Internal Control

WE CAME HERE TO • • • • • • •

Discuss Collaborate Network Exchange knowledge Sharpen our skills Exchange information Exchange experiences On INTERNAL CONTROLS

• OUTLINE • Introduction • Oversight of Internal Control to fraud Prevention, Detection, • Irregularities and other forms of financial improprieties. • Forms of Risk and control: • Risk based Control Vs Value Based Control • Value Optimization • Risk Management. • Conclusion • References

Introduction Well, the main aim of any activity in an organization should be to achieve the objectives of the organization itself. The main aim of internal auditing is to assist the organization to achieve its objectives. No Long Story! The Execution of the day- to day activities or routine requires strict application of certain processes and procedures in order to produce desired or acceptable result particularly where there is a measuring yardstick or basis of comparison or benchmark. Although flexibility is allowed within the confines of the satisfactory result to be obtained. The Consistency in strict application of principles and practices to day-to-day endeavour lends credence or enhances Business effectiveness, profitability, efficiency of management and a host of other impressive performance of the Business

The development in turn forms bedrock for meeting challenges, setting pace, designing standard control task and implementation phase. This is readily achieved through the experience gained in the course of doing things right and the expertise applied particularly when things do not go the way it was thought to be. Four major terms become relevant to an Enterprise which includes the followings • Achieving Objective • Risks threaten the realization of the objectives • Internal Control • Internal Auditing. An objective is something desired to be achieved. It Includes aims, thrusts, dreams and aspirations of a scheme, programme and a course of action

Risk(s) is a set of circumstances that hinder the achievement of objectives. An Internal Control definition by David Griffiths in his book, an introduction to Risk Based Auditing is a process which manages a risk. Internal auditing provides an independent and objective opinion to an organization’s management as to whether its risks are being managed to acceptable levels. In summary • Risks hinder objectives. • Internal controls manage risks. • Internal auditing provides opinions about whether internal controls are managing risks to acceptable levels.

Oversight of Internal control to fraud prevention and Detection. Beginning from genuine mistakes (Error of the Head), breakdown in the system ,insider abuses, corporate failures, bankruptcy and loss of Investment /investors funds, loss of public confidence or crisis of confidence and collapse of the institutions to the global financial meltdown, the challenge to the oversight function of internal control in fraud and other improprieties’ detection and prevention has been very enormous and unimaginable. No two organization are the same and as such cannot be immune to the incidence of corporate scandals caused or compounded by signs, symptoms and consequences’ of errors, irregularities and fraud including insider(s) abuses and other forms of improprieties (Financial and otherwise).

The concern for the oversight function were intensified based on the following realities • • • • • • • • • • •

Fraud is prevalent. Pervasive problems that knows no boundaries. Any one can commit fund based on the position of Fraud Triangle which states pressures/Motives, Perceived opportunity and the Rationalization for the fraud. Why people commit fraud despite their decent background. This is related to above The best deterrent is to increase the perception of detection in the minds of the perpetrators. Perpetrators are often trusted employee Fraud schemes are not unlimited in number. Red flags are only warnings signals. Auditors can’t be relied upon to detect fraud. Hotlines and fraud assessment questionnaire are useful techniques. Prevention is better and superior to detection. A matter of paying attention. In the light of these developments, increasing scope and attention are directed to the industry or profession that can guarantee safe and sound assurance on which trust and reliability of the advice can be bought and consumed as pain killer or relief for the victims of the developments. The usual questions mostly asked when things go wrong either in an enterprise, industry or globally was “where were the auditors”. The question therefore overheats the already heated system. Hence, the continuous oversight functions of internal control to cases of errors, irregularities, fraud and other improprieties.

Irregularities and other forms of financial improprieties Various financial improprieties and abuses exist in different sizes, shades, dimensions and designs. The major forms of financial improprieties include errors, irregularities and frauds. •

An error is an unintentional mistake. It is genuinely perceived as error of an honest person. This includes an omission or commission as well as misplacements in transaction processing, recording, analyzing, summarizing, interpreting and reporting.

•

Irregularities are re-occurring errors that has consistently give rise qualified opinion of the auditor of the financial statement/system appraiser. This includes alteration of records, regular correction of figures and frequent action to connote a deliberate intention.

•

Fraud involves the use of criminal deception to obtain undue illegal advantage. It is an intentional act. This takes various styles and fashion which includes misapplication, misappropriation, and theft, damage to books of accounts and other supporting facilities or infrastructural architecture such as hardware, software and networking.

An important issue to address on this phenomena lies in transparent process to gain credibility of the system and built in trust, gathering intelligence, Being Composed (in the face of stress), keeping promise, properly handling mistakes, avoiding destructive comments and showing other people that you care and most importantly, take a risk profile of any system to determine an enterprisewide risk analysis, rating (using well tested criteria) which enable effective planning and control with reasonable expectation of detecting and preventing cases of errors, irregularities and fraud and other forms of improprieties which signify efficiency of both audit and the enterprise resources utilized.

• Forms of Risks and Controls As earlier referred to risk is a set of circumstances that hinder the achievement of objectives. Right from the traditional internal and external audit, inspection, examination and other business condition assessment mechanism, risks have existed in transactions and events surrounding the existence of an enterprise as well those imposed and imagined. The only difference is the level of attention to details of most of this uneasily identified risk and the skills and diligence required couple with the focus of the audits/examination among other limitations. Traditional risks includes inherent risks, control risks and detection risks which the audit procedures have not been able to score 100% eliminating or substantially reducing since the design of the risk was to beat the controls in place. Modern risks are External (Political, Economic, Socio cultural, Technological, Legal/regulator, Environmental ),Operational (Delivery, (Service/product failure, Project delivery), capacity and capability,( Resources, Relationships, operations, reputations), Risk management performance and capability (governance, scanning, resilience, Security), (PSA targets, Change programmes, New projects and New policies)

Change

• The control focus and functions in place comprises of sets of circumstances of an enterprise risk profile, risk assessment, risk rating and the extent of reliance on the other components to support perfect functioning of an enterprise or working of a system. • The controls to be exercised also depend on the experiences (real and imagined), similarly observed situation /scenarios, peculiarities and anticipated development in addition to above. • The control focus on risk of events, transactions and the associated threats to the overall objectives of an enterprise.

The forms of control range from general to specific and contemporary setting in quality control. General controls includes physical controls, authorization controls, personnel controls, accounting and arithmetical control, management control, organization control, supervisory control and segregation of duties control. Specific control. Implicit in the general controls are the specific controls which the audit plans and procedures designed from the risk assessment /risk rating of an enterprise. It is application of general control to specific transaction, processes and circumstances of an enterprise. The specific objectives of any audit will address one or more of the following general management objectives: • Risks are appropriately identified and managed. • Interaction with the various governance groups occurs as needed. • Financial, managerial, and operating information is accurate, reliable, and timely • Employees’ actions are in compliance with Organization policies and procedures,and applicable laws and regulations.

• • • •

Resources are acquired economically, used efficiently, and adequately protected. • Plans and objectives are achieved. Quality and continuous improvement are fostered in the Organization’s control process. • Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately.

•

During the course of the audit, conditions may arise which warrant revising the audit procedures, scope or budgeted hours. The auditor should evaluate the situation, make timely recommendations to audit management, and obtain approval before incorporating any changes.

•

Contemporary controls includes specific transactions audit such as pre-payment and pre-purchase audit (including contract award, price verification, and survey and bidding/tender). Post-prepayment audit and special audit such as focused audit, investigation, Board of enquiry. In further emphasis to contemporary controls, addressing the risks using control measures will employ the followings

PREVENTIVE CONTROLS These controls are designed to limit the possibility of an undesirable outcome being realized. The more important it is that an undesirable outcome should not arise; the more important it becomes to implement appropriate preventive controls. The majority of controls implemented in organizations tend to belong to this category. Examples of preventive controls include separation of duty,whereby no one person has authority to act without the consent of another (such as the person who authorizes payment of an invoice being separate from the person who ordered goods prevents one person securing goods at public expense for their own benefit), or limitation of action to authorized persons (such as only those suitably trained and authorized being permitted to handle media enquiries prevents inappropriate comment being made to the press).

CORRECTIVE CONTROLS These controls are designed to correct undesirable outcomes which have been realized. They provide a route of recourse to achieve some recovery against loss or damage. An example of this would be design of contract terms to allow recovery of overpayment. Insurance can also be regarded as a form of corrective control as it facilitates financial recovery against the realization of a risk. Contingency planning is an important element of corrective control as it is the means by which organizations plan for business continuity / recovery after events which they could not control. DIRECTIVE CONTROLS These controls are designed to ensure that a particular outcome is achieved. They are particularly important when it is critical that an undesirable event is avoided typically associated with Health and Safety or with security. Examples of this type of control would be to include a requirement that protective clothing be worn during the performance of dangerous duties, or that staff be trained with required skills before being allowed to work unsupervised. DETECTIVE CONTROLS These controls are designed to identify occasions of undesirable outcomes having been realized. Their effect is, by definition, “after the event” so they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include stock or asset checks (which detect whether stocks or assets have been removed without authorization), reconciliation (which can detect unauthorized transactions),

“Post Implementation Reviews” which detect lessons to be learnt from projects for application in future work, and monitoring activities which detect changes that should be responded to. In designing control, it is important that the control put in place is proportional to the risk. Apart from the most extreme undesirable outcome (such as loss of human life) it is normally sufficient to design control to give a reasonable assurance of confining likely loss within the risk appetite of the organization. Every control action has an associated cost and it is important that the control action offers value for money in relation to the risk that it is controlling. Generally speaking the purpose of control is to constrain risk rather than to eliminate it.

Risk based control Vs Value Based Control Traditional audit focused on the transaction and the control cycle of organization businesses. Various audit plans, procedures and tests revolves around obtaining evidence, reviewing controls and express opinion on the workings of the control in an enterprises processes and the systems in an integrated financial system to produce the financial statement which is reported upon. Hence the design of compliance, substantive and focused testing dominated the entire course of action of an audit engagement. Risk based control is simply a risk based auditing which requires critically and thoroughly examined risks attached or associated with the enterprise’s processes, business units and other related functions.

The definition of Internal auditing by the Institute of Internal Auditors as contained in the Code of Ethics underscore the mandates of risk based control. This is reproduced below. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Value Based control is a deliverable from the risk management initiatives and strategy employed on a SWOT analysis basis for the organization existence and relevance. Value Based control is a continuous effort deployed to consistently maintain the values and successes of the enterprise’s niche and surpasses the expectation of the clients in a way and manner to setting new pace and standard which has to be sustained until a new value and standard is established either by the enterprise’s internal design or in collaborative design or as imposed by the competitors or other external variable /force.

Value optimization This is the outcome of either the traditional or risk based auditing. It is to enhance the effectiveness /strengthen the activity undertaken either as a statutory response or in line with best business practice. In any case, it is expected to strengthen the enterprise on the inside, expand the enterprise on the outside and in the overall improves the bottom line.

Risk Management. The issues involved in risk management includes How do we manage risks? Who’s responsible for risks? Where does internal auditing fit in? and where does ‘risk management’ fit in? How do we manage risks? There are a number of ways the organization can manage risks to bring them to a level which the board consider acceptable:  void the risks, for example not starting up a business selling innovative A products or closing a factory making dangerous chemicals. This may mean giving up significant opportunities. This process is known as ‘termination’. Transfer them, the best example being insurance.  olerate them, without planning any contingencies. These are the ‘asteroid hits T earth’ type of risk. This does not mean that no-one will address this risk – governments may decide to try and deflect asteroids using nuclear missiles.  olerate them, and plan contingencies. These are the ‘hurricane destroys T factory’ type of risk. I ntroduce some processes to reduce the consequence or likelihood of a risk. These processes are usually referred to as ‘controls’ and include everything from having a clear strategy to installing a fire alarm. This method of management is known as ‘treatment’.

• Who’s responsible for risks? So, our objectives are threatened by risks, which demand a response to avoid them, accept them, transfer them or treat them. Who’s responsible for ensuring that the response is appropriate to manage risks to a level that our controlling board can Accept? The various rules and regulations make it clear that the management of an organization is responsible for: Identifying what risks exist. Assessing the risks. Ensuring that there is an appropriate response to all risks. Informing the board about risks which are outside acceptable levels (usually those which are to be tolerated or taken for the potential benefits)

Where does internal auditing fit in? Just as external auditors independently report on an organization’s accounts, so the internal audit activity independently reports that internal controls are operating properly. Recent financial scandals have reinforced the need for this type of independent opinion. So what is the purpose of internal auditing? It is frequently phrased in terms like, “to ensure proper internal controls exist”. The problem with this statement is that it gives the impression that internal auditing is only concerned with financial controls. Also, managers frequently consider controls to be the responsibility of accountants and auditors, and are not therefore prepared to accept ownership of them. Managers, however, can see how risks directly affect them and are more likely to accept that it is their responsibility to manage them. In addition, since the internal controls necessary depend on the risks identified. Where does ‘risk management’ fit in? Now this is where the fun starts. What is risk management and what responsibility does the internal audit activity have? Let’s start with some certainties: Managers own risks and it is their responsibility to control them. Internal auditing provides an opinion, to management, as to whether risks are properly controlled. ‘Risk management’ is a term widely used, and ‘Risk Manager’ jobs exist in Organizations. Theoretically, since managers own risks, they must ‘manage’ them. That accountability cannot be passed to a third party. In practice, risk managers tend to have responsibilities between managers and the internal audit activity, assisting the organization to identify its risks, running risk workshops, coaching staff in risk management and setting ‘best practice standards’.

Conclusion •

Internal Control is a serious business and as such designing, observing, implementing or executing the system of internal control has taken a centre stage in the life of an enterprise’s continuous existence and relevance. Internal auditing provides assurance service to management and also occupies a prominent role in providing interpretations of inestimable values that last and outlive an enterprise.

•

Local and International corporate scandals of different sizes, dimensions and magnitude has questioned the mandates of professional bodies, consultants and advisors in providing a value added service to improve the bottom line of both individual and corporate businesses.

•

Signing into Law Sarbanes-Oxley Act of 2002 has created a paradigm shift in the ‘business as usual’ of services professional. The drama of suicides, bankruptcy ,paying fines on penalty, surcharges and risk going to jail are few cases to mention.

•

As widely reported in business practice, one of the methods for discovering frauds in by instituting a sound system of internal control that will guarantee assurance to the organization processes. Hence, most corporate failure attributed to the inability of the external audit of the enterprise to nip the issues in the bud is rather unfortunate. Particular reference to Cadbury Nigeria Plc where the firm of Chartered Accountants (Akintola Williams Delloite) was fined N20million naira was a sad development to the Public Accounting practice.

•

Finally, every one in the organization is required to protect the resources of the organization as an internal control compliant in line with the age long definition of internal control which was put it as ‘whole system of controls, financial and otherwise established to carry on the business of an enterprise, in an orderly and efficient manner, safeguard the assets of enterprise and secure as far as possible the completeness, accuracy and validity of records.

•

Thank you for your time and attention

References • David Griffiths (2006), An Introduction to Risk Based Auditing. • The Orange Book, (2004) Management of Risk Principles and Concepts • The Folio issue 19 & 20 Magazine of the Institute of Financial Consultant, Canada, (2005) 10 Truths You Need To Know about Fraud & Try Transparency, Gain Credibility. • Brief literature on Audit process and Procedures.