Internal Control (IC) & Enterprise Risk Management (ERM)
Presented by: Mohamed El Mugtaba, MBA, CPA. Member of: Member Advisory Team
© Copyright M Mugtaba 2007
What is Internal Control?
The published Internal Control – Integrated Framework defines internal control as:
• a process – effected by an entity's board of directors, management, and other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  a) Reliable financial reporting
  b) Effectiveness and efficiency of operations
  c) Compliance with applicable laws and regulations
Objectives of Internal Control
A well-designed system of internal control achieves the following objectives:
• Accurate, reliable financial statements
• Safeguarding of assets
• Adherence to applicable laws & regulations
• Promotion of effective & efficient operations
Fix your weak Internal Control.
The concept of reasonable assurance in IC: "the cost of IC should not exceed its benefit".
5 Components of Internal Control
• Control Environment (foundation)
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring (ongoing)
Good Internal Control Prevents
CONTROL ENVIRONMENT FACTORS
• Integrity and ethical values
• Commitment to competence
• Human resource policies and practices
• Assignment of authority and responsibilities
• Management's philosophy and operating style
• Board of directors or audit committee participation
Control Activities
• Policies & procedures to ensure management directives are followed, objectives attained, reporting complete & correct
• Procedures to prevent errors and fraud
• Procedures to detect errors and fraud
• Documentation, approval, verification
PIPS:
– Performance reviews (budget/actual/variance)
– Information processing (accuracy, completeness, authorization)
– Physical controls (access to assets & records)
– Segregation of Duties (authorization, recordkeeping, & custody)
Risk Assessment
• Managers assess business risk!
• Operating objectives must be well defined, addressing resource control and uses (e.g., technology, related laws, compliance with controls).
• Financial reporting risks relate to data processing, potential for error & fraud.
ERM – Enterprise Risk Management: Best Practice
RBIA – Risk-Based Internal Audit
Risk Assessment… continued
Risk is reduced by: proper approvals, surveillance, processing, procedures, budgeting, training, "responsibility accounting," reviewing variances from goals, technology, etc.
Information & Communication
• Information requirements (who gets what data when?)
• Reports consistent with objectives, with sufficient detail for action
• Feedback & revisions (often & proper)
• Commitment to appropriate resources for effective information systems
MONITORING – Financial Reporting Controls
• Transaction cycles emphasis (feedback, corrective actions)
• "Real-time" basis
• Variances from budgets; causes
• Cross-corroboration by employees
• Investigating exceptions
Control Principles
Basic to "good" internal control are the following principles:
• Authorization and Approval (DOP)
– Transactions are authorized by a person with delegated approval authority. (Accounting Manual)
• Documentation of Policies and Procedures
– Policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged employee absences or turnover.
• Physical Security
– Equipment, inventories, cash, and other property are secured physically, counted periodically, and compared with amounts shown on control records.
The Fundamental Principle of Internal Control
SEGREGATE incompatible functions: Authorization, Record Keeping, Custody
Segregation of duties reduces the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his duties.
Examples… Incompatible Functions
• Authorizing expenditure and payment
• Bank reconciliation by disinterested parties (not involved in cash)
• HR and Payroll staff (authorise promotion/increment and payment)
• Payroll staff from general ledger staff
• Computer programmers from computer operations
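The incompatible-function pairs above can be enforced mechanically when roles are assigned. The following is an added example, not part of the presentation: a small segregation-of-duties checker that flags any person holding two incompatible functions (detective check) and refuses a grant that would create such a pairing (preventive check). The function names, staff names and assignments are constructed for illustration.

```python
from itertools import combinations

# Incompatible function pairs, taken from the slide's examples of
# functions that must not rest with one person.
INCOMPATIBLE_PAIRS = [
    ("authorize_expenditure", "make_payment"),
    ("cash_handling", "bank_reconciliation"),
    ("hr_authorize_increment", "payroll_payment"),
    ("payroll", "general_ledger"),
    ("programming", "computer_operations"),
]
# The general rule from the SEGREGATE slide: authorization, record
# keeping and custody are pairwise incompatible.
INCOMPATIBLE_PAIRS += list(
    combinations(("authorization", "record_keeping", "custody"), 2))


def conflicts_for(funcs):
    """Pairs from INCOMPATIBLE_PAIRS that are both present in funcs."""
    return sorted((a, b) for a, b in INCOMPATIBLE_PAIRS
                  if a in funcs and b in funcs)


def sod_conflicts(assignments):
    """Detective check over a person -> set-of-functions mapping.
    Returns sorted (person, func_a, func_b) triples for every conflict."""
    return sorted((p, a, b) for p, fs in assignments.items()
                  for a, b in conflicts_for(fs))


def grant_conflicts(assignments, person, new_func):
    """Preventive check: the conflicts that granting new_func to person
    would introduce. An empty list means the grant is acceptable."""
    would_hold = set(assignments.get(person, ())) | {new_func}
    return [(a, b) for a, b in conflicts_for(would_hold) if new_func in (a, b)]


# Constructed sample assignments (hypothetical staff and roles).
SAMPLE = {
    "alice": {"authorize_expenditure", "record_keeping"},
    "bob":   {"cash_handling", "bank_reconciliation"},   # conflict
    "carol": {"payroll", "general_ledger", "custody"},   # conflict
    "dave":  {"programming"},
}

if __name__ == "__main__":
    for person, a, b in sod_conflicts(SAMPLE):
        print(f"{person}: holds both {a} and {b}")
    print("grant dave computer_operations:",
          grant_conflicts(SAMPLE, "dave", "computer_operations"))
```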
Limitations of Internal Control
The costs of internal controls must not exceed their benefits (Costs vs. Benefits).
Examples: 1) Admin Buildings 2) Copper
Limitations of Internal Accounting Control
• Human Error: Negligence, Fatigue, Misjudgment, Confusion
• Human Fraud: Intent to defeat internal controls for personal gain
Enterprise Risk Management (ERM) – COSO Definition
Can you read it? If your eye vision is > -1, don't worry – see next slide.
Source: COSO Enterprise Risk Management – Integrated Framework, 2004.
Enterprise Risk Management (ERM) – COSO Definition
Breaking down the definition:
• Process effected by board, management and personnel
• Applied in strategy setting and across the enterprise
• Designed to identify potential events that may affect the entity
• And manage risk to be within its risk appetite
• To provide reasonable assurance regarding the achievement of the entity's objectives
ERM Encompasses:
• Aligning risk appetite and strategy
• Enhancing risk response decisions
• Reducing operational surprises and losses
• Identifying and managing multiple and cross-enterprise risks
• Seizing opportunities
• Improving deployment of capital
ERM OBJECTIVES: STRATEGIC, OPERATIONS, REPORTING, COMPLIANCE
The ERM Framework
The eight components of the framework are interrelated …
ERM ENCOMPASSES INTERNAL CONTROL
ERM ⊃ IC: internal control sits within enterprise risk management.