The document discusses internal control frameworks and concepts. It defines internal control as a process designed to provide reasonable assurance regarding an organization's objectives related to operations, reporting, and compliance. The key components of an effective internal control framework discussed are the control environment, risk assessment, control activities, information and communication, and monitoring activities. The document outlines objectives, principles, and roles involved in maintaining an effective system of internal controls.
LEARNING OBJECTIVES
• Understand what is meant by internal control in a variety of frameworks.
• Identify the objectives, components, and principles of an effective internal control framework.
• Know the roles and responsibilities each group in an organization has regarding internal control.
• Identify the different types of controls and the appropriate application for each of them.
• Obtain an awareness of the process for evaluating the system of internal controls.

FRAMEWORKS
• A body of guiding principles that forms a template against which organizations can evaluate a multitude of business practices.
• These principles are comprised of various concepts, values, assumptions, and practices intended to provide a benchmark against which an organization can assess or evaluate a particular structure, process, or environment, or a group of practices or procedures.
• Specific to the practice of internal auditing, various frameworks are used to assess the design adequacy and operating effectiveness of controls.

DEFINITION OF INTERNAL CONTROL
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
• Geared to the achievement of objectives in one or more separate but overlapping categories - operations, reporting, and compliance.
• A process consisting of ongoing tasks and activities - a means to an end, not an end in itself.
• Effected by people - not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.
• Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and board of directors.
• Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

THE OBJECTIVES, COMPONENTS, AND PRINCIPLES OF INTERNAL CONTROL

Internal Control Process
Components (diagram): Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring Activities

Control Environment
• The control environment is the control consciousness of an organization.
• It is the atmosphere in which people conduct their activities and carry out their control responsibilities.
• An effective control environment is an environment where competent people:
– understand their responsibilities,
– the limits to their authority, and
– are knowledgeable, mindful, and committed to doing what is right and doing it the right way.
• The control environment is greatly influenced by the extent to which individuals recognize that they will be held accountable.

Components of control environment
1. Integrity and Ethical Values
2. Commitment to competence
3. Management’s Philosophy and Operating Style
4. Organisational structure
5. Assignment of Authority and Responsibility
6. Oversight groups

Integrity and Ethical Values
• Formal codes of conduct & policies communicating appropriate ethical and moral behavioral standards and addressing acceptable operational practices and conflicts of interest.
• Management appropriately addresses intervention or overriding internal control.

Commitment to competence
• Management has identified and defined the tasks required to accomplish particular jobs and fill the various positions.
• Formal job descriptions & training needs analysis.

Management’s Philosophy and Operating Style
• Has an appropriate attitude toward risk-taking.
• Endorses the use of performance-based management.
• There has not been excessive personnel turnover in key functions, such as operations and program management, accounting, or internal audit.

Organizational structure
• The agency’s organizational structure is appropriate for its size and the nature of its operations.
• Balancing the degree of centralization versus decentralization.
• Key areas of authority and responsibility are defined & communicated throughout the organization.

Human Resource Policies and Practices
• Policies and procedures are in place for hiring, orienting, training, evaluating, counseling, promoting, compensating, disciplining, and terminating employees.

Oversight Groups
• Within the organisation, there are mechanisms in place to monitor and review operations and programs.
• The agency has an audit committee or senior management council consisting of high-level line and staff executives that review the internal audit work and coordinate closely with the external auditors.
• The internal audit operation reports to the entity’s head.
• Internal audit reviews that unit’s activities and systems and provides information, analyses, appraisals, recommendations, and counsel to management.

Risk Assessment
The central theme of internal control is (1) to identify risks to the achievement of an organization's objectives and (2) to do what is necessary to manage those risks. Thus, setting goals and objectives is a precondition to internal controls.

Setting organizational objectives
• Operational objectives: achievement of the basic mission(s) of a department and the effectiveness and efficiency of its operations, including performance standards and safeguarding resources against loss.
• Financial reporting objectives: preparation of reliable financial reports, including the prevention of fraudulent public financial reporting.
• Compliance objectives: adherence to applicable laws and regulations.
• Risk assessment is the identification and analysis of risks associated with the achievement of operations, financial reporting, and compliance goals and objectives.
• This, in turn, forms a basis for determining how those risks should be managed.

Identify Risks after Determining Goals
• A risk is anything that could jeopardize the achievement of an objective.
– What could go wrong?
– How could we fail?
– What must go right for us to succeed?
– Where are we vulnerable?
– What assets do we need to protect?
– Do we have liquid assets or assets with alternative uses?
– How could someone steal from the department?
– How could someone disrupt our operations?
– How do we know whether we are achieving our objectives?
– On what information do we most rely?
– On what do we spend the most money?
– How do we bill and collect our revenue?
– What decisions require the most judgment?
– What activities are most complex?
– What activities are regulated?
– What is our greatest legal exposure?

The costs of risks
• When evaluating the potential impact of risk, both quantitative and qualitative costs need to be addressed.
• Quantitative costs: cost of property, equipment, or inventory, cash dollar loss, damage and repair costs, cost of defending a lawsuit, etc.
• Qualitative costs: loss of public trust, violation of laws, default on a project, bad publicity.

Risk analysis
• Management has established a formal process to analyze risks, and that process may include informal analysis based on day-to-day management activities.
• Criteria have been established for determining low, medium, and high risks.
• Appropriate levels of management and employees are involved in the risk analysis.
• The risks identified and analyzed are relevant to the corresponding activity objective.

Managing Risk During Change
• Management must give special attention to risks presented by changes:
– the hiring of new personnel to occupy key positions
– introduction of new or changed information systems
– rapid growth and expansion or rapid downsizing
– the production or provision of new outputs or services
– establishment of operations in a new geographical area

Control Activities
Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.

Preventive Controls
• Preventive controls attempt to deter or prevent undesirable events from occurring.
• They are proactive controls that help to prevent a loss.
• Examples: separation of duties, proper authorization, adequate documentation, and physical control over assets.

Detective Controls
• Detective controls attempt to detect undesirable acts.
• They provide evidence that a loss has occurred but do not prevent a loss from occurring.
• Examples: reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

Information systems (Technology) Controls
(1) General Controls and
(2) Application Controls.

General Controls
• General controls apply to entire information systems and to all the applications that reside on the systems.
Examples:
• Access Security, Data & Program Security, Physical Security
• Software Development & Program Change Controls
• Data Center Operations
• Disaster Recovery

Application Controls
• Input Controls (Data Entry): complete and accurate recording of authorized transactions
– Authorization
– Validation
– Error Notification and Correction
• Processing Controls: complete and accurate processing of authorized transactions.
• Output Controls: complete and accurate audit trail of the results of processing.

Information & Communications
• For an organisation to run and control its operations, it must have relevant, reliable information, both financial and non-financial, relating to external as well as internal events.
• That information should be recorded and communicated to management and others within the agency who need it and in a form and within a time frame that enables them to carry out their internal control and operational

Monitoring
Assessing the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.

Ongoing monitoring
• Management’s strategy provides for routine feedback and monitoring of performance and control objectives.
• Operating reports are integrated or reconciled with financial and budgetary reporting system data and used to manage operations on an ongoing basis.