Evaluation of Internal control mechanism in Audit of Autonomous Bodies.

Evaluation of Evaluation of Internal control Internal control

mechanism in Audit mechanism in Audit of Autonomous of Autonomous

BodiesBodies

What is Internal ControlWhat is Internal Control

Internal control is a processInternal control is a process Internal control is effected by peopleInternal control is effected by people Internal control is geared to the Internal control is geared to the

achievement of objectivesachievement of objectives Internal control cannot be expected Internal control cannot be expected

to provide absolute assurance of the to provide absolute assurance of the achievement of objectivesachievement of objectives

As defined by Committee of As defined by Committee of Sponsoring Organisations Sponsoring Organisations

(COSO), USA(COSO), USA Process effected by entities Process effected by entities

management and other personnel management and other personnel designed to provide reasonable designed to provide reasonable assurance regarding the achievement assurance regarding the achievement of objectives in the following three of objectives in the following three broad categoriesbroad categories Effectiveness and efficiency of operationsEffectiveness and efficiency of operations Reliability of financial reportingReliability of financial reporting Compliance with applicable laws and Compliance with applicable laws and

regulationsregulations

As defined by the Internal As defined by the Internal controls standards committee of controls standards committee of

INTOSAIINTOSAI Integral process to provide reasonable Integral process to provide reasonable

assurance that the following general assurance that the following general objectives are being achievedobjectives are being achieved Fulfilling accountability obligationsFulfilling accountability obligations Complying with applicable laws and regulationsComplying with applicable laws and regulations Executing orderly, ethical, economical, efficient and Executing orderly, ethical, economical, efficient and

effective operations effective operations Safeguarding resources against lossSafeguarding resources against loss

Internal control is a dynamic integral process Internal control is a dynamic integral process and management at all levels have to be and management at all levels have to be involved to provide reasonable assurance of involved to provide reasonable assurance of the achievement of its objectivesthe achievement of its objectives

Components of internal Components of internal controlscontrols

Control environment - Assignment of Control environment - Assignment of Authority and ResponsibilityAuthority and Responsibility

Risk assessmentRisk assessment Information and communicationInformation and communication MonitoringMonitoring Control activitiesControl activities

(1) Control Environment(1) Control Environment It sets the tone of an organization, It sets the tone of an organization,

influencing the control influencing the control consciousness of its staffconsciousness of its staff

It is foundation for all other It is foundation for all other components of internal control.components of internal control.

It provides discipline and structure.It provides discipline and structure.

(1) Control Environment(1) Control EnvironmentElements of Control environmentElements of Control environment

Personnel and professional integrity and Personnel and professional integrity and ethical values of management and staff.ethical values of management and staff.

Supportive attitude towards internal Supportive attitude towards internal control at all times.control at all times.

Commitment to competence.Commitment to competence. The “ tone at the top” (Management’s The “ tone at the top” (Management’s

philosophy and operating style)philosophy and operating style) Organization structureOrganization structure Human resource policies and practices.Human resource policies and practices.

Elements of Control Elements of Control environmentenvironment

Preferences and value standards of Preferences and value standards of Management and staff as reflected in Management and staff as reflected in their standards of behaviour.their standards of behaviour.

All should maintain and demonstrate All should maintain and demonstrate personal and professional integrity personal and professional integrity and ethical valuesand ethical values

All should exhibit a supportive All should exhibit a supportive attitude toward internal control at all attitude toward internal control at all times through out the organizationtimes through out the organization

Elements of Control Elements of Control environment – contd…environment – contd…

Managers and employees have to comply Managers and employees have to comply with the applicable codes of conduct at with the applicable codes of conduct at all times. Eg. disclosure of personal all times. Eg. disclosure of personal financial interest, outside position and financial interest, outside position and gift and reporting conflicts of interestgift and reporting conflicts of interest

Public organization should make visible Public organization should make visible to the public, integrity and ethical to the public, integrity and ethical values.values.

Behaviour of staff should be consistent Behaviour of staff should be consistent with mission.with mission.

Elements of Control Elements of Control environment – contd…environment – contd…Commitment to competenceCommitment to competence

includes the level of knowledge and skill includes the level of knowledge and skill needed to help effective performanceneeded to help effective performance

includes good understanding of individual includes good understanding of individual responsibilities with respect to internal responsibilities with respect to internal control.control.

Managers and employees are to maintain a Managers and employees are to maintain a level of competence that allows them to level of competence that allows them to understand the importance of developing understand the importance of developing and maintaining good internal control and and maintaining good internal control and to perform their duties in order to to perform their duties in order to accomplish the general objectives.accomplish the general objectives.


Commitment to competenceCommitment to competence Every one should be involved in Every one should be involved in

internal control with his/her own internal control with his/her own specific responsibilities.specific responsibilities.

Managers and staff must therefore Managers and staff must therefore maintain and demonstrate a level of maintain and demonstrate a level of skill necessary to assess risk and skill necessary to assess risk and help ensure effective and efficient help ensure effective and efficient performance.performance.


Tone at the topTone at the top Management’s philosophy and operating Management’s philosophy and operating

style reflects:style reflects: a supportive attitude towards internal a supportive attitude towards internal

control at all times, independence, control at all times, independence, competence and leading by example;competence and leading by example;

a code of conduct set out by a code of conduct set out by management and counseling management and counseling performance appraisals that support the performance appraisals that support the internal control objectives and that of internal control objectives and that of ethical operations.ethical operations.


Tone at the topTone at the top If the top management believes that internal If the top management believes that internal

control is important, others in organization control is important, others in organization will sense that and will respond by will sense that and will respond by conscientiously observing the controls conscientiously observing the controls established.established.

If organization feel’s that control is not If organization feel’s that control is not important, it is certain that the organisation’s important, it is certain that the organisation’s control objectives will not be achieved.control objectives will not be achieved.

Demonstration of insistence on ethical Demonstration of insistence on ethical conduct by management is of vital conduct by management is of vital importance.importance.


Organisational structureOrganisational structure Assignment of authority and responsibilityAssignment of authority and responsibility Empowerment and accountabilityEmpowerment and accountability Appropriate lines of reportingAppropriate lines of reporting Alternate lines of reporting Alternate lines of reporting

(whistleblower)(whistleblower) The organizational structure defines the The organizational structure defines the

entity’s key areas of authority and entity’s key areas of authority and responsibility.responsibility.

Internal Audit that reports to the top Internal Audit that reports to the top managementmanagement


HR policies and practicesHR policies and practices Hiring and staffing decisions should Hiring and staffing decisions should

include assurance that individuals have the include assurance that individuals have the integrity and the proper education and integrity and the proper education and experience to carry out their jobs and that experience to carry out their jobs and that necessary formal, on the job, and ethics necessary formal, on the job, and ethics training is provided. training is provided.

Securing the openness of selection process Securing the openness of selection process by publishing both the recruitment rules by publishing both the recruitment rules and vacant positions also helps to realize and vacant positions also helps to realize ethical human resource management.ethical human resource management.

(2) Control Activities(2) Control Activities Control activities are policies and Control activities are policies and

procedures established to address procedures established to address risk and to achieve the entity’s risk and to achieve the entity’s objectives.objectives.

To be effective, control activities To be effective, control activities must be appropriate, at all levels must be appropriate, at all levels and in all functions. They include a and in all functions. They include a range of range of detectivedetective and and preventivepreventive control activities.control activities.

(2) Control Activities (2) Control Activities (contd…)(contd…)

Detective and preventive control Detective and preventive control activitiesactivities

Authorization and approval procedureAuthorization and approval procedure Segregation of duties (authorizing, Segregation of duties (authorizing,

processing, recording, reviewing)processing, recording, reviewing) Control over access to resources and Control over access to resources and

recordsrecords VerificationsVerifications ReconciliationReconciliation

(2) Control Activities (2) Control Activities (contd…)(contd…)

Detective and preventive control Detective and preventive control activitiesactivities

Reviews of operating performanceReviews of operating performance Reviews of operations, processes and Reviews of operations, processes and

activitiesactivities Supervision (assigning, reviewing and Supervision (assigning, reviewing and

approving, guidance and training.)approving, guidance and training.) Entities should reach an adequate Entities should reach an adequate

balance between detective and balance between detective and preventive control activities.preventive control activities.

(3) Risk assessment(3) Risk assessment Precondition for risk assessment is Precondition for risk assessment is

that there is ‘clear and consistent that there is ‘clear and consistent agency objectives’agency objectives’

Risk assessment is the identification Risk assessment is the identification and analysis of relevant risks and analysis of relevant risks associated with achieving the associated with achieving the objectives and forming a basis for objectives and forming a basis for determining how risk should be determining how risk should be managed.managed.

(3) Risk assessment (3) Risk assessment (contd…)(contd…)

Four types of responses to risk must Four types of responses to risk must be considered : be considered : TransferTransfer ToleranceTolerance Treatment &Treatment & Termination Termination

Of these, risk treatment is the most Of these, risk treatment is the most relevant to these guidelines because relevant to these guidelines because effective internal control is the effective internal control is the major mechanism to treat the risk.major mechanism to treat the risk.

(4) Information and (4) Information and CommunicationCommunication

GAO standards on Internal Control’s guidance on GAO standards on Internal Control’s guidance on ‘information and communication’ - “‘information and communication’ - “Information Information should be recorded, communicated to should be recorded, communicated to management and others within the entity who management and others within the entity who need it and in a form and within a time frame that need it and in a form and within a time frame that enable them to carry out their internal control and enable them to carry out their internal control and other responsibilities”.other responsibilities”.

A Pre-condition for reliable and relevant A Pre-condition for reliable and relevant information is the prompt recording and information is the prompt recording and proper classification of transactions and proper classification of transactions and events.events.

All transactions and significant events All transactions and significant events should be fully documentedshould be fully documented

(4) Information and (4) Information and Communication (contd…)Communication (contd…)

For an entity to run and control its For an entity to run and control its operations, it must have relevant, operations, it must have relevant, reliable and timely communications reliable and timely communications relating to internal as well as external relating to internal as well as external events. Information is needed events. Information is needed throughout the agency to achieve all of throughout the agency to achieve all of its objectives.its objectives.

Effective communication should occur in Effective communication should occur in broad sense with information flowing broad sense with information flowing down, across and up the organization.down, across and up the organization.

(5) Monitoring(5) MonitoringConcept of monitoringConcept of monitoring Internal control deteriorates over Internal control deteriorates over

time if not properly maintained.time if not properly maintained. It is necessary to check the It is necessary to check the

functioning of internal control functioning of internal control through quality assurance unit andthrough quality assurance unit and

Focus review of specific operational Focus review of specific operational areas through management audit or areas through management audit or performance audit.performance audit.

Management(tone at the top) Management(tone at the top) involvement in internal control is involvement in internal control is crucial for effectiveness.crucial for effectiveness.

(5) Monitoring (contd…)(5) Monitoring (contd…) Monitoring quality of internal control is Monitoring quality of internal control is

accomplished through routine activities, accomplished through routine activities, separate evaluations or combination of both.separate evaluations or combination of both.

Ongoing monitoring of internal control is Ongoing monitoring of internal control is built in to the activity of entity.built in to the activity of entity.

Ongoing monitoring activities cover each of Ongoing monitoring activities cover each of the internal control components and involve the internal control components and involve action against irregular, unethical, action against irregular, unethical, uneconomical, inefficient and ineffective uneconomical, inefficient and ineffective control system. control system.

Monitoring is aimed at ensuring that Monitoring is aimed at ensuring that controls are operating as intended and are controls are operating as intended and are modified for changes in conditions.modified for changes in conditions.

Objectives of evaluation of Objectives of evaluation of Internal ControlsInternal Controls

To check whether To check whether Internal control systems have been Internal control systems have been

prescribed and documentedprescribed and documented Systems are adequateSystems are adequate Management implements these in the Management implements these in the

manner prescribedmanner prescribed Management periodically reviews them Management periodically reviews them

through internal audit and takes through internal audit and takes corrective measurescorrective measures

Evaluating Internal Evaluating Internal Controls – Control Controls – Control

EnvironmentEnvironment By looking and consulting By looking and consulting

organisational chart see that organisational chart see that organisation has vertical and lateral organisation has vertical and lateral channels of communication.channels of communication.

Auditor should examine the Auditor should examine the documentation regarding delegation documentation regarding delegation of authority and plans of succession.of authority and plans of succession.

Auditor also should see the span of Auditor also should see the span of control.control.


EnvironmentEnvironment Auditor should examine the number of Auditor should examine the number of

vacancies in organisation’s vacancies in organisation’s management and how many persons management and how many persons are in acting capacityare in acting capacity

It should also be seen that whether any It should also be seen that whether any arrangements for ensuring continuity of arrangements for ensuring continuity of operations in case of temporary operations in case of temporary absence of top management.absence of top management.


EnvironmentEnvironment To examine integrity and ethical values To examine integrity and ethical values

demonstrated by management see demonstrated by management see that it is free from any pressurethat it is free from any pressure

Adherence to the conduct rules may be Adherence to the conduct rules may be seenseen

Previous reports may be examined to Previous reports may be examined to see abovesee above

Auditor may also see the kind of values Auditor may also see the kind of values reflected in the behaviour.reflected in the behaviour.


EnvironmentEnvironment Management’s commitment to Management’s commitment to

competence as well as its philosophy and competence as well as its philosophy and operating style may examine with the operating style may examine with the help of managements approach towards help of managements approach towards human resource issues, way of decision human resource issues, way of decision making, way of problem solving and their making, way of problem solving and their active application.active application.

For this purpose auditor may examine For this purpose auditor may examine human resource policies.human resource policies.


EnvironmentEnvironmentFollowing issues are also to be examined -Following issues are also to be examined - Employee turnover in organisationEmployee turnover in organisation Succession planningSuccession planning Procedure of decision makingProcedure of decision making Use of inputs received from Use of inputs received from

subordinatessubordinates Process of problem solving (Whether it is Process of problem solving (Whether it is

participative or directive or mixture of participative or directive or mixture of both)both)

Evaluating Internal Evaluating Internal Controls – Risk AssessmentControls – Risk Assessment

See whether information supplied by branch See whether information supplied by branch offices of the organisation is reliable.offices of the organisation is reliable.

Also see whether the coordinating units Also see whether the coordinating units evaluate data suppliedevaluate data supplied

Examine the procedure for data verification. Examine the procedure for data verification. See whether procedures have been adhered See whether procedures have been adhered toto

Also see whether procedures exist to Also see whether procedures exist to remedy if the data turned to be inaccurate.remedy if the data turned to be inaccurate.

Evaluating Internal Evaluating Internal Controls – Risk AssessmentControls – Risk Assessment

See the factors which has impact on See the factors which has impact on the program.the program.

Examine the funding and see if the Examine the funding and see if the funds have been cut and what has funds have been cut and what has been the impact on internal control.been the impact on internal control.

See the risk factor in respect of See the risk factor in respect of funding.funding.

See the controls instituted to ensure See the controls instituted to ensure the appropriate use of funds.the appropriate use of funds.

Evaluating Internal Evaluating Internal Controls - InformationControls - Information

See that information available regarding See that information available regarding management decision making is relevant, management decision making is relevant, reliable and timely.reliable and timely.

Is it reliable for external reporting Is it reliable for external reporting purposes. purposes.

Examine the data use for decisions Examine the data use for decisions Examine whether crosschecks of data was Examine whether crosschecks of data was

carried out.carried out. See the documentary evidence for use of See the documentary evidence for use of

correct data and to see how it is used.correct data and to see how it is used.

Evaluating Internal Evaluating Internal Controls - CommunicationControls - Communication

See that effective and reliable internal See that effective and reliable internal communication between management and communication between management and stakeholder is available.stakeholder is available.

See whether organisation allow for easy flow See whether organisation allow for easy flow of information back or forth.of information back or forth.

See what is the process for notifying the See what is the process for notifying the management of the problems. Examine the management of the problems. Examine the procedure. Examine documents to see if procedure. Examine documents to see if stated procedure is adhered to . stated procedure is adhered to .

Examine documentary evidence to see if the Examine documentary evidence to see if the problem reported are considered and acted problem reported are considered and acted upon.upon.

Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities Examine design and implementation of Examine design and implementation of

policies and procedures for managing policies and procedures for managing the programme.the programme.

See whether indices have been See whether indices have been established to monitor performance of established to monitor performance of organisation. organisation.

See that performance measures were See that performance measures were reviewed. See whether performance reviewed. See whether performance measures related to mission goals and measures related to mission goals and objective.objective.

Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities See that performance data are See that performance data are

continually monitored and analyzed.continually monitored and analyzed. Examine whether policies to Examine whether policies to

safeguard assets are known to all safeguard assets are known to all Examine whether the organisation Examine whether the organisation

has identified and ensured adequate has identified and ensured adequate protection for its critical issue protection for its critical issue operationsoperations

Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities Are assets like cash, assets Are assets like cash, assets

vulnerable to theft are vulnerable to theft are adequately guarded.adequately guarded.

See that stock verification See that stock verification procedures are adequate and procedures are adequate and are they adhered to.are they adhered to.

Has the organisation adequate Has the organisation adequate protection to funds.protection to funds.

Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities See whether organisation established See whether organisation established

criteria for identifying the grantees for criteria for identifying the grantees for aid. See the criteria.aid. See the criteria.

See whether risk assessments performed See whether risk assessments performed and documented when systems are and documented when systems are changed.changed.

See whether data sensitivity and See whether data sensitivity and integrity is considered in risk integrity is considered in risk assessmentsassessments

Evaluating Internal Evaluating Internal Controls – Control ActivitiesControls – Control Activities See whether wide security programme See whether wide security programme

exists.exists. See whether access to information See whether access to information

software code is suitably restricted.software code is suitably restricted. See whether contingency plan for See whether contingency plan for

ensuring continuity of service exists.ensuring continuity of service exists. See whether transactions are properly See whether transactions are properly

and promptly classified. Supporting and promptly classified. Supporting records properly maintained.records properly maintained.

Evaluating Internal Evaluating Internal Controls – Internal Control Controls – Internal Control

Questionnaire (ICQ)Questionnaire (ICQ) ICQ is a great tool for evaluating and ICQ is a great tool for evaluating and

understanding an Internal Control understanding an Internal Control system. It contains a series of pre-system. It contains a series of pre-designed questions which the designed questions which the auditor may wish to ask.auditor may wish to ask.

Widely used.Widely used.

Limitations of Internal Limitations of Internal ControlsControls

Can provide only reasonable and not Can provide only reasonable and not absolute assurance about the absolute assurance about the achievement of the entities objectives achievement of the entities objectives

As it depends on human factor, is As it depends on human factor, is subject to flaws in design, errors of subject to flaws in design, errors of judgment or interpretation, judgment or interpretation, misunderstanding, collusion, fatigue misunderstanding, collusion, fatigue etc.etc.

Design of an internal control system Design of an internal control system faces resource constraintsfaces resource constraints

Objectives of assessment of Objectives of assessment of Internal ControlsInternal Controls

To check whether To check whether Internal control systems have been Internal control systems have been

prescribed and documentedprescribed and documented Systems are adequateSystems are adequate Management implements these in the Management implements these in the

manner prescribedmanner prescribed Management periodically reviews them Management periodically reviews them

through internal audit and takes through internal audit and takes corrective measurescorrective measures

Evaluation of Internal control mechanism in Audit of Autonomous Bodies.

Documents

Transcript of Evaluation of Internal control mechanism in Audit of Autonomous Bodies.