420 likes | 441 Views
Evaluation of Internal control mechanism in Audit of Autonomous Bodies. What is Internal Control. Internal control is a process Internal control is effected by people Internal control is geared to the achievement of objectives
E N D
Evaluation of Internal control mechanism in Audit of Autonomous Bodies
What is Internal Control • Internal control is a process • Internal control is effected by people • Internal control is geared to the achievement of objectives • Internal control cannot be expected to provide absolute assurance of the achievement of objectives
As defined by Committee of Sponsoring Organisations (COSO), USA • Process effected by entities management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following three broad categories • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations
As defined by the Internal controls standards committee of INTOSAI • Integral process to provide reasonable assurance that the following general objectives are being achieved • Fulfilling accountability obligations • Complying with applicable laws and regulations • Executing orderly, ethical, economical, efficient and effective operations • Safeguarding resources against loss • Internal control is a dynamic integral process and management at all levels have to be involved to provide reasonable assurance of the achievement of its objectives
Components of internal controls • Control environment - Assignment of Authority and Responsibility • Risk assessment • Information and communication • Monitoring • Control activities
(1) Control Environment • It sets the tone of an organization, influencing the control consciousness of its staff • It is foundation for all other components of internal control. • It provides discipline and structure.
(1) Control Environment Elements of Control environment • Personnel and professional integrity and ethical values of management and staff. • Supportive attitude towards internal control at all times. • Commitment to competence. • The “ tone at the top” (Management’s philosophy and operating style) • Organization structure • Human resource policies and practices.
Elements of Control environment • Preferences and value standards of Management and staff as reflected in their standards of behaviour. • All should maintain and demonstrate personal and professional integrity and ethical values • All should exhibit a supportive attitude toward internal control at all times through out the organization
Elements of Control environment – contd… • Managers and employees have to comply with the applicable codes of conduct at all times. Eg. disclosure of personal financial interest, outside position and gift and reporting conflicts of interest • Public organization should make visible to the public, integrity and ethical values. • Behaviour of staff should be consistent with mission.
Elements of Control environment – contd… Commitment to competence • includes the level of knowledge and skill needed to help effective performance • includes good understanding of individual responsibilities with respect to internal control. • Managers and employees are to maintain a level of competence that allows them to understand the importance of developing and maintaining good internal control and to perform their duties in order to accomplish the general objectives.
Elements of Control environment – contd… Commitment to competence • Every one should be involved in internal control with his/her own specific responsibilities. • Managers and staff must therefore maintain and demonstrate a level of skill necessary to assess risk and help ensure effective and efficient performance.
Elements of Control environment – contd… Tone at the top • Management’s philosophy and operating style reflects: • a supportive attitude towards internal control at all times, independence, competence and leading by example; • a code of conduct set out by management and counseling performance appraisals that support the internal control objectives and that of ethical operations.
Elements of Control environment – contd… Tone at the top • If the top management believes that internal control is important, others in organization will sense that and will respond by conscientiously observing the controls established. • If organization feel’s that control is not important, it is certain that the organisation’s control objectives will not be achieved. • Demonstration of insistence on ethical conduct by management is of vital importance.
Elements of Control environment – contd… Organisational structure • Assignment of authority and responsibility • Empowerment and accountability • Appropriate lines of reporting • Alternate lines of reporting (whistleblower) • The organizational structure defines the entity’s key areas of authority and responsibility. • Internal Audit that reports to the top management
Elements of Control environment – contd… HR policies and practices • Hiring and staffing decisions should include assurance that individuals have the integrity and the proper education and experience to carry out their jobs and that necessary formal, on the job, and ethics training is provided. • Securing the openness of selection process by publishing both the recruitment rules and vacant positions also helps to realize ethical human resource management.
(2) Control Activities • Control activities are policies and procedures established to address risk and to achieve the entity’s objectives. • To be effective, control activities must be appropriate, at all levels and in all functions. They include a range of detective and preventive control activities.
(2) Control Activities (contd…) Detective and preventive control activities • Authorization and approval procedure • Segregation of duties (authorizing, processing, recording, reviewing) • Control over access to resources and records • Verifications • Reconciliation
(2) Control Activities (contd…) Detective and preventive control activities • Reviews of operating performance • Reviews of operations, processes and activities • Supervision (assigning, reviewing and approving, guidance and training.) • Entities should reach an adequate balance between detective and preventive control activities.
(3) Risk assessment • Precondition for risk assessment is that there is ‘clear and consistent agency objectives’ • Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives and forming a basis for determining how risk should be managed.
(3) Risk assessment (contd…) • Four types of responses to risk must be considered : • Transfer • Tolerance • Treatment & • Termination • Of these, risk treatment is the most relevant to these guidelines because effective internal control is the major mechanism to treat the risk.
(4) Information and Communication • GAO standards on Internal Control’s guidance on ‘information and communication’ - “Information should be recorded, communicated to management and others within the entity who need it and in a form and within a time frame that enable them to carry out their internal control and other responsibilities”. • A Pre-condition for reliable and relevant information is the prompt recording and proper classification of transactions and events. • All transactions and significant events should be fully documented
(4) Information and Communication (contd…) • For an entity to run and control its operations, it must have relevant, reliable and timely communications relating to internal as well as external events. Information is needed throughout the agency to achieve all of its objectives. • Effective communication should occur in broad sense with information flowing down, across and up the organization.
(5) Monitoring Concept of monitoring • Internal control deteriorates over time if not properly maintained. • It is necessary to check the functioning of internal control through quality assurance unit and • Focus review of specific operational areas through management audit or performance audit. • Management(tone at the top) involvement in internal control is crucial for effectiveness.
(5) Monitoring (contd…) • Monitoring quality of internal control is accomplished through routine activities, separate evaluations or combination of both. • Ongoing monitoring of internal control is built in to the activity of entity. • Ongoing monitoring activities cover each of the internal control components and involve action against irregular, unethical, uneconomical, inefficient and ineffective control system. • Monitoring is aimed at ensuring that controls are operating as intended and are modified for changes in conditions.
Objectives of evaluation of Internal Controls • To check whether • Internal control systems have been prescribed and documented • Systems are adequate • Management implements these in the manner prescribed • Management periodically reviews them through internal audit and takes corrective measures
Evaluating Internal Controls – Control Environment • By looking and consulting organisational chart see that organisation has vertical and lateral channels of communication. • Auditor should examine the documentation regarding delegation of authority and plans of succession. • Auditor also should see the span of control.
Evaluating Internal Controls – Control Environment • Auditor should examine the number of vacancies in organisation’s management and how many persons are in acting capacity • It should also be seen that whether any arrangements for ensuring continuity of operations in case of temporary absence of top management.
Evaluating Internal Controls – Control Environment • To examine integrity and ethical values demonstrated by management see that it is free from any pressure • Adherence to the conduct rules may be seen • Previous reports may be examined to see above • Auditor may also see the kind of values reflected in the behaviour.
Evaluating Internal Controls – Control Environment • Management’s commitment to competence as well as its philosophy and operating style may examine with the help of managements approach towards human resource issues, way of decision making, way of problem solving and their active application. • For this purpose auditor may examine human resource policies.
Evaluating Internal Controls – Control Environment Following issues are also to be examined - • Employee turnover in organisation • Succession planning • Procedure of decision making • Use of inputs received from subordinates • Process of problem solving (Whether it is participative or directive or mixture of both)
Evaluating Internal Controls – Risk Assessment • See whether information supplied by branch offices of the organisation is reliable. • Also see whether the coordinating units evaluate data supplied • Examine the procedure for data verification. See whether procedures have been adhered to • Also see whether procedures exist to remedy if the data turned to be inaccurate.
Evaluating Internal Controls – Risk Assessment • See the factors which has impact on the program. • Examine the funding and see if the funds have been cut and what has been the impact on internal control. • See the risk factor in respect of funding. • See the controls instituted to ensure the appropriate use of funds.
Evaluating Internal Controls - Information • See that information available regarding management decision making is relevant, reliable and timely. • Is it reliable for external reporting purposes. • Examine the data use for decisions • Examine whether crosschecks of data was carried out. • See the documentary evidence for use of correct data and to see how it is used.
Evaluating Internal Controls - Communication • See that effective and reliable internal communication between management and stakeholder is available. • See whether organisation allow for easy flow of information back or forth. • See what is the process for notifying the management of the problems. Examine the procedure. Examine documents to see if stated procedure is adhered to . • Examine documentary evidence to see if the problem reported are considered and acted upon.
Evaluating Internal Controls – Control Activities • Examine design and implementation of policies and procedures for managing the programme. • See whether indices have been established to monitor performance of organisation. • See that performance measures were reviewed. See whether performance measures related to mission goals and objective.
Evaluating Internal Controls – Control Activities • See that performance data are continually monitored and analyzed. • Examine whether policies to safeguard assets are known to all • Examine whether the organisation has identified and ensured adequate protection for its critical issue operations
Evaluating Internal Controls – Control Activities • Are assets like cash, assets vulnerable to theft are adequately guarded. • See that stock verification procedures are adequate and are they adhered to. • Has the organisation adequate protection to funds.
Evaluating Internal Controls – Control Activities • See whether organisation established criteria for identifying the grantees for aid. See the criteria. • See whether risk assessments performed and documented when systems are changed. • See whether data sensitivity and integrity is considered in risk assessments
Evaluating Internal Controls – Control Activities • See whether wide security programme exists. • See whether access to information software code is suitably restricted. • See whether contingency plan for ensuring continuity of service exists. • See whether transactions are properly and promptly classified. Supporting records properly maintained.
Evaluating Internal Controls – Internal Control Questionnaire (ICQ) • ICQ is a great tool for evaluating and understanding an Internal Control system. It contains a series of pre-designed questions which the auditor may wish to ask. • Widely used.
Limitations of Internal Controls • Can provide only reasonable and not absolute assurance about the achievement of the entities objectives • As it depends on human factor, is subject to flaws in design, errors of judgment or interpretation, misunderstanding, collusion, fatigue etc. • Design of an internal control system faces resource constraints
Objectives of assessment of Internal Controls • To check whether • Internal control systems have been prescribed and documented • Systems are adequate • Management implements these in the manner prescribed • Management periodically reviews them through internal audit and takes corrective measures