F. Organisational control and audit

Organisational Control and Audit

• Internal auditors play a critical role in ensuring that an organization operates efficiently and adheres to guiding principles.

• Their work helps organizations identify deficiencies and areas for improvement, ensuring that resources are utilized effectively and risks are mitigated.

• Internal auditors are responsible for assessing the effectiveness of:

  • Internal Control (IC)

  • Financial operation

  • Compliance

  • Risk management

Features of Effective Internal Control Systems

• Determination of effectiveness based on two models:

  1. Turnbull's Commission Framework

  2. Commission of Sponsoring Organisation

Components of a Sound System of Internal Control

Turnbull Report Highlights:

• Essential components include:

  • Communication process

  • Monitoring

  • Control environment

  • Control activities

• Adequate controls must be established based on:

  • Company size and nature

  • Frequency of reporting to management for prompt corrective actions

  • Implementation of whistle-blower arrangements to report malpractices

  • Management and staff attitudes towards controls

Control Activities

• Internal controls address:

  • Financial operations

  • Compliance requirements

  • Risk management

• Important procedures include timely reporting of control findings and establishing whistle-blowing arrangements.

Monitoring

• In absence of internal audit, the board is responsible for monitoring the effectiveness of internal controls to address risks rapidly.

Control Environment

• Emphasis on establishing a positive corporate culture and management style to support control procedures.

Importance of Sound Internal Control

• Compliance with legal and regulatory requirements through effective internal controls:

  1. Control activities

  2. Communication

  3. Monitoring

  4. Control environment

• Risk management activities focus on:

  • Identification, assessment, management, and communication of risks.

Objectives of Internal Controls

• Internal controls are essential for:

  • Managing significant business risks

  • Ensuring operational efficiency

  • Ensuring reliability in reporting (internal and external)

  • Facilitating compliance with laws and internal policies

Benefits of Internal Controls

• Enhance timely and reliable financial information

• Prevent unnecessary exposure to financial risks

• Safeguard assets against fraud

Types of Internal Control

Categories:

1. Financial: Ensures reporting reliability, safeguards assets, prevents fraud.

2. Operational: Facilitates efficient operations to achieve organizational goals.

3. Compliance: Ensures adherence to laws and internal policies.

4. Risk Management: Involves managing significant risks effectively to fulfill objectives.

Financial Internal Controls

Key Elements:

• SPAMSOAP mnemonic:

  • Personnel: Quality and competency of staff.

  • Authorization and approval: Require authorization for transactions.

  • Physical: Safety measures for assets.

  • Arithmetic and accounting: Procedures for accuracy in records.

  • Management: Regular review of performance.

  • Organization: Clear responsibilities and lines of authority.

  • Supervision: Daily oversight of employee work.

  • Segregation of duties: Spreading responsibilities across multiple individuals.

Operational Internal Controls

• Focus on:

  • Economical acquisition of materials

  • Effectiveness in achieving company objectives

  • Efficiency to minimize resource wastage

Limitations of Internal Controls

• A sound system cannot guarantee complete protection against:

  • Poor judgment, human error, or intentional circumvention of processes.

  • Management overriding controls or unanticipated events impacting effectiveness.

Information Flows to Management

• Emphasizes the importance of communication in effective internal control systems.

Internal Control Reporting Requirements

• The UK Corporate Governance Code requires:

  • Annual reviews of control systems by the board.

  • Disclosure of internal control policies and effectiveness.

• Benefits include:

  • Reducing capital costs through improved investor confidence.

  • Alleviating information asymmetry between shareholders and management.

Contents of Internal Control Reports

• Must cover:

  • Ongoing risk identification processes

  • Board responsibility acknowledgement

  • Nature of risks and actions taken for remediation.

  • Monitoring practices and significant weaknesses identified.

Monitoring Internal Controls

Key Questions for the Board:

• Does the corporate culture support business objectives and risk management?

• Are management actions aligned with promoting an atmosphere of trust?

• Are strategies in place for significant risks?

The Role of Internal Audit

• Internal auditing is defined as a discipline aimed at adding value and improving operations through:

  • Independent assurance and consulting activities

  • Systematic evaluation of risk management and control processes

Tasks Undertaken by Internal Auditors

• Verify accuracy of financial reports.

• Conduct investigations on allegations.

• Review compliance with laws and regulations.

• Assess organization’s risk management procedures and practices.

Factors Influencing the Need for Internal Audit

• Scale of operation: More transactions increase error likelihood.

• Diversity and complexity of activities: Complicates operations and error potential.

• Number of employees: Higher potential for fraudulent behavior.

Auditor Independence

• The auditor's independence is crucial; should report to the board or audit committee for objectivity.

• Threats to independence include:

  • relationships with auditees

  • involvement in operational responsibilities

External Reporting on Internal Control

Arguments For:

• Enhances accountability and transparency of internal control systems.

• Builds shareholder confidence and mitigates fears of fraud.

Arguments Against:

• Disclosure burdens may be excessively costly for small firms.

• Small companies may not require extensive disclosure due to lower complexity.

• High costs of compliance could stifle growth and impede entrepreneurship.

Internal Auditors' Responsibilities

Internal auditors play a critical role in ensuring that an organization operates efficiently and adheres to guiding principles. They are responsible for assessing the effectiveness of internal controls, financial operations, compliance with laws and regulations, and the organization's risk management strategies. Their work helps organizations identify deficiencies and areas for improvement, ensuring that resources are utilized effectively and risks are mitigated.

Features of Effective Internal Control Systems

The effectiveness of an internal control system is often evaluated based on two primary models: Turnbull's Commission Framework and the concept of sound internal control practices. These models provide a structured approach to assess the system's robustness and adaptability.

Components of a Sound System of Internal Control

The Turnbull Report highlights essential components that constitute a sound system of internal control:

• Communication Process: Effective communication channels must be established to ensure that information regarding risks and internal controls flows effectively across the organization.

• Monitoring: Continuous monitoring is critical for assessing the performance of internal control systems and making necessary adjustments.

• Control Environment: An organizational culture that promotes ethical behavior and supports adherence to controls is essential for an effective control environment.

• Control Activities: Routine operations and control activities must be in place to mitigate identified risks and achieve compliance.

Adequate internal controls should be customized based on:

• The size and nature of the company.

• The frequency of reporting to management for prompt corrective actions.

• The implementation of whistle-blowing arrangements to allow reporting of malpractices without fear of retaliation.

• The organizational attitude towards controls, which should encourage compliance at all levels.

Control Activities

Control activities are specific policies and procedures that help ensure management directives are carried out, covering financial operations, compliance with regulations, and effective risk management. Key procedures include:

• Timely reporting of control findings to drive accountability.

• Establishing robust whistle-blowing mechanisms to identify and report fraud or unethical practices.

Monitoring

In organizations lacking an internal audit function, the board of directors is tasked with monitoring the effectiveness of the internal control framework to address risks swiftly. The board should engage in discussions about the effectiveness of controls and challenge management where necessary.

Control Environment

A solid control environment emphasizes the establishment of a positive corporate culture and a management style that aligns with control procedures. This foundational component is critical as it shapes how employees perceive their roles in compliance and risk management.

Importance of Sound Internal Control

Effective internal controls are essential for:

1. Compliance with Legal and Regulatory Requirements: Ensuring adherence to laws and regulations protects the organization from legal penalties and reputational damage.

2. Risk Management Activities: This includes the identification, assessment, management, and communication of risks across the organization.

Objectives of Internal Controls

Internal controls are vital for:

• Managing significant business risks to safeguard resources.

• Ensuring operational efficiency to achieve organizational goals.

• Providing reliability in internal and external reporting.

• Facilitating compliance with applicable laws and internal policies.

Benefits of Internal Controls

Implementing sound internal controls can lead to substantial advantages, including:

• Enhancing the timeliness and reliability of financial information, which can bolster strategic decision-making.

• Preventing unnecessary exposure to financial risks by identifying and mitigating vulnerabilities.

• Safeguarding assets against fraud, ensuring the integrity of financial assets and operational processes.

Types of Internal Controls

Internal controls can be categorized into four main areas:

1. Financial: Ensures reliability in reporting, protects assets, and prevents fraudulent activities.

2. Operational: Streamlines operations to facilitate attainment of business objectives efficiently.

3. Compliance: Ensures adherence to legal standards and internal policies, minimizing the risk of legal violations.

4. Risk Management: Focuses on effectively managing significant risks to fulfill the organization’s objectives.

Financial Internal Controls

Key elements include:

• PAPAMOSS Mnemonic:

  • Personnel: Ensuring quality and competency of staff in executing their roles.

  • Authorization and Approval: Establishing requirements for transaction approvals.

  • Physical: Implementing safety measures to protect organizational assets.

  • Arithmetic and Accounting: Maintaining accuracy in financial records through rigorous accounting practices.

  • Management: Conducting regular performance reviews and evaluations.

  • Organization: Clearly defining responsibilities and authority structures within the organization.

  • Supervision: Providing daily oversight to enhance accountability and diligence.

  • Segregation of Duties: Distributing responsibilities to limit risks of collusion and fraud.

Operational Internal Controls

These controls focus on:

• Economical Acquisition of Materials: Ensuring the organization obtains materials and services efficiently to avoid waste.

• Effectiveness: Achieving organizational objectives to maintain a competitive edge.

• Efficiency: Minimizing resource wastage in all operations through careful management practices.

Limitations of Internal Controls

It is vital to acknowledge that a well-designed system of internal controls cannot provide absolute assurance against specific risks:

• Poor judgment or unintentional human error.

• Intentional circumvention of controls by those with malicious intent.

• Management overriding established controls leading to ineffective enforcement.

• Unexpected events that may disrupt the efficacy of the internal control system.

Information Flows to Management

Communication plays a pivotal role in the successful implementation of internal controls. Effective information flows ensure timely updates about control measures, risks, and operational effectiveness.

Internal Control Reporting Requirements

The UK Corporate Governance Code mandates:

• Annual reviews by the board regarding the organization's internal control systems.

• Disclosure of internal control policies and their effectiveness to stakeholders.

The benefits of stringent reporting include:

• Lowering capital costs due to enhanced investor confidence in the organization's governance structures.

• Reducing information asymmetry between shareholders and management, facilitating better decision-making.

Contents of Internal Control Reports

Reports should address:

• Processes for ongoing risk identification.

• Acknowledgment of board responsibilities.

• Nature of identified risks and remediation efforts taken.

• A summary of monitoring practices and significant weaknesses detected.

Monitoring Internal Controls

Key questions for the board to consider include:

• Does the corporate culture actively support business objectives and risk management initiatives?

• Are management's actions reflective of a commitment to create a trustworthy environment?

• Are there strategic plans in place to mitigate significant risks effectively?

The Role of Internal Audit

Internal auditing is an essential discipline aimed at adding value and improving operational efficiency through:

• Independent assurance and consulting activities that provide insights into organizational practices.

• Systematic evaluation of risk management processes and control practices.

Tasks Undertaken by Internal Auditors

Internal auditors undertake various critical tasks including:

• Verifying the accuracy of financial reports for stakeholders.

• Conducting thorough investigations into allegations of misconduct or unethical behavior.

• Reviewing compliance with existing laws and regulations to ensure adherence.

• Assessing the effectiveness of the organization's risk management procedures and practices to identify areas for enhancement.

Factors Influencing the Need for Internal Audit

Several factors contribute to the necessity of an internal audit function:

• The scale of operations increases transaction volume and the potential for errors.

• Diversity and complexity of organizational activities raise the likelihood of operational challenges.

• A larger workforce can lead to increased opportunities for fraudulent actions.

Auditor Independence

Upholding auditor independence is essential for objectivity; independent auditors should report their findings directly to the board or audit committee. Potential threats to independence include:

• Close relationships with auditees that may lead to compromised objectivity.

• Involvement in operational tasks that may bias their assessments.

External Reporting on Internal Control

Arguments For:

• Enhances accountability and transparency regarding internal control systems, fostering trust among stakeholders and the public.

• Builds shareholder confidence by mitigating fears related to financial malfeasance and fraud.

Arguments Against:

• Disclosure requirements may impose excessive financial burdens on smaller firms, which may lack the resources to comply fully.

• Smaller companies may not necessitate extensive reporting due to lower operational complexity, potentially stifling their growth and innovation.