What Is the Cost to Have Systems and Procedures Designed

  • COSO Framework
  • Types of Controls
  • Roles in Internal Control
  • What can jeopardize controls
  • Cost of Internal Controls

COSO defines Internal Control as a process, effected by an entity's Board, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission.  It is composed of the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA) and the Financial Executives International (FEI).  These five (5) private sector organizations formed this joint initiative in 1985 to combat corporate fraud.  COSO is dedicated to guiding management on relevant aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting. It has established an internal control model against which organizations may assess their internal control systems.

COSO Internal Control Framework and Components


COSO's Internal Control – Integrated Framework enables organizations to effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels and support sound management decision making and governance.  It is being adopted by the IAFRMO as the internal control framework for the University.

All five of its components need to be present and functioning effectively to have a good internal control system. These five (5) components are:

  • Control Environment is the set of standards, processes and structures that ensure internal control is carried out across the organization.  It is the foundation of all other components of internal control.  The control environment consists of the integrity and ethical values of the organization, the parameters that enable the Board to carry out its governance oversight responsibilities, the organization structure and assignment of authority and responsibility, the process of attracting, developing and retaining competent individuals and the rigor around performance measures and rewards to drive accountability for performance.
  • Risk Assessment forms the basis for determining how risks will be managed.   It involves a dynamic process of assessing risks to the achievement of objectives.  It also requires that management consider the suitability of objectives and the impact of possible changes in the external environment and within its own business model that may render internal controls ineffective.
  • Control Activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks are carried out.  They are performed at all levels of the entity, at various stages within the business processes and over the technology environment.  They encompass a range of manual and automated activities:
    • Authorizations and approvals for certain transactions such as expense reimbursement prior to payment; purchase requisition prior to procurement.
    • Verification such as the review of reports by a supervisor to check the validity and accuracy of transactions executed by his/her staff; periodic asset counts; confirming receivables and payables with relevant parties
    • Account reconciliation such as comparing the total cash balance with the combined individual cash accounts on hand and in banks
    • Business performance reviews such as comparing actual revenue and/or expenses against budgets; monitoring Unit or Department performance against objectives
    • Access control such as assigning passwords to restrict computer, system and file access to authorized users or holding a person accountable for custody of cash, supplies or equipment


Segregation of duties is typically built into the development of control activities. Where it is not possible, alternative control activities need to be put in place.

  • Information and Communication enables the entity to carry out its internal control responsibilities.  Communication is the continual, iterative process of obtaining, providing and sharing information, flowing up, down and across the entity, from both internal and external sources.  It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.
  • Monitoring Activities such as ongoing or separate evaluations, or some combination of the two, are used to ascertain whether each of the five components is present and functioning.  Ongoing evaluations are built into business processes and provide timely information.  Separate evaluations are done periodically and vary in scope and frequency depending on the assessment of risks, effectiveness of ongoing evaluations and other management considerations.

Types of Controls
Most internal controls can be classified as either preventive or detective.

Preventive controls are designed to prevent errors or irregularities from occurring. A few examples are:

  • Separation of duties: assigning different individuals to handle different segments of a process; e.g. for collecting cash, preparing deposits, recording transactions and reconciling records
  • Manager review of purchase requisitions and invoices prior to approval to prevent inappropriate expenditures

Detective controls are designed to identify errors or irregularities after they have occurred. These controls are performed routinely to identify, in a timely manner, any issues that pose a potential risk to the University. A few examples are:

  • An exception report lists and detects incorrect or invalid entries or transactions
  • Taking an annual physical inventory of items in a particular location will determine if any items have been misplaced or stolen
  • A comparison of deposits per bank records against deposits in the University's records will detect errors in postings or missing transactions

Implementing good internal controls helps a department operate more efficiently and effectively and provides a reasonable level of assurance that the processes and resources that it is responsible for are adequately protected.

Roles in Internal Control
Everyone has a role in internal controls. An individual's responsibility depends on his/her role in the University:

  • The Board of Trustees, University President and senior administrators establish a culture of compliance, ethics, competence and a strong control environment.
  • Department/Unit Directors and managers establish and maintain internal controls within their areas of responsibility through policies, procedures and practices.
  • Other Department/Unit personnel execute the control policies and procedures that have been established.


Role of Internal Audit in Controls
Internal Audit assists in maintaining effective controls by evaluating their effectiveness and efficiency and by making recommendations where control improvements are needed. In order to evaluate controls objectively, Internal Audit maintains its independence from daily operations and, therefore, will not create or maintain internal controls with and for the Departments/Units.

What can jeopardize internal controls?
While many circumstances may compromise the effectiveness of internal controls, a few of the most common and serious of these warrant special mention.  They frequently end up being flagged as audit findings:

Inadequate Segregation of Duties: Separating responsibility for physical custody of an asset from the related record keeping and reconciliation/verification is a critical control.

  • A person who can authorize Purchase Orders (Purchasing) should not be capable of processing payments (Accounts Payable).
  • The person who prepares the deposit should not post the receipts to their respective student or fund accounts.

Inappropriate Access to Assets: Internal controls should safeguard physical assets, restricted information, critical forms and the like.

  • An employee who only needs to view computer information should have Read/View access only and not be granted Write/Create access.
  • Only authorized individuals should be issued keys to restricted areas.

Inadequate Knowledge of University Policies and/or external laws and regulations: The University does not operate in a static environment, and therefore, new policies and revisions to policies and laws and regulations will always happen as the environment changes and as part of our continuous improvement.  All employees must understand their responsibilities and stay abreast of changes therein.

Form Over Substance: Controls can appear to be well designed, but still lack substance, as can happen with required approvals.

  • An approver's signature attests to the accuracy of a transaction, but if the approver does not check the supporting documents to validate its legitimacy and accuracy, the approval process lacks substance.

Control Override: Exceptions to established policies can sometimes be necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited.

  • Thorough documentation and approval of all exceptions will help management ensure the unusual transactions or events are clearly and adequately explained.  A periodic review of these exceptions also helps to identify the need for policy or procedural changes.
  • Management also needs to be vigilant against control override as a result of collusion among employees.

Inherent Limitations: There is no such thing as a perfect control system.  Staff size may hinder efforts to properly segregate duties, which then requires the implementation of compensating controls to ensure that objectives are achieved.  An inherent limitation in any system is the element of human error resulting from such things as misunderstanding instructions, fatigue or stress.

  • A manager who encourages his/her staff to take earned vacation time can improve the operations through cross-training of other staff while enabling the staff on leave to overcome, or avoid, stress and fatigue.
  • The potential loss of a computer printer may justify the cost of installing a door lock, but not an alarm system.

Sometimes, there is no out-of-pocket cost to establishing adequate controls. Execution of a well-designed control procedure or a re-alignment of duties may be all that is necessary to have good controls and to reduce the risk of loss or theft.

  • Logging out when your computer is not in use protects sensitive information.
  • Voided receipts are approved by the supervisor of the person processing the receipts.
  • A locked cash box establishes accountability for, and restricts access to cash.
  • Assigning responsibility for equipment, supplies or records and information to an employee holds the employee accountable for them.

In analyzing the pertinent costs and benefits, managers should also consider their possible ramifications to the University at large and attempt to identify the tangible as well as the intangible benefits.

  • It may be difficult to determine the cost of poor public relations and lost goodwill if a resigned employee leaks sensitive information because his/her access to our systems was not removed.

Source: https://www.ateneo.edu/internalaudit/what-is-internal-control
