Internal controls and Audit
Internal Controls are systematic and procedural steps adopted by an organization to mitigate risks, primarily in the areas of financial accounting and reporting, operational processing and compliance with laws and regulations.
Internal Controls (ICs) are essentially risk mitigation steps taken to strengthen the organization’s systems and processes, as well as help to prevent and detect errors and irregularities. The actual steps of mitigation (e.g., review, approval, physical count, segregation of duty, etc.) are referred to as ‘Control Activities’.
When ICs mitigate the risk of financial exposure, they are also referred to as Internal Financial Controls (IFCs) and when they mitigate operational risks, they are also referred to as Operational Controls (OCs). ICs generally operate with human intervention (Manual Controls), but in an automated environment, computer controls are deployed either to secure the systems, in which case they are called IT General Controls (such as access controls), or to check transaction processing at an application level, in which case they are called Application Controls (such as sequential numbering of invoices, etc.).
Internal Controls can be broad-based covering the whole entity (i.e., Code of Conduct), or focused on a specific process or area (such as Order processing or Payroll, etc.). In the former case they are generally referred to as “Entity Level Controls (ELCs)” as part of the “Control Environment”. In the latter case, they are also referred to as “Process Level Controls (PLCs)”.
“Internal Controls Framework” is a pre-defined benchmark Internal Control System, based on suitable criteria, which can be used by management or auditors to assess the design, adequacy and operating effectiveness of the overall internal control system.
Responsibilities for internal control
As per the Companies Act, 2013, in a limited company, the board of directors is responsible for ensuring that appropriate internal controls are in place. Their accountability is to the shareholders, as the directors act as their agents. In turn, the directors may consider it prudent to establish a dedicated internal control function. The point at which this decision is taken will depend on the extent to which the benefits of the function will outweigh the costs.
The directors must pay due attention to the control environment. If internal controls are to be effective, it is necessary to create an appropriate culture and embed a commitment to robust controls throughout the organization.
Internal Control Procedures:
- Physical controls on access to assets
- Authorization and approvals
- Segregation of Duties
- Management Controls
- Arithmetic and accounting controls
- Human Resources controls
Internal Audit
Internal audit testing is the internal assessment of internal controls and as such is a management responsibility to ensure compliance and conformity of internal controls to pre-determined standards.
Internal audit provides independent assurance on the effectiveness of internal controls and risk management processes to enhance governance and achieve organizational objectives.
As per SIA (Standards on Internal Audit) 210 issued by ICAI, the Internal Audit Function is the responsibility of the Chief Internal Auditor or the designated person. He performs a number of activities to achieve the objectives as outlined in the Terms of Engagement. A few of the critical activities are as follows:
- Define the overall plan, scope and methodology of the Internal Audit Function on a periodic basis.
- Oversee and monitor various audit assignments, their proper planning, execution, reporting of findings and subsequent closure of reported observations.
- Plan, acquire, engage and review the performance, training and development of professional staff, talent and other resources to achieve its objectives.
- Identify, source, engage and manage external experts and technical solutions, if required.
- Communicate and engage with all key stakeholders regarding progress and achievement of objectives.
- Develop and maintain a quality evaluation and improvement program.
Responsibility of Internal Auditor
- The Internal Auditor shall ensure that the entity has designed, implemented and maintains effective and efficient Internal Controls. The audit procedures shall be sufficient to allow the Internal Auditor to check the design, proper implementation and operating effectiveness of the Internal Controls.
- Any shortcoming shall result in recommendations for improvement and suggestions on how to make the Internal Controls more efficient and effective in line with the objectives.
- Where the Internal Auditor is required to provide an independent opinion on the presence, design, implementation and/or operating effectiveness of Internal Controls, this shall be consistent with the requirements of SIA 110, “Nature of Assurance”, especially with regard to the need to have a clear understanding of the Internal Controls Framework which shall form the basis of the assurance.
Key risks
The internal auditor shall review and report on internal controls in relation to key risks affecting the organization. The objective should be to test the extent to which the controls will manage the risk if it crystallizes. The conclusions of these reports should enable management to reconsider the controls and modify or redesign them if appropriate.
Compliance
Organizations have to implement performance standards in relation to compliance. This may be to satisfy the demands of external regulators, or to operate to pre-determined internal standards. Internal audit should review operations for compliance with such standards. In this respect, the work of internal auditors has broadened, as organizations increasingly pursue compliance not only with industry standards for products and service provision, but also with criteria relevant to environmental standards.