Kaplan's internal control study material

Upload: ayesha-rehan-mirza

Post on 03-Jun-2018


  • 8/13/2019 Kaplan's Internal Control Study Material


    Internal control systems

    Internal control and risk management are fundamental components of good corporate governance. Good corporate governance means that the board must identify and manage all risks for a company. In terms of risk management, internal control systems span finance, operations, compliance and other areas, i.e. all the activities of the company.

    Internal control definitions

    Controls attempt to ensure that risks, those factors which stop the achievement of company objectives, are minimised.

    An internal control system comprises the whole network of systems established in an organisation to provide reasonable assurance that organisational objectives will be achieved.

    Internal management control refers to the procedures and policies in place to ensure that company objectives are achieved. The control procedures and policies provide the detailed controls implemented within the company.

    Risk Management

    The UK Corporate Governance Code recommends that 'The board should maintain sound risk management and internal control systems'.

    The Cadbury Report noted that risk management should be systematic and also embedded in company procedures. Furthermore there should be a culture of risk awareness.

    The report's initial definition of risk management was 'the process by which executive management, under board supervision, identifies the risk arising from business and establishes the priorities for control and particular objectives'.

    While Cadbury recognised the need for internal control systems for risk management, detailed advice on application of those controls was provided by the Committee of Sponsoring Organisations (COSO) and the Turnbull Report.

    Internal controls and COSO

    COSO was formed in 1985 to sponsor the national commission on fraudulent reporting. The 'sponsoring organisations' included the American Accounting Association and the American Institute of Certified Public Accountants. COSO now produces guidance on the implementation of internal control systems in large and small companies.

    In COSO, internal control is seen to apply to three aspects of the business:

    (1) Effectiveness and efficiency of operations - that is the basic business objectives including performance goals and safeguarding resources.


    (2) Reliability of financial reporting - including the preparation of any published financial information.

    (3) Compliance with applicable laws and regulations to which the company is subject.

    Internal controls and Turnbull

    The Turnbull committee was established after the publication of the 1998 Combined Code in the UK to provide advice to listed companies on how to implement the internal control principles of the code.

    The overriding requirement of their report was that the directors should:

    (a) implement a sound system of internal controls, and

    (b) that this system should be checked on a regular basis.

    The Turnbull Report requires:

    (a) That internal controls should be established using a risk-based approach. Specifically a company should:

    - Establish business objectives.
    - Identify the associated key risks.
    - Decide upon the controls to address the risks.
    - Set up a system to implement the required controls, including regular feedback.

    (b) That the system should be reviewed on a regular basis. The UK Corporate Governance Code (2010) contains the statement that:

    'The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.'

    Objectives of internal control systems

    A popular misconception is that the internal control system is implemented simply to stop fraud and error. As the points below show, this is not the case.

    A lack of internal control implies that directors have not met their obligations under corporate governance. It specifically means that the risk management strategy of the company will be defective.

    The main objectives of an internal control system are summarised in the Auditing Practices Board (APB) and the COSO guidelines (detail provided below). An internal control system is to ensure, as far as practicable:


    - the orderly and efficient conduct of its business, including adherence to internal policies
    - the safeguarding of assets of the business
    - the prevention and detection of fraud and error
    - the accuracy and completeness of the accounting records, and
    - the timely preparation of financial information.

    Benefits of an internal control system are therefore:

    - Effectiveness and efficiency of operations.
    - Reliability of financial reporting.
    - Compliance with applicable laws and regulations.

    These may further give rise to improved investor confidence.

    Objectives of internal control

    The objectives of an internal control system follow on from the need for internal control in risk management and corporate governance.

    The actual objectives of internal control systems are mentioned in many different publications and reports. Two of those are given below.

    APB objectives

    The APB in the UK provides guidance to auditors with specific reference to the implementation of International Standards on Auditing. A definition of internal controls from the APB is:

    'The internal control system - includes all the policies and procedures (internal records) adopted by the directors and management of an entity to succeed in their objective of ensuring, as far as practicable:


    The main point to note here is that the internal control system encompasses the whole business, not simply the financial records.

    COSO objectives

    COSO defines internal control as 'a process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives', in three particular areas:

    (1) Effectiveness and efficiency of operations.

    (2) Reliability of financial reporting.

    (3) Compliance with applicable laws and regulations.

    This definition contains a number of key concepts which illustrate the pervasiveness of internal control systems in a company.

    Internal control is a process, rather than a structure. It is a continuing series of activities, planned, implemented and monitored by the board of directors and management at all levels within an organisation.


    Internal control provides only reasonable assurance, not absolute assurance, with regard to achievement of the organisation's objectives.

    The objectives of internal control relate to assurance not only about reliable financial reporting and compliance, but also with regard to the effectiveness and efficiency of operations.

    Internal control is therefore also concerned with the achievement of performance objectives, such as profitability.

    It is also useful to think of internal control as a system for the management and control of certain risks, to restrict the likelihood of adverse events or results.

    Limitations of internal control systems

    Warnings should be given regarding over-reliance on any system, noting in particular that:

    - A good internal control system cannot turn a poor manager into a good one.
    - The system can only provide reasonable assurance regarding the achievement of objectives - all internal control systems are at risk from mistakes or errors.
    - Internal control systems can be by-passed by collusion and management override.
    - Controls are only designed to cope with routine transactions and events.
    - There are resource constraints in provision of internal control systems, limiting their effectiveness.

    In other words, it is good corporate governance to establish the system; risks within the company will be minimised, but those risks can never be entirely eliminated.

    Sound control systems

    It is not sufficient to simply have an internal control system since a system can be ineffective and fail to support the organisation and serve the aim of corporate governance.

    The Turnbull guidance described three features of a sound internal control system.


    Turnbull's sound systems

    Principle 1 of the Turnbull Report: Establish and maintain a sound system of internal control.

    Elements of internal control include:

    (1) Facilitate the effective and efficient operation of the company enabling it to respond to any significant risks which stand in the way of the company achieving its objectives. The risks could be business, compliance, operational or financial.

    (2) Ensure the quality of both internal (management) and external reporting.

    (3) Ensure compliance with laws and regulations and with the company's internal policies regarding the running of the business.

    In terms of risk management, the internal control system is more than simply checking that, e.g. 'all goods despatched have been invoiced'. The Turnbull guidance described three features of a sound internal control system:

    - Firstly, the principles of internal control should be embedded within the organisation's structures, procedures and culture. Internal control should not be seen as a stand-alone set of activities and by embedding it into the fabric of the organisation's infrastructure, awareness of internal control issues becomes everybody's business and this contributes to effectiveness.

    - Secondly, internal control systems should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment. The speed of reaction is an important feature of almost all control systems. Any change in the risk profile or environment of the organisation will necessitate a change in the system and a failure or slowness to respond may increase the vulnerability to internal or external trauma.

    - Thirdly, sound internal control systems include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken. Information flows to relevant levels of management capable and empowered to act on the information are essential in internal control systems. Any failure, frustration, distortion or obfuscation of information flows can compromise the system. For this reason, formal and relatively rigorous information channels are often instituted in organisations seeking to maximise the effectiveness of their internal control systems.

    Roles in risk management and internal control

    Responsibility for internal control is not simply an executive management role.

    All employees have some responsibility for monitoring and maintaining internal controls.

    Roles in monitoring range from the CEO setting the 'tone' for internal control compliance, to the external auditor, reporting on the effectiveness of the system.

    The Turnbull Report addresses the responsibilities of directors and management in relation to risk and control.

    Directors

    Directors should:

    - Set appropriate internal control policies.
    - Seek regular assurance that the system is functioning.
    - Review the effectiveness of internal control.
    - Provide disclosures on internal controls in annual reports and accounts.

    Directors should review internal controls under the five headings identified by COSO in 1992.

    - Control environment
    - Risk assessment
    - Information systems
    - Control procedures
    - Monitoring.

    Management

    Management should:

    - Implement board policies.
    - Identify and evaluate the risks faced by the company.

    The Turnbull Report also suggests that internal audit makes a significant and valuable contribution to a company.

    COSO Roles in risk management


    The COSO guidelines note that 'everyone in an organisation has responsibility for internal control', hence the slightly wider explanation provided here.

    The guidance below is an expanded version of the COSO recommendations.


    King Report

    The King Report on Corporate Governance (South Africa) provides a useful framework for reviewing internal controls:

    King Report - additional responsibilities


    The King Report provides a list of eight points regarding responsibilities for risk management within a company. These are summarised below:


    SOX section 404 responsibilities

    SOX sets out responsibilities regarding risk management. However, in direct contrast to other corporate governance systems, remember that these responsibilities are statutory rather than guidance. The comments below relate specifically to the s404 requirements of SOX, i.e. the audit and reporting of internal control systems within a company.

    There are two main areas of responsibility. Management are likely to delegate the authority to obtain information on internal controls to the audit committee and/or internal audit department. Obviously, the responsibility for management's report cannot be delegated. In SOX terms, management refers to the board, with specific emphasis on the CEO and CFO - these individuals have to attest that the control system has been reviewed.


    Reviewing the effectiveness of internal control

    In respect of reviewing the internal control system, the Turnbull Report (principle 2) stated:

    - the review is a normal responsibility of management
    - the review itself, however, will be delegated to the audit committee (the board do not have the time or the expertise to carry out the review themselves)
    - the board must provide information on the internal control system and review in the annual accounts
    - the review should be carried out at least annually.

    The COSO framework identifies five main elements of a control system against which the review should take place.

    These range from the board setting the overall philosophy of the company in terms of applying internal controls to the detail of the control activities.

    Elements of an effective internal control system (COSO)


    COSO identify five elements of an effective control system.

    (1) Control environment

    This is sometimes referred to as the 'tone at the top' of the organisation. It describes the ethics and culture of the organisation, which provide a framework within which other aspects of internal control operate. The control environment is set by the tone of management, its philosophy and management style, the way in which authority is delegated, the way in which staff are organised and developed, and the commitment of the board of directors.

    The control environment has been defined by the Institute of Internal Auditors as: 'The attitude and actions of the board and management regarding the significance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.'

    The control environment includes the following elements:

    - Management's philosophy and operating style.
    - Organisational structure.
    - Assignment of authority and responsibility.
    - Human resource policies and practices.
    - Competence of personnel.

    (2) Risk assessment

    There is a connection between the objectives of an organisation and the risks to which it is exposed. In order to make an assessment of risks, objectives for the organisation must be established. Having established the objectives, the risks involved in achieving those objectives should be identified and assessed, and this assessment should form the basis for deciding how the risks should be managed.

    The risk assessment should be conducted for each business within the organisation, and should consider, for example:

    - internal factors, such as the complexity of the organisation, organisational changes, staff turnover levels, and the quality of staff
    - external factors, such as changes in the industry and economic conditions, technological changes, and so on.

    The risk assessment process should also distinguish between:

    - risks that are controllable: management should decide whether to accept the risk, or to take measures to control or reduce the risk
    - risks that are not controllable: management should decide whether to accept the risk, or whether to withdraw partially or entirely from the business activity, so as to avoid the risk.

    (3) Control activities

    These are policies and procedures that ensure that the decisions and instructions of management are carried out. Control activities occur at all levels within an organisation, and include authorisations, verifications, reconciliations, approvals, segregation of duties, performance reviews and asset security measures. These control activities are commonly referred to as internal controls.

    (4) Information and communication

    An organisation must gather information and communicate it to the right people so that they can carry out their responsibilities. Managers need both internal and external information to make informed business decisions and to report externally. The quality of information systems is a key factor in this aspect of internal control.

    (5) Monitoring

    The internal control system must be monitored. This element of an internal control system is associated with internal audit, as well as general supervision. It is important that deficiencies in the internal control system should be identified and reported up to senior management and the board of directors.

    Control activities


    Within the control system, there are control activities. These are the detailed internal controls which are embedded within the operations of the company.

    There have been various attempts at defining control activities - the list referred to most often is from the APC (the Auditing Practices Committee - now the APB). The APC provided a list of eight internal controls, as shown below. The controls are placed into three groups to show how they work together. However, they are normally listed in a different order to make them memorable, as the detailed explanation below shows.

    The APC list of internal controls can be remembered as SPAMSOAP:

    S - Segregation of duties

    P - Physical

    A - Authorisation and approval

    M - Management

    S - Supervision

    O - Organisation

    A - Arithmetic and accounting

    P - Personnel

    which provides a useful mnemonic but does not necessarily explain the original grouping.

    Segregation of duties

    Most transactions can be broken down into three separate duties: the authorisation or initiation of the transaction, the handling of the asset that is the subject of the transaction, and the recording of the transaction. This reduces the risk of fraud and may also reduce the risk of error.

    For example, in the system for purchases and purchase accounting, the same individual should not have responsibility for:

    - making a purchase
    - making the payment, and
    - recording the purchase and the payment in the accounts.

    If one individual did have responsibility for more than one of these activities, there would be potential for fraud. The individual could record fictitious purchases (e.g. the purchase of goods ordered for personal use) and pay for transactions that had not occurred.

    Segregation of duties can also make it easier to spot unintentional mistakes, and should not be seen simply as a control against fraud.

    At board of director level, corporate governance codes state that the duties of the chairman of the board and the CEO should be segregated, to prevent one individual from acquiring a dominant position on the board.

    Although segregating duties provides protection against fraud by one individual, it is not effective against collusion to commit fraud by two or more individuals.

    Physical controls

    Physical controls are measures and procedures to protect physical assets against theft or unauthorised access and use. They include:

    - using a safe to hold cash and valuable documents
    - using secure entry systems to buildings or areas of a building
    - dual custody of valuable assets, so that two people are needed to obtain access to certain assets
    - periodic inventory checks
    - hiring security guards and using closed circuit TV cameras.

    Authorisation and approval

    Authorisation and approval controls are established to ensure that a transaction must not proceed unless an authorised individual has given his approval, possibly in writing. For spending transactions, an organisation might establish authorisation limits, whereby an individual manager is authorised to approve certain types of transaction up to a certain maximum value.

    Management control

    Controls are exercised by management on the basis of information they receive.

    Top level reviews. The board of directors or senior management might call for a performance report on the progress of the organisation towards its goals. For example, senior management might review a report on the progress of the organisation toward achieving its budget targets. Questions should be asked by senior management, prompting responses at lower management levels. In this way, top level reviews are a control activity.

    Activity controls. At departmental or divisional level, management should receive reports that review performance or highlight exceptions. Functional reviews should be more frequent than top-level reviews, on a daily, weekly or monthly basis. As with top-level reviews, questions should be asked by management that initiate control activity. An example of control by management is the provision of regular performance reports, such as variance reports, comparing actual results with a target or budget.

    Supervision

    Supervision is oversight of the work of other individuals, by someone in a position of responsibility. Supervisory controls help to ensure that individuals do the tasks they are required to and perform them properly.

    Organisation

    Organisation controls refer to the controls provided by the organisation's structure, such as:

    - the separation of an organisation's activities and operations into departments or responsibility centres, with a clear division of responsibilities
    - delegating authority within the organisation
    - establishing reporting lines within the organisation
    - co-ordinating the activities of different departments or groups, e.g. by setting up committees or project teams.

    Arithmetic and accounting

    Controls are provided by:

    - recording transactions properly in the accounting system
    - being able to trace each individual transaction through the accounting records
    - checking arithmetical calculations, such as double-checking the figures in an invoice before sending it to a customer (sales invoice) or approving it for payment (purchase invoice) to make sure that they are correct.


    Personnel controls

    Controls should be applied to the selection and training of employees, to make sure that: suitable individuals are appointed to positions within the organisation; individuals should have the appropriate personal qualities, experience and qualifications where required; individuals are given suitable induction and training, to ensure that they carry out their tasks efficiently and effectively.

    Staff should also be given training in the purpose of controls and the need to apply them. Specific training about controls should help to increase employee awareness and understanding of the risks of failing to apply them properly.