evaluation of internal control mechanism in audit of autonomous bodies
TRANSCRIPT
Evaluation of Evaluation of Internal control Internal control
mechanism in Audit mechanism in Audit of Autonomous of Autonomous
BodiesBodies
What is Internal ControlWhat is Internal Control
Internal control is a processInternal control is a process Internal control is effected by peopleInternal control is effected by people Internal control is geared to the Internal control is geared to the
achievement of objectivesachievement of objectives Internal control cannot be expected Internal control cannot be expected
to provide absolute assurance of the to provide absolute assurance of the achievement of objectivesachievement of objectives
As defined by Committee of As defined by Committee of Sponsoring Organisations Sponsoring Organisations
(COSO), USA(COSO), USA Process effected by entities Process effected by entities
management and other personnel management and other personnel designed to provide reasonable designed to provide reasonable assurance regarding the achievement assurance regarding the achievement of objectives in the following three of objectives in the following three broad categoriesbroad categories Effectiveness and efficiency of operationsEffectiveness and efficiency of operations Reliability of financial reportingReliability of financial reporting Compliance with applicable laws and Compliance with applicable laws and
regulationsregulations
As defined by the Internal As defined by the Internal controls standards committee of controls standards committee of
INTOSAIINTOSAI Integral process to provide reasonable Integral process to provide reasonable
assurance that the following general assurance that the following general objectives are being achievedobjectives are being achieved Fulfilling accountability obligationsFulfilling accountability obligations Complying with applicable laws and regulationsComplying with applicable laws and regulations Executing orderly, ethical, economical, efficient and Executing orderly, ethical, economical, efficient and
effective operations effective operations Safeguarding resources against lossSafeguarding resources against loss
Internal control is a dynamic integral process Internal control is a dynamic integral process and management at all levels have to be and management at all levels have to be involved to provide reasonable assurance of involved to provide reasonable assurance of the achievement of its objectivesthe achievement of its objectives
Components of internal Components of internal controlscontrols
Control environment - Assignment of Control environment - Assignment of Authority and ResponsibilityAuthority and Responsibility
Risk assessmentRisk assessment Information and communicationInformation and communication MonitoringMonitoring Control activitiesControl activities
(1) Control Environment(1) Control Environment It sets the tone of an organization, It sets the tone of an organization,
influencing the control influencing the control consciousness of its staffconsciousness of its staff
It is foundation for all other It is foundation for all other components of internal control.components of internal control.
It provides discipline and structure.It provides discipline and structure.
(1) Control Environment(1) Control EnvironmentElements of Control environmentElements of Control environment
Personnel and professional integrity and Personnel and professional integrity and ethical values of management and staff.ethical values of management and staff.
Supportive attitude towards internal Supportive attitude towards internal control at all times.control at all times.
Commitment to competence.Commitment to competence. The “ tone at the top” (Management’s The “ tone at the top” (Management’s
philosophy and operating style)philosophy and operating style) Organization structureOrganization structure Human resource policies and practices.Human resource policies and practices.
Elements of Control Elements of Control environmentenvironment
Preferences and value standards of Preferences and value standards of Management and staff as reflected in Management and staff as reflected in their standards of behaviour.their standards of behaviour.
All should maintain and demonstrate All should maintain and demonstrate personal and professional integrity personal and professional integrity and ethical valuesand ethical values
All should exhibit a supportive All should exhibit a supportive attitude toward internal control at all attitude toward internal control at all times through out the organizationtimes through out the organization
Elements of Control Elements of Control environment – contd…environment – contd…
Managers and employees have to comply Managers and employees have to comply with the applicable codes of conduct at with the applicable codes of conduct at all times. Eg. disclosure of personal all times. Eg. disclosure of personal financial interest, outside position and financial interest, outside position and gift and reporting conflicts of interestgift and reporting conflicts of interest
Public organization should make visible Public organization should make visible to the public, integrity and ethical to the public, integrity and ethical values.values.
Behaviour of staff should be consistent Behaviour of staff should be consistent with mission.with mission.
Elements of Control Elements of Control environment – contd…environment – contd…Commitment to competenceCommitment to competence
includes the level of knowledge and skill includes the level of knowledge and skill needed to help effective performanceneeded to help effective performance
includes good understanding of individual includes good understanding of individual responsibilities with respect to internal responsibilities with respect to internal control.control.
Managers and employees are to maintain a Managers and employees are to maintain a level of competence that allows them to level of competence that allows them to understand the importance of developing understand the importance of developing and maintaining good internal control and and maintaining good internal control and to perform their duties in order to to perform their duties in order to accomplish the general objectives.accomplish the general objectives.
Elements of Control Elements of Control environment – contd…environment – contd…
Commitment to competenceCommitment to competence Every one should be involved in Every one should be involved in
internal control with his/her own internal control with his/her own specific responsibilities.specific responsibilities.
Managers and staff must therefore Managers and staff must therefore maintain and demonstrate a level of maintain and demonstrate a level of skill necessary to assess risk and skill necessary to assess risk and help ensure effective and efficient help ensure effective and efficient performance.performance.
Elements of Control Elements of Control environment – contd…environment – contd…
Tone at the topTone at the top Management’s philosophy and operating Management’s philosophy and operating
style reflects:style reflects: a supportive attitude towards internal a supportive attitude towards internal
control at all times, independence, control at all times, independence, competence and leading by example;competence and leading by example;
a code of conduct set out by a code of conduct set out by management and counseling management and counseling performance appraisals that support the performance appraisals that support the internal control objectives and that of internal control objectives and that of ethical operations.ethical operations.
Elements of Control Elements of Control environment – contd…environment – contd…
Tone at the topTone at the top If the top management believes that internal If the top management believes that internal
control is important, others in organization control is important, others in organization will sense that and will respond by will sense that and will respond by conscientiously observing the controls conscientiously observing the controls established.established.
If organization feel’s that control is not If organization feel’s that control is not important, it is certain that the organisation’s important, it is certain that the organisation’s control objectives will not be achieved.control objectives will not be achieved.
Demonstration of insistence on ethical Demonstration of insistence on ethical conduct by management is of vital conduct by management is of vital importance.importance.
Elements of Control Elements of Control environment – contd…environment – contd…
Organisational structureOrganisational structure Assignment of authority and responsibilityAssignment of authority and responsibility Empowerment and accountabilityEmpowerment and accountability Appropriate lines of reportingAppropriate lines of reporting Alternate lines of reporting Alternate lines of reporting
(whistleblower)(whistleblower) The organizational structure defines the The organizational structure defines the
entity’s key areas of authority and entity’s key areas of authority and responsibility.responsibility.
Internal Audit that reports to the top Internal Audit that reports to the top managementmanagement
Elements of Control Elements of Control environment – contd…environment – contd…
HR policies and practicesHR policies and practices Hiring and staffing decisions should Hiring and staffing decisions should
include assurance that individuals have the include assurance that individuals have the integrity and the proper education and integrity and the proper education and experience to carry out their jobs and that experience to carry out their jobs and that necessary formal, on the job, and ethics necessary formal, on the job, and ethics training is provided. training is provided.
Securing the openness of selection process Securing the openness of selection process by publishing both the recruitment rules by publishing both the recruitment rules and vacant positions also helps to realize and vacant positions also helps to realize ethical human resource management.ethical human resource management.
(2) Control Activities(2) Control Activities Control activities are policies and Control activities are policies and
procedures established to address procedures established to address risk and to achieve the entity’s risk and to achieve the entity’s objectives.objectives.
To be effective, control activities To be effective, control activities must be appropriate, at all levels must be appropriate, at all levels and in all functions. They include a and in all functions. They include a range of range of detectivedetective and and preventivepreventive control activities.control activities.
(2) Control Activities (2) Control Activities (contd…)(contd…)
Detective and preventive control Detective and preventive control activitiesactivities
Authorization and approval procedureAuthorization and approval procedure Segregation of duties (authorizing, Segregation of duties (authorizing,
processing, recording, reviewing)processing, recording, reviewing) Control over access to resources and Control over access to resources and
recordsrecords VerificationsVerifications ReconciliationReconciliation
(2) Control Activities (2) Control Activities (contd…)(contd…)
Detective and preventive control Detective and preventive control activitiesactivities
Reviews of operating performanceReviews of operating performance Reviews of operations, processes and Reviews of operations, processes and
activitiesactivities Supervision (assigning, reviewing and Supervision (assigning, reviewing and
approving, guidance and training.)approving, guidance and training.) Entities should reach an adequate Entities should reach an adequate
balance between detective and balance between detective and preventive control activities.preventive control activities.
(3) Risk assessment(3) Risk assessment Precondition for risk assessment is Precondition for risk assessment is
that there is ‘clear and consistent that there is ‘clear and consistent agency objectives’agency objectives’
Risk assessment is the identification Risk assessment is the identification and analysis of relevant risks and analysis of relevant risks associated with achieving the associated with achieving the objectives and forming a basis for objectives and forming a basis for determining how risk should be determining how risk should be managed.managed.
(3) Risk assessment (3) Risk assessment (contd…)(contd…)
Four types of responses to risk must Four types of responses to risk must be considered : be considered : TransferTransfer ToleranceTolerance Treatment &Treatment & Termination Termination
Of these, risk treatment is the most Of these, risk treatment is the most relevant to these guidelines because relevant to these guidelines because effective internal control is the effective internal control is the major mechanism to treat the risk.major mechanism to treat the risk.
(4) Information and (4) Information and CommunicationCommunication
GAO standards on Internal Control’s guidance on GAO standards on Internal Control’s guidance on ‘information and communication’ - “‘information and communication’ - “Information Information should be recorded, communicated to should be recorded, communicated to management and others within the entity who management and others within the entity who need it and in a form and within a time frame that need it and in a form and within a time frame that enable them to carry out their internal control and enable them to carry out their internal control and other responsibilities”.other responsibilities”.
A Pre-condition for reliable and relevant A Pre-condition for reliable and relevant information is the prompt recording and information is the prompt recording and proper classification of transactions and proper classification of transactions and events.events.
All transactions and significant events All transactions and significant events should be fully documentedshould be fully documented
(4) Information and (4) Information and Communication (contd…)Communication (contd…)
For an entity to run and control its For an entity to run and control its operations, it must have relevant, operations, it must have relevant, reliable and timely communications reliable and timely communications relating to internal as well as external relating to internal as well as external events. Information is needed events. Information is needed throughout the agency to achieve all of throughout the agency to achieve all of its objectives.its objectives.
Effective communication should occur in Effective communication should occur in broad sense with information flowing broad sense with information flowing down, across and up the organization.down, across and up the organization.
(5) Monitoring(5) MonitoringConcept of monitoringConcept of monitoring Internal control deteriorates over Internal control deteriorates over
time if not properly maintained.time if not properly maintained. It is necessary to check the It is necessary to check the
functioning of internal control functioning of internal control through quality assurance unit andthrough quality assurance unit and
Focus review of specific operational Focus review of specific operational areas through management audit or areas through management audit or performance audit.performance audit.
Management(tone at the top) Management(tone at the top) involvement in internal control is involvement in internal control is crucial for effectiveness.crucial for effectiveness.
(5) Monitoring (contd…)(5) Monitoring (contd…) Monitoring quality of internal control is Monitoring quality of internal control is
accomplished through routine activities, accomplished through routine activities, separate evaluations or combination of both.separate evaluations or combination of both.
Ongoing monitoring of internal control is Ongoing monitoring of internal control is built in to the activity of entity.built in to the activity of entity.
Ongoing monitoring activities cover each of Ongoing monitoring activities cover each of the internal control components and involve the internal control components and involve action against irregular, unethical, action against irregular, unethical, uneconomical, inefficient and ineffective uneconomical, inefficient and ineffective control system. control system.
Monitoring is aimed at ensuring that Monitoring is aimed at ensuring that controls are operating as intended and are controls are operating as intended and are modified for changes in conditions.modified for changes in conditions.
Objectives of evaluation of Objectives of evaluation of Internal ControlsInternal Controls
To check whether To check whether Internal control systems have been Internal control systems have been
prescribed and documentedprescribed and documented Systems are adequateSystems are adequate Management implements these in the Management implements these in the
manner prescribedmanner prescribed Management periodically reviews them Management periodically reviews them
through internal audit and takes through internal audit and takes corrective measurescorrective measures
Evaluating Internal Evaluating Internal Controls – Control Controls – Control
EnvironmentEnvironment By looking and consulting By looking and consulting
organisational chart see that organisational chart see that organisation has vertical and lateral organisation has vertical and lateral channels of communication.channels of communication.
Auditor should examine the Auditor should examine the documentation regarding delegation documentation regarding delegation of authority and plans of succession.of authority and plans of succession.
Auditor also should see the span of Auditor also should see the span of control.control.
Evaluating Internal Evaluating Internal Controls – Control Controls – Control
EnvironmentEnvironment Auditor should examine the number of Auditor should examine the number of
vacancies in organisation’s vacancies in organisation’s management and how many persons management and how many persons are in acting capacityare in acting capacity
It should also be seen that whether any It should also be seen that whether any arrangements for ensuring continuity of arrangements for ensuring continuity of operations in case of temporary operations in case of temporary absence of top management.absence of top management.
Evaluating Internal Evaluating Internal Controls – Control Controls – Control
EnvironmentEnvironment To examine integrity and ethical values To examine integrity and ethical values
demonstrated by management see demonstrated by management see that it is free from any pressurethat it is free from any pressure
Adherence to the conduct rules may be Adherence to the conduct rules may be seenseen
Previous reports may be examined to Previous reports may be examined to see abovesee above
Auditor may also see the kind of values Auditor may also see the kind of values reflected in the behaviour.reflected in the behaviour.
Evaluating Internal Evaluating Internal Controls – Control Controls – Control
EnvironmentEnvironment Management’s commitment to Management’s commitment to
competence as well as its philosophy and competence as well as its philosophy and operating style may examine with the operating style may examine with the help of managements approach towards help of managements approach towards human resource issues, way of decision human resource issues, way of decision making, way of problem solving and their making, way of problem solving and their active application.active application.
For this purpose auditor may examine For this purpose auditor may examine human resource policies.human resource policies.
Evaluating Internal Evaluating Internal Controls – Control Controls – Control
EnvironmentEnvironmentFollowing issues are also to be examined -Following issues are also to be examined - Employee turnover in organisationEmployee turnover in organisation Succession planningSuccession planning Procedure of decision makingProcedure of decision making Use of inputs received from Use of inputs received from
subordinatessubordinates Process of problem solving (Whether it is Process of problem solving (Whether it is
participative or directive or mixture of participative or directive or mixture of both)both)
Evaluating Internal Evaluating Internal Controls – Risk AssessmentControls – Risk Assessment
See whether information supplied by branch See whether information supplied by branch offices of the organisation is reliable.offices of the organisation is reliable.
Also see whether the coordinating units Also see whether the coordinating units evaluate data suppliedevaluate data supplied
Examine the procedure for data verification. Examine the procedure for data verification. See whether procedures have been adhered See whether procedures have been adhered toto
Also see whether procedures exist to Also see whether procedures exist to remedy if the data turned to be inaccurate.remedy if the data turned to be inaccurate.
Evaluating Internal Evaluating Internal Controls – Risk AssessmentControls – Risk Assessment
See the factors which has impact on See the factors which has impact on the program.the program.
Examine the funding and see if the Examine the funding and see if the funds have been cut and what has funds have been cut and what has been the impact on internal control.been the impact on internal control.
See the risk factor in respect of See the risk factor in respect of funding.funding.
See the controls instituted to ensure See the controls instituted to ensure the appropriate use of funds.the appropriate use of funds.
Evaluating Internal Evaluating Internal Controls - InformationControls - Information
See that information available regarding See that information available regarding management decision making is relevant, management decision making is relevant, reliable and timely.reliable and timely.
Is it reliable for external reporting Is it reliable for external reporting purposes. purposes.
Examine the data use for decisions Examine the data use for decisions Examine whether crosschecks of data was Examine whether crosschecks of data was
carried out.carried out. See the documentary evidence for use of See the documentary evidence for use of
correct data and to see how it is used.correct data and to see how it is used.
Evaluating Internal Evaluating Internal Controls - CommunicationControls - Communication
See that effective and reliable internal See that effective and reliable internal communication between management and communication between management and stakeholder is available.stakeholder is available.
See whether organisation allow for easy flow See whether organisation allow for easy flow of information back or forth.of information back or forth.
See what is the process for notifying the See what is the process for notifying the management of the problems. Examine the management of the problems. Examine the procedure. Examine documents to see if procedure. Examine documents to see if stated procedure is adhered to . stated procedure is adhered to .
Examine documentary evidence to see if the Examine documentary evidence to see if the problem reported are considered and acted problem reported are considered and acted upon.upon.
Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities Examine design and implementation of Examine design and implementation of
policies and procedures for managing policies and procedures for managing the programme.the programme.
See whether indices have been See whether indices have been established to monitor performance of established to monitor performance of organisation. organisation.
See that performance measures were See that performance measures were reviewed. See whether performance reviewed. See whether performance measures related to mission goals and measures related to mission goals and objective.objective.
Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities See that performance data are See that performance data are
continually monitored and analyzed.continually monitored and analyzed. Examine whether policies to Examine whether policies to
safeguard assets are known to all safeguard assets are known to all Examine whether the organisation Examine whether the organisation
has identified and ensured adequate has identified and ensured adequate protection for its critical issue protection for its critical issue operationsoperations
Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities Are assets like cash, assets Are assets like cash, assets
vulnerable to theft are vulnerable to theft are adequately guarded.adequately guarded.
See that stock verification See that stock verification procedures are adequate and procedures are adequate and are they adhered to.are they adhered to.
Has the organisation adequate Has the organisation adequate protection to funds.protection to funds.
Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities See whether organisation established See whether organisation established
criteria for identifying the grantees for criteria for identifying the grantees for aid. See the criteria.aid. See the criteria.
See whether risk assessments performed See whether risk assessments performed and documented when systems are and documented when systems are changed.changed.
See whether data sensitivity and See whether data sensitivity and integrity is considered in risk integrity is considered in risk assessmentsassessments
Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities See whether wide security programme See whether wide security programme
exists.exists. See whether access to information See whether access to information
software code is suitably restricted.software code is suitably restricted. See whether contingency plan for See whether contingency plan for
ensuring continuity of service exists.ensuring continuity of service exists. See whether transactions are properly See whether transactions are properly
and promptly classified. Supporting and promptly classified. Supporting records properly maintained.records properly maintained.
Evaluating Internal Evaluating Internal Controls – Internal Control Controls – Internal Control
Questionnaire (ICQ)Questionnaire (ICQ) ICQ is a great tool for evaluating and ICQ is a great tool for evaluating and
understanding an Internal Control understanding an Internal Control system. It contains a series of pre-system. It contains a series of pre-designed questions which the designed questions which the auditor may wish to ask.auditor may wish to ask.
Widely used.Widely used.
Limitations of Internal Limitations of Internal ControlsControls
Can provide only reasonable and not Can provide only reasonable and not absolute assurance about the absolute assurance about the achievement of the entities objectives achievement of the entities objectives
As it depends on human factor, is As it depends on human factor, is subject to flaws in design, errors of subject to flaws in design, errors of judgment or interpretation, judgment or interpretation, misunderstanding, collusion, fatigue misunderstanding, collusion, fatigue etc.etc.
Design of an internal control system Design of an internal control system faces resource constraintsfaces resource constraints
Objectives of assessment of Objectives of assessment of Internal ControlsInternal Controls
To check whether To check whether Internal control systems have been Internal control systems have been
prescribed and documentedprescribed and documented Systems are adequateSystems are adequate Management implements these in the Management implements these in the
manner prescribedmanner prescribed Management periodically reviews them Management periodically reviews them
through internal audit and takes through internal audit and takes corrective measurescorrective measures