Basic Concepts of Internal Control PDF 2024
University of Johannesburg
2024
Summary
This document provides an introduction to internal control concepts within the context of auditing and business management. The content covers definitions, objectives, limitations, and components of internal controls, intended for a learning unit in the second semester of an undergraduate course at the University of Johannesburg.
Full Transcript
Basic Concepts of Internal Control
Auditing and Internal Control 2024, Semester 2 – Learning Unit 1

Learning outcomes of this unit
1. Define what an internal control is
2. Understand the purpose of an internal control (Objectives)
3. Know and understand the different types of controls that exist
4. Know and understand the 5 components of internal controls
5. Know and understand the limitations of internal controls
Prescribed textbook: Chapter 5

Definition of Internal Control
An internal control is a process designed, implemented and maintained by the company’s board of directors, management and personnel, and is designed to provide reasonable assurance regarding the achievement of the objectives with regard to:
1. The reliability of the entity’s financial reporting (without proper controls like user-names, passwords, validate functions for Pastel, there is a high risk that financial statements will have errors)
2. The effectiveness and efficiency of its operations (if a manufacturing company like Coca Cola does not have proper controls over production, errors like bad quality final products or wastages in production will occur), and
3. Compliance with applicable laws and regulations. (e.g. each bank in South Africa has strict policies to ensure that the laws that apply to banks are adhered to.
The policies include good training of employees about the relevant laws, not allowing certain transactions to occur until an employee confirms that legal aspects of the transaction were performed, etc.)

Look at the 6 aspects of internal control as identified from the definition (what we learn from internal controls) on page 5/3.
Prescribed textbook: Chapter 5 (page 5/3)

Always remember… Risks create internal controls
Internal controls exist because there is a risk that the entity faces which threatens the entity’s ability to achieve its objectives listed above:
1. The reliability of the entity’s financial reporting
2. The effectiveness and efficiency of its operations, and
3. Compliance with applicable laws and regulations
Prescribed textbook: Chapter 5 (page 5/1 to 5/3) for introduction

Internal Control Objectives (ICO)
(What are internal controls trying to achieve?)
The management of every entity has the responsibility of running the entity in totality (as a whole) and does this by putting in place policies and procedures (e.g. your university's management policies, protecting assets policy, rules governing the exams) to achieve this.
1. Adherence to management policies for all the aspects of the business. (e.g. UJ management has a policy that students and staff cannot access gambling websites. An electronic control is in place to block such websites)
2. Safeguarding of assets against damage/theft, e.g. stock, equipment. (e.g. if UJ does not have a good student card and fingerprint access system, strangers may access campus and steal assets)
3. Prevention and detection of fraud and errors. (e.g. if monthly bank recons are not done in a business, there is a risk that errors or even fraud may not be detected)
4. Accuracy and completeness of the accounting records.
(without proper controls like user-names, passwords, validate functions for Pastel, there is a high risk that financial statements will have errors).
5. The timely preparation of reliable financial statements and other information necessary to run the business.
Recommended Additional Reading (Auditing Fundamentals): “What is Internal Control?” (section 4.3.1, chapter 4).

Summary – Internal Control Definition and Objectives

Internal Controls
1. Definition
2. Ensure that:
   a. Reliable information
   b. Effective and efficient operations
   c. Compliance with laws
3. Risks create internal controls

Internal Controls Objectives
1. Meaning: What is the purpose/aim of an internal control
2. # of ICOs - 5
3. List of ICOs
   a. Management policies
   b. Safeguarding of assets
   c. Prevention and detection of fraud and errors
   d. Accuracy and completeness of financial information
   e. Timely preparation of financial information

Limitations of Internal Controls
“Always remember that internal controls provide reasonable assurance and not absolute assurance”. This means that even if internal controls are designed and implemented successfully there will always be an element of risk involved.
Prescribed textbook: Chapter 5 (pages 5/3 to 5/4)

1. Limitations due to human judgement in decision making and human error:
- Errors in the design of a control
- Errors due to the person implementing or reviewing the control not understanding the control
- Failure to take appropriate action
Example: Management choosing to implement controls based on available resources and making a judgement to cut costs.
Example: Management designs controls to address certain risks identified. Management may decide to direct controls mainly onto routine transactions.
- The potential of human error due to carelessness, distraction, mistakes of judgement and misunderstanding of instructions
- The possibility that a control may become inadequate due to changes in conditions and, therefore, that compliance with procedures may deteriorate

2. Circumvention of controls: It includes a breakdown in controls due to collusion between two parties or due to management override.
Example:
- The possibility of circumvention of internal controls through the collusion of a member of management or an employee with parties outside or inside the company.
- The possibility that a person responsible for exercising an internal control could abuse that responsibility.

Components of Internal Control (CIC)
Prescribed textbook: Chapter 5 (page 5/5 to 5/14)
1. The control environment
2. The entity’s risk assessment process
3. The entity’s process to monitor the system of internal control
4. The information system and communication
5. Control activities

1. CIC – The Control Environment
Controls set from the top

a) How management’s responsibilities are carried out
- Control consciousness of the entity created by those at a higher level within the organisation (the “tone at the top”; when directors and other senior personnel are serious about controls and ethics then the rest of the organisation will follow).
- Atmosphere is created by seniors within the entity to ensure that controls work.
- Communication and enforcement of integrity and ethical values

b) How those charged with governance demonstrate independence from management
- Senior management through their actions should demonstrate commitment to ethical behaviour and adhere to internal control processes (“tone at the top”).
- Management should always set a good example of what the entity is aimed at.
- Those charged with governance identify and accept their responsibilities to oversee the system of internal control.

c) Assignment of authority and responsibility
Organisational structure; authority and responsibility
- Controls work properly where employees know exactly the authority they have and know when to exercise it.
- It should be ensured that personnel understand the entity’s objectives and how their actions interrelate and contribute to them.
- Management assigning authority to appropriate individuals according to their function, status in the entity and competence.

d) How the entity attracts, develops, and retains competent individuals
Controls work properly in an organisation where policies and procedures for recruitment, training of employees, fair remuneration and counselling exist. (incompetent employees are likely to commit errors; unhappy / disgruntled employees are likely to commit fraud)
The entity should have the following in place:
I. Standards for recruiting the most qualified individuals
II. Training policies that communicate prospective roles and responsibilities
III. Performance appraisals linked to promotions to demonstrate the commitment of the entity.

e) How the entity holds individuals accountable
Individuals should know and understand for what and how they will be held accountable. Holding individuals accountable can be accomplished through:
i. Communication and implementation of necessary corrective actions
ii. Performance measures linked to incentives/rewards for those responsible for the system of internal control.
Prescribed textbook: Chapter 5 (page 5/5 to 5/6)

2. CIC – Entity’s Risk Assessment Process
General
Controls work properly where the entity knows how to assess risks that are faced and how to address these risks.
Assessing risk involves likelihood and frequency of risk assessment
Prescribed textbook: Chapter 5 (page 5/7 to 5/8)

Entity’s Risk Assessment Process (RAP)
RAP: when a company evaluates the risks that face it
Steps for RAP:
1. Identify the risk
   - Operational risk
   - Financial reporting risk
   - Compliance risk
2. Assess the likelihood (chance) and frequency (occurrence) of the risks identified
3. Estimate the significance (potential impact) if the risk

3. CIC – The entity’s process to monitor the system of internal control
Monitoring of internal control involves assessing the performance of internal control over time. Once controls are implemented, management should continuously assess whether these controls work as intended. (e.g. from time to time management have to actually test the controls of the organization to ensure that they are still working properly)
Recommended Additional Reading (Auditing Fundamentals): Chapter 4: sections 4.3.2
Prescribed textbook: Chapter 5 (page 5/8 to 5/9)

4. CIC – Information Systems & Communication
Objective/aim: Produce valid information that is accurate and complete
Controls work better in an entity where these procedures are clearly defined, eliminating opportunities for fraud

a) Procedures and records to deal with transactions
- Initiating, e.g. receipt of a customer’s order
- Recording, e.g. enter customer’s order details on an internal sales order
- Processing, e.g. picking goods ordered from warehouse and dispatching them
- Posting, e.g. recording the invoice in the sales journal, general ledger
Prescribed textbook: Chapter 5 (page 5/9 to 5/10)

b) Books and documents
All of the actions described above will be supported by ledgers, journals, records and documents specific to the type of transaction.
c) Document design
- Pre-printed: this helps to have the minimum amount of information to be manually filled in
- Pre-numbered or sequentially numbered to identify missing or duplicate documents
- Multiple copies: one for a customer and the company
- Logical and simple to complete
- Contain blank blocks for authorizing or approving

d) Events and conditions other than transactions
The vast majority of an entity’s activity is reflected in transactions. There are other events and conditions which must be reflected in the financial statements with account headings, e.g. depreciation or bad debt allowances.

e) Journal entries
- They change balances in the general ledger
- RISK: Manipulate financial information or hide fraud
- May be routine or once off
- Always need to balance
- Internal control: authorization by senior employee

5. CIC – Control Activities
These are actions supported by policies and procedures which need to be carried out to reduce risks in an organization.

Type of control activity – Description A

a) Approval and authorisation – management approves employees to perform certain functions, not allowing everybody to do everything. (e.g. an employee must be clear that he / she cannot sign cheques above a certain amount or that they don’t have the power to do certain tasks, etc.)

b) Segregation of duties – various actions or procedures within a transaction should be divided! (tasks need to be distributed among many employees; having one employee doing a lot is a recipe for fraud).

c) Isolation of responsibility – for controls to work, employees involved in transactions must be fully aware of their responsibilities and be accountable for their performance. Employees acknowledge what they have done by signing, e.g. documents, forms etc. (we must always be able to trace a particular action to the specific employee that performed that action)

d) Physical and logical controls
Involves protection of assets. Controls work better where there are policies and procedures in place to protect assets, e.g. security guards, cameras, etc.
Access/custody controls are designed to:
i. Prevent damage to, and deterioration of, physical assets
ii. Prevent deterioration of certain “non-physical” assets
iii. Prevent unauthorised use, theft or loss of physical assets
iv. Prevent unauthorised use, theft or loss of non-physical assets.

e) Reconciliation (comparison)
Reconciliation compares two different sets of recorded information (data elements) or of recorded information and physical assets. Controls work better where frequent reconciliations are done on any sets of recorded information. (the bank recons, debtors recons, creditors recons you learnt in FAC are so, so important!)

f) Verification (comparison)
Verification compares two or more items with each other. It may include a review of:
i. Performance against budgets, forecasts, departmental targets.
ii. Key performance indicators, ratios etc.
iii. Current to prior period, financial and operating information.

f) Performance reviews
Controls will work properly where reviews are done on a continuous basis; these reviews will show areas of weaknesses, unusual conditions etc. E.g. performance of the entity against budgets, forecasts etc. (this is where we compare actual performance, like the profit in a month or the number of units produced in a year, to what was budgeted. This exercise gives us an opportunity to identify areas of weaknesses, unusual conditions etc.)
Prescribed textbook: Chapter 5 (page 5/10 to 5/14)

Types of Controls - Description B
1. Preventative controls – prevent/stop errors/risks from happening
2. Detective controls – identify or pick up errors, theft, risks that happened
3. Corrective controls – implemented to resolve or fix errors and risks identified by detective controls.
Prescribed textbook: Chapter 5 (page 5/15 to 5/15)

Types of Controls - Examples
1. Preventative control: Burglar gate and door at your house – stops or prevents criminals from entering
2. Detective control: Alarm system – picks up or detects when a criminal has entered
3. Corrective control: Guards from the security company – react to alarm and come correct or fix the situation

General and application control activities – Description C
Two broad groupings of information systems control activities are:
i. Automated application controls – Are controls that are specific to a particular task.
ii. General controls – Establish an overall framework of control for a computerised environment at large.
This will be clear to you when you do it in 3rd year.

Recap of the content covered
1. Define what an internal control is
2. Understand the purpose of an internal control (Objectives)
3. Know and understand the limitations of internal controls
4. Know and understand the 5 components of internal controls
5. Know and understand the different types of controls that exist