AUDITING ASSIGNMENT
ON
FEATURES OF INTERNAL CONTROL
AND RISK MANAGEMENT
IN PARTIAL FULFILLMENT FOR THE AWARD
OF MASTER DEGREE MS.C IN ACCOUNTING
Introduction
Internal controls are essential in any
business organizations handling of funds especially where money in the form of
cash, cheque or credit cards iazs used for the exchange of goods as well as
services. The main objective of internal controls in business organizations is
to make sure that the business entities receive all of their income without
part of it being siphoned off either by means of fraud, waste, untrustworthy
employees or even through mere carelessness. According to Kieso and Warfield
(2005), even business organizations that are healthy in all other aspects can
also be very vulnerable to internal failures as a result of lack of internal
controls. The set up of appropriate internal controls for any particular
business is therefore of great importance.
Internal control, as defined in accounting and auditing, is a process
for assuring achievement of an organization's objectives in operational
effectiveness and efficiency, reliable financial reporting, and compliance with
laws, regulations and policies. A broad concept, internal control involves
everything that controls risks to an organization. It is a means by which an
organization's resources are directed, monitored, and measured. It plays an
important role in detecting and preventing fraud and protecting the organization's
resources, both physical (e.g., machinery and property) and intangible (e.g.,
reputation or intellectual property such as trademarks).
Internal control is the process of by
which an entity’s board of directors, management and other personnel design to
provide reasonable assurance regarding the achievement of objective in three
categories
Internal control is an integral
process that is affected by an entity’s management and personnel and is
designed to address risks and to provide reasonable assurance that in pursuit
of the entity’s mission, the following general objectives are being achieved:
Executing orderly, ethical, economical, efficient and effective operations;
i. Fulfilling
accountability obligations;
ii. Complying with
applicable laws and regulations;
iii. Safeguarding resources
against loss, misuse and damage.
Internal control is a dynamic integral
process that is continuously adapting to the changes an organization is facing.
Management and personnel at all levels have to be involved in this process to
address risks and to provide reasonable assurance of the achievement of the
entity’s mission and general objectives.
An entity’s system of internal control consists of policies and
procedures designed to provide management with reasonable assurance that the
company achieves its objectives and goals including:
i.
Reliability of financial reporting
ii.
Compliance with applicable laws and
regulations
iii.
Effectiveness and efficiency of
operations
The concepts of internal control:
i.
Internal control is a process
integrated with all other processes within an agency.
ii.
Internal control is established,
maintained, and monitored by people at all levels within an agency.
iii.
Internal control increases the
possibility of an agency achieving its strategic goals and objectives.
iv. Internal control must
be cost effective and cost of August 2007 Internal Control - An Overview
implementation should not exceed the benefits derived from having the control
in place.
v. System of internal
control in an organization is the responsibility of all employees, from
management who design, implement, and maintain controls to staff that execute
various control activities.
Management control
Management controls are the heart of
budget and policy implementation. Moris (2005), defined management controls as
all the policies and procedures conceived and put in place by an entity's
management to ensure:
i.
The economical, efficient, and
effective achievement of the entity's objectives;
ii.
Adherence to external rules (laws,
regulations) and to management policies;
iii.
The safeguarding of assets and
information;
iv.
The prevention and detection of fraud
and error; and
v.
The quality of accounting records and
the timely production of reliable financial and management information.
Management controls can include a wide
variety of mechanisms designed to assure that budgetary and other policy
decisions are executed properly; that resources are used appropriately; that
waste, fraud, and mismanagement are minimized if not entirely availed; and that
reliable and timely information is obtained, maintained, and used for decision
making. While certain elements are common to most management control systems,
no single set of control devices is appropriate for all entities in all
circumstances.
Management controls are essential in managing any organization, whether
it is part of government or it is a privately owned business. In a government ministry or agency, for
example, it does little good to enact laws or regulations, to develop budgets,
or to establish administrative policies, if there can be no assurance that they
will be properly implemented. Management must also assure that the systems of
controls do not conflict with the overall management philosophy of the entity.
In general, therefore, management controls should be carefully balanced,
taking into consideration the related risks and the costs and benefits of the
safeguards to be introduced. Management must also recognize that circumstances
change. Controls that were needed and effective at one time may be rendered
unnecessary or ineffective by changes in the nature of operations or in the
external environment. It is essential that management periodically examine its
systems of management control, modify those systems as necessary to assure that
they remain effective, and eliminate or alter controls that are no longer
needed or have become unnecessarily burdensome.
Physical controls
These would include the security
procedures that are intended to control access.
For example, it may be desirable to control who will have access to
inventories of items that have high value or might be easily pilfered and
sold. It may also be necessary to
control the access to particular rooms or buildings where accounting and other
records are stored. This may be accomplished by locked doors, the keys to which
are held only by authorized persons, or may warrant full-time protection by a
security force, which permits entry only to those on an approved list. Physical
controls are measures and procedures to protect physical assets against theft
or unauthorized access and use. They include:
i.
Using a safe to hold cash and valuable
documents
ii.
Using secure entry systems to
buildings or areas of a building
iii.
iii. Dual custody of valuable assets, so
that two people are needed to obtain
access to certain assets
iv.
Periodic inventory checks
v.
Hiring security guards and using
closed circuit TV cameras.
Authorization
and approval
Authorization and approval controls
are established to ensure that a transaction must not proceed unless an
authorized individual has given his approval, possibly in writing. For spending
transactions, an organization might establish authorization limits, whereby an
individual manager is authorized to approve certain types of transaction up to
a certain maximum value.
Personnel controls
Controls should be applied to the selection and training of employees,
to make sure that: suitable individuals are appointed to positions within the
organization; individuals should have the appropriate personal qualities,
experience and qualifications where required; individuals are given suitable
induction and training, to ensure that they carry out their tasks efficiently
and effectively. Staff should also be given training in the purpose of controls
and the need to apply them. Specific training about controls should help to
increase employee awareness and understanding of the risks of failing to apply
them properly.
Segregation of duties
Most transactions can be broken down
into separate duties: the authorization or initiation of the transaction, the
handling of the asset that is the subject of the transaction, and the recording
of the transaction. This reduces the risk of fraud and may also reduce the risk
of error. For example, in the system for purchases and purchase accounting, the
same individual should not have responsibility for:
i.
Making a purchase
ii.
Making the payment, and recording the
purchase and the payment in the accounts.
If one individual did have
responsibility for more than one of these activities, there would be avenue for
fraud. The individual could record fictitious purchases (e.g. the purchase of
goods ordered for personal use) and pay for transactions that had not occurred.
Segregation of duties can also make it easier to spot unintentional
mistakes, and should not be seen simply as a control against fraud. At board of
director level, corporate governance codes state that the duties of the
chairman of the board and the CEO should be segregated, to prevent one
individual from acquiring a dominant position on the board. Although
segregating duties provides protection against fraud by one individual, it is
not effective against collusion to commit fraud by two or more individuals
Components of internal control
structure
There are five interrelated components
of an internal control structure, and that these apply to all agencies,
irrespective of size, though smaller agencies are likely to implement them in a
less formal manner. Additional information about these components is contained
in other Information Sheets, as referred to below. The components outlined are:
Control
environment
This sets the tone for the agency,
providing the foundation, discipline and structure upon which all other
components of internal control are built. It includes integrity, ethical values
and the competence of all officers and staff. The control environment includes
the following areas:
i.
Integrity and ethical behavior
ii.
Commitment to competence
iii.
Board of directors and audit committee
participation
iv.
Management philosophy and operating
style
v.
Organization structure
vi.
Assignment of authority and
responsibility
Policies
and procedures
Every entity faces a variety of risks
from external and internal sources that must be assessed. A precondition to
risk assessment is establishment of objectives, linked at different levels and
internally consistent. Risk assessment is the identification and analysis of
relevant risks to achievement of the objectives, forming a basis for
determining how the risks should be managed. Because economics, regulatory and
operating conditions will continue to change, mechanisms are needed to identify
and deal with the special risks associated with change.
Objectives must be established before administrators can identify and
take necessary steps to manage risks. Operations objectives relate to
effectiveness and efficiency of the operations, including performance and
financial goals and safeguarding resources against loss. Financial reporting
objectives pertain to the preparation of reliable published financial
statements, including prevention of fraudulent financial reporting. Compliance
objectives pertain to laws and regulations which establish minimum standards of
behavior.
Risk assessment
This is the identification and
analysis of relevant risks, internal and external, to the achievement of
government and organization goals. Its forms the basis for determining what
risks need to be controlled and the controls required to manage them.
Attention must be focused on risks at all levels and necessary actions
must be taken to manage risk. Risks can pertain to internal and external
factors. After risks have been identified they must be evaluated. Managing
change requires a constant assessment of risk and the impact on internal
controls. Economic, industry and regulatory environments change and entities'
activities evolve. Mechanisms are needed to identify and react to changing
conditions. Risk assessment is the process of identifying and analyzing
relevant risks to the achievement of the entity’s objectives and determining
the appropriate response. It implies:
Risk
identification
i.
Related to the objectives of the
entity;
ii. Comprehensive;
iii.
Includes risks due to external and
internal factors, at both the
iv.Entity and the
activity levels;
Risk
evaluation
1.
Estimating the significance of a risk;
2.
Assessing the likelihood of the risk occurrence;
3.
Assessment of the risk appetite
Development of responses:
They are four types of responses to
risk: transfer, tolerance, treatment or termination; of these, risk treatment
is the most relevant to these guidelines because effective internal control is
the major mechanism to treat risk;
The appropriate controls involved can be either detective or preventive.
As governmental, economic, industry, regulatory and operating conditions are in
constant change, risk assessment should be an ongoing iterative process. It
implies identifying and analyzing altered conditions and opportunities and
risks (risk assessment cycle) and modifying internal control to address
changing risk.
Identification and Management:
Internal control activities – these are the policies and procedures established
by an agency and documented in the financial management practice manual to
address the risks and help in the achievement of goals
Information and communication:
pertinent information must be identified, captured and communicated in a form
and timeframe that enables officers and staff to carry out their
responsibilities. Effective communication must occur in a broad sense, flowing
down, across and up the organization. All personnel must receive a clear
message from top management that control responsibilities must be taken
seriously. They must understand their own role in the internal control system,
as well as how individual activities relate to the work of others. They must
have a means of communicating significant information upstream.
Monitoring
Internal control systems need to be
monitored - a process that assesses the quality of the system's performance
over time. Ongoing monitoring occurs in the ordinary course of operations, and
includes regular management and supervisory activities, and other actions
personnel take in performing their duties that assess the quality of internal
control system performance.
The scope and frequency of separate evaluations depend primarily on an
assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal control deficiencies should be reported upstream, with serious matters
reported immediately to top administration and governing boards.
Furthermore, circumstances for which the internal control system was
originally designed also may change. Because of changing conditions, management
needs to determine whether the internal control system continues to be relevant
and able to address new risks.
Control activities
Control activities are the policies
and procedures that help ensure management directives are carried out. They
help ensure that necessary actions are taken to address risks to achievement of
the entity's objectives. Control activities occur throughout the organization,
at all levels, and in all functions. They include a range of activities as
diverse as approvals, authorizations, verifications, reconciliations, reviews
of operating performance, security of assets and segregation of duties.
Control activities usually involve two elements: a policy establishing
what should be done and procedures to effect the policy. All policies must be
implemented thoughtfully, conscientiously and consistently. Controls have
various objectives and may be applied at various organizational and functional
levels.
i.
Preventive controls focus on
preventing an error or irregularity.
ii.
Detective controls focus on
identifying when an error or irregularity has occurred.
iii.
Corrective controls focus on
recovering from, repairing the damage from, or minimizing the cost of an error
or irregularity
Types
of internal controls
Agency internal controls have been
classified as financial internal controls and non-financial internal controls.
Financial internal controls (for
example, payment approvals and authorizations, financial delegations,
processing of remittances, banking requirements, and accounting
reconciliations) assist in ensuring that an agency’s financial transactions are
appropriately authorized, processed and recorded.
Non-financial controls include
controls and processes applicable to agency information systems and operational
requirements that are used to achieve agency objectives and delivery of agency
services, and include:
i.
Internal accounting controls, which
are guidelines and procedures related to the keeping of books and records, and
ii.
Administrative accounting controls,
which are those controls that ensure agency transactions, are processed in
accordance with management’s general or specific authorizations.
While this Information Sheet is
primarily concerned with financial controls and processes, many agency controls
and processes are unrelated to financial matters and would benefit from the
same compliance processes detailed in this Information Sheet.
Scope of internal control activities
Each agency is responsible for
developing a system of internal control processes that is specific to its
operations. This system of internal controls should include procedures or
mechanisms that:
i.
Review risk profiles on a regular
basis
ii. Ensure
compliance with internal policies and procedures
iii.
Ensure compliance with applicable
laws, regulations and accounting standards
iv.Reduce the
possibility of error, fraud or other irregularities through processes such as
delegations of authorities and segregation and rotation of duties, and
v. Ensure
that activities underpinning agency objectives are complete, correctly recorded
in the agency’s financial system and ultimately reflected in the agency’s
financial and performance reports.
Agencies are encouraged to draw on the
experience and expertise of other agencies as appropriate, including the
Queensland Audit Office, when establishing new processes or reviewing existing
systems.
Section 15 of the Standard provides
that each agency must establish systems to manage its financial resources.
Specific Information Sheets have been prepared to assist agencies in meeting
their obligations under this section of the Standard.
Management
responsibility
Management has an obligation to ensure
that internal control processes are cost-effective and consistent with agency
operational needs, and recognize changing operational requirements. To achieve
this goal, management should:
i.
Recruit staff with skills sufficient
to deliver agency objectives
ii. Provide
appropriate training to staff
iii.
Undertake regular reviews to ensure
that internal controls are continuing to achieve the stated objectives
cost-effectively
iv.Implement mechanisms
to review existing processes, or implement new processes, resulting from
ongoing operational and risk assessment reviews, and
v. Ensure
financial management practice manuals and other agency-specific documentation
is up to date and reflects current agency operations and objectives.
An
integral process
Internal control is not one event or
circumstance, but a series of actions that permeate an entity's activities.
These actions occur throughout an entity’s operations on an ongoing basis. They
are pervasive and inherent in the way management runs the organization.
Internal control is therefore different from the perspective of some observers
who view it as something added on to an entity's activities, or as a necessary
burden.
The internal control system is
intertwined with an entity's activities and is most effective when it is built
into the entity's infrastructure and is an integral part of the essence of the
organization.
Internal control should be built in
rather than built on. By building in internal control, it becomes part of an
integrated with the basic management processes of planning, executing and
monitoring. Built in internal control
also has important implications for cost containment.
Adding new control procedures that are separate from existing procedures
adds costs. By focusing on existing operations and their contribution to
effective internal control, and by integrating controls into basic operating
activities, an organization often can avoid unnecessary procedures and costs.
The Process of Developing a System of
Internal Controls
The process of developing an internal
control system is rather straightforward:
i.
Identify the organization's
objectives, processes, and risks and determine risk materiality.
ii. Identify
the internal control system ⎯ including rules, processes, and procedures⎯ to control material risks.
iii.
Develop, test, and implement the
internal control system.
iv.Monitor and refine
the system.
Conclusion
Accounting controls are the methods
and procedures a company uses to ensure the accuracy and validity of their
financial statements. They do not ensure law and regulatory compliance, but
they are designed to help the company comply. The internal controls protect the
company from abuse and fraud, and make sure all information is received in an
accurate and timely manner.
The control environment is the organizational structure and culture
created by management and employees to sustain organizational support for
effective internal control.” The most effective input for environmental control
comes from the human resources department. When management is pushing for a
high sales goal at all costs, employees will do the same and internal controls
will be ignored, which often leads to financial difficulties
REFERENCES
Arens L,
(2003) Audit: An integrated approach; New York: Harper & Row.
COSO, Internal Control –
Integrated Framework (1992)
COSO, Internal Control over
Financial Reporting – Guidance for Smaller Public Companies (June 2006)
Nwachukwu,
C .C (2008),
Internal control model in the state`s revenues administration. Onitsha: African Fep
Publishers Limited.
Obiajulu,S.
and Obikeze ,A. (2006), Financial
Audit – convergences between theory and practice. Onitsha: Book point Ltd.
Okoli,
F.C. (2004), Internal
Audit and Corporative Governance,
Enugu: John
Jacob‟s Classic Publisher’s ltd.
Onah,
F.O. (2008), Audit
and Financial Control Procedures, 2nd Edition, Enugu: John Jacob‟s Classic Publishers Ltd.
Obi, O
(2005), Internal
Audit Theory and Practice, Onitsha: Imprint & Partners Publishers.
Pollard D.,
(2011), Corporate Governance and the Global Financial Crisis: A Practical Handbook”
International Labour Organization, Geneva.
Skinner,
B.F (2005), Methodological
support for the internal control development in public entities: A Theoretical Analysis
New York: Appleton Century Crofts.
Ugwuede,
S. (2002), the efficiency of internal and external corporate controls
mechanism. Enugu: John Jacob‟s Classic Publishers Ltd.
