8. Internal control and internal audit 1 Meaning of internal control



Download 107,51 Kb.
Page1/3
Date conversion07.12.2017
Size107,51 Kb.
  1   2   3
8. Internal control and internal audit
8.1 Meaning of internal control
In the private sector, company directors are responsible for determining policy, monitoring performance and taking corrective action if either policy or its implementation is defective. Internal control provides a means of assurance that corporate objectives are being achieved. Thus the directors are responsible for internal control. The Institute of Internal Auditors defines internal control as follows:
a process within an organisation designed to provide reasonable assurance regarding the following primary corporate objectives:


  • the reliability and integrity of information




  • compliance with policies, plans, procedures, laws and regulations




  • the safeguarding of assets







  • the accomplishment of established objectives and goals of operations or programs

Internal control systems are therefore fundamental to the success and survival of organisations. They keep the organisation on the rails. But organisations sometimes go off the rails. This was the problem (US corporate failure) that resulted in the report of the Treadway Commission (on fraudulent financial reporting) and in the formation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).


8. 2 COSO
COSO is a voluntary private sector organization established in USA. It is dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative. It is concerned with factors that can lead to fraudulent financial reporting. COSO has developed principles of internal control. It defines internal control as follows:
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:


  • Effectiveness and efficiency of operations







  • Compliance with applicable laws and regulations

It identifies the key concepts of internal control as follows:




  • Internal control is a process. It is a means to an end, not an end in itself.




  • Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.




  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.




  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The type of thinking behind the model is as follows:




  • weak internal control systems lead to corporate losses and failure




  • internal control systems are the responsibility of directors. managers and employees




  • but they are the particular responsibility of the board of directors







  • some internal control systems are formal; others are informal (for instance, unwritten rules observed by members of a team)




  • both formal and informal systems are important. The latter may lead to a corporate environment which is either favourable or hostile to control




  • internal control is a moving target. It must be monitored and adapted to fit the circumstances. If it is neglected it will deteriorate, lose relevance or prove ineffective




  • directors need to report publicly on the status of their organisations' internal control systems in the annual corporate report issue to shareholders so that they and others are informed on this issue

8.3 Internal control in government
Ministries do not have boards of directors. Government-wide laws and regulations regulate their business affairs. Certain assets such as buildings and infrastructure may be outside the control of those who occupy them. Moreover government entities rarely if ever collapse due to internal control failures and do not need to report to shareholders. So what does internal control mean in a government context?
The average ministry has a number of responsibilities (committing funds, recruiting staff, contracting for supplies and services, approving actions, registering transactions and events, deploying resources and controlling, supervising and reporting on implementation of policies). If these responsibilities are fulfilled properly, the result will be effective control over resources, decisions and activities and the achievement of ministry objectives. If not, abuses will proliferate and efficiency decline.
Some ministries are well-controlled; others are not. Major factors in the health of internal controls are the quality of managers, their familiarity with internal control systems and their preparedness to distinguish between "complying with regulations" and "managing the entity". Government regulations do not provide a complete set of controls for each entity and compliance with regulations is not an absolute standard. The extent and quality of compliance varies from entity to entity. It is therefore logical to expect ministries and other government agencies to have their own internal control systems and to treat them as an important means of achieving their management objectives. The need for internal control systems in government entities, the duties of managers and auditors and a short checklist for managers are given in a recent INTOSAI publication (see sources, below).
One way of understanding the need for government systems of internal control, is to think of government entities as corporate bodies and to ask how systems of control used in large private sector entities are relevant to management improvements. This is the point of view of a recent IFAC publication (Corporate Governance in the Public Sector, 2000). The parallel between government and big business is not always perfect and business may also be able to learn a great deal from government. Nevertheless there are valuable insights from this type of approach. On internal control the paper suggest two principles:


  • Governing bodies of public sector entities need to ensure that a framework of control is established and operates in practice and that a statement on its effectiveness is included in the entity's annual report.




  • Governing bodies of public sector entities need to ensure that effective systems of risk management are established as part of the framework of internal control.

Risk management is about the assessment of relative risk and ensuring that controls are present and effective where risks are at their highest.



8.4 Definition of Internal audit
Internal auditing is an independent appraisal function established within an organization which examines and evaluates its activities as a service to the organization. The objective of internal auditing is to assist the organization, in particular managers and members of the board of directors, to discharge of their responsibilities effectively. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, advice and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost. This is how the Institute of Internal Auditors defines internal auditing. It can also be regarded as the means by which management learns if its internal control systems are appropriately designed and in fact working.
8.5 Internal audit in government
Internal audit is essential for ensuring the operation and appropriateness of controls (therefore essential for good management), but frequently neglected especially in the public sector in developing countries.
It is unwise to be dogmatic about the detailed responsibilities of internal auditors, as these will vary a great deal between governments and entities and even through time for the same governments and entities. They might include:


  • Reviewing compliance with existing financial regulations, instructions, procedures

  • Evaluating the effectiveness of selected internal controls

  • Appraising the efficiency and effectiveness with which resources are used

  • Reviewing the reliability and integrity of record keeping and reporting

  • Verifying claims for reimbursement, expenses, revenues, goods received , etc.

  • Investigating irregularities

  • Ensuring that revenue is collected, deposited and correctly accounted for

  • Verifying inventory records and their relationship with physical inventory

The most significant problems encountered in internal audit are:




  • Management perception that internal auditors have little to offer




  • Low status of internal auditors (minor bean-counters)







  • Internal auditors being used primarily in pre-audit or in oft-repeated predictable routines




  • Absence of internal audit units at the level of ministries; internal audit units located in the ministry of finance (i.e. no longer internal to the entity)




  • Lack of risk assessment as a basis for planning audits and choosing audit topics




  • Internal auditors who are too much under the thumb of a single top manager (leading to conflict between carrying out professional responsibilities and keeping one's job)


8.6 INTOSAI internal control standards
General Standards
Reasonable Assurance: Internal control structures are to provide reasonable assurance that the aforementioned general objectives will be accomplished.
Supportive Attitude: Managers and employees are to maintain and demonstrate a positive and supportive attitude toward internal controls at all times.
Integrity and Competence: Managers and employees are to have personal and professional integrity and are to maintain a level of competence that allows them to understand the importance of developing, implementing, and maintaining good internal controls and to accomplish the general objectives of internal controls.
Control Objectives: Specific control objectives are to be identified or developed for each activity of the organization and are to be appropriate, comprehensive, reasonable, and

integrated into the overall organizational objectives.


Monitoring Controls: Managers are to continually monitor their operations and take prompt, responsive action on all findings of irregular, uneconomical, inefficient, and ineffective operations.
Detailed Standards
Documentation: The internal control structure and all transactions and significant events are to be clearly documented, and the documentation is to be readily available for examination.
Prompt and Proper Recording of Transactions and Events: Transactions and significant events are to be promptly recorded and properly classified.
Authorization and Execution of Transactions and Events: Transactions and significant events are to be authorized and executed only by persons acting within the scope of their

authority.


Separation of Duties: Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions and events should be separated among individuals.
Supervision: Competent supervision is to be provided to ensure that internal control objectives are achieved.
Access to and Accountability for Resources and Records: Access to resources and records is to be limited to authorized individuals who are accountable for their custody or use. To ensure accountability, the resources are to be periodically compared with the recorded amounts to determine whether the two agree. The asset's vulnerability should determine the frequency of the comparison.
8.7 Other issues relevant to a government context


  • Who is in charge of internal auditing and what are their responsibilities? This concerns primarily the task of professional leadership (quality assurance, training, methodological improvement) but also includes mentoring.




  • What is the optimum relationship between external and internal auditors? The IIA suggests that internal auditors should share significant audit information with external auditors and that the two sets of auditors should co-ordinate their work.




  • How is the internal auditor to fulfil responsibilities to the management of the audited entity? What are the limits on instructions that management may give to the auditor? What audit reports documents should the internal auditor supply to management? What types of instruction from management significantly limit the independence and authority of the internal auditor and under what circumstances should the auditor inform outside authorities of limitations imposed? Who should the auditor inform in such circumstances?




  • Who should be the recipients of the internal auditor’s reports? Obviously management should receive them, but should the external auditors and MOF too?




  • What basic documents should the internal auditor produce? Should he produce an annual audit plan, an annual audit report, ad hoc audit reports?




  • Does government wish to follow the internal audit standards of the Institute of Internal Auditors or guidance from INTOSAI?


Sources
International Federation of Accountants, Corporate governance in the public sector: a governing body perspective, 2000
Institute of Internal Auditors (UK) Standards and guidelines for the professional practice of internal auditing, 1998.
International Organisation of Supreme Audit Institutions Guidelines for internal control standards, 1992.
International Organisation of Supreme Audit Institutions Internal control: providing a foundation for accountability in government, 2001
Annex
INTOSAI
Guidelines for Internal Control Standards
June 1992
Chapter I
Overview of Internal Control Concepts,
Objectives, and Standards
1. Internal control is a management tool used to provide reasonable assurance that management's objectives are being achieved. Therefore, responsibility for the adequacy and effectiveness of the internal control structure rests with management. The head of each governmental organization must ensure that a proper internal control structure is instituted, reviewed, and updated to keep it effective.
2. The Supreme Audit Institution also has a responsibility for ensuring adequate internal control. It should encourage and support:
-- the establishment of detailed organizational internal control structures for each governmental unit based on the standards presented in this document; and
-- a review of that structure to assure that the controls are working as intended and are adequate to achieve the desired results.
3. As they are ultimately responsible for the adequacy of the internal control structure and its implementation, it is important that managements of all organizational units within government understand the nature of the internal control structure and the objectives internal controls are to achieve. An internal control structure is defined as the plans of an organization, including management's attitude, methods, procedures, and other measures that provide reasonable assurance that the following general objectives are achieved:
-- promoting orderly, economical, efficient, and effective operations and quality products and services consistent with the organization's mission;
-- safeguarding resources against loss due to waste, abuse, mismanagement, errors, and fraud and other irregularities;
-- adhering to laws, regulations, and management directives; and
-- developing and maintaining reliable financial and management data and fairly disclosing that data in timely reports.
4. The following standards form the framework for an internal control structure and have been categorized as general standards and detailed standards:
General Standards
Reasonable Assurance: Internal control structures are to provide reasonable assurance that the aforementioned general objectives will be accomplished.
Supportive Attitude: Managers and employees are to maintain and demonstrate a positive and supportive attitude toward internal controls at all times.
Integrity and Competence: Managers and employees are to have personal and professional integrity and are to maintain a level of competence that allows them to understand the importance of developing, implementing, and maintaining good internal controls and to accomplish the general objectives of internal controls.
Control Objectives: Specific control objectives are to be identified or developed for each activity of the organization and are to be appropriate, comprehensive, reasonable, and

integrated into the overall organizational objectives.


Monitoring Controls: Managers are to continually monitor their operations and take prompt, responsive action on all findings of irregular, uneconomical, inefficient, and ineffective operations.

Detailed Standards
Documentation: The internal control structure and all transactions and significant events are to be clearly documented, and the documentation is to be readily available for examination.
Prompt and Proper Recording of Transactions and Events: Transactions and significant events are to be promptly recorded and properly classified.
Authorization and Execution of Transactions and Events: Transactions and significant events are to be authorized and executed only by persons acting within the scope of their

authority.


Separation of Duties: Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions and events should be separated among individuals.
Supervision: Competent supervision is to be provided to ensure that internal control objectives are achieved.
Access to and Accountability for Resources and Records: Access to resources and records is to be limited to authorized individuals who are accountable for their custody or use. To ensure accountability, the resources are to be periodically compared with the recorded amounts to determine whether the two agree. The asset's vulnerability should determine the frequency of the comparison.
5. These standards would be applicable to all governmental organizational units. They can be viewed as the minimum acceptable standards that organizations follow when instituting internal controls and provide criteria for auditors when auditing the internal control structure.
6. The standards presented here are not new ideas. Many of them are currently incorporated in government operations. Their presentation as a framework, however, may be new. The remainder of this document discusses in greater detail the definition and limitations of internal control, the standards of internal control, the establishment of the framework for internal controls, and the implementation and monitoring of internal control structures.
Chapter II
Definition and Limitations of Internal Controls
Definition and Objectives
7. Internal control structures are defined as the plans of an organization, including management's attitude, methods, procedures, and measures that provide reasonable assurance that the objectives are being achieved. Those objectives are
-- promoting orderly, economical, efficient, and effective operations and quality products and services consistent with the organization's mission;
-- safeguarding resources against loss due to waste, abuse, mismanagement, errors, and fraud and irregularities;
-- adhering to laws, regulations, and management directives; and
--developing and maintaining reliable financial and management data and fairly disclosing that data in timely reports.
8. This definition of internal control structures and the objectives for them are intentionally broad in scope to cover all government operations. However, internal controls have been organized and defined in various other ways. The following descriptions have been provided as a point of reference.
9. When describing internal controls by their role in the organizational structure, they have often been organized into the broad categories of management, administrative, and accounting controls. Management controls are often viewed as encompassing all controls. They are the framework of the organization--all the plans, policies, procedures, and practices needed for employees to achieve the entity's objectives. Administrative controls are those procedures and records concerning the decision-making processes that lead employees to carry out authorized activities in achieving the organization's objectives. Accounting controls cover the procedures and documentation concerned with the safeguarding of assets and the reliability of financial records.
10. Internal controls have also been categorized by their intended purpose: to prevent errors (for example, by segregating duties and authorization requirements); to detect errors (for example, by establishing production standards to detect variances in actual results); to correct errors that have been detected (for example,by collecting an overpayment to a vendor); or to compensate for weak controls where the risk of loss is high and additional controls are needed.
11. In practice, the distinction among these categories and types is often difficult to recognize because an effective internal control structure requires elements of each. Even the descriptions of each category of control can vary among individuals. However, regardless of how internal controls are organized or defined, they should not be thought of as alternatives to each other. They should be complementary. Any one control has advantages and disadvantages, so an effective internal control structure uses a mix of controls to compensate for the particular disadvantages of individual controls.
12. To be effective, internal controls must satisfy three basic criteria:
-- They must be appropriate (that is, the right control in the right place and commensurate to the risk involved).
-- They must function consistently as planned throughout the period (that is, be complied with carefully by all employees involved and not bypassed when key personnel are away or the workload is heavy).
-- They must be cost effective (that is, the cost of implementing the control should not exceed the benefits derived).
  1   2   3


The database is protected by copyright ©sckool.org 2016
send message

    Main page