Internal control Flashcards
Why does management use a strategic plan?
As a point of departure in developing the organisation's operational direction
Define structure
The way in which the organisation, or elements thereof, is arranged
Define policy
Guideline or statement of position with respect to a given topic
Define process
Big picture of what must be done
Define procedure
A fixed, step-by-step sequence of activities or course of action
Define system
Tool(s) used to facilitate the procedures
Define law
National legal requirement
Define regulation
Additional guidance and rules-based documentation for a specific need
True or False
Internal auditors need a sound understanding of organisational structure terms and their application within the engagement client's environment.
True
Who is responsible for ensuring that governance, risk management and control are established within the organisation to meet business and stakeholder needs?
Management
The performance standards describe which internal audit service?
The nature of work
What does the nature of internal audit work/services consist of?
- organisational terms
- standards (GRC)
- definition of control
- objectives of control
- COSO framework
- responsibility for internal control
- advantages and disadvantages
- controls in the IT environment
Explain 2100 Nature of work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insight and consider future impact.
The nature of work of IAA consists mainly of providing assurance and consulting services on governance, risk management and control processes, or related fields.
State 2110 Governance
The IAA must assess and make appropriate recommendations to improve the organization’s governance processes for:
- making strategic and operational decisions
- overseeing risk management and control
- promoting appropriate ethics and values within the organization
- ensuring effective organizational performance management and accountability
- communicating risk and control information to appropriate areas of the organization
- coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management
Disclose 2110.A1 Governance
The IAA must evaluate the design, implementation and effectiveness of the organization's ethics-related objectives, programs, and activities
State 2110.A2
The IAA must assess whether the IT governance of the organization sustains and supports the organization's strategies and objectives
State 2120 Risk management
The IAA must evaluate the effectiveness and contribute to the improvement of risk management processes.
How should 2120 Risk management be interpreted?
Judgement results from the assessment that:
- organizational objectives support and align with the organization’s mission
- significant risks are identified and assessed
- appropriate risk responses are selected that align risks with the organization’s risk appetite
- relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities
How are risk management processes monitored according to the 2120 Risk management interpretation?
Through ongoing management activities, separate evaluations, or both
State 2120.A1
The IAA must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems, regarding the:
- achievement of the organization’s strategic objectives
- reliability and integrity of financial and operational information
- effectiveness and efficiency of operations and programs
- safeguarding of assets
- compliance with laws, regulations, policies, procedures, and contracts
State 2120.A2
The IAA must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk
Explain 2130 control
The IAA must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
What is the aim of control according to 2130 Control?
To support the organisation in the management of risks that threaten the achievement of its objectives and should, amongst others, ensure that:
- financial and operational information is reliable and possesses integrity
- operations are performed efficiently and achieve established objectives
- assets are safeguarded
- actions and decisions of the organization are in compliance with laws, regulations and contracts
What is the CAE's role according to 2130 Control?
The CAE should form an overall opinion on the adequacy and effectiveness of the control processes by considering whether significant discrepancies or weaknesses were discovered, whether corrections or improvements were made after the discoveries, and whether the discoveries and their potential consequences led to a conclusion that a pervasive condition exists resulting in an unacceptable level of risk.
The IA plan should make provisions for the evaluation of the adequacy and effectiveness of the organization’s control processes. The CAE should report at least once a year on the organization’s control processes to senior management and the board
What is internal control according to COSO?
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
What is internal control according to IPPF?
Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved
What is internal control according to SAICA?
Internal control measures are those methods and procedures which have been accepted by the management of an entity to help in the achievement of management’s goal to ensure that the business of the entity is properly conducted in an orderly and efficient manner.
What is the general assumption about internal control derived from all of the regulatory bodies?
- Control is either a process or action taken
- Management is responsible for implementing internal control, but other parties may also be involved
- Controls are implemented to minimise risks, thus ensuring that an organization’s objectives are met. However, only reasonable assurance in the minimization of risks and the achievement of objectives can be provided by effective internal controls
What does COSO stand for?
Committee of Sponsoring Organizations
Explain the COSO framework
The framework incorporates all the essential aspects that need to be present in order to implement an effective and efficient internal control structure
State the COSO control framework components
- Monitoring
- Information and communication
- Control activities
- Risk assessment
- Control environment
Which COSO control framework component is the foundation and provides the atmosphere in which people conduct their activities and carry out their control responsibilities in the organization?
The control environment
Disclose the various elements of control environment
- The philosophy and style of senior management
- The organizational structure (hierarchy)
- Methods used to communicate tasks and responsibilities to personnel
- Human resources management
What does the control environment represent?
The collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific policies and procedures
Where does the control environment have direct influence?
The way activities are structured, objectives are established and risk is addressed, and therefore affects the control consciousness of people performing their day to day activities
Disclose the fundamental management principles of the philosophy and style of senior management element
- Planning
- Organising
- Directing
- Controlling
What does planning include according to the philosophy and style of senior management?
Establishing objectives, developing strategies, determining policies and procedures, etc
Explain organising in terms of philosophy and style of senior management
The coordination of people and plans in order to execute the planning.
What does organizing include according to the philosophy and style of senior management?
Responsibility, authority, delegation, decentralization, committees, and structure
Explain directing in terms of the philosophy and style of SM
The process of allocating resources to ensure objectives are met.
What does directing include in terms of the philosophy and style of SM?
Elements of leadership, motivation and communication
Discuss controlling in relation to the philosophy and style of SM
The process of ensuring that the directed actions have been executed as planned to ensure that objectives are achieved
Which factors should internal auditors consider that might influence the risk with reference to the philosophy and operating style of management?
- a single person dominating the operating and financial decision-making process
- aggressive management in an environment of poor internal control activities
- a high turnover of management
- an unduly aggressive approach of management to financial reporting
- management having a poor reputation in the business community
- management placing excessive emphasis on obtaining profit forecasts
- a significant part of remuneration of management being based on operating results
- pressure on management
- future existence of the org resting on obtaining finance from outside sources
True or false
The integrity and ethical values of SM do not play an important part in the philosophy and style.
False
True or false
Understanding the concept of integrity and ethical standards might be easy as well as the application of the concept
False
Understanding the concept of integrity and ethical standards might be easy, but the application of the concept can be a complicated exercise
What is the most effective way to transmit a message of ethical behaviour?
By example, as personnel are likely to develop the same attitudes about what is right and what is wrong as those shown by SM
True or false
Senior management should communicate the organization’s values and behavioural standards to personnel
True
True or false
Communicating ethical values by way of an impressive document does ensure that they are being followed
False
Communicating ethical values by way of an impressive document does not ensure that they are being followed
Management must act on violations of the code of conduct, as the messages sent by their actions in these situations quickly become embodied in the organizational culture.
How is this achieved?
- Penalties for personnel who violate the code
- mechanisms to encourage personnel to report suspected violations
- disciplinary actions against personnel who fail to report violations
What overall framework does the organization's hierarchical structure provide?
Planning, organizing, directing and controlling operations
What factors should be taken into consideration when evaluating the organizational structure?
- The organizational structure should be suitable for the type of org
- grouping of activities
What should be considered when forming an organizational structure?
The form and nature of an organization’s business units, related management functions and reporting relationships
What is the ideal effect of the organizational structure?
The organizational structure should be able to provide the necessary information to managers to enable them to manage the organization
Explain grouping of activities
In the functional approach, the org is structured along the lines of the major functions such as production, marketing, personnel and finance.
The benefit is the specialized concentration of authority that flows down through the various organizational levels.
The disadvantage is that key decisions must be coordinated and made at the top, restricting the possibility of more urgently needed responses at field level
State the factors that should be considered when discussing methods used to communicate tasks and responsibilities to personnel
- organizational policy regarding such matters as acceptable business practices, conflicts of interest and other code of conduct
- assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objectives, operating functions and regulatory requirements
- job descriptions delineating specific duties, reporting relationships, and constraints
- computer system documentation indicating the procedures for authorising transactions and approving systems changes
It is important for internal auditors to realize that personnel can only execute their duties if they know what is expected of them.
State the methods to communicate these authorities and responsibilities.
- an organizational code of conduct
- memorandums from SM, setting out the importance of control-related activities
- formal organizational and operational plans
- a manual on accounting policies and procedures
- an organizational chart
- job descriptions
- clear boundaries of authority
What does the human resources management affect?
The organization's ability to appoint adequate, competent personnel in order for the organization to achieve its objectives
What does human resources management include?
The rules of the org regarding the appointment, training, evaluation, promotion and remuneration of personnel, and the supply of sufficient resources to the personnel which they may need in order to carry out their responsibilities
How can personnel practices be categorised in terms of human resources management?
- The appointment and evaluation of personnel
- personnel scheduling
- regular rotation of duties, within limits
- career path possibilities
- the formalisation of personnel practices
- exercising psychological control by striving to maintain a high morale amongst personnel
Explain the appointment and evaluation of personnel in terms of human resources management
When appointing personnel, a formal evaluation process should be followed. Personnel should be evaluated periodically to determine their progress and to identify opportunities for further training
Explain personnel scheduling in terms of human resources
Regular scheduling of personnel in respect of tasks should take place. Also, the assignment of personnel's tasks and duties should take the annual leave of personnel into consideration
Explain regular rotation of duties, within limits
- To combat fraud
- To allow for alternation in tasks to be promoted, rotation of duties should be implemented
- Rotation of duties should be applied with great caution, as personnel must have the necessary level of training in order to perform the various tasks and not to create any further opportunity for fraud to take place
Explain career path possibilities
Clear career path possibilities must be made known to the personnel in order to create promotion possibilities
Explain the formalization of personnel practices
Personnel practices should be contained in a formal document so that personnel are made aware of intolerable practices
Explain exercising psychological control by striving to maintain a high morale amongst personnel
Management may not be responsible for the psychological well-being of every individual in the workplace, but the way personnel are treated can play an important role in the morale amongst personnel
Disclose the classifications of internal control activities
- Preventative controls
- Detective controls
- Corrective controls
Explain preventative controls
When built into a system, preventative controls forestall errors and thereby avoid the cost of correction.
More cost-effective than other controls
What are included in preventative controls?
- trustworthy, competent people
- segregation of duties to prevent intentional wrongdoing
- proper authorization to prevent improper use of organizational resources
- adequate documentation and records as well as proper record keeping procedures to deter improper transactions
- a physical control over assets to prevent their improper conversion or use
Explain detective controls
- usually more expensive than preventative controls
- measure the effectiveness of the preventative controls
- some errors cannot be effectively controlled through a system of prevention; they must be detected when they occur
- detection includes reviews and comparisons
Explain corrective controls
- take over when improper outcomes occur and are detected
- documentation and reporting structures keep problems under management surveillance until they have been solved or the defect corrected
- correction closes the loop that starts with prevention and passes through detection to correction
State the general types of internal control activities
- segregation of duties
- proper authorization of transactions and activities
- adequate documents and records
- safeguarding of assets and information
- independent checks
What is the principal purpose of segregation of duties?
To reduce the opportunities for an individual to make and then conceal errors or irregularities while performing a task.
How can segregation of duties be achieved?
No individual should be responsible for more than one of the following:
- authorising the transactions
- recording the transactions
- executing the transactions or having custody of assets
True or false
An individual is less likely to attempt to commit an irregularity if they must obtain another personnel member’s consent
True
Why should the personnel responsible for recording transactions not also have the responsibility for authorising the transactions?
The org wants to ensure that only valid, authorised transactions take place.
If the personnel member responsible for recording may authorise a transaction, they could create and authorise fake transactions, in order to balance the accounts
Why should personnel who have access to or control physical assets not be able to authorise transactions?
The same person should not be able to authorise a payment to a supplier and sign the cheque, as the money in the bank is a form of asset
Should there be a segregation of custody of assets from the recording function?
Yes, to prevent the personnel member from disposing of assets for personal gain and then adjusting the records to cover the fraudulent action
True or false
Every transaction must be properly authorised and any transaction should be executed and recorded if controls are to be satisfactory
False
Every transaction must be properly authorised and only valid transactions should be executed and recorded if controls are to be satisfactory
Explain the distinction between authorization and approval
- General authorization: management establishes policies for the org to follow. The policies and procedures required for authorising transactions are often documented in a manual.
- Specific authorization has to do with individual transactions. These are normally more significant transactions and require authorization from a higher level of management
Discuss adequate documents and records
- Source documents should be:
  - sequentially pre-numbered to facilitate control over completeness of recording and over unused/missing documents
  - prepared at the time the transaction takes place to increase the likelihood of accurately recording details of the transaction
  - designed to obtain sufficient details, in a certain order, to fulfil business and accounting needs
  - sufficiently simple to complete to ensure that they are understood and accurately completed
  - provided with space for signature(s) to identify responsibility for the preparation and/or authorization of the document
  - designed for multiple use, whenever possible, to minimise the number of forms and the times the information must be copied. Here multiple coloured copies work well
Explain safeguarding of assets and information
Assets, accounting records and other information and documentation must be physically protected and access to these should be limited. The use of physical precautions has proved to be effective in safeguarding assets.
Providing sufficient insurance is another form of safeguarding the assets.
Explain independent reviews
The careful and continuous review of the other 4 control activities by independent senior management and IA.
Personnel are likely to forget or intentionally fail to follow procedures, or become careless, unless someone observes and evaluates their performance.
What is an essential characteristic of the person(s) performing internal verification activities? (Independent reviews)
Independence from the individuals originally responsible for preparing the data
State the internal control responsibility of management
Management designs and implements control activities and is accountable to the board in this regard. Management has to keep in mind the objectives of internal control when designing an internal control structure.
What is the external auditors' internal control responsibility?
To express an opinion on the reasonableness of the financial statements. When performing a financial audit, they only examine those controls that relate to the financial statements; therefore, the focus is on the evaluation of financial records, accounting systems and related internal controls
What is the internal control responsibility of internal auditors?
- The internal audit activity should assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
- Internal auditing must identify what may go wrong, preventing the org from achieving its objectives, and whether the controls in place will prevent these from occurring, before it can assess the effectiveness of the controls implemented by management
State the advantages of internal control
- Internal control can assist an org to:
- achieve its goals for profitability and outputs
- prevent resource losses
- promote reliable financial reporting
- ensure compliance with legislation and regulation
- prevent the reputation of the org becoming tarnished and the related results
State the disadvantages/limitations of internal control
- Internal control cannot do either of the following:
- Ensure an org’s success
- Ensure the reliability of financial reporting and compliance with legislation and regulations
Why cannot internal controls ensure an org’s success?
Internal controls cannot change management from bad to good.
Factors such as government policy and economic factors are beyond the scope of internal control activities
Why cannot internal controls ensure the reliability of financial reporting and compliance with legislation and regulations
- Certain limitations are inherent to all structures of internal control, such as:
- faulty judgement being applied in the decision making process
- ordinary errors being made
- collusion between two or more persons invalidating the structure of internal control
- management having the ability to override the structure
- the design of a system of internal control being limited by available resources, so that the advantages arising from the control have to be compared to the cost
State the two divisions of IT control
- General controls
- Application controls
Define general controls (IT controls)
As having pervasive effects, meaning that if they are weak or absent, they may negate the effects of the application controls.
These controls are not software specific, and control the environment in which system and application software operate
What do general controls include?
- organisational controls related to IT personnel
- standard operating procedures for systems
- system documentation controls
- system development and program change controls
- hardware and software controls
- security controls related to IT
Explain application controls (IT controls)
They relate to specific software programs and systems in the org.
These controls are designed to ensure completeness, accuracy, authorization and validity of data captured and processed.
Edit checks are checks (controls) programmed into a system or software program to ensure that errors in data will be detected.
Application controls are divided into input, processing and output controls.