What is an Internal Control System?
An Internal Control System (ICS) is a framework of policies, procedures, and practices that safeguards assets, ensures accurate and reliable financial reporting, promotes operational efficiency, and guarantees compliance with laws and regulations.
Objectives of an Internal Control System
1. Reliability of Financial Reporting
• Financial statements are accurate
• Free from material misstatement
• Numbers can be trusted by users
2. Efficiency & Effectiveness of Operations
• Assets are safeguarded
• Operations run smoothly
• No waste, fraud, or inefficiency
3. Compliance with Laws & Regulations
• Comply with tax laws
• Comply with employment laws
• Comply with listing & banking regulations
What happens if internal controls are weak?
(A) Business Risks
1. Financial risks
• Unable to pay debts
• Cash flow problems
2. Operational risks
• Loss of inventory
• Cost overruns
• Inefficient processes
3. Regulatory risks
• Penalties
• Non-compliance with statutory rules
(B) Financial Statement Risks
• Revenue overstated
• Liabilities understated
• Expenses omitted
• Wrong tax deductions
What are the 5 components of the COSO Framework?
It has 5 components:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring
Control Environment
The overall tone of the organization regarding integrity and control.
• Commitment to ethical values
• Organization structure
• Authority & responsibility
• Competence of employees
• Accountability
Risk Assessment
The process of identifying and analyzing risks that threaten objectives.
Includes:
• Financial risk
• Operational risks
• Compliance risks
• Fraud risks
Control Activities
These are policies and procedures that reduce risk.
1. Authorization
• Transactions approved by appropriate personnel
2. Segregation of duties
Different people should:
• Authorize
• Process
• Record
• Safeguard assets
3. Records & Documents
• Pre-numbered documents
• Complete documentation before entry
• Proper audit trail
4. Security
• Physical security (locks, CCTV)
• Data security (passwords, encryption)
5. Independent Checks & Reconciliation
• Bank reconciliation
• Comparing documents
• Reviewing ledgers
Information & Communication
Relevant information must be:
• Identified
• Captured
• Communicated
• On time
Internally:
• Managers receive reports
Externally:
• Government agencies receive tax filings
Monitoring
Checking whether controls:
• Still exist
• Still work
• Need improvement
Includes:
• Ongoing monitoring
• Periodic reviews
• Reporting deficiencies
Example:
• Internal audit
• System reviews
Internal Control in a Computerized Environment
(A) General Controls
Apply to the entire system.
Examples:
• Data center security
• Access control
• Passwords
• Firewalls
• Backups & disaster recovery
These protect the overall IT environment.
(B) Application Controls
Apply to specific applications (sales, payroll, etc.)
There are 3 types:
1. Input controls
• Ensure data entered is valid & complete
2. Processing controls
• Ensure data is processed correctly
• Maintain audit trail
3. Output controls
• Ensure reports are accurate
• Sensitive outputs go to authorized users