Thursday, June 11, 2009

Segregation of Duties

Segregation of duties is critical to effective internal control because it reduces the risk of mistakes and inappropriate actions. It helps fight fraud by discouraging collusion and strengthening internal checks. Segregation of duties is an internal control concept in which no individual has responsibility for incompatible activities. In general, the following functions should be separated among employees:

  • Approval
  • Accounting/reconciling
  • Asset custody

In other words, one person should normally not participate in more than one of these functions.

A transaction passes through the following stages before it is complete:

  • Initiate
  • Authorize
  • Record
  • Process
  • Reconcile
  • Handle Assets
  • Report

Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions. In general, the approval function, the accounting/reconciling function, and the asset custody function should be separated among employees. When these functions cannot be separated, due to small department size, a detailed supervisory review of related activities is required as a compensating control activity. Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act.

Specific examples of segregation of duties are as follows:

  • The person who requisitions the purchase of goods or services should not be the person who approves the purchase.
  • The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.
  • The person who approves the purchase of goods or services should not be able to obtain custody of checks.
  • The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.
  • The person who opens the mail and prepares a listing of checks received should not be the person who makes the deposit.
  • The person who opens the mail and prepares a listing of checks received should not be the person who maintains the accounts receivable records.
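As an added illustration (not part of the original post), the six examples above can be written as a table of incompatible duty pairs and checked both against who holds which duty and against who actually acted on each transaction. The duty labels, people, purchase-order ids and the rule that a reviewer must be a different person who is not in the same conflict are assumptions made for this example; the "compensated" status reflects the supervisory review described earlier as a compensating control.

```python
# Incompatible duty pairs, one per example in the list above.
# The duty names are labels chosen for this example.
INCOMPATIBLE = {
    frozenset({"requisition_purchase", "approve_purchase"}),
    frozenset({"approve_purchase", "reconcile_financial_reports"}),
    frozenset({"approve_purchase", "check_custody"}),
    frozenset({"maintain_accounting_records", "check_custody"}),
    frozenset({"open_mail_list_checks", "make_deposit"}),
    frozenset({"open_mail_list_checks", "maintain_accounts_receivable"}),
}


def conflicting_pairs(duties):
    """Return every incompatible pair fully contained in a set of duties."""
    held = set(duties)
    return sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE if pair <= held)


def find_conflicts(assignments, reviewers=None):
    """Preventive check over standing duty assignments.

    assignments: {person: set of duties}
    reviewers:   {person: supervisor who performs a detailed review}
    Returns sorted (person, duty_a, duty_b, status) tuples. status is
    "compensated" only when a reviewer is recorded, is a different person,
    and does not hold the same conflicting pair (assumed independence rule);
    otherwise it is "violation".
    """
    reviewers = reviewers or {}
    findings = []
    for person, duties in assignments.items():
        reviewer = reviewers.get(person)
        reviewer_duties = set(assignments.get(reviewer, ()))
        for a, b in conflicting_pairs(duties):
            independent = (
                reviewer is not None
                and reviewer != person
                and not {a, b} <= reviewer_duties
            )
            status = "compensated" if independent else "violation"
            findings.append((person, a, b, status))
    return sorted(findings)


def check_transactions(transactions):
    """Detective check over what actually happened.

    Flags any single transaction on which one actor performed two
    incompatible steps, even if the standing assignments look clean.
    Returns sorted (transaction_id, actor, duty_a, duty_b) tuples.
    """
    hits = []
    for txn in transactions:
        by_actor = {}
        for duty, actor in txn["steps"].items():
            by_actor.setdefault(actor, set()).add(duty)
        for actor, duties in by_actor.items():
            for a, b in conflicting_pairs(duties):
                hits.append((txn["id"], actor, a, b))
    return sorted(hits)


# Constructed sample data (not from the original post).
ASSIGNMENTS = {
    "alice": {"requisition_purchase"},
    "bob": {"approve_purchase", "check_custody"},
    "carol": {"maintain_accounting_records", "check_custody"},
    "dave": {"reconcile_financial_reports"},
    "erin": {"open_mail_list_checks", "make_deposit"},
}
# carol's work is reviewed by dave; erin "reviews" herself, which does not count.
REVIEWERS = {"carol": "dave", "erin": "erin"}

TRANSACTIONS = [
    {"id": "PO-1001",
     "steps": {"requisition_purchase": "alice", "approve_purchase": "bob"}},
    # alice holds no approval duty on paper, yet approved her own requisition.
    {"id": "PO-1002",
     "steps": {"requisition_purchase": "alice", "approve_purchase": "alice"}},
]

if __name__ == "__main__":
    for finding in find_conflicts(ASSIGNMENTS, REVIEWERS):
        print("assignment:", finding)
    for hit in check_transactions(TRANSACTIONS):
        print("transaction:", hit)
```

The assignment check plays the preventive role and the transaction check the detective one: PO-1002 is caught only by the second, because the conflict never appears in the standing assignments.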

Segregation of duties becomes more important as an organization grows. In a small organization, the owner or top-level management can review most transactions and may see little need for segregation of duties. As the organization grows, segregation of duties matters more and more. SOD has been observed to be a bigger risk especially in organizations that are growing fast. This is mainly because, in a small organization, SOD is balanced by top-level management's deep review of all critical transactions; once the organization becomes larger, it is virtually impossible to give those transactions that level of review. In such a situation, management needs to review each employee's roles seriously and attempt to minimize this risk. If management overlooks this matter, sooner or later it will have to deal with fraud-related problems.

Tuesday, June 9, 2009

Roles and responsibilities in internal control

According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:
Chief executive officer (CEO): The CEO has ultimate responsibility and ownership of the internal control system. The individual in this role sets the tone at the top that affects the integrity and ethics and other factors that create the positive control environment needed for the internal control system to thrive. Aside from setting the tone at the top, much of the day-to-day operation of the control system is delegated to other senior managers in the company, under the leadership of the CEO.
Chief financial officer (CFO): Much of the internal control structure flows through the accounting and finance area of the organization under the leadership of the CFO. In particular, controls over financial reporting fall within the domain of the chief financial officer. The audit committee should use interactions with the CFO, and others, as a basis for their comfort level on the internal control over financial reporting.
This is not intended to suggest that the CFO must provide the audit committee with a level of assurance regarding the system of internal control over financial reporting. Rather, through interactions with the CFO and others, the audit committee should get a gut feeling about the completeness, accuracy, validity, and maintenance of the system of internal control over financial reporting.
Controller/director of accounting or finance: Much of the basics of the control system come under the domain of this position. It is key that the controller understands the need for the internal control system, is committed to the system, and communicates the importance of the system to all people in the accounting organization. Further, the controller must demonstrate respect for the system through his or her actions.
Internal audit: A main role for the internal audit team is to evaluate the effectiveness of the internal control system and contribute to its ongoing effectiveness. With the internal audit team reporting directly to the audit committee of the board of directors and/or the most senior levels of management, it is often this function that plays a significant role in monitoring the internal control system. It is important to note that many not-for-profits are not large enough to employ an internal audit team. Each organization should assess the need for this team, and employ one as necessary.
Board of directors/audit committee: A strong, active board is necessary. This is particularly important when the organization is controlled by an executive or management team with tight reins over the organization and the people within the organization. The board should recognize that its scope of oversight of the internal control system applies to all the three major areas of control: over operations, over compliance with laws and regulations, and over financial reporting. The audit committee is the board's first line of defense with respect to the system of internal control over financial reporting.
All other personnel: The internal control system is only as effective as the employees throughout the organization that must comply with it. Employees throughout the organization should understand their role in internal control and the importance of supporting the system through their own actions and encouraging respect for the system by their colleagues throughout the organization.

Control Issues and Limitation

Cost of controls

Costs of controls can include the price of physical safeguards, the value of additional hours of employee work incurred, your time, etc. The costs should be less than the benefits. Employee supervision is where most owner-operated businesses get this comparison wrong, particularly by assuming too low a benefit to a control over a long-term and trusted employee. It is not uncommon for the been-there-forever, taken-for-granted, almost-a-member-of-the-family employee to take advantage of the paternal way in which he or she is treated to loot the company blind.


Implementing controls

Proper control design and selection are only the first steps. The most important factors in making them work are communication and organization. Simply putting the controls in place won't guarantee their effectiveness.

Make sure that your people are aware of and understand the controls; and then find ways to influence their behavior so that they agree to respect them. Organization issues involved include the chain of command structure, cost constraints, job descriptions, and the company’s formal and informal feedback loops.

Every control system needs to be flexible and change as the company evolves. No system of internal controls can completely protect against all risks of theft. Keep in mind that risk is a matter of possibilities and probabilities, and therefore must involve the analysis of both positive and negative outcomes. An analysis of internal controls needs to consider the key risks facing the company, the company’s objectives, and the existing controls and procedures.


Employee motivation: perceived equity

Since it isn’t always possible to eliminate the opportunities for theft, attention should also be paid to the rationalization used by wrongdoers. Most cases of employee theft or misbehavior involve issues of perceived equity. Employees who perceive that they are not being treated fairly are much more prone to steal from their employer. It is important to be perceived as being fair, but not weak. Make sure all of your employees know what is expected of them, and treat everybody consistently. Avoid setting unreachable goals or creating other pressures to commit fraud, remove obstacles that block effective performance, and establish clear and consistent procedures with no exceptions.


Limitations:

Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures.

Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.

Internal control involves human action, which introduces the possibility of errors in processing or judgment. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by top management.

Saturday, June 6, 2009

Preventive and Detective Controls

Controls can be either preventive or detective. The intent of these controls is different. Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets. A few examples of preventive controls are given below:

  • Obtaining pre-approval on actions or transactions before they can be processed
  • Using document control numbers to make sure all transactions are accounted for
  • Matching and comparing documents from different sources to ensure integrity
  • Testing clerical accuracy
  • Locks on doors and gates
  • Physical controls over cash, checks, signature plates, and inventory
  • Computer passwords, access controls, and file locks, to prevent unauthorized electronic access
  • Computer backups for both audit trails and disaster planning
  • Batch totals on data entry work
  • Validating input data against established parameters to ensure accurate keypunching.
  • Segregation of duties, well defined job descriptions and standards
  • Job rotation, enforced vacations, etc., to reduce chances of long-term embezzlement schemes
  • Employee screening and training programs
  • Drug testing of employees and applicants

Preventive controls are subject to breakdown, with the biggest cause being individual circumvention. Sometimes it is malicious and sometimes it is well intentioned (we can get from one department to another easier if we prop the locked doors open, for example, or I can cut my data entry time by a third if I dummy my batch totals). In some companies physical controls are widely ignored – most major thefts of inventory happen in front of other employees who either assume that the thief is acting properly, or do not want to get involved.

Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits. Some examples are:

  • Enforcement of job descriptions and standards to keep employees acting as expected
  • Supervisory review and sign-off of accounting work, expense reports, commission statements, payroll data, etc.
  • Cycle counts of inventory
  • Surprise cash counts
  • Management review and approval of account write-offs
  • Review of monitoring information and reports to ensure that controls are functioning as planned
  • Exception reporting and resolution to highlight out-of-the-norm items
  • Internal audit
  • Supervisory peer review
  • Comparison of actual results to budgeted or forecasted results

Detective controls tend to be less expensive and more reliable than the preventive controls discussed earlier, because they can often be applied over a large number of transactions in a short time.

If detective controls review less than 100 percent of a certain activity, their review has to be somewhat random. If cash drawers are “surprise” counted by management Mondays, Wednesdays, and Fridays (60 percent of all work days), the counts are predictable and cash skimming will most likely occur during the other days of the week. Random counts would tend to deter skimming because they are unpredictable.

Since fraud perpetrators either ignore or compromise the preventive controls in place, it is imperative that management perform its supervisory and monitoring functions. Do not be afraid to manage – people generally want and need both direction and feedback in order to feel satisfied with their work.

Like preventive controls, detective controls are also subject to breakdown. To minimize the chance of both types of control breaking down, it is important to design the controls so that they do not get subverted – control the right thing and make the control easy to follow, implement, monitor, and reinforce. Implement the control properly, monitor and evaluate any feedback related to the control, and whenever possible, tie controls to incentive systems.

Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses.

Control activities include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, segregation of duties, and controls over information systems.

Friday, June 5, 2009

Internal Control Objectives

Internal Control objectives are desired goals or conditions for a specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. For a control objective to be effective, compliance with the control activities must be measurable and observable.

Control activities are the policies and procedures that help ensure management directives are carried out; they are designed so that they achieve the control objective. The effectiveness of a control objective depends solely on how effectively the control activities are designed to address it.

The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties.

Authorization

The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded.

Completeness

The objective is to ensure that no valid transactions have been omitted from the accounting records.

Accuracy

The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data and information is recorded in a timely manner.

Validity

The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.

Physical Safeguards & Security

The objective is to ensure that access to physical assets and information systems is controlled and properly restricted to authorized personnel.

Error handling

The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.

Segregation of Duties

The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction.

A well designed process with appropriate internal controls should meet most, if not all of these control objectives.

Tuesday, June 2, 2009

Components of Internal Control

Internal control consists of five interrelated components. Internal control systems operate at different levels of effectiveness. Determining whether a particular internal control system is effective is a judgment resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.

Control environment:
The control environment is the overall attitude of management towards the existence and effectiveness of control. It is the control consciousness of an organization: the atmosphere in which people conduct their activities and carry out their control responsibilities. An effective control environment is one where competent people understand their responsibilities and the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization's policies and procedures and its ethical and behavioral standards.
The control environment encompasses technical competence and ethical commitment; it is an intangible factor that is essential to effective internal control.
A governing board and management enhance an organization's control environment when they establish and effectively communicate written policies and procedures, a code of ethics, and standards of conduct. Moreover, a governing board and management enhance the control environment when they behave in an ethical manner (creating a positive "tone at the top") and when they require that same standard of conduct from everyone in the organization.
Leaders of each department, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:
· Integrity and ethical values;
· The commitment to competence;
· Leadership philosophy and operating style;
· The way management assigns authority and responsibility, and organizes and develops its people;
· Policies and procedures

Risk Assessment:
Risk is the uncertainty associated with an event whose outcome could adversely affect the attainment of the organization's objectives. Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Objectives must be established before administrators can identify and take necessary steps to manage risks. Operations objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss. Financial reporting objectives pertain to the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives pertain to laws and regulations which establish minimum standards of behavior. Identifying and analyzing risk is an ongoing process and a critical component of an effective internal control system. Attention must be focused on risks at all levels, and necessary actions must be taken to manage them. Risks can pertain to internal and external factors. After risks have been identified, they must be evaluated.
Managing change requires a constant assessment of risk and the impact on internal controls. Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.

Control Activities
Control activities are actions, supported by policies and procedures, that, when carried out properly and in a timely manner, manage or reduce risks. In other words, control activities are the policies and procedures that help to ensure management directives are carried out. They help in ensuring that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Who is Responsible? In the same way that managers are primarily responsible for identifying the financial and compliance risks for their operations, they also have line responsibility for designing, implementing and monitoring their internal control system.
Control activities usually involve two elements: a policy establishing what should be done and designing procedures to implement the policy. All policies must be implemented thoughtfully, conscientiously and consistently.

Information and Communication
Pertinent information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. Effective communication must occur in a broad sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream.
Reliable and relevant information from both internal and external sources must be identified, captured, processed, and communicated to the people who need it--in a form and timeframe that is useful. Information systems produce reports, containing operational, financial, and compliance-related information that makes it possible to run and control an organization.
Information and communication systems can be formal or informal. Formal information and communication systems--which range from sophisticated computer technology to simple staff meetings--should provide input and feedback data relative to operations, financial reporting, and compliance objectives; such systems are vital to an organization's success.
When assessing internal control over a significant activity (or process), the key questions to ask about information and communication are as follows:
· Does our department get the information it needs from internal and external sources in a form and timeframe that is useful?
· Does our department get information that alerts it to internal or external risks (e.g. legislative, regulatory, and developments)?
· Does our department get information that measures its performance: information that tells the department whether it is achieving its operations, financial reporting, and compliance objectives?
· Does our department identify, capture, process, and communicate the information that others need (e.g., information used by our customers or other departments) in a form and timeframe that is useful?
· Does our department provide information to others that alerts them to internal or external risks?
· Does our department communicate effectively, both internally and externally?

Information and communication are simple concepts. Nevertheless, communicating with people and getting information to people in a form and timeframe that is useful to them is a constant challenge. When completing a Business Controls Worksheet for a significant activity (or process) in a department, evaluate the quality of related information and communication systems.

Monitoring
Monitoring is the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities and by separate evaluations of internal control such as self-assessments, peer reviews, and internal audits. The purpose of monitoring is to determine whether internal control is adequately designed, properly executed, and effective. Internal control is adequately designed and properly executed if all five internal control components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) are present and functioning as designed. Internal control is effective if management and interested stakeholders have reasonable assurance that:
· They understand the extent to which operations objectives are being achieved.
· Published financial statements are being prepared reliably.
· Applicable laws and regulations are being complied with.
While internal control is a process, its effectiveness is an assessment of the condition of the process at one or more points in time. Just as control activities help to ensure that actions to manage risks are carried out, monitoring helps to ensure that control activities and other planned actions to effect internal control are carried out properly and in a timely manner and that the end result is effective internal control.
Ongoing monitoring activities include various management and supervisory activities that evaluate and improve the design, execution, and effectiveness of internal control. Separate evaluations, on the other hand, such as self-assessments and internal audits, are periodic evaluations of internal control components resulting in a formal report on internal control. Department employees perform self-assessments; internal auditors who provide an independent appraisal of internal control perform internal audits. Management's role in the internal control system is critical to its effectiveness. Managers, like auditors, don't have to look at every single piece of information to determine that the controls are functioning and should focus their monitoring activities in high-risk areas. The use of spot checks of transactions or basic sampling techniques can provide a reasonable level of confidence that the controls are functioning as intended.

Internal Control

  • If company owners did all the work themselves, assuming they always acted in their own best interest, there would be virtually no loss from internal theft, unreliable financial reporting, non-compliance with applicable laws and regulations, or inefficient use of resources.
    As soon as you hire employees or outside contractors, you introduce those losses, or at least the risk of those losses. To control that risk, the owners then need to set goals and objectives for employees to strive for, define tasks, identify and quantify risks, establish policies, set boundaries, monitor progress, and take corrective action when needed.

    Control what?

    Before designing a system of internal controls, it is important to understand what needs to be controlled. This involves identifying risks and the potential cost of each risk. Determine how often you expect each type of loss would likely occur, and what the cost per occurrence is likely to be. Multiply these two numbers together to get the total loss potential for each type of loss. Later you will compare loss potential with the cost of controls, in order to do a cost-benefit analysis and make sure controls don’t cost more than the potential losses they are designed to prevent.

    Meaning:

    The systems used by a company to minimize the risk of loss are known as internal controls. Internal control is the responsibility of both directors and managers of the company.

    An internal control system is a system of controls, both financial and non-financial, set up by the management of an organization to carry out the function of the company in an orderly and efficient manner. The system should ensure that management policies are adhered to, assets are safeguarded, and the records of the company's activities are both complete and accurate. In other words, internal control is defined as a process established by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's resources are directed, monitored, and measured. It provides reasonable assurance of:

      • effectiveness and efficiency of operations,
      • reliability of financial reporting,
      • safeguarding of assets,
      • reliability and integrity of information assets, and
      • compliance with policies, procedures, laws and regulations.

    Internal control is a process; it is a means to an end and not an end in itself:
    Internal control assists in achieving the organizational goal in a more systematic and organized manner. An organization aims to maintain good internal control in order to achieve its objectives. Of course, maintaining a sound internal control system alone will not achieve those objectives; it is one of the efforts an organization has to make in order to reach its goal.

    Effective internal control helps an organization achieve its operations, financial reporting and compliance objectives:
    Effective internal control is a built-in part of the management process (i.e., plan, organize, direct, and control). Internal control keeps an organization on course toward its objectives and the achievement of its mission, and minimizes surprises along the way. Internal control promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure compliance with laws and regulations. Internal control also ensures the reliability of financial reporting (i.e., all transactions are recorded and that all recorded transactions are real, properly valued, recorded on a timely basis, properly classified, correctly summarized and posted).

    People at every level of an organization affect internal control:
    Internal control is affected by people; it is not merely policy, manuals, and forms, but people at every level of the organization. In other words, the traditional understanding of internal audit, limited to policy, manuals and forms, no longer supports achieving business objectives in today's complex, dynamic and challenging work environment. In the present context, every person in the organization is a part of effective internal control.

    Internal control can provide only reasonable assurance - not absolute assurance - regarding the achievement of an organization's objective:
    Plenty of stakeholders and managers still believe that implementing internal control gives the entity's management and other stakeholders absolute assurance about the effectiveness and efficiency of their operations; this misconception has to be corrected so that over-reliance on internal control can be prevented. Stakeholders must be educated that the existence of internal control does not give absolute assurance to the business; it merely gives reasonable assurance. Of course, effective internal control helps an organization achieve its objectives, but it does not ensure success. There are several reasons why internal control cannot provide absolute assurance that objectives will be achieved: cost/benefit realities, collusion among employees, and external events beyond an organization's control.