• Internal control procedures
• Effectiveness and performance
What is Meant by 'Internal Control'? 37
INTERNAL CONTROL CONCEPT AND CULTURE
I I I I I I
(f) LU
en Wc/3
< LJJ
C/)0 Wb
Q W 2 o < i Q
LU
o LU LU Q
1x1 cr 5 9
Oz>
LU Z
LU MJ LU LU
LU
ETHICAL VALUES QUALITY OF PERSONNEL
HIGH TECHNOLOGY ORGANIZATION AND STRUCTURE
Figure 2.3 Infrastructure and pillars supporting a valid solution to internal control
• Independence of opinion and action
• Auditing of internal control rules and functions.
Part II and Part III elaborate in greater detail on these issues by focusing on a company's core functions and the type of internal control that serves them best. Chapter 9 explains how to establish an efficient internal control structure; Chapters 10 and 11 concentrate on the implementation of internal control in a credit institution, taking the limits system as an example.
Chapter 12 examines how to apply internal control concepts in manufacturing - particularly in engineering design, product development, and quality assurance.
A case can, however, be made that fundamental concepts concerning the methodology and the most basic procedures should be explained at this point in time because in this way they become a framework on which all subsequent discussion is based. This would allow us to tackle the harder job of internal control intelligence before getting involved into specific
implementation cases and the best practices these might involve.
38 Why Internal Control Systems Must be Audited
Let me immediately add to the preceding statement that accountability for internal control should be in every job description - even if the existence of prescribed internal control procedures, though necessary, is not sufficient for the exercise of effective internal control. While a description of duties and responsibilities must be in place, prescribed procedures that are not actually performed do nothing to establish control. Therefore, the board, CEO, and senior management must give thoughtful attention to a family of issues which includes:
• Prescribed set of procedures
• Practices actually followed
• Ways and means for enforcement and
• The culture of the organization vis-a-vis internal control.
Among themselves these four bullet points give an incentive to tailor internal control design and testing to meet top management requirements.
By serving as benchmarks they also help in establishing a consistent approach to the procedural aspects which must be observed at all time by everybody in the organization.
The principle is that rules, guidelines, and procedures must always be tested. Evaluation of competence in carrying them out requires some degree of subjective judgement because attributes such as intelligence, knowledge, and attitude are not exactly quantifiable. Therefore, senior management should be alert for indications that:
• Employees have failed consistently or substantially to perform their internal control duties
• Or, a serious question has been raised concerning their business behaviour and their abilities.
To be in a position to reach such conclusions, the auditing department and/
or managers themselves must review reports and responses emanating from internal control chores; examine written evidence on merits and demerits concerning the company's system of management controls; find out what each department does in internal control practice; and elaborate on the functions of personnel within each department. An analytical approach requires posing as many focused questions as possible during person-to- person meetings.
Because independence of opinion is fundamental to the correct functioning of an internal control system, in judging the independence of a person, senior management must avoid looking at that person strictly as
What is Meant by 'Internal Control'? 39 an individual. It should also examine the functions the person performs within the context of company operations, as well as the way in which he or she responds in a given situation. For example, an individual may be the sole cheque signer while an assistant may prepare monthly statements. This is a weak spot in internal control.
For obvious reasons I never tire of emphasizing the need for independence of opinion and action by people responsible for internal control activities. The same is true about separation of duties, //"employees who have access to assets also have access to accounting records, perform related review operations, or immediately supervise the activities of other employees who maintain the records, then, they may be able to both perpetrate and conceal defalcations:
• Duties concerned with the custody of assets are incompatible with record-keeping for those assets
• Duties concerned with the performance of business activities are incompatible with authorization or review of those activities.
Not only should such organizational glitches not be allowed to happen, and must be immediately corrected where they exist, but full attention should also be given by the board to the way internal controls are audited. An effective way to begin an on-site review of internal control is to identify the various key functions applicable to the area under review. For each position, a number of questions should be asked:
• Is this a critical position?
• Can a person in this position do something unethical?
• How will this act affect the recording of transactions?
• Can an error perpetrate material irregularities of some type?
Not only fraud but also plain errors must be brought under the magnifying glass. If an error can be made or irregularity perpetrated, senior management and/or the auditors should examine the likelihood that normal routines could disclose it on a timely basis: Do controls exist that would prevent or detect significant errors or the perpetration of irregularities?
What are the specific opportunities open to the individual to conceal any irregularity? Are there any mitigating controls that will reduce or eliminate such opportunities?
As the concepts behind these queries document, there are no miracles to be made through internal control policies and procedures. What there is, is a systematic approach turning over every stone in the organization and in
40 Why Internal Control Systems Must be Audited
its procedures, with the objective of uncovering weaknesses in the structure, in the individual fulfilling a given job, or in both. Anything short of a methodological approach and a penetrating mind able to challenge the obvious is guaranteed to give substandard results.