Chapter4 Internal control systems

Internal control It is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Controls is the result of proper planning, organizing and directing by management. Effective internal controls have to be well-directed. Internal control consists of the policies, processes, tasks, behaviors and other aspects of a company that taken together.

Purposes of internal control system Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational financial, compliance and other risks to achieving the company’s objectives. Help ensure the quality of internal and external reporting. Help ensure compliance with applicable laws and regulations, and also with internal policies with respects to the conduct of business.

Internal control and risk A critical function of internal control system is to deal with risk. Risk is bound up with doing business. Types of risk: Fundamental Particular risks Speculative Pure risks Risks & CG Shareholder’s return Director’s remuneration

Internal control framework I.C framework Control environment The overall context of control Control procedures The detailed controls in place

Internal control frameworks It includes all the policies and procedures which adopted by the directors and managers to assist in achieving their objectives of ensuring the orderly and efficient conduct of its business Risk is very important. Reasonable assurance is provided only. The challenges and limitations.

Dec, 2012, 3 (a) Explain typical reasons why an internal control system might be ineffective. (5 marks) (b) Explain the internal control deficiencies that led to the increased product failures at Yaya. (10 marks) Company Logo

Dec, 2012, 3 (a) Ineffective internal controls Well designed IC systems can be ineffective for a number of reasons. Costs outweighing benefits. This is when an IC system provides poor value for money or it provides more assurance than is needed. In such a situation, the control will not be supported or trusted by those working alongside or within the control, and this will reduce its effectiveness. Failures in human judgement when assessing a control, or fraud in measuring or reporting a control. Where a control relies upon human measurement, error is always a possibility either through lack of training, incompetence, willful negligence or having a vested interest in control failure (such as with Jane Goo, who believed she could gain financially by a product failing to pass successfully trough a quality control standard). Collusion between employees, perhaps with a vested interest in misapplying or circumventing a control. The risk of this is greater

Dec, 2012, 3 when two or more people believe they may gain by it. It could be, for example, a sales team misquoting sales figures against a budget or directors misreporting accounting data to increase their bonuses or maintain a higher share price before exercising share options. The collusion between Jane Goo and John Zong was one of the factors that may have led to the failure of QC controls being effective at Yaya. Non-routine or unforeseen events can render controls ineffective if they are intended to monitor a specific process only. Most IC are unable to cope with extraordinary events and so need to be adapted or circumvented when such events occur. Previous or existing controls can become obsolete because they are not updated to meet changed conditions. A control introduced to monitor a process or risk that has changed, reduced or been discontinued will no longer be effective. Changes to key risks, for example, need to modified if they are to continue to remain effective in controlling the risk.

Purpose of control frameworks Achieving orderly and efficient conduct of the business. Adherence to internal policies and laws. Safeguarding assets. Prevention and detection of fraud. Accuracy and completeness of accounting records. Timely preparation of reliable financial information.

COSO’s framework-RM Enterprise risk management(ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Relative to internal control, ERM has a wider context.

COSO’s framework Control environment Risk assessment Control activities Information and communication Monitoring activities

COSO’s framework Internal or control environment Objective setting Event identification Risk assessment Risk response Control activities or procedures Information and communication Monitoring

COSO’s framework-other dimensions Categories of objectives Operations Reporting Compliances Levels of objectives Entity level Division Operation unit Function

Evaluating control systems Principals-based or rules-based? The evaluating factors Objectives Linking with risks The controls- compatibility, pyramid, environment, review HR issues Information Feedback and response Cost and benefit

Jun, 2010, 3 (a) Distinguish between rules-based and principles-based approaches to internal control system compliance as described by Claire Mahmood and discuss the benefits to an organization of a principles-based approach. (7 marks)

Jun, 2010, 3 3 (a) Distinguish between rules and principles This case refers to compliance with regard to internal control systems in particular but rules and principles are the two generic approaches to corporate governance and depend upon the nature of regulation. Rules-based control is when behavior is underpinned and prescribed by statute of the country’s legislature. Compliance is therefore enforceable in law such that companies can face legal action if they fail to comply. In a principles-based jurisdiction, compliance is required under stockmarket listing rules but non-compliance is allowed based on the premise of full disclosure of all areas of non-compliance. It is believed that the market mechanism is then capable of valuing the extent of non-compliance and signaling to the company when an unacceptable level of compliance is reached.

Jun, 2010, 3 Benefits to an organization There are four main benefits to the organization of a principles-based approach. First, it avoids the need for strict compliance with inflexible legislation which, typically, fails to account for differences in size and the risk profiles of specific companies or sectors. Second, compliance is less burdensome in time and expenditure for the organization as the minutiae of general legislation can be interpreted in context rather than obeyed in detail. Third, a principles-based approach allows companies to develop their own sector and situation-specific approaches to internal internal control challenges. These will typically depend upon each company’s interpretation of its own internal control challenges.

Jun, 2010, 3 Forth, principles-based approach allows for flexibility and temporary periods of non-compliance with relevant external standards on the basis of ‘comply or explain’, a flexibility that would not be possible in a rules-based jurisdiction.