215 Control, security and audit Introduction In this chapter we move to the main elements of internal control systems that organisations operate (Section 1). Controls must be linked to organisational objectives and the main risks that organisations face (Section 2). In addition internal control systems do not just consist of the controls themselves but also the control environment within which controls operate. Internal audit is a key part of the control system of larger companies (Section 3) and the external audit function exists to review controls and report upon the financial statements (Section 4). Organisations are becoming increasingly reliant on computerised information systems. It is vital therefore to ensure these systems are secure – to protect the information held on them, to ensure operations run smoothly, to prevent theft and to ensure compliance with legislation (Sections 5 and 6). Security and legal issues are likely to crop up regularly in the examination. Topic list Syllabus reference 1 Internal control systems D3 (a)(b) 2 Internal control environment and procedures D3 (c)(d) 3 Internal audit and internal control D2 (a)(b) 4 External audit D2 (a)(b) 5 IT systems security and safety D3 (e) 6 Building controls into an information system D3 (f) 216 9: Control, security and audit ~ Part D Specific functions of accounting and internal financial control Study guide Intellectual level D2 Internal and external auditing and their functions (a) Define internal and external audit. 1 (b) Explain the main functions of the internal auditor and the external auditor. 1 D3 Internal financial control and security within business organisations (a) Explain internal control and internal check. 1 (b) Explain the importance of internal financial controls in an organisation. 2 (c) Describe the responsibilities of management for internal financial control. 1 (d) Describe the features of effective internal financial control procedures in an organisation. 2 (e) Identify and describe features for protecting the security of IT systems and software within business. 1 (f) Describe general and application systems controls in business. 1 Exam guide The syllabus regards internal control as a specific and very important business function, supported by effective and secure management information. 1 Internal control systems Internal controls should help organisations counter risks, maintain the quality of reporting and comply with laws and regulations. They provide reasonable assurance that the organisations will fulfil their objectives. An internal control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organising and directing by management. (Institute of Internal Auditors) 1.1 Direction of control systems In order for internal controls to function properly, they have to be well-directed. Managers and staff will be more able (and willing) to implement controls successfully if it can be demonstrated to them what the objectives of the control systems are, whilst objectives provide a yardstick for the board when they come to monitor and assess how controls have been operating. 1.2 Turnbull guidelines The UK's Turnbull report provides a helpful summary of the main purposes of an internal control system. (Note that the Turnbull report is not examinable but provides a useful background.) Turnbull comments that internal control consists of 'the policies, processes, tasks, behaviours and other aspects of a company that taken together: (a) Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed. FA S T F O RWAR D Key term Part D Specific functions of accounting and internal financial control ~ 9: Control, security and audit 217 (b) Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and without the organisation. (c) Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business' The Turnbull report goes on to say that a sound system of internal control reduces but does not eliminate the possibilities of poorly-judged decisions, human error, deliberate circumvention of controls, management override of controls and unforeseeable circumstances. Systems will provide reasonable (not absolute) assurance that the company will not be hindered in achieving its business objectives and in the orderly and legitimate conduct of its business, but won't provide certain protection against all possible problems. 1.3 Need for control framework Internal control frameworks include the control environment within which internal controls operate. Other important elements are the risk assessment and response processes, the sharing of information and monitoring the environment and operation of the control system. Organisations need to consider the overall framework of controls since controls are unlikely to be very effective if they are developed sporadically around the organisation, and their effectiveness will be very difficult to measure by internal audit and ultimately by senior management. 1.4 Control environment and control procedures The internal control system comprises the control environment and control procedures. It includes all the policies and procedures (internal controls) adopted by the directors and management of an entity to assist in achieving their objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to internal policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. Internal controls may be incorporated within computerised accounting systems. However, the internal control system extends beyond those matters which relate directly to the accounting system. Perhaps the simplest framework for internal control draws a distinction between x Control environment – the overall context of control, in particular the attitude of directors and managers towards control x Control procedures – the detailed controls in place The Turnbull report on Internal Control also highlights the importance of x Information and communication processes x Processes for monitoring the continuing effectiveness of the system of internal control However, any internal control system can only provide the directors with reasonable assurance that their objectives are reached. This is because of inherent limitations such as human error or fraud, collusion between employees or controls being overridden by managers. 2 Internal control environment and procedures The control environment is influenced by management's attitude towards control, the organisational structure and the values and abilities of employees. Key term FA S T F O RWAR D FA S T F O RWAR D 218 9: Control, security and audit ~ Part D Specific functions of accounting and internal financial control 2.1 Nature of control environment The control environment is the overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity. The control environment encompasses the management style, and corporate culture and values shared by all employees. It provides the background against which the various other controls are operated. The Turnbull report highlighted a number of elements of a strong control environment. x Clear strategies for dealing with the significant risks that have been identified x The company's culture, code of conduct, human resource policies and performance reward systems supporting the business objectives and risk management and internal control systems x Senior management demonstrating through its actions and policies commitment to competence, integrity and fostering a climate of trust within the company x Clear definition of authority, responsibility and accountability so that decisions are made and actions are taken by the appropriate people x Communication to employees what is expected of them and scope of their freedom to act x People in the company having the knowledge, skills and tools to support the achievements of the organisation's objectives and to manage effectively its risks However, a strong control environment does not, by itself, ensure the effectiveness of the overall internal control system although it will have a major influence upon it. The control environment will have a major impact on the establishment of business objectives, the structuring of business activities, and dealing with risks. Controls can be classified in various ways including administrative and accounting; prevent, detect and correct; discretionary and non-discretionary; voluntary and mandated; manual and automated. The mnemonic SPAMSOAP can be used to remember the main types of control. Control procedures are those policies and procedures in addition to the control environment which are established to achieve the entity's specific objectives. (Auditing Practices Board) 2.2 Classification of control procedures You may find internal controls classified in different ways, and these are considered below. Classification of controls can be important because different classifications of control are tested in different ways. Classification Detail Administration These are concerned with achieving the objectives of the organisation and with implementing policies. These controls relate to channels of communication and reporting responsibilities. Accounting These controls aim to provide accurate accounting records and to achieve accountability. They apply to recording transactions and establishing responsibilities for records, transactions and assets. Prevent These are controls designed to prevent errors from happening in the first place. For example, checking invoices from suppliers against goods received notes before paying the invoices. Detect These are designed to detect errors once they have happened. Examples include bank reconciliations and physical checks of inventory against inventory records. Correct These are designed to minimise or negate the effect of errors. An example would be a back-up of computer input at the end of the day. Key term Key term FA S T F O RWAR D Part D Specific functions of accounting and internal financial control ~ 9: Control, security and audit 219 Question Prevent controls How can prevent controls be used to measure performance and efficiency? Answer In the above examples the system outputs could include information, say, about the time lag between delivery of goods and invoicing: (a) As a measure of the efficiency of the invoicing section (b) As an indicator of the speed and effectiveness of communications between the despatch department and the invoicing department (c) As relevant background information in assessing the effectiveness of cash management You should be able to think of plenty of other examples. Credit notes reflect customer dissatisfaction, for example: how quickly are they issued? 2.2.1 Other classifications Classification Detail Discretionary These are controls which are subject to human discretion. For example, checking a signature on a purchase order. Non- discretionary These are controls which are provided automatically by the system and cannot be overridden. For example, entering a pin number at a cash dispensing machine. Voluntary These controls are chosen by the organisation to support the management of the business. Mandated These controls are required by law and imposed by external authorities. Manual These controls demonstrate a one-to-one relationship between the processing functions and controls, and the human functions. Automated These controls are programmed procedures designed to prevent, detect and correct errors all the way through processing. General These controls are used to reduce the risks associated with the computer environment. General controls are controls which relate to the environment in which the application is operated. Application These controls are used to reduce the risks associated with the computer environment. Application controls are controls that prevent, detect and correct errors. Financial These controls focus on the key transaction areas, with the emphasis being on the safeguarding of assets and the maintenance of proper accounting records and reliable financial information. 2.3 Types of financial control procedure The old UK Auditing Practices Committee's guideline Internal controls gave a useful summary that is often remembered as a mnemonic, 'SPAMSOAP'. (a) Segregation of duties. For example, the chairman/Chief Executive roles should be split. (b) Physical. These are measures to secure the custody of assets, eg only authorised personnel are allowed to move funds on to the money market. 220 9: Control, security and audit ~ Part D Specific functions of accounting and internal financial control (c) Authorisation and approval. All transactions should require authorisation or approval by an appropriate responsible person; limits for the authorisations should be specified, eg a remuneration committee is staffed by non-executive directors (NEDs) to decide directors' pay. (d) Management should provide control through analysis and review of accounts, eg variance analysis, provision of internal audit services. (e) Supervision of the recording and operations of day-to-day transactions. This ensures that all individuals are aware that their work will be checked, reducing the risk of falsification or errors, eg budgets, managers' review, exception or variance reports. (f) Organisation: identify reporting lines, levels of authority and responsibility. This ensures everyone is aware of their control (and other) responsibilities, especially in ensuring adherence to management policies, eg avoid staff reporting to more than one manager. Procedures manuals will be helpful here. (g) Arithmetical and accounting: to check the correct and accurate recording and processing of transactions, eg reconciliations, trial balances. (h) Personnel. Attention should be given to selection, training and qualifications of personnel, as well as personal qualities; the quality of any system is dependent upon the competence and integrity of those who carry out control operations, eg use only qualified staff as internal auditors. 2.4 Internal checks Internal controls should not be confused with internal checks, which have a more restricted definition. Internal checks are defined as the checks on the day-to-day transactions whereby the work of one person is proved independently or is complementary to the work of another, the object being the prevention or early detection of errors and fraud. It includes matters such as the delegation and allocation of authority and the division of work, the method of recording transactions and the use of independently ascertained totals, against which a large number of individual items can be proved. Internal checks are an important feature of the day-to-day control of financial transactions and the accounting system. Arithmetical internal checks include pre-lists, post-lists and control totals. A pre-list is a list that is drawn up before any processing takes place. A post-list is a list that is drawn up during or after processing. A control total is a total of any sort used for control purposes by comparing it with another total that ought to be the same. A pre-list total is a control total, so that for example, when cash is received by post and a pre-list prepared and the receipts are recorded individually in the cash book, and a total of amounts entered in the cash book is obtained by adding up the individual entries, the control total obtained from the cash book can be compared with, and should agree with, the pre-list control total. Control totals, as you should already be aware, are frequently used within computer processing. 2.5 Aims of internal checks Segregate tasks, so that the responsibility for particular actions, or for defaults or omissions, can be traced to an individual person. Create and preserve the records that act as confirmation of physical facts and accounting entries. Break down routine procedures into separate steps or stages, so as to facilitate an even flow of work and avoid bottlenecks. Reduce the possibility of fraud and error. The aim should be to prevent fraud and error rather than to be able to detect it after it has happened. Efficient internal checks make extensive fraud virtually impossible, except by means of collusion between two or more people. Key term Key terms Part D Specific functions of accounting and internal financial control ~ 9: Control, security and audit 221 Internal checks, importantly, imply a division of work, so that the work of one person is either proved independently or else is complementary to the work of another person. 2.6 Characteristics of a good internal control system (a) A clearly defined organisation structure (i) Different operations must be separated into appropriate divisions and sub-divisions. (ii) Officers must be appointed to assume responsibility for each division. (iii) Clear lines of responsibility must exist between each division and sub-division and the board. (iv) There must be overall co-ordination of the company's activities (through corporate planning). (b) Adequate internal checks (i) Separation of duties for authorising a transaction, custody of the assets obtained by means of the transaction and recording the transaction. (ii) 'Proof measures' such as control totals, pre-lists and bank reconciliations should be used. (c) Acknowledgement of work done: persons who carry out a particular job should acknowledge their work by means of signatures, initials, rubber stamps and so on. (d) Protective devices for physical security. (e) Formal documents should acknowledge the transfer of responsibility for goods. When goods are received, a goods received note should be used to acknowledge receipt by the storekeeper. (f) Pre-review: the authorisation of a transaction (for example a cash payment, or the purchase of an asset) should not be given by the person responsible without first checking that all the proper procedures have been carried out. (g) A clearly defined system for authorising transactions within specified spending limits. (h) Post-review: completed transactions should be reviewed after they have happened; for example, monthly statements of account from suppliers should be checked against the purchase ledger accounts of those suppliers. (i) There should be authorisation, custody and re-ordering procedures. (i) Funds and property of the company should be kept under proper custody. Access to assets (either direct or by documentation) should be limited to authorised personnel. (ii) Expenditure should only be incurred after authorisation and all expenditures are properly accounted for. (iii) All revenue must be properly accounted for and received in due course. (j) Personnel should have the capabilities and qualifications necessary to carry out their responsibilities properly. (k) An internal audit department should be able to verify that the control system is working and to review the system to ensure that it is still appropriate for current circumstances. 2.7 Limitations on the effectiveness of internal controls Not only must a control system include sufficient controls, but also these controls must be applied properly and honestly . (a) Internal controls depending on segregation of duties can be avoided by the collusion of two or more people responsible for those duties. (b) Authorisation controls can be abused by the person empowered to authorise the activities. (c) Management can often override the controls they have set up themselves. 222 9: Control, security and audit ~ Part D Specific functions of accounting and internal financial control 3 Internal audit and internal control 3.1 Internal audit Internal audit has been defined as: An independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. The investigative techniques developed are applied to the analysis of the effectiveness of all parts of an entity's operations and management. The work of internal audit is distinct from the external audit which is carried out for the benefit of shareholders only and examines published accounts. Internal audit is part of the internal control system. 3.2 The need for internal audit The role of internal audit will vary according to the organisation's objectives but is likely to include review of internal control systems, risk management, legal compliance and value for money. The Turnbull report in the UK stated that listed companies without an internal audit function should annually review the need to have one, and listed companies with an internal audit function should review annually its scope, authority and resources. Turnbull states that the need for internal audit will depend on: x The scale, diversity and complexity of the company's activities x The number of employees x Cost-benefit considerations x Changes in the organisational structures, reporting processes or underlying information systems x Changes in key risks x Problems with internal control systems x An increased number of unexplained or unacceptable events Although there may be alternative means of carrying out the routine work of internal audit, those carrying out the work may be involved in operations and hence lack objectivity. 3.3 Objectives of internal audit The role of the internal auditor has expanded in recent years as internal auditors seek to monitor all aspects (not just accounting) of the business, and add value to their organisation. The work of the internal auditor is still prescribed by management, but it may cover the following broad areas. (a) Review of the accounting and internal control systems. The establishment of adequate accounting and internal control systems is a responsibility of management and the directors. Internal audit is often assigned specific responsibility for the following tasks. x Reviewing the design of the systems x Monitoring the operation of the systems by risk assessment and detailed testing x Recommending cost effective improvements Review will cover both financial and non-financial controls. (b) Examination of financial and operating information. This may include review of the means used to identify, measure, classify and report such information and specific enquiry into individual items including detailed testing of transactions, balances and procedures. (c) Review of the economy, efficiency and effectiveness of operations. (d) Review of compliance with laws, regulations and other external requirements and with internal policies and directives and other requirements including appropriate authorisation of transactions. FA S T F O RWAR D Key term Part D Specific functions of accounting and internal financial control ~ 9: Control, security and audit 223 (e) Review of the safeguarding of assets. (f) Review of the implementation of corporate objectives. This includes review of the effectiveness of planning, the relevance of standards and policies, the company's corporate governance procedures and the operation of specific procedures such as communication of information. (g) Identification of significant business and financial risks, monitoring the organisation's overall risk management policy to ensure it operates effectively, and monitoring the risk management strategies to ensure they continue to operate effectively. (h) Special investigations into particular areas, for example suspected fraud. 3.4 Internal audit and risk management Internal audit will play a significant part in the organisation's risk management processes, being required to assess and advise on how risks are countered. Internal audit's work will be influenced by the organisation's appetite for bearing risks, but internal audit will assess: x The adequacy of the risk management and response processes for identifying, assessing, managing and reporting on risk x The risk management and control culture x The internal controls in operation to limit risks x The operation and effectiveness of the risk management processes The areas auditors will concentrate on will depend on the scope and priority of the assignment and the risks identified. Where the risk management framework is insufficient, auditors will have to rely on their own risk assessment and will focus on recommending an appropriate framework. Where a framework for risk management and control is embedded in operations, auditors will aim to use management assessment of risks and concentrate on auditing the risk management processes. 3.5 The features of internal audit From these definitions the two main features of internal audit emerge. (a) Independence: although an internal audit department is part of an organisation, it should be independent of the line management whose sphere of authority it may audit. (b) Appraisal: internal audit is concerned with the appraisal of work done by other people in the organisation, and internal auditors should not carry out any of that work themselves. The appraisal of operations provides a service to management. 3.6 Types of audit Internal audit is a management control, as it is a tool used to ensure that other internal controls are working satisfactorily. An internal audit department may be asked by management to look into any aspect of the organisation. Five different types of audit can be distinguished. (The first three types are considered further in the following paragraphs.) x Operational audit x Social audit x Systems audit x Management investigations x Transactions audit Operational audits can be concerned with any sphere of a company's activities. Their prime objective is the monitoring of management's performance at every level, to ensure optimal functioning according to pre-determined criteria. They concentrate on the outputs of the system, and the efficiency of the organisation. They are also known as 'management', 'efficiency' or 'value for money' audits. A systems audit is based on a testing and evaluation of the internal controls within an organisation so that those controls may be relied on to ensure that resources are being managed effectively and information provided accurately. Two types of tests are used. 224 9: Control, security and audit ~ Part D Specific functions of accounting and internal financial control (a) Compliance tests seek evidence that the internal controls are being applied as prescribed. (b) Substantive tests substantiate the entries in the figures in accounts. They are used to discover errors and omissions. The auditor will be interested in a variety of processing errors when performing compliance tests. x At the wrong time x Error x Incompleteness x Fraud x Omission The key importance of the two types of test is that if the compliance tests reveal that internal controls are working satisfactorily, then the amount of substantive testing can be reduced , and the internal auditor can concentrate the audit effort on those areas where controls do not exist or are not working satisfactorily. 3.7 Example Suppose a department within a company processes travel claims which are eventually paid and recorded on the general ledger. (a) When conducting compliance tests, the internal auditor is looking at the controls in the travel claim section to see if they are working properly. This is not the same as looking at the travel claims themselves. For example, one of the internal controls might be that a clerk checks the addition on the travel claim and initials a box to say that he has done so. If he fails to perform this arithmetic check, then there has been a control failure - regardless of whether the travel claim had, in fact, been added up correctly or incorrectly. (b) When conducting substantive tests, the internal auditor is examining figures which he has extracted directly from the company's financial records. For this sort of test, the auditor is concerned only with establishing whether or not the figure in the ledger is correct. He or she is not concerned as to how it got there. A transactions or probity audit aims to detect fraud and uses only substantive tests. 3.8 Accountability The internal auditor is accountable to the highest executive level in the organisation, preferably to the audit committee of the Board of Directors. There are three main reasons for this requirement. x The auditor needs access to all parts of the organisation. x The auditor should be free to comment on the performance of management. x The auditor's report may need to be actioned at the highest level to ensure its effective implementation. The accountability of the internal auditor is tested on the Pilot Paper. 3.9 Independence Given an acceptable line of responsibility and clear terms of authority, it is vital that the internal auditor is and is seen to be independent . Independence for the internal auditor is established by three things. x The responsibility structure x The auditor's own approach x The auditor's mandatory authority Internal audit requires a highly professional approach which is objective, detached and honest. Independence is a fundamental concept of auditing and this applies just as much to the internal auditor as to the external auditor. The internal auditor should not install new procedures or systems, neither should he engage in any activity which he would normally appraise, as this might compromise his independence. Exam focus point [...]... topics to be examined This is certainly the case on the Pilot Paper 1 What is fraud? FAST FORWARD Key term In a corporate context fraud can fall into one of two main categories: removal of funds or assets from a business or the intentional misrepresentation of the financial position of a business Fraud may be generally defined as 'deprivation by deceit' In a court case, fraud was defined as 'a false... assessing external and internal risks Part D Specific functions of accounting and internal financial control 10: Identifying and preventing fraud 247 2.2.3 Business risks FAST FORWARD A number of factors tend to crop up frequently as indicators of potential fraud situations; these can be categorised under business and personnel risks An alert management team will always be aware of the industry or business. .. process similar in many ways to the evolution of independent auditing 228 9: Control, security and audit Part D Specific functions of accounting and internal financial control Required Explain why the internal and independent auditors' review of internal control procedures differ in purpose Answer The internal auditors review and test the system of internal control and report to management in order to... functions of accounting and internal financial control 10: Identifying and preventing fraud 249 Long term effects on company performance The reduction in working capital makes it more difficult for the company to operate effectively In the most serious cases, fraud can ultimately result in the collapse of an otherwise successful business, such as Barings 3.2 Intentional misrepresentation of the financial position... of accounting and internal financial control Passwords are also used by administrators to control access rights for the reading, modifying and deleting functions 6. 2.7 Administrative controls Personnel selection is important Some employees are always in a position of trust Computer security officer Senior systems analyst Database administrator Measures to control personnel include the following Careful... form (copies 1-3)and in the inventory records maintained by the store-keepers The objectives here are to see that no goods are released from inventory without appropriate authority and that a record of inventory movements is maintained (iv) Control over the invoicing of customers The main control requirement here will be to use sequentially pre-numbered invoices with checks being carried out to control... hazard Flooding and water damage are often encountered following firefighting activities elsewhere in a building This problem can be countered by the use of waterproof ceilings and floors together with the provision of adequate drainage 5.2.3 Weather Wind, rain and storms can all cause substantial damage to buildings In certain areas the risks are greater, for example the risk of typhoons in parts of... accounting and internal financial control 9: Control, security and audit 231 Answer (a) (b) (c) (d) 'Postcode' all pieces of hardware Invisible ink postcoding is popular, but visible marking is a better deterrent Heated soldering irons are ideal for imprinting postcodes onto objects with a plastic casing Mark the equipment in other ways Some organisations spray their hardware with permanent paint, perhaps... they rely are misrepresentations of the truth (a) (b) 250 Investors making decisions based on inaccurate information will find actual returns deviating from expectations Suppliers will extend credit without knowing the financial position of the company 10: Identifying and preventing fraud Part D Specific functions of accounting and internal financial control ... measures involve the use of smoke detectors Corrective measures may include installation of a sprinkler system (water-based or possibly gas-based to avoid electrical problems), training of fire officers and good sitting of exit signs and fire extinguishers Flooding Water damage may result from flooding or from fire recovery procedures If possible, large installations should not be situated in basements . accounting and internal financial control Study guide Intellectual level D2 Internal and external auditing and their functions (a) Define internal and external audit. 1 (b) Explain the main functions. of the internal auditor and the external auditor. 1 D3 Internal financial control and security within business organisations (a) Explain internal control and internal check. 1 (b) Explain the. company will not be hindered in achieving its business objectives and in the orderly and legitimate conduct of its business, but won't provide certain protection against all possible problems. 1.3