Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evaluation of Internal control mechanism in Audit of Autonomous Bodies.

Similar presentations


Presentation on theme: "Evaluation of Internal control mechanism in Audit of Autonomous Bodies."— Presentation transcript:

1 Evaluation of Internal control mechanism in Audit of Autonomous Bodies

2 What is Internal Control Internal control is a process Internal control is a process Internal control is effected by people Internal control is effected by people Internal control is geared to the achievement of objectives Internal control is geared to the achievement of objectives Internal control cannot be expected to provide absolute assurance of the achievement of objectives Internal control cannot be expected to provide absolute assurance of the achievement of objectives

3 As defined by Committee of Sponsoring Organisations (COSO), USA Process effected by entities management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following three broad categories Process effected by entities management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following three broad categories Effectiveness and efficiency of operations Effectiveness and efficiency of operations Reliability of financial reporting Reliability of financial reporting Compliance with applicable laws and regulations Compliance with applicable laws and regulations

4 As defined by the Internal controls standards committee of INTOSAI Integral process to provide reasonable assurance that the following general objectives are being achieved Integral process to provide reasonable assurance that the following general objectives are being achieved Fulfilling accountability obligations Fulfilling accountability obligations Complying with applicable laws and regulations Complying with applicable laws and regulations Executing orderly, ethical, economical, efficient and effective operations Executing orderly, ethical, economical, efficient and effective operations Safeguarding resources against loss Safeguarding resources against loss Internal control is a dynamic integral process and management at all levels have to be involved to provide reasonable assurance of the achievement of its objectives Internal control is a dynamic integral process and management at all levels have to be involved to provide reasonable assurance of the achievement of its objectives

5 Components of internal controls Control environment - Assignment of Authority and Responsibility Control environment - Assignment of Authority and Responsibility Risk assessment Risk assessment Information and communication Information and communication Monitoring Monitoring Control activities Control activities

6 (1) Control Environment It sets the tone of an organization, influencing the control consciousness of its staff It sets the tone of an organization, influencing the control consciousness of its staff It is foundation for all other components of internal control. It is foundation for all other components of internal control. It provides discipline and structure. It provides discipline and structure.

7 (1) Control Environment Elements of Control environment Personnel and professional integrity and ethical values of management and staff. Personnel and professional integrity and ethical values of management and staff. Supportive attitude towards internal control at all times. Supportive attitude towards internal control at all times. Commitment to competence. Commitment to competence. The “ tone at the top” (Management’s philosophy and operating style) The “ tone at the top” (Management’s philosophy and operating style) Organization structure Organization structure Human resource policies and practices. Human resource policies and practices.

8 Elements of Control environment Preferences and value standards of Management and staff as reflected in their standards of behaviour. Preferences and value standards of Management and staff as reflected in their standards of behaviour. All should maintain and demonstrate personal and professional integrity and ethical values All should maintain and demonstrate personal and professional integrity and ethical values All should exhibit a supportive attitude toward internal control at all times through out the organization All should exhibit a supportive attitude toward internal control at all times through out the organization

9 Elements of Control environment – contd… Managers and employees have to comply with the applicable codes of conduct at all times. Eg. disclosure of personal financial interest, outside position and gift and reporting conflicts of interest Managers and employees have to comply with the applicable codes of conduct at all times. Eg. disclosure of personal financial interest, outside position and gift and reporting conflicts of interest Public organization should make visible to the public, integrity and ethical values. Public organization should make visible to the public, integrity and ethical values. Behaviour of staff should be consistent with mission. Behaviour of staff should be consistent with mission.

10 Elements of Control environment – contd… Commitment to competence includes the level of knowledge and skill needed to help effective performance includes the level of knowledge and skill needed to help effective performance includes good understanding of individual responsibilities with respect to internal control. includes good understanding of individual responsibilities with respect to internal control. Managers and employees are to maintain a level of competence that allows them to understand the importance of developing and maintaining good internal control and to perform their duties in order to accomplish the general objectives. Managers and employees are to maintain a level of competence that allows them to understand the importance of developing and maintaining good internal control and to perform their duties in order to accomplish the general objectives.

11 Elements of Control environment – contd… Commitment to competence Every one should be involved in internal control with his/her own specific responsibilities. Every one should be involved in internal control with his/her own specific responsibilities. Managers and staff must therefore maintain and demonstrate a level of skill necessary to assess risk and help ensure effective and efficient performance. Managers and staff must therefore maintain and demonstrate a level of skill necessary to assess risk and help ensure effective and efficient performance.

12 Elements of Control environment – contd… Tone at the top Management’s philosophy and operating style reflects: Management’s philosophy and operating style reflects: a supportive attitude towards internal control at all times, independence, competence and leading by example; a supportive attitude towards internal control at all times, independence, competence and leading by example; a code of conduct set out by management and counseling performance appraisals that support the internal control objectives and that of ethical operations. a code of conduct set out by management and counseling performance appraisals that support the internal control objectives and that of ethical operations.

13 Elements of Control environment – contd… Tone at the top If the top management believes that internal control is important, others in organization will sense that and will respond by conscientiously observing the controls established. If the top management believes that internal control is important, others in organization will sense that and will respond by conscientiously observing the controls established. If organization feel’s that control is not important, it is certain that the organisation’s control objectives will not be achieved. If organization feel’s that control is not important, it is certain that the organisation’s control objectives will not be achieved. Demonstration of insistence on ethical conduct by management is of vital importance. Demonstration of insistence on ethical conduct by management is of vital importance.

14 Elements of Control environment – contd… Organisational structure Assignment of authority and responsibility Assignment of authority and responsibility Empowerment and accountability Empowerment and accountability Appropriate lines of reporting Appropriate lines of reporting Alternate lines of reporting (whistleblower) Alternate lines of reporting (whistleblower) The organizational structure defines the entity’s key areas of authority and responsibility. The organizational structure defines the entity’s key areas of authority and responsibility. Internal Audit that reports to the top management Internal Audit that reports to the top management

15 Elements of Control environment – contd… HR policies and practices Hiring and staffing decisions should include assurance that individuals have the integrity and the proper education and experience to carry out their jobs and that necessary formal, on the job, and ethics training is provided. Hiring and staffing decisions should include assurance that individuals have the integrity and the proper education and experience to carry out their jobs and that necessary formal, on the job, and ethics training is provided. Securing the openness of selection process by publishing both the recruitment rules and vacant positions also helps to realize ethical human resource management. Securing the openness of selection process by publishing both the recruitment rules and vacant positions also helps to realize ethical human resource management.

16 (2) Control Activities Control activities are policies and procedures established to address risk and to achieve the entity’s objectives. Control activities are policies and procedures established to address risk and to achieve the entity’s objectives. To be effective, control activities must be appropriate, at all levels and in all functions. They include a range of detective and preventive control activities. To be effective, control activities must be appropriate, at all levels and in all functions. They include a range of detective and preventive control activities.

17 (2) Control Activities (contd…) Detective and preventive control activities Authorization and approval procedure Authorization and approval procedure Segregation of duties (authorizing, processing, recording, reviewing) Segregation of duties (authorizing, processing, recording, reviewing) Control over access to resources and records Control over access to resources and records Verifications Verifications Reconciliation Reconciliation

18 (2) Control Activities (contd…) Detective and preventive control activities Reviews of operating performance Reviews of operating performance Reviews of operations, processes and activities Reviews of operations, processes and activities Supervision (assigning, reviewing and approving, guidance and training.) Supervision (assigning, reviewing and approving, guidance and training.) Entities should reach an adequate balance between detective and preventive control activities. Entities should reach an adequate balance between detective and preventive control activities.

19 (3) Risk assessment Precondition for risk assessment is that there is ‘clear and consistent agency objectives’ Precondition for risk assessment is that there is ‘clear and consistent agency objectives’ Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives and forming a basis for determining how risk should be managed. Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives and forming a basis for determining how risk should be managed.

20 (3) Risk assessment (contd…) Four types of responses to risk must be considered : Four types of responses to risk must be considered : Transfer Transfer Tolerance Tolerance Treatment & Treatment & Termination Termination Of these, risk treatment is the most relevant to these guidelines because effective internal control is the major mechanism to treat the risk. Of these, risk treatment is the most relevant to these guidelines because effective internal control is the major mechanism to treat the risk.

21 (4) Information and Communication GAO standards on Internal Control’s guidance on ‘information and communication’ - “Information should be recorded, communicated to management and others within the entity who need it and in a form and within a time frame that enable them to carry out their internal control and other responsibilities”. GAO standards on Internal Control’s guidance on ‘information and communication’ - “Information should be recorded, communicated to management and others within the entity who need it and in a form and within a time frame that enable them to carry out their internal control and other responsibilities”. A Pre-condition for reliable and relevant information is the prompt recording and proper classification of transactions and events. A Pre-condition for reliable and relevant information is the prompt recording and proper classification of transactions and events. All transactions and significant events should be fully documented All transactions and significant events should be fully documented

22 (4) Information and Communication (contd…) For an entity to run and control its operations, it must have relevant, reliable and timely communications relating to internal as well as external events. Information is needed throughout the agency to achieve all of its objectives. For an entity to run and control its operations, it must have relevant, reliable and timely communications relating to internal as well as external events. Information is needed throughout the agency to achieve all of its objectives. Effective communication should occur in broad sense with information flowing down, across and up the organization. Effective communication should occur in broad sense with information flowing down, across and up the organization.

23 (5) Monitoring Concept of monitoring Internal control deteriorates over time if not properly maintained. Internal control deteriorates over time if not properly maintained. It is necessary to check the functioning of internal control through quality assurance unit and It is necessary to check the functioning of internal control through quality assurance unit and Focus review of specific operational areas through management audit or performance audit. Focus review of specific operational areas through management audit or performance audit. Management(tone at the top) involvement in internal control is crucial for effectiveness. Management(tone at the top) involvement in internal control is crucial for effectiveness.

24 (5) Monitoring (contd…) Monitoring quality of internal control is accomplished through routine activities, separate evaluations or combination of both. Monitoring quality of internal control is accomplished through routine activities, separate evaluations or combination of both. Ongoing monitoring of internal control is built in to the activity of entity. Ongoing monitoring of internal control is built in to the activity of entity. Ongoing monitoring activities cover each of the internal control components and involve action against irregular, unethical, uneconomical, inefficient and ineffective control system. Ongoing monitoring activities cover each of the internal control components and involve action against irregular, unethical, uneconomical, inefficient and ineffective control system. Monitoring is aimed at ensuring that controls are operating as intended and are modified for changes in conditions. Monitoring is aimed at ensuring that controls are operating as intended and are modified for changes in conditions.

25 Objectives of evaluation of Internal Controls To check whether To check whether Internal control systems have been prescribed and documented Internal control systems have been prescribed and documented Systems are adequate Systems are adequate Management implements these in the manner prescribed Management implements these in the manner prescribed Management periodically reviews them through internal audit and takes corrective measures Management periodically reviews them through internal audit and takes corrective measures

26 Evaluating Internal Controls – Control Environment By looking and consulting organisational chart see that organisation has vertical and lateral channels of communication. By looking and consulting organisational chart see that organisation has vertical and lateral channels of communication. Auditor should examine the documentation regarding delegation of authority and plans of succession. Auditor should examine the documentation regarding delegation of authority and plans of succession. Auditor also should see the span of control. Auditor also should see the span of control.

27 Evaluating Internal Controls – Control Environment Auditor should examine the number of vacancies in organisation’s management and how many persons are in acting capacity Auditor should examine the number of vacancies in organisation’s management and how many persons are in acting capacity It should also be seen that whether any arrangements for ensuring continuity of operations in case of temporary absence of top management. It should also be seen that whether any arrangements for ensuring continuity of operations in case of temporary absence of top management.

28 Evaluating Internal Controls – Control Environment To examine integrity and ethical values demonstrated by management see that it is free from any pressure To examine integrity and ethical values demonstrated by management see that it is free from any pressure Adherence to the conduct rules may be seen Adherence to the conduct rules may be seen Previous reports may be examined to see above Previous reports may be examined to see above Auditor may also see the kind of values reflected in the behaviour. Auditor may also see the kind of values reflected in the behaviour.

29 Evaluating Internal Controls – Control Environment Management’s commitment to competence as well as its philosophy and operating style may examine with the help of managements approach towards human resource issues, way of decision making, way of problem solving and their active application. Management’s commitment to competence as well as its philosophy and operating style may examine with the help of managements approach towards human resource issues, way of decision making, way of problem solving and their active application. For this purpose auditor may examine human resource policies. For this purpose auditor may examine human resource policies.

30 Evaluating Internal Controls – Control Environment Following issues are also to be examined - Employee turnover in organisation Employee turnover in organisation Succession planning Succession planning Procedure of decision making Procedure of decision making Use of inputs received from subordinates Use of inputs received from subordinates Process of problem solving (Whether it is participative or directive or mixture of both) Process of problem solving (Whether it is participative or directive or mixture of both)

31 Evaluating Internal Controls – Risk Assessment See whether information supplied by branch offices of the organisation is reliable. See whether information supplied by branch offices of the organisation is reliable. Also see whether the coordinating units evaluate data supplied Also see whether the coordinating units evaluate data supplied Examine the procedure for data verification. See whether procedures have been adhered to Examine the procedure for data verification. See whether procedures have been adhered to Also see whether procedures exist to remedy if the data turned to be inaccurate. Also see whether procedures exist to remedy if the data turned to be inaccurate.

32 Evaluating Internal Controls – Risk Assessment See the factors which has impact on the program. See the factors which has impact on the program. Examine the funding and see if the funds have been cut and what has been the impact on internal control. Examine the funding and see if the funds have been cut and what has been the impact on internal control. See the risk factor in respect of funding. See the risk factor in respect of funding. See the controls instituted to ensure the appropriate use of funds. See the controls instituted to ensure the appropriate use of funds.

33 Evaluating Internal Controls - Information See that information available regarding management decision making is relevant, reliable and timely. See that information available regarding management decision making is relevant, reliable and timely. Is it reliable for external reporting purposes. Is it reliable for external reporting purposes. Examine the data use for decisions Examine the data use for decisions Examine whether crosschecks of data was carried out. Examine whether crosschecks of data was carried out. See the documentary evidence for use of correct data and to see how it is used. See the documentary evidence for use of correct data and to see how it is used.

34 Evaluating Internal Controls - Communication See that effective and reliable internal communication between management and stakeholder is available. See that effective and reliable internal communication between management and stakeholder is available. See whether organisation allow for easy flow of information back or forth. See whether organisation allow for easy flow of information back or forth. See what is the process for notifying the management of the problems. Examine the procedure. Examine documents to see if stated procedure is adhered to. See what is the process for notifying the management of the problems. Examine the procedure. Examine documents to see if stated procedure is adhered to. Examine documentary evidence to see if the problem reported are considered and acted upon. Examine documentary evidence to see if the problem reported are considered and acted upon.

35 Evaluating Internal Controls – Control Activities Examine design and implementation of policies and procedures for managing the programme. Examine design and implementation of policies and procedures for managing the programme. See whether indices have been established to monitor performance of organisation. See whether indices have been established to monitor performance of organisation. See that performance measures were reviewed. See whether performance measures related to mission goals and objective. See that performance measures were reviewed. See whether performance measures related to mission goals and objective.

36 Evaluating Internal Controls – Control Activities See that performance data are continually monitored and analyzed. See that performance data are continually monitored and analyzed. Examine whether policies to safeguard assets are known to all Examine whether policies to safeguard assets are known to all Examine whether the organisation has identified and ensured adequate protection for its critical issue operations Examine whether the organisation has identified and ensured adequate protection for its critical issue operations

37 Evaluating Internal Controls – Control Activities Are assets like cash, assets vulnerable to theft are adequately guarded. Are assets like cash, assets vulnerable to theft are adequately guarded. See that stock verification procedures are adequate and are they adhered to. See that stock verification procedures are adequate and are they adhered to. Has the organisation adequate protection to funds. Has the organisation adequate protection to funds.

38 Evaluating Internal Controls – Control Activities See whether organisation established criteria for identifying the grantees for aid. See the criteria. See whether organisation established criteria for identifying the grantees for aid. See the criteria. See whether risk assessments performed and documented when systems are changed. See whether risk assessments performed and documented when systems are changed. See whether data sensitivity and integrity is considered in risk assessments See whether data sensitivity and integrity is considered in risk assessments

39 Evaluating Internal Controls – Control Activities See whether wide security programme exists. See whether wide security programme exists. See whether access to information software code is suitably restricted. See whether access to information software code is suitably restricted. See whether contingency plan for ensuring continuity of service exists. See whether contingency plan for ensuring continuity of service exists. See whether transactions are properly and promptly classified. Supporting records properly maintained. See whether transactions are properly and promptly classified. Supporting records properly maintained.

40 Evaluating Internal Controls – Internal Control Questionnaire (ICQ) ICQ is a great tool for evaluating and understanding an Internal Control system. It contains a series of pre-designed questions which the auditor may wish to ask. ICQ is a great tool for evaluating and understanding an Internal Control system. It contains a series of pre-designed questions which the auditor may wish to ask. Widely used. Widely used.

41 Limitations of Internal Controls Can provide only reasonable and not absolute assurance about the achievement of the entities objectives Can provide only reasonable and not absolute assurance about the achievement of the entities objectives As it depends on human factor, is subject to flaws in design, errors of judgment or interpretation, misunderstanding, collusion, fatigue etc. As it depends on human factor, is subject to flaws in design, errors of judgment or interpretation, misunderstanding, collusion, fatigue etc. Design of an internal control system faces resource constraints Design of an internal control system faces resource constraints

42 Objectives of assessment of Internal Controls To check whether To check whether Internal control systems have been prescribed and documented Internal control systems have been prescribed and documented Systems are adequate Systems are adequate Management implements these in the manner prescribed Management implements these in the manner prescribed Management periodically reviews them through internal audit and takes corrective measures Management periodically reviews them through internal audit and takes corrective measures


Download ppt "Evaluation of Internal control mechanism in Audit of Autonomous Bodies."

Similar presentations


Ads by Google