Chapter 8: Internal Control Systems
COSO
- Committee of Sponsoring Organizations (of the Treadway Commission)
- US standard approach to internal control, which supports the RORCS objectives
advantages of COSO
- alignment of risk appetite and strategy
- links growth, risk and return
- chooses the best risk response
- minimises surprises and losses
- identifies and manages risks across the organisation
- provides responses to multiple risks
- seizes opportunities
- rationalises capital
financial controls essentials
- assets and transactions are recorded completely and accurately in the accounting records
- entries are posted correctly within the accounting records
- cut-off is applied correctly, so that transactions are recorded in the correct year
- the accounting system can provide the data needed to prepare the annual report and accounts
- the accounting system does provide that data as required, i.e. it is organised to supply, on time and in a usable format, the data that underpins the accounts and the other content of the annual report
voluntary controls
- chosen by the organisation to support the management of the business
- e.g. authorisation controls, where certain key transactions require approval by a senior manager, are voluntary controls
non-discretionary controls
- controls that are provided automatically by the system and cannot be bypassed, ignored or overridden
- e.g. checking the signature on a PO is discretionary, whereas entering a PIN at a cash dispensing machine is non-discretionary
discretionary controls
- controls that are subject to human discretion
- e.g. a control that goods are not dispatched to a customer with an overdue account may be discretionary, as the customer could have a good previous payment record or be an important customer
financial controls
- focus on key transaction areas
- emphasis on safeguarding assets and maintaining proper accounting records and reliable financial information
Quantitative non-financial controls
- numeric techniques (like performance indicators)
- balanced scorecard
- activity-based management
RORCS
- objectives of any system of internal control
1. Risk Management
2. Operations
3. Reporting
4. Compliance
5. Safeguarding assets
Qualitative non-financial controls
- organisational structures
- rules and guidelines
- strategic plans
- HR policies
mandatory controls
- required by law and imposed by external authorities
- e.g. a financial services organisation may be subject to the control that only people authorised by the financial services regulator may give investment advice
levels of info
- strategic info
- tactical info
- operational info
non-financial controls
- tend to focus on wider performance issues
- two types:
1. Quantitative non-financial controls
2. Qualitative non-financial controls
qualities of good info
1. Accurate
2. Complete
3. Cost-beneficial
4. User targeted
5. Relevant
6. Authoritative - e.g. expert opinions
7. Timely
8. Easy to use - clearly presented
elements of COSO framework of internal control
1. control environment - culture, infrastructure, architecture of control and the attitude of directors and managers towards control
2. risk assessment
3. control activities - the detailed controls in place in an organisation
4. information and communication - essential for ensuring the board and others in a position of authority can make informed decisions
5. monitoring activities - determine whether the controls are working and whether remedial action needs to be taken
categories of control
1. corporate controls - general policy statements, established core culture and values, and overall monitoring procedures such as the audit committee
2. management controls - planning and performance monitoring, a system of accountabilities to superiors, and risk evaluation
3. business process controls - authorisation limits, validation of inputs, reconciliation of different sources of information
4. transaction controls - compliance with prescribed procedures, and accuracy and completeness checks
types of info to monitor
1. external info - info about competitors, suppliers, and the impact of future economic and social trends
2. financial info - important for internal purposes and to fulfil legal requirements for true and fair external reporting
3. non-financial info - quality reports, customer complaints, human resource data
disadvantages of COSO
1. internal focus - ignores the external environment and the risks it poses
2. risk identification - prioritises sudden events over more gradual risks that evolve over time
3. risk assessment - makes the process appear too simplistic and thus too easy
4. stakeholders' involvement in risk management often tends to get ignored
Turnbull
UK standard approach to internal controls which supports RORCS
administrative controls
concerned with achieving the objectives of the organisation and with implementing policies. Controls relate to:
- establishing a suitable organisation structure
- division of managerial authority
- reporting responsibilities
- channels of communication
detect controls
controls designed to detect errors once they have occurred
correct controls
controls designed to minimise or negate the effect of errors
prevent controls
controls designed to prevent errors from happening
accounting controls
controls that aim to provide accurate accounting records and to achieve accountability, which apply to the following:
- recording of transactions
- establishing responsibilities for records, transactions and assets
direct controls
direct activities of staff towards a desired outcome
APIPS
most common forms of control activity
1. authorisation
2. performance reviews
3. information processing
4. physical controls
5. segregation of duties
inherent limitations of internal control
they provide reasonable assurance but nothing more because of:
- the cost constraint: a control is only worth having if its cost does not outweigh its benefit, so not every risk is controlled
- poor judgement in decision making
- the potential for human error or fraud
- collusion between employees
- the possibility of controls being bypassed or overridden by management or employees
- controls being designed to cope only with routine, not non-routine, transactions
- controls being unable to cope with unforeseen circumstances
- controls depending on the method of data processing
- controls not being updated over time
tactical info
used to decide how the resources of the business should be employed, and to monitor how they are being, and have been, employed
- mainly generated internally
- summarised at a lower level
- relevant to the short and medium term
- concerned with activities and departments
- routinely and regularly prepared
- based on quantitative measures
operational info
used to ensure that specific operational tasks are planned and carried out as intended
- derived from internal sources such as transaction recording methods
- detailed
- relevant to the immediate term
- task-specific
- prepared very frequently
- largely quantitative
strategic info
used to plan the objectives of the organisation and to assess whether the objectives are being met in practice
- derived from both internal and external sources
- summarised at a high level
- relevant to the long term
- concerned with the whole organisation
- often prepared on an ad hoc basis
- both qualitative and quantitative
- often uncertain, as the future cannot be accurately predicted
general and application controls
used to reduce the risks associated with the computer environment
1. general controls - controls that relate to the environment in which the application system is operated
2. application controls - controls that prevent, detect and correct errors and irregularities as transactions flow through the business system
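The following is an added example, not part of these notes or of any COSO or Turnbull publication, showing how the application controls above, and the APIPS activities of authorisation, information processing and segregation of duties, look when they are built into a transaction system as non-discretionary controls. The approval limit, the account code format, the open accounting period and the three sample purchase orders are all constructed for the illustration. Input validation, cut-off and the authorisation/segregation-of-duties rule act as prevent controls on each record; the record count and hash total act as detect controls on the whole batch; records that fail land on an exception report, which is where the corrective action starts.

```python
"""Application controls over a batch of purchase transactions (added example,
not from the study notes). Prevent controls run per record, detect controls
run per batch, and because the program enforces them rather than a reviewer
they are non-discretionary: nothing posts unless every check passes."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, List, Optional
import re

# Hypothetical policy values, assumed for the example.
APPROVAL_LIMIT = Decimal("5000.00")                               # above this a second person must approve
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)   # open accounting period (cut-off)
ACCOUNT_RE = re.compile(r"^\d{4}-\d{3}$")                         # assumed ledger code format, e.g. 4000-100


@dataclass
class Txn:
    ref: str
    account: str
    amount: Decimal
    posted: date
    prepared_by: str
    approved_by: Optional[str] = None


@dataclass
class Batch:
    txns: List[Txn]
    declared_count: int       # control total from the batch header: number of records
    declared_total: Decimal   # control total from the batch header: sum of amounts


def validate_txn(t: Txn) -> List[str]:
    """Prevent controls on one record. Returns the reasons it cannot post (empty if clean)."""
    errors = []
    if not ACCOUNT_RE.match(t.account):
        errors.append(f"{t.ref}: account code {t.account!r} is malformed")
    if t.amount <= 0:
        errors.append(f"{t.ref}: amount must be positive")
    if not PERIOD_START <= t.posted <= PERIOD_END:
        errors.append(f"{t.ref}: date {t.posted} is outside the open period (cut-off)")
    if t.amount > APPROVAL_LIMIT:
        # Authorisation limit plus segregation of duties: the preparer may not be the approver.
        if t.approved_by is None:
            errors.append(f"{t.ref}: exceeds approval limit with no approver")
        elif t.approved_by == t.prepared_by:
            errors.append(f"{t.ref}: preparer {t.prepared_by} cannot approve their own transaction")
    return errors


def check_batch_totals(b: Batch) -> List[str]:
    """Detect controls on the whole batch: completeness (record count) and accuracy
    (hash total) against the header. A dropped, duplicated or mis-keyed record
    shows up as a mismatch here even if each record on its own looks valid."""
    errors = []
    if len(b.txns) != b.declared_count:
        errors.append(f"record count {len(b.txns)} != declared {b.declared_count}")
    actual = sum((t.amount for t in b.txns), Decimal("0"))
    if actual != b.declared_total:
        errors.append(f"hash total {actual} != declared {b.declared_total}")
    return errors


def process_batch(b: Batch) -> Dict[str, List[str]]:
    """Posts only records that pass every control; the rest go on the exception
    report, which is where the corrective step (investigate, re-key from source) begins."""
    batch_errors = check_batch_totals(b)
    if batch_errors:
        # Batch totals disagree: hold the whole batch rather than post a partial one.
        return {"accepted": [], "exceptions": batch_errors}
    accepted, exceptions = [], []
    for t in b.txns:
        errs = validate_txn(t)
        if errs:
            exceptions.extend(errs)
        else:
            accepted.append(t.ref)
    return {"accepted": accepted, "exceptions": exceptions}


def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed sample data: one clean record, one self-approved record over the
    limit, one record dated after year end; then the same batch with a mis-keyed header total."""
    txns = [
        Txn("PO-1001", "4000-100", Decimal("1200.00"), date(2024, 3, 4), "alice"),
        Txn("PO-1002", "4000-100", Decimal("7500.00"), date(2024, 3, 4), "bob", approved_by="bob"),
        Txn("PO-1003", "5100-200", Decimal("300.00"), date(2025, 1, 2), "alice"),
    ]
    good = Batch(txns, declared_count=3, declared_total=Decimal("9000.00"))
    bad = Batch(txns, declared_count=3, declared_total=Decimal("9100.00"))
    return {"good": process_batch(good), "bad": process_batch(bad)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Run with `python controls.py`: the first batch posts PO-1001 and reports PO-1002 (preparer approved their own order) and PO-1003 (dated outside the open period); the second batch posts nothing because the header hash total does not agree with the records. The point for a practitioner is that the segregation-of-duties rule lives in `validate_txn`, not in a reviewer's judgement, so it cannot be waived by the person it constrains.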