: Concept, Types, Functions, Advantages & Disadvantages
Jagriti Gupta
 
PDF
Audit documentation
Venkatesan Murali
 
PPTX
Audit Documentation Presentation
Karim70
 
DOC
Type of auditing
Dharmik
 
DOCX
management letter
19970116
 
PDF
Workshop presentation on internal control and internal audit by Jose Viegas R...
Support for Improvement in Governance and Management SIGMA
 
DOC
Sap Access Risks Procedures
Inprise Group
 
PDF
The 7 Keys to an Effective Audit Programme
Craig Thornton
 
PPTX
Topic 2 objectives and scope of financial statement audit
sakura rena
 
PPT
Topic 6 audit documentation
sakura rena
 
PPT
audit sampling notes
student
 
PPT
Topik 8 Audit Sampling
Dania Johan
 
Audit programme
Kumandan
 
Audit procedures
Darryl Woolley
 
Audit planning- Review Questionnaire.
Magnolia Raz
 
BMC Remedy ITSM 8.0 What's New
BMC Software
 
04 Audit documentation
CA. (Dr.) Rajkumar Adukia
 
Bmc presentation
Intel Security
 
Topic 4 internal control system (ics)
sakura rena
 
Chapter 3
Nur Dalila Zamri
 
Audit Programme: Concept, Types, Functions, Advantages & Disadvantages
Jagriti Gupta
 
Audit documentation
Venkatesan Murali
 
Audit Documentation Presentation
Karim70
 
Type of auditing
Dharmik
 
management letter
19970116
 
Workshop presentation on internal control and internal audit by Jose Viegas R...
Support for Improvement in Governance and Management SIGMA
 
Sap Access Risks Procedures
Inprise Group
 
The 7 Keys to an Effective Audit Programme
Craig Thornton
 
Topic 2 objectives and scope of financial statement audit
sakura rena
 
Topic 6 audit documentation
sakura rena
 
audit sampling notes
student
 
Topik 8 Audit Sampling
Dania Johan
 
Ad

Similar to Internal control system (20)

PPTX
INTERNAL CONTROL-PPT.pptx
HeldaMaryA
 
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
ssusere1a0f0
 
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
bm6tkbry4q
 
PPT
Finance Internal_Controls presentation ppt
bm6tkbry4q
 
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
KinhDoanhKhoaKinhTe
 
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
Abdiansyah Prahasto
 
PPTX
Lecture 16 internal control - james a. hall book chapter 3
Habib Ullah Qamar
 
PPSX
Internal controls
Geetali Tare
 
PDF
Internal Control
Salih Islam
 
PPTX
2010 training English.for Agribusiness and value pptx
bojasenbeta28
 
PDF
Internal control
SALIH AHMED ISLAM
 
PPTX
Information system control and audit
Astri Stiawaty
 
PDF
Coso s internal_control_presentation
Catur Setiawan
 
PDF
Internal control and Control Self Assessment
Manoj Agarwal
 
PDF
WIRC-IFC.pdf
SmitVithalani4
 
PPTX
Week 4_Lecture_Internal Control_Student.pptx
Tfno
 
PPT
DECEMBER INTERNAL CONTROL FOR EFFICIENT AND EFFECTIVE SERVICE DELIVERY-1.ppt
1111964
 
PPTX
Richardson_AIS3e_CH13_PowerPoint.pptx
MohamedElmahgoub2
 
PPTX
topic 3 internal controls..audit.pptx
vailethmwaisanila
 
PPT
internal-controls (1) Sistem Informasi akuntansi.ppt
DoddychandraDoddy
 
INTERNAL CONTROL-PPT.pptx
HeldaMaryA
 
FIN-Internal_Controls_Primer_Presentation.ppt
ssusere1a0f0
 
FIN-Internal_Controls_Primer_Presentation.ppt
bm6tkbry4q
 
Finance Internal_Controls presentation ppt
bm6tkbry4q
 
FIN-Internal_Controls_Primer_Presentation.ppt
KinhDoanhKhoaKinhTe
 
FIN-Internal_Controls_Primer_Presentation.ppt
Abdiansyah Prahasto
 
Lecture 16 internal control - james a. hall book chapter 3
Habib Ullah Qamar
 
Internal controls
Geetali Tare
 
Internal Control
Salih Islam
 
2010 training English.for Agribusiness and value pptx
bojasenbeta28
 
Internal control
SALIH AHMED ISLAM
 
Information system control and audit
Astri Stiawaty
 
Coso s internal_control_presentation
Catur Setiawan
 
Internal control and Control Self Assessment
Manoj Agarwal
 
WIRC-IFC.pdf
SmitVithalani4
 
Week 4_Lecture_Internal Control_Student.pptx
Tfno
 
DECEMBER INTERNAL CONTROL FOR EFFICIENT AND EFFECTIVE SERVICE DELIVERY-1.ppt
1111964
 
Richardson_AIS3e_CH13_PowerPoint.pptx
MohamedElmahgoub2
 
topic 3 internal controls..audit.pptx
vailethmwaisanila
 
internal-controls (1) Sistem Informasi akuntansi.ppt
DoddychandraDoddy
 

Internal control system

  • 1. Internal Control System A High Level Perspective 1
  • 2. Internal controls • There are several types of internal control, and each organisation will use some or all of these, to a greater or lesser extent. Some organisations have more extensive and more effective controls than others. • Internal controls are applied to prevent adverse events from happening or to detect failures in control when they occur. A useful and common method of categorising internal controls is to analyse them into three categories: 1. Financial controls. 2. Operational controls. 3. Compliance controls 2
  • 3. Standard Internal control system • An internal control system consists of a ‘control environment’ and control procedures. • A useful definition of internal control was given by the US Committee Of Sponsoring Organizations (COSO). • The COSO Framework defines internal control as the achievement of objectives’ in the following three categories 1. Reliability of financial reporting (through financial controls). 2. Effectiveness and efficiency of operations (through operational controls). 3. Compliance with relevant laws and regulations (through compliance controls). 3
  • 4. The COSO Framework elements -1 A control environment: • The control environment sets the tone of an organization, influencing the control consciousness of its people. • It is the foundation for all other components of internal control, providing discipline and structure. • Control environment factors include the integrity, ethical values and competence of the entity's people, management's philosophy and operating style, the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. 4
  • 5. The COSO Framework elements -2 Risk identification and assessment: • Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. • Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. • As economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change 5
  • 6. The COSO Framework elements -3 Control Activities: • Policies and procedures that help ensure management directives are carried out. • These policies & procedures help ensure that necessary actions are taken to address risks towards achievement of the entity's objectives. • Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. . 6
  • 7. The COSO Framework elements -4 Information and communication: • Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. • Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. • Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. • Effective communication with external parties, such as customers, suppliers, regulators and shareholders is required 7
  • 8. The COSO Framework elements - 5 Monitoring: • Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. • Monitoring is accomplished through on-going monitoring activities, separate evaluations or a combination of the two. • On-going monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. • The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of on- going monitoring procedures. • Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. 8
  • 9. Fundamental Concepts 1. Internal Control is a process. It is a mean to an end not an end itself. 2. Internal control is not merely a policy manual and forms but it is the assurance of effective and efficient implementation of those manuals. 3. Internal control can be expected to provide only reasonable assurance not an absolute assurance of the implemented control. 4. Internal control is geared to the achievement of the objectives in one or more overlapping categories. 9
  • 10. Financial controls • Financial controls relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly • Financial controls are designed to ensure that: − There are no errors in the preparation of accounting records and financial statements. − No fraud is committed (there may be controls for detecting fraud when it occurs , as well as controls that try to prevent fraud from being able to occur). − Assets of the company are not stolen, lost or damaged. 10
  • 11. Operational controls • Operational controls addresses the company 's basic business objectives, including performance and profitability goals and safeguarding of resources. • Operational controls are designed to prevent failures in operational procedures, or to detect and correct operational failures if they do occur. Operational failures may be caused by: − Program breakdowns (total breakdown or in certain function) − Failures in the performance of systems. − Weaknesses in procedures / process execution. − Poor management such as no planning, monitoring,… 11
  • 12. Compliance controls • Compliance controls ensure that the company complies with the most significant laws, rules and regulations. • The most significant regulations for a company vary according to the nature of its business, (i.e. compliance with health and safety regulations, in the case of banks money laundering prevention regulations,….) 12
  • 13. 13 Compliance controls Regulations Who Needs to Comply Security Areas Covered Compliance Requirements HIPAA US healthcare organisations and partners all over the globe Creating, storing and transmitting electronic protected health information All major "Best Practice Safety " areas Sarbanes Oxley (SOX) & Accounting Standards US public companies and partners over the globe Defined to secure the public against corporate fraud and misrepresentation All major "Best Practice Financial " areas PCI DSS (Also Covered by Breach Laws) Merchants who take credit cards Privacy of Customer Financial Data Varies by size of merchant, requires Best Practices plus 3rd Party Quality Risk Assessments
  • 14. Establishing internal control system – (1) • The board of directors is responsible for maintaining a sound system of internal control. • They should set appropriate policies on internal control & seek regular assurance to satisfy that the system is operating effectively. • In deciding the policies for internal control and assessing what constitutes an effective system of internal control, the board should consider the following factors: 1. The nature and extent of the risks facing the company; 2. The extent and categories of risks that the board regards as acceptable for the company to bear. 3. The likelihood that the risks will materialise. 4. The company’s ability to reduce the incidence and impact on the business of the risks that do materialise. 5. The costs of operating particular controls relative to the benefits to be obtained from managing the risks they control. 14
  • 15. The internal control system should: 1. Be embedded in the operations of the company and form part of its culture. 2. Be capable of responding quickly to risks which the business may face as they emerge and develop. 3. Include procedures for reporting immediately to the management responsible of control failings and any corrective action that should be undertaken. 15 Establishing internal control system – (2)
  • 16. Internal audit overview • Internal audit is defined as an independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. • If the board of directors and the audit committee do not have the time to carry out a detailed review themselves, and they can rely on information provided to them by internal auditors • Internal auditors may be full-time employees of the company or external professionals appointed by the company to carry out specific investigations. • There must be a system for monitoring and review by higher level management 16
  • 17. The possible tasks of internal audit –(1) 1. Reviewing the internal control system. Traditionally, an internal audit department would carry out checks on the financial controls in an organisation. The checks would be to establish whether suitable financial controls exist and if so, whether they are applied properly and are effective. It is not the function of internal auditors to manage risks, only to monitor and report them, and to check that risk controls are efficient and cost-effective. 2. Special investigations. Internal auditors might conduct special investigations into particular aspects of the organisation’s operations (systems and procedures), to check the effectiveness of operational controls. 17
  • 18. The possible tasks of internal audit –(2) 3. Examination of financial and operating information. Internal auditors might be asked to investigate the timeliness of reporting and the accuracy of the information in reports. 4. Value for money (VFM) audits. This is an investigation into an operation or activity to establish whether it is economical, efficient and effective. 5. Reviewing compliance by the organisation with particular laws or regulations. This is an investigation into the effectiveness of compliance controls.. 18
  • 19. 6. Risk assessment. Internal auditors might be asked to investigate aspects of risk management, and in particular the adequacy of the mechanisms for identifying, assessing and controlling significant risks to the organisation, from both internal and external sources. 7. Internal auditors might be involved in providing continuous support to the risk management process. If a company has established a risk oversight committee with responsibility for the oversight and reporting of risks, a senior internal auditor might be one of the committee members. The internal audit department might even have responsibility for coordinating risk management within the company, and reporting to the board or audit committee about risks on a company-wide basis. 19 The possible tasks of internal audit –(3)
  • 20. Investigation of internal controls Internal auditors are commonly required to check the soundness of internal financial controls. In assessing the effectiveness of individual controls, and of an internal control system generally. • Factors to be considered: 1. Automated controls are by no means error- or fraud-proof, but may be more reliable than similar manual controls. 2. Non-discretionary controls are checks and procedures that must be carried out. Discretionary controls are those that do not have to be applied, either because they are voluntary or because an individual can choose to dis-apply them. 3. Finding if the controls extensive enough or carried out frequently enough ? Are the controls applied rigorously? For example, is a supervisor doing his job properly? (to check whether the controls are effective in achieving their purpose) 20