8. Internal control systems

Question 1

Define internal control?

What are the objectives of internal control

Answer 1

Internal control:‘Is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, reporting and compliance.’

2 main sources of guidance:

1. COSO
2. Turnbull

Objectives of Internal Control R.O.R.C.S

• A system of internal control has a key role in the management of risks
• Effectiveness and efficiency of operations.
• Ensure the reliability of internal and external reporting.
• Assist compliance with laws and regulations.
• Safeguard the shareholders’ investment and the company’s assets.

Question 2

What are the objectives of internal control?

and

What are the benefits?

Answer 2

Objectives of Internal Control R.O.R.C.S

• A system of internal control has a key role in the management of Risks
• Effectiveness and efficiency of operations.
• Ensure the reliability of internal and external reporting.
• Assist compliance with laws and regulations.
• Safeguard the shareholders’ investment and the company’s assets.

Three Main Benefits (COSO)

1. • Effectiveness and efficiency of operations
2. • Reliable financial reporting
3. • Compliance with laws and regs

Question 3

What are the limitations of internal controls?

Answer 3

• Costs of controls outweigh the benefits
• Poor Judgement of Management in decision making
• Human error or fraud
• Collusion between employees
• Possibility controls being bypassed or overridden
• Control are in place for only routine transactions
• Unable to cope with unforeseen circumstances
• Not being updated over time
• Poor method of data processing

Question 4

Evaluate the importance of Internal Controls to shareholders

Answer 4

Investors - Want to ensure their investments are protected,

• Reduce the risk of fraud
• Manage risks to the company
• Want to make sure there is cost vs benefit balance when implementing controls

Debt Providers - Want to protect their capital

• To make sure they get there repayments
• May not care so much if they have secured debt

Employees - Concerned about there Job security

• want to make sure the future of the company is protected
• they will also have to operate the controls and don’t want them to overburden them in there a role

Governments - want to ensure sufficient controls in place to make sure adequate controls exist to cover statutory compliance. e.g Tax Audit of VAT or PAYE compliance, or response when there is a breach of health and safety laws.

Customers - they want their dealings to be hassle-free, That controls are not overly intrusive when returning goods, or there is long term aftercare support if needed, may also want to know they are dealing with an ethical company.

Question 5

What are the 3 principals of a sound system of internal Control

Answer 5

1. I.C system embedded within structures, procedures and culture, everyone is responsible for controlling risk and following policies and it is not a stand-alone task.
2. Systems should be able to respond to evolving internal and external risks, as business grow and change so do risks. Slowness to respond makes the business more vulnerable.
3. Information channels need to be complete, honest, timely in the reporting of control failures or weaknesses to appropriate levels of management, who are enabled to carry out an appropriate response.

Question 6

What are the overall responsibilities of different staff members regarding the internal controls?

Answer 6

Question 7

What are the responsibilities of the Board of Directors regarding Internal controls?

Answer 7

Question 8

What are the Elements of an Effective Internal Controls?

Answer 8

Question 9

What is the Control Environment of an I.C System?

Answer 9

Referred to as the ‘tone at the top’ of the organisation. It describes ethics and culture, which provide a framework for other aspects of internal control operations.

The tone of management, its philosophy and management style, the way in which authority is delegated, the way in which staff are organised and developed, and the commitment of the board of directors.

The control environment includes the following elements:

• – Management’s philosophy and operating style.
• – Organisational structure.
• – Assignment of authority and responsibility.
• – Human resource policies and practices.
• – Competence of personnel.

Question 10

What is the Risk Assessment Element of an I.C System?

Answer 10

There is a connection between the objectives of an organisation and the risks to which it is exposed.

Having established the objectives, the risks involved in achieving those objectives should be identified and assessed, and this assessment should form the basis for deciding how the
risks should be managed.

The risk assessment should be conducted for each business within the organisation, and should consider, for example:

• *– internal factors,** such as the complexity of the organisation, organisational changes, staff turnover levels, and the quality of staff
• *– external factors**, such as changes in the industry and economic conditions, technological changes, and so on.

The risk assessment process should also distinguish between:

• *– risks that are controllable**: management should decide whether to accept the risk or to take measures to control or reduce the risk
• *– risks that are not controllable:** management should decide whether to accept the risk, or whether to withdraw partially or entirely from the business activity, so as to avoid the risk.

Risks assessment should include Quantitative and Qualitative methodologies.

And Risk assessment should be Dynamic.

Question 11

What are the commonly used control procedures/activities?

Answer 11

Control procedures: The activities that make up any system of internal control

3 Main groups-

1. Organisational structure setting responsibilities and setting segregation of duties

2. Controls in the operations, physical, authorisation and approval, recording transactions accounting and rhythmic.

3. Personel supervision and management.

SPAMSOAP

• Segregation of duties
• Physical
• Authorisation and approval
• Management - top-level review on performance in reaching goals or activity level
• Supervision - supervisor reviewing the work of juniors
• Organisation - department and lines of responsibility
• Arithmetic and accounting
• Personnel - Selection and training

APIPS: The most common forms of control activity:

• Authorisation;
• Performance reviews;
• Information processing;
• Physical controls;
• Segregation of duties

Question 12

4 Types of controls

Answer 12

1. Prevent
2. Detect
3. Correct
4. Direct

Question 13

Explain the information and communication element of internal control?

Answer 13

Information

• • Types of different information
• • Levels of information
• • Qualities of good information
• • Sources of Good information
• Effective channels of communication and information flow.
• • Timely
• • Relevant
• Provided and reviewed regularly in terms of
• • efficiency
• • effectiveness in achieving a target
• • economy
• • quality
• Both internal and external so management can make effective decisions

Question 14

Name the different types of information systems and there uses?
and
What types of information do different levels of the organisation need?

Answer 14

• Executive Information System (EIS): used for total business modelling. It monitors reality and facilitates actions that improve business results.
• Management Information System (MIS): converts data from internal and external sources to communicate info in an appropriate form to managers at all levels and areas for quick and effective decisions.
• Decision Support System (DSS): a computer-based system which enables managers to confront ill-structured problems by direct interaction with data and problem-solving programs.
• Transaction Processing System (TPS): a system that routinely captures, processes, stores and outputs low-level transaction data.

- Strategic Level managers - directors want information which helps their strategic control of the business.

• • It is highly summarised.
• • It does not need to be as accurate as operational information.
• • It will often be used in making poorly-structured, non-programmable decisions.
• • The information will often be forward-looking.
• • Non-routine information and reports will often be required.
• • It will contain a high amount of probabilistic information (estimates).

- Operational level Management information- use to ensure operational tasks are performed as required.

• • Details of stock levels
• • Performance of lower-level staff
• • Work in progress
• • Quality Controls
• • Based on a high level of detail
• • Variance reports
• • Changes in regulation requirements
• • Customer complaints and demands
• • Staff performance, training and absentees

Question 15

What is the information flows for management?

Answer 15

Different Levels of business need different information

• • Strategic level
• • Tactical Level
• • Operation Level

there are 2 key areas for managment activities:-

• • Planning
• • Control

Question 16

What are the Qualities of good information?

Answer 16

2.1.3 Qualities of good information: ACCURATE

• Accurate
• Complete
• Cost beneficial
• User targeted
• Relevant
• Authoritative
• Timely
• Easy to use

Question 17

Explain the monitoring element of Internal Controls?

Answer 17

Monitoring the application of internal control and risk management policies.

Monitoring processes include:

• - Internal audit reviews and reports
• - Annual review of risks and control processes
• - Formal ‘control self-assessments’ by management
• - Confirmation by Staff of compliance with policies and codes of conduct
• - Other management reviews.

Reports on the monitoring of internal control should be provided to management on a regular basis, and management should report to the board of directors.

The monitoring systems might identify the need for improvements or changes in controls when existing controls are not sufficiently effective.

Question 18

Disclosure of internal control weaknesses?

Answer 18

When a stock market company discovers a weakness in its system of internal control, the board should consider whether it has a duty to notify investors immediately.

Regulations about transparency and reporting require companies to make public any information about weaknesses in internal control or risk management that have had a material impact on the company’s financial performance or financial position.

Question 19

Discuss a fraud risk management strategy?

Answer 19

1- Fraud Prevention

• • anti-fraud culture
• • Risk Awareness
• • Whistleblowing
• • Sound Internal control systems

2- Fraud Detection

• • Regular reconciliation of data from multiple sources
• • Watch out for red flags
• -Internal control failures
• -Lack of information provided to auditors
• -Unusual Behaviour
• -Accounting Difficulties
• Whistleblowers

3- Fraud Response

Fraud response plan sets outs procedures on dealing with suspected cases, Procedures for evidence-gathering, which aid in decision making and proof for legal action.

Response plans include:-

• • Internal disciplinary action
• • Civil litigation
• • Criminal prosecution

All together provide Fraud deterrence.