Guidance ICS
7/30/2019 Guidance ICS
1/11
GUIDANCE FOR DIRECTORS ON INTERNAL CONTROL
Part 1 - Introduction
Part 2 - The Components of an Effective Internal Control System
Part 3 - Questions to Ask to Assess the Effectiveness of an Internal Control System
Part 4 - Conflicts of Interest
INTRODUCTION
Why are internal controls important?
A good internal control system is a key mechanism for providing management with
reasonable assurance in that it helps:
- reduce the business risks of the company.
- safeguard the company's assets from loss or shrinkage, or from fraud.
- ensure the correctness and the reliability of the company's financial reporting.
- ensure the company's employees comply with the relevant laws and regulations.
- the company to operate efficiently, allocate resources appropriately, and achieve its set objectives.
- protect the investment of the shareholders.
What are internal controls?
An internal control system is a process, effected by a company's board of directors,
management and staff, designed to provide reasonable assurance that:
- The company operates its business effectively and efficiently, achieving its objectives (including the safeguarding of assets against loss or misuse).
- Financial data and reports are correct and reliable.
- The company operates in compliance with the relevant laws and regulations.
Who is responsible for the internal control system?
The board of directors is responsible for the establishment of an effective internal
control system and ensuring that the system is effective in managing business risks to
an appropriate level through the establishment of appropriate internal control and risk
management policies, and regular assessment of whether the system is functioning
effectively.
Management is responsible for the effective implementation of the policies stipulated
by the board.
Employees must perform their duties in compliance with the internal control system
established by the management.
How do I assess the effectiveness of an internal control system?
An effective internal control system must consist of the following five major components:
- A sound control environment
- A sound risk assessment process
- Sound operational control activities
- An effective information and communication system
- An effective monitoring and evaluation system
Therefore, in reviewing whether the internal control system is effective, the board of
directors should consider if all of the above five components are in place, and whether
they are effectively implemented. The components are explained in Part 2.
PART 2 - THE FIVE COMPONENTS OF AN EFFECTIVE INTERNAL
CONTROL SYSTEM
Component 1 : Control Environment
The control environment is the tone of an organisation, or the factors that influence
the internal control system to operate as the company hopes; it creates a control
atmosphere which promotes awareness of the importance of internal control systems
among everyone in the company.
Examples are management's consciousness of the importance of integrity and business
ethics, an appropriate organisational structure, clear assignment of authority and
responsibility, and written policies and procedures. A good control environment is
therefore an important foundation for an effective internal control system.
Component 2 : Risk Assessment
Any company operating a business, regardless of size, structure, nature, industry, or
geography, is surrounded by business risks at all times. Risks can arise from both
internal and external factors such as the following:
Internal factors:
- Management lacks integrity and ethics.
- Unqualified personnel.
- Changes in computerised systems result in changes in the internal control system.
- The company expands faster than its existing infrastructure can cope with.
- High turnover of management and employees.
- Lack of adequate supervision because of, for example, the remoteness of branches.
External factors:
- Changes in technology force the company to change its operating procedures.
- Changes in consumer behavior outdate existing goods and services.
- A competitive environment unfavourably affects prices and market share.
- The passage of new laws impacts on the company's operations.
If the company is to avoid the hazards arising from the above risks, the company's
management must regularly:
- Identify the type of risks to which the company is exposed or expects to be exposed.
- Analyse the impact of such risks on the company, including the likelihood of their occurrence.
- Determine the measures to be taken in order to manage the risks.
Component 3 : Control Activities
Control activities are policies and procedures that help ensure that the management
directives, issued in order to reduce business risk and enable the company to achieve
its business objectives, are acted upon throughout the company. Examples of control
activities are:
- Procedures to ensure that the company's accounting data, information and financial reporting are correct and complete.
- Appropriate assignation of authority and approval of transactions at a suitable level.
- Preventive and detective physical controls over the loss of assets, including fraud (such as physical counts of assets and segregation of duties).
- Procedures to ensure that the company complies with the relevant laws and regulations.
Component 4 : Information and Communication
Quality information (whether of a financial, accounting, marketing, or other nature) and
the process by which such information is communicated to the appropriate person, are
critical.
Quality information has the following characteristics :
(1) It is relevant to the decision to be made.
(2) It is accurate and complete.
(3) It is current.
(4) It is presented in an easily comprehensible format.
Component 5 : Monitoring and Evaluation
Monitoring and evaluation is a process of following up and assessing the quality of
internal control performance within the company, established in order to provide
assurance to the board of directors and the management that the internal control
system is operating, that modifications are made when circumstances change, and that
deficiencies are promptly remedied. For example, periodic reviews of the internal control
system are made and reported on by the responsible management and the internal
auditors, and the management and employees are required to sign a letter of
representation to confirm that they are in compliance with the company's code of
conduct (see Part 4).
PART 3 - QUESTIONS TO ASK TO ASSESS THE EFFECTIVENESS OF
AN INTERNAL CONTROL SYSTEM
1. On the Control Environment
1.1 Has the company established written codes of conduct and
regulations that prohibit management and employees from
being involved in conflicts of interest with the company
(see Part 4), including penalties in case of violation of such
codes and regulations?
1.2 Does the company require that all employees sign a letter of
representation to confirm that they are in compliance with
the regulations established?
1.3 Does the conduct of the company's management set a good example for their
subordinates?
1.4 Does the company have a good organisational structure which enables
management to act correctly, swiftly and efficiently in planning, directing and
controlling the operations?
1.5 Does the company have an internal audit function which works in compliance
with international standards and which is able to function as an efficient
management tool as it reports directly to the audit committee or top executives,
enabling it to independently report the results of audits and express its
opinions openly?
1.6 Has the company established written policies and working practices for
financial transactions and for general administration?
1.7 Has the company established written human resource policies and practices in
the areas of recruitment, training, performance evaluation, promotion, and
compensation and fringe benefits, in order to encourage employees to have
integrity and work efficiently?
1.8 Has the company drawn up job descriptions specifying appropriate knowledge,
ability, and qualifications for personnel in each position?
1.9 Does the company set unrealistic performance targets or provide excessive
incentives or compensation, which may encourage fraud or malfeasance, such
as setting unrealistic sales targets and thus encouraging the manipulation of
sales figures?
1.10 Does the management apply accounting policies in accordance with generally
accepted accounting principles which are appropriate to the nature of the
company's business and avoid accounting policies which lead to distortion of
the company's operating results?
1.11 Does the company periodically rotate all work positions and duties, and require
all personnel in sensitive areas, where there is a high risk of fraud and
misappropriation, to take annual leave so that other personnel work in their
stead?
2. Risk Assessment
2.1 Does the company set clear business targets (such as targets and an overall
business plan that can be used to evaluate performance) as guidelines for
employees to use in their work?
2.2 Does management arrange for the evaluation of business risks arising from
both external and internal factors, such as foreign currency risk and
competitive risk, and for the regular analysis of the possible effects of such
risks on the operations of the company?
2.3 Has the management stipulated measures or procedures to reduce risks to an
acceptable level, or informed employees what level of risk is acceptable to the
company?
3. Control Activities
3.1 Does the company adopt clearly defined budgets and/or key performance
indices as tools in planning and control, to keep operating results in line with
expectations?
3.2 Does the company report its operating results on a regular and timely basis;
and does it compare those reports with figures derived from the planning and
control tools, in order to provide an appropriate basis for management's
business decision making and problem solving?
3.3 Are duties and responsibilities completely segregated in the following three
areas in order to provide check and balance mechanisms?
(1) Authorisation of transactions
(2) Recording of accounting transactions and data
(3) Custody of assets
3.4 Does the company have a list of persons who are authorised to approve each
type of financial transaction?
3.5 Does the company maintain documentary evidence which facilitates the
separation of responsibilities and monitoring of work performance at all times,
including the identification of the persons accountable for errors?
3.6 Does the company monitor and safeguard its assets to prevent their loss and
misuse through, for example, periodic physical counts of assets, the use of
security guards to prevent loss of assets, and the insurance of inventories or
fixed assets at their replacement cost?
3.7 Does the company prohibit the management (including top executives) from
authorising transactions related to themselves, such as overseas traveling
expenses and entertainment expenses?
4. Information and Communication
4.1 Does the company arrange for up-to-date reports of significant information to
be provided to its management and the board of directors on a regular basis?
4.2 Have communication channels been established to ensure that employees at
all levels gain an understanding of the company's policies and regulations and
to ensure that information is communicated to the relevant people?
4.3 Has the company established communication channels which allow employees
to report any suspected fraudulent practices, such as by appointing a
committee or certain senior officials to be responsible for receiving complaints,
or by installing suggestion boxes?
4.4 Is a data security system in place in order to prevent unauthorised access?
4.5 Has the company prepared a disaster recovery plan and contingency plan to
prevent the loss of information?
4.6 Does the company make complete disclosure of related party transactions?
5. Monitoring and Evaluation
5.1 Are reporting systems in place to identify variances from expected
performance and is corrective action taken?
5.2 Are internal audits performed by persons with adequate knowledge and
proficiency, and who report directly to the board of directors and senior
management?
5.3 Are internal control weaknesses noted by either internal or external auditors
promptly reported directly to the senior management, including the board of
directors, so that prompt corrective actions can be taken?
5.4 Does the company have a policy requiring the management to report
immediately to the board of directors in all cases of fraud, suspected fraud,
breaches of laws, or other irregularities which may have a significant impact on
the company's reputation and financial position?
PART 4 - CONFLICTS OF INTEREST
A conflict of interest arises when one person performs two roles which have
different objectives or interests. Conflicts may arise because personal
interests are incompatible with the company's interests, forcing a person
to make a choice which may lead to fraud and misappropriation. Therefore,
all directors and employees of the company should avoid any situation
which may lead to a conflict of interest.
Samples of conflict of interest
1. Unauthorised divulging of confidential information whether or not for personal gain
and whether or not harm to the Company is intended. Disclosure of confidential
information to customers, suppliers, competitors or others, except for information
transmitted as part of normal job activities, or information that has been created for
public distribution.
2. Use of confidential information for the purchase of company securities or securities
of other companies.
3. The acceptance or offer of gifts, or other favors which go beyond common
courtesies in order to induce someone to act in a particular way.
4. Entertainment or reception of customers, contractors, suppliers, service providers,
or government officials, which goes beyond an appropriate level or is held in
inappropriate venues such as entertainment places or places offering various types
of service.
5. Requiring or accepting any benefits, whether money or goods, from customers,
brokers or agents, business owners, contractors, suppliers, service providers, and
any individuals or organisations that have transactions with the company (money or
goods includes gifts, loans, fees, commissions, sharing of benefits, services,
privileges, employment, and approval of contracts).
6. Investment in, or being a director or employee of, a customer, supplier, service
provider, or competitor.
7. Transactions between related companies, between an individual and the company,
or between relatives of management and the company.
This article is extracted from the handbook Guidance for Directors on Internal Control which was prepared by the
Institute of Certified Accountants and Auditors of Thailand, together with representatives of both the major
educational institutions and private sector companies, for the Stock Exchange of Thailand (www.set.or.th) in
March 2000.