Essentials Companion © KHS Pickett 2011 Training Slides

Narrative

You will need a copy ACCT7142-Essential Guide to Internal Auditing

of the book as future 2nd Edition
reference material
for this presentation.
Chapter Four

Internal Controls
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative Training Aim

This presentation is To present a brief introduction to internal auditing that will
aimed at increasing give you an initial understanding of:
your level of
understanding of the 1.Control frameworks.
following topics.
2.Control mechanisms.

3.Our control model.

4.The internal audit role.

Essentials Companion © KHS Pickett 2011 Training Slides

Narrative YOUR CHOICE

In the UK, the Internal control: facilitates the effectiveness and
Turnbull report on efficiency of operations, helps ensure the reliability
corporate of internal and external …………………….. and assists
governance compliance with laws and regulations.
described the What is the missing word:
importance of
internal control. 1.auditing
Which attribute is
least appropriate. 2.reporting

3.regulations
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative YOUR CHOICE ANSWERED

The correct response Internal control: facilitates the effectiveness and
is number 2; internal efficiency of operations, helps ensure the reliability
and external of internal and external …………………….. and assists
reporting. compliance with laws and regulations.
What is the missing word:

1.auditing

2.reporting

3.regulations
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
Why Controls?
A word from the
experts – in this case The board should maintain a sound system of
the UK’s combined internal control to safeguard shareholders’
code on corporate investment and the company’s assets. The board
governance 2008. should, at least annually, conduct a review of the
which requires the effectiveness of the group’s system of internal
board to review their controls and should report to shareholders that
system of internal they have done so. The review should cover all
control at least material controls, including financial, operational
annually. and compliance controls and risk management
systems.
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
The Turnbull report
The UK’s Turnbull The reports from management to the board should, in
report on corporate relation to the areas covered by them, provide a
governance balanced assessment of the significant risks and the
addressed this idea effectiveness of the system of internal control in
of internal control. managing those risks. Any significant control failings or
weaknesses identified should be discussed in the
reports, including the impact that they have had, could
have had, or may have, on the company and the
actions being taken to rectify them. It is essential that
there be openness of communication by management
with the board on matters relating to risk and control.
Essentials Companion © KHS Pickett 2011
Narrative
The catastrophic company
failures of Enron and WorldCom
led to the Sarbanes-Oxley Act in
2002 to tighten up company
regulation. One huge implication
was the use of SOX internal
control certification over
financial reporting systems. SOX
led amended SEC annual filing
requirements which meant that
registrant’s annual report had to
include an report on internal
control over financial reporting.
Training Slides
Sarbanes Oxley Reporting Requirements
•Statement of management’s responsibility for establishing and
maintaining adequate internal control over financial reporting.
•Statement identifying the framework used by management to
evaluate the effectiveness of internal control over financial reporting.
•Management’s assessment of the effectiveness of the registrant’s
internal control over financial reporting.
•A statement that the registered public accounting firm on
management’s assessment of the registrant’s internal control over
financial reporting.
The assessment by management of its internal controls had to be
done in conjunction with a suitable internal control framework which
is free from bias and allows qualitative and quantitative
measurements of internal control to be made in a consistent manner.
Essentials Companion © KHS Pickett 2011 objectives

inherent risks
Narrative
We have developed a
simple model in Figure 4,1
to help explain internal
control. An organization
risk control
will set clear objectives and strategy achievements
then assess the inherent
risks to achieving these
objectives. Before it can
reach the black
achievements box, there
needs to be a control
strategy to deal with the
inherent risks and provide a
reasonable expectation of
getting there.
Essentials Companion © KHS Pickett 2011 objectives

inherent risks
Narrative
If all risks could be
controlled through the risk
control strategy and if
everyone behaved in an
risk control
exactly predictable way, we strategy achievements
could stop our model here
and we would always
achieve our business
objectives. Unfortunately
this is not the case.
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
An Exercise
Have a go at this
short exercise.

Think of the last time things went wrong at

work and consider the extent to which this
could have been predicted and guarded
against.
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
One Response to your Exercise
How did you get on?
Some argue that Controls help mitigate the impact of all those
most events can be
material risks that undermine your efforts to
anticipated while
others feel it is succeed.
impossible to guard
against everything.
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative Management’s responsibilities

Turnbull has made
clear that
management is The board of directors is responsible for the company’s
responsible for the system of internal control. It should set appropriate
controls that are put policies on internal control and seek regular assurance that
in place to manage will enable it to satisfy itself that the system is functioning
risk. effectively. The board must further ensure that the system
of internal control is effective in managing risks in the
Management’s role is manner which it has approved.
on pages 98 to 100.
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative Internal audit’s responsibilities

On the other hand,
the internal auditor
has to be concerned The internal audit activity must assist the organization in
about the state of maintaining effective controls by evaluating their
control in the effectiveness and efficiency and by promoting continuous
organization. The pace improvement.
has been set by the IIA
whose Performance
Standard 2130 goes
straight to the point.
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative Scope of internal control

IIA’s Performance
Standard 2130.A1
provides four key 1.Reliability and integrity of financial and operational
aspects of the scope information;
of controls.
2.Effectiveness and efficiency of operations;

3.Safeguarding of assets; and

4.Compliance with laws, regulations, and contracts.

Essentials Companion © KHS Pickett 2011 objectives

inherent risks
Narrative
control parameter - limits
So activity moves an
organization towards
achieving its preventive controls
risk control
objectives, by keeping strategy achievements
the activities within
prescribed standards. preventive controls

Preventive controls
control parameter - limits
are set which ensure
everything is
contained with the
upper and lower
control parameters.
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
An Exercise
List all the issues that
you would consider
when designing good
controls.

What are the attributes of good controls.

Essentials Companion © KHS Pickett 2011 Training Slides

Narrative An Exercise – one response

Here are just some of •Controls are all means devised to promote the achievement of
the issues that affect agreed objectives.
the way controls are •All controls have a corresponding cost
•Controls belong to those who operate them.
designed and •Internal control is all about people since controls work well only if
implemented within they are geared to the user’s needs in terms of practicality and
an organization. usefulness.
•Overcontrol is as bad as undercontrol.
See pages 102 to •Entropy is the tendency to decay and all control systems will
103. underachieve where they are not reviewed and updated regularly.
•The organizational culture affects the type of control features that
are in place, which may be bureaucratic or flexible in nature.
Essentials Companion © KHS Pickett 2011 objectives

inherent risks
Narrative
control parameter - limits

Because there is so performance

much to consider preventive controls
when designing risk control
strategy achievements
controls, a suitable
control environment preventive controls
and framework is
communications
required to drive the control parameter - limits
risk control strategy.
control
We will deal with environment
these next.
control
framework
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
The Control Framework
Some time ago,
Committee of
Sponsoring
MONITORING
Organizations (see
www.coso.org)
Launched their CONTROL
ACTIVITIES
Internal Control—
Integrated
Framework. RISK ASSESSMENT

CONTROL ENVIRONMENT
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative The Control Environment

The control environment sets the tone of an
Sticking with the
COSO framework,
organization, influencing the control consciousness
we can use their of its people. It is the foundation for all other
definition of the components of internal control, providing discipline
control environment. and structure. Control environment factors include
the integrity, ethical values and competence of the
Pages 104 through to entity’s people; management’s philosophy and
113 describes the operating style; the way management assigns
COSO and several
other controls
authority and responsibility, and organizes and
frameworks. develops its people; and the attention and direction
provided by the board of directors.
Essentials Companion © KHS Pickett 2011 objectives

inherent risks
Narrative corrective controls/learning

control parameter - limits

We can now refine our
detective controls
control model by adding in performance
the reporting line on preventive controls
controls to the board and risk control
AC (audit committee). We strategy achievements
also include other types of
control such as detective preventive controls

controls where activities

falls outside the parameters control parameter - limits detective controls
and corrective controls that
control corrective controls/sanctions
seek to fix defective
environment
activities. The idea is to corporate governance
keep our business in line control Board and AC
with the set success criteria framework
(or parameters).
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
An Exercise
Control mechanisms
are all those specific
measures in place to
that seek to mitigate
specific risks to the
business. How would How would you categorize the control
you categorize
mechanisms that are applied in your
them?
organization?
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
Examples of Control Mechanisms
We can answer this
•Authorization
question of •Physical access restrictions
catagorizing controls •Supervision
with a suitable list. •Compliance checks
•Procedures
Each item is •Recruitment and human resource practices
•Segregation of duties
explained in pages
•Document numbering and referencing
115 to 118. •Project management
•Financial systems controls
•IT security
•Performance management
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
An Exercise
We said earlier on
that is everyone was
perfect, and all risk
could be contained
then we would never
fail. The question is Why do controls sometimes fail?
then, why do
controls fails in the
real world?
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
Why Controls Fail
We can answer this
question with a •Management override
suitable list. •Lack of staff
•Poor control culture
Each item is •Staff collusion
explained in pages •Reliance on single performance indicator
118 to 120. •Reliance on memory
•Retrospective recording
•Uncontrolled delegation
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative The Fallacy of Perfection

There is a great deal of material
around on internal control along with •Controls tend to cost money and slow an organization down.
thousands of specific control
mechanisms for key business
•Controls are needed to help manage risks to an
systems like procurement, income, organization’s business.
transport, stores etc. Some adopt the
view that anything and everything
•Controls cannot guarantee success.
can be controlled with the right set •Control is effected through people and dependent on the
of measures and this position leads
us to the fallacy of perfection. The way they behave and relate to each other.
more measures put in place to •Even the best-managed organization can fail.
achieve objectives the greater the
certainty of achieving objectives. But The fallacy is that controls will ensure success and it is just a
the measures will normally cost
money and time and will tend to
question of how many measures are needed and how they
involve doing more work, to get to should be best implemented. While internal control can help
the end result. In business, time,
additional work and cost are all
an entity achieve its objectives, it is not a panacea.
factors that run counter to success.
Essentials Companion © KHS Pickett 2011 objectives GAP

inherent risks
Narrative corrective controls/learning

control parameter - limits

We have added in the Statement of
internal control One important detective controls
performance
constituent of the control model is
the feed into the published
preventive controls
statement on internal control. directive controls
risk control
And there is the ‘Gap’ which breaks achievements
strategy
through the upper and lower
control parameters. This gap may
be defined as ‘an extra capacity to preventive controls
allow for growth and the potential
to reach outside the norm, communications
challenge existing assumptions and control parameter - limits detective controls
search for new corporate
inspiration’. This is important so control corrective controls/sanctions
policy,
that control frameworks don’t just environment competence
contain activities, but also allow for corporate governance
& training Statement on
some experimentation and Board and AC
innovation, that break the rules but control internal control
still sit within the constitution. framework
Essentials Companion © KHS Pickett 2011

Narrative
We need to outline the Linking risk management,
link between
corporate governance
governance and control
codes, risk
management and
internal control. Have
a look at the next slide Risk Internal
for our approach to Management Controls
this task.
Essentials Companion © KHS Pickett 2011

Narrative
Corporate Governance Codes
Corporate governance codes,
corporate structures and disclosure
arrangements will help promote
good accountability. Within the
Internal Corporate Structures
context of the control framework,
the organization should employ a
Control
process for identifying, assessing
and managing risk. After having Framework Disclosure Arrangements
assessed key risk, they will need to
be managed in line with a defined
risk management strategy. Internal
controls will seek to mitigate
unacceptable levels of risk. The
Risk Internal
strategy for managing risk and
ensuring controls do the job in Management Controls
hand should then be incorporated
into an overall strategy that drives Corporate
the organization towards the Strategies &
achievement of its objectives. Review
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative
Where does Internal Auditing fit into
To answer this the internal control equation?
question we need to
return to the
definition of internal Internal auditing is an independent, objective
auditing. The final assurance and consulting activity designed to add
part makes clear we value and improve an organization’s operations. It
are concerned with helps an organization accomplish its objectives by
risk management, bringing a systematic, disciplined approach to
control and evaluate and improve the effectiveness of risk
governance management, control and governance processes.
processes.
Essentials Companion © KHS Pickett 2011 objectives GAP
Audit of
residual risk
inherent risks
Narrative corrective controls/learning

control parameter - limits

For the audit role two more
boxes appear in our model detective controls
performance
called Audit of Residual
preventive controls
Risk. The top box says that directive controls
risk control
internal audit will assess strategy achievements
whether the risk that
remains after all controls preventive controls
are in place, is within
communications
acceptable levels. The control parameter - limits detective controls
bottom box says that audit
Audit of
will review the way residual control policy, corrective controls/sanctions
residual risk
environment
risk is presented to competence
& training corporate governance
stakeholders in terms of Board and AC
Statement on
control internal control
assertions on the adequacy framework
of internal controls.
Essentials Companion © KHS Pickett 2011 Training Slides

Narrative Training Aim

We hope that this To present a brief introduction to internal auditing that will
presentation has give you an initial understanding of:
increased your level
of understanding of 1.Control frameworks.
the following topics.
2.Control mechanisms.

3.Our control model.

4.The internal audit role.

Essentials Companion © KHS Pickett 2011 Training Slides

Narrative

You will need a copy Essential Guide to Internal Auditing 2nd Edition
of the book as future
reference material
for this presentation. Chapter Four

Internal Controls