ACCA P1 Governance, Risk and Ethics - 2010 - Study text - Emile Woolf Publishing
Подождите немного. Документ загружается.
Chapter 8: Internal control systems
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 175
Controls should include measures to reduce the risk of fraud.
Financial controls should ensure the completeness and accuracy of accounting
records, and the timely preparation of financial information.
Controls should be in place to ensure compliance with key regulations, such as
health and safety regulations or, in the case of banks, anti-money laundering
regulations.
2.2 Internal control: financial, operational and compliance controls
The Turnbull Report in the UK defined an internal control system as ‘the policies,
processes, tasks, behaviours and other aspects of a company’ that, taken together:
Help it to operate effectively and efficiently. These operational controls should
allow the company to respond in an appropriate way to significant risks to
achieving the company’s objectives. ‘This includes the safeguarding of assets
from inappropriate use or from loss and fraud and ensuring that liabilities are
identified and managed.’
Help it to ensure the quality of external and internal financial reporting
(financial controls).
Help ensure compliance with applicable laws and regulations, and also with
internal policies for the conduct of business (compliance controls).
Financial controls
Financial controls have been explained as internal accounting controls that are
sufficient to provide reasonable assurance that:
transactions are made only in accordance with the general or specific
authorisation of management
transactions are recorded so that financial statements can be prepared in
accordance with accounting standards and generally-accepted accounting
principles
transactions are recorded so that assets can be accounted for
access to assets is only allowed in accordance with the general or specific
authorisation of management
the accounting records for assets are compared with actual assets at reasonable
intervals of time, and appropriate action is taken whenever there are found to be
differences.
Operational controls
Operational controls are controls that help to reduce operational risks, or identify
failures in operational systems when these occur. The nature of operational risks
varies between companies, because their operations differ widely.
In general terms, operational risks are risks of failures in operations due to factors
such as human error, a failure in processes, a failure in systems, and so on.
Paper P1: Professional accountant
176 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
One example of operational risk is the risk of a failure in health and safety systems
and system controls. A well-publicised example was the series of apparent safety
failures (and failures in safety controls) that led to an explosion at the Texas oil
refinery of oil company BP in 2005, where 15 people were killed and about 500
injured. In addition to the direct losses suffered by BP, the incident also led to over
1,000 civil legal actions against the company and a federal grand jury investigation
into whether criminal charges should be brought against the company.
Compliance controls
Compliance controls are concerned with making sure that an entity complies with
all the requirements of relevant legislation and regulations.
The potential consequences of failure to comply with laws and regulations vary
according to the nature of the industry and the regulations. For a manufacturer of
food products, for example, food hygiene regulations are important. For a bank,
regulations to protect consumers against mis-selling and other unfair practices are
important.
When regulations are specific, compliance controls often involve detailed
procedures for checking that every regulation has been properly complied with, and
that there is documentary evidence that the checks have been made. This is often
called a box-ticking approach to compliance.
A box-ticking approach to compliance control is more usually associated with a
rules-based approach to regulation rather than a principles-based approach.
2.3 The nature of internal controls
If you have already studies auditing, you should be familiar with the nature of
internal financial controls. If you are not sure what internal controls are, a brief
reminder is given here.
Some years ago, a guideline of the UK Auditing Practices Board identified eight
categories of internal (financial) controls, which can be remembered by the
mnemonic SPAMSOAP.
Type of control Explanation
S
Segregation of
duties
Where possible, duties should be divided between two or
more people, so that the work done by one person
automatically acts as a check on the work done by the
other person. This should reduce the risk of accidental
mistakes or deliberate fraud.
P
Physical controls These are measures to protect assets against theft, loss or
physical damage.
A
Authorisation
and approval
controls
These are controls over spending decisions and decisions
to enter into transactions. These decisions must be taken
or approved by a person with specific authority.
M
Management
controls
Controls over systems are applied by management. In
accounting, one example of a management control
system is the system of budgeting and budgetary control.
Chapter 8: Internal control systems
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 177
S
Supervision Controls can be applied by supervising the work done by
employees.
O
Organisation
controls
Everyone in the company should understand what his or
her responsibilities are, and there should be lines of
reporting from junior to senior staff.
A
Arithmetical and
accounting
controls
In accounting systems, there are many controls of this
type, such as control total checks and bank reconciliation
checks.
P
Personnel
controls
There should be controls over the selection and training
of employees, to ensure that they are suitably qualified
and skilled for the work that they do.
This brief list should help you to understand the range of controls that might be
applied and that together make up the controls in an internal control system.
2.4 Causes of internal control failure
Internal control failure occurs when internal controls do not work and do not
prevent a loss or adverse event from happening. Although there are controls in
place, they fail to prevent the loss that they were intended to prevent.
There are two main causes of internal control error:
Weaknesses in the design of controls. Controls that are intended to prevent a
loss or adverse event may not be good enough or sufficiently robust.
Weaknesses in the application of controls. The design of the controls may be
sufficient, but the controls are not applied in practice in they way that they
should be.
Controls may not be applied properly for several reasons.
Human error. Employees or manager may make mistakes, so that controls
intended to prevent a loss do not work properly. A supervisor may be required
to check that an employee has done a task properly, but may fail to carry out the
check.
Poor judgement. Information may be provided that enables a manager to make
a control decision, but the manager may make a poor decision based on the
information he has been given. For example, a manager may be given
information to suggest that there is excessive spending on materials purchases,
but he may decide to do nothing about it.
Control systems may break down. If controls are automated, they may
occasionally fail because of a technical breakdown in the system. For example,
an aeroplane may crash because of failures in the on-board control systems for
the pilot.
Overriding of controls. Controls may not work because a manager may decide
to ignore them or override them. Senior managers may be guilty of this offence,
when they have an attitude that controls are for other people but not for them.
Unforeseeable circumstances. Controls may fail because circumstances arise
that had not been foreseen and controls were therefore not designed to deal with
them.
Paper P1: Professional accountant
178 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
Elements of a sound system of internal control
COSO Framework
The Turnbull Report: elements of an internal control system
Control environment
Risk assessment
Information and communication
Monitoring the internal control system
Establishing and maintaining a system of internal control
Internal control: transparency and disclosure
3 Elements of a sound system of internal control
3.1 COSO Framework
In 1992 a report was published on internal control by the Committee of Sponsoring
Organizations of the Treadway Commission, or COSO. The report, entitled ‘Internal
Control – Integrated Framework’ provided a broad framework that companies
could use to assess the effectiveness of their system of internal control.
The COSO Framework identified five integrated elements in a system of internal
control:
The control environment
Risk assessment
Control activities (internal controls)
Information and communication
Monitoring.
3.2 The Turnbull Report: elements of an internal control system
A similar framework for internal control was identified by the Turnbull Report in
the UK (1999, revised 2005). This guidance on internal control states that: ‘A
company’s system of internal control will reflect its control environment which
encompasses its organisational structure.’ The system includes:
control activities
information and communication processes, and
processes for monitoring the continuing effectiveness of the system of internal
control.
The Report goes on to state that the internal control system should:
‘be embedded in the operations of the company and should form part of its
culture’
Chapter 8: Internal control systems
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 179
should be able to respond quickly to changing risks to the business from factors
within the company and its business environment, and
should include procedures for reporting to management any significant failures
or weaknesses in control that have been identified and details of the action that
is being taken to correct the problem.
A sound system of internal control should keep risks within a tolerable level,
provided that they are applied properly. However, an internal control system
cannot protect a company against losses from factors that the system is not designed
prevent. The Turnbull Report explains this by stating that a sound system of
internal control reduces, but cannot eliminate, the possibility of:
poor judgement in decision-making
human error
control processes being deliberately circumvented by employees and others
management overriding controls
unforeseen events and circumstances.
This means that a sound system of internal control provides reasonable assurance
that a company will not be delayed in reaching its business objectives by situations
which can reasonably be predicted. However, a system of internal control cannot
protect against a company not meeting its business objectives or against material
losses, errors, fraud or breach of laws/regulations.
3.3 Control environment
The control environment describes the ethical and cultural attitudes towards risk
and risk control within the company. The ethical standards and cultural attitudes to
risk are set by top management, and the cultural environment has therefore been
described as ‘the tone at the top’.
A definition of the control environment, provided by the Institute of Internal
Auditors, is as follows:
The control environment is ‘the attitude and actions of the board and management
regarding the significance of control within the organisation. The control
environment provides the discipline and structure for the achievement of the …
objectives of the system of internal control.’
The control environment includes:
the ethical values of the company and the integrity of its management and other
employees
the operating style and general philosophy of management towards control
the organisation structure within the company
the assignment of authority and responsibility
the competence of employees and human resources (HR) practices and policies.
Paper P1: Professional accountant
180 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
Senior management is responsible for setting the internal control policies. However,
the control environment extends to all employees. The Turnbull Report comments
that as part of their accountability for achieving objectives, all employees have some
responsibility for internal control. Between them they should have the necessary
skills, knowledge and authority to set-up, operate and keep an eye on the internal
control system. To do this, they need an understanding of the company, the risks it
faces and its overall objectives, industries and markets.
3.4 Risk assessment
Risk assessment is the process used by companies to identify and assess the risks
that the company faces, and changes in those risks. The risk assessment process
involves prioritising the risks, and (if possible) putting a quantitative measurement
to them.
Companies may identify broad categories of risk within their operations, and
establish a risk committee or risk task force for identifying and assessing risks
within each category.
Example
A manufacturing company might categorise its operational risks as: selling and
markets, delivery, production, and purchasing and resources. Most of these risk
categories involve more than one function or department within the company.
Selling and markets is an aspect of operations that affects not just the marketing
department, but also research and development, quality control and customer
services, and so on.
The company might set up a risk committee for each category of operations, and
each committee would be required to report back to senior management on risk
identification and assessment.
Risk and risk assessment are described in more detail in a later chapter.
3.5 Information and communication
Within a system of internal control, there must be a system for reporting to
management information about risks, the effectiveness of controls, failures in
control and the success of action to remove weaknesses in controls and reduce risks.
The information provided needs to be timely, relevant and reliable.
Management need information about risks and their significance, in order to
make decisions.
Management also need information that allows them to review and assess the
effectiveness of controls.
The board of directors need information to enable them to monitor internal
controls and risk management, and assess the effectiveness of the system.
Chapter 8: Internal control systems
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 181
3.6 Monitoring the internal control system
The internal control system should contain processes for monitoring the application
of internal control and risk management practices and policies. Monitoring
processes might include:
internal audit reviews and reports
formal ‘control self-assessments’ by management
confirmation by employees of compliance with policies and codes of conduct
other management reviews.
Reports on the monitoring of internal control should be provided to management
on a regular basis, and management should report to the board of directors.
The monitoring systems might identify the need for improvements or changes in
controls, when existing controls are not sufficiently effective.
Example: Failure of an internal control system
A very well-known example of failure in a system of internal control is the collapse
of Barings Bank in 1995 as a result of losses incurred in trading by a ‘rogue trader’,
Nick Leeson.
Leeson was transferred to the Singapore office of the bank in 1992 as a general
manager. He then took an examination that qualified him to trade on the Singapore
exchange SIMEX. He soon became the general manager of the Singapore office, its
head trader and (because of his previous experience with the work) the effective
head of ‘back office’ operations, which included the settlement of market
transactions by the bank.
Leeson took unauthorised speculative positions in his trading on the SIMEX
exchange and also Japan’s Osaka exchange, hiding the results of his trading in an
unused error account, number 88888. By the end of 1992, losses hidden in this
account were £2 million. By the end of 1993 the losses had risen to £23 million and
by the end of 1994 they were £208 million. Barings senior management in London
were not aware of what was happening. Leeson was able to pay for the losses by
borrowing funds from other parts of the bank and from client accounts (by
falsifying accounting records and other documentation).
While making heavy losses in account 88888, Leeson also reported some profits on
trading in three other accounts, which he reported to Barings management. Some of
the profits were made by cross-trading with account 88888, so that the profits were
actually achieved by adding to the losses in account 88888. Leeson and the Barings
staff in Singapore were paid bonuses on the basis of these reported profits.
In February 1995, Leeson left Singapore and boarded a plane for Kuala Lumpur,
leaving behind losses of £827 million in the Singapore office. The bank could not
afford to sustain losses of this size, and it collapsed soon after.
Paper P1: Professional accountant
182 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
The collapse of Barings can be explained by severe weaknesses in the internal
control system.
The control environment was poor and the control culture was not strong
enough. Senior management rewarded staff for making trading profits without
regard for risk or controls.
There were many weaknesses in internal controls. The segregation of duties was
inadequate: Leeson was general manager, trader and in charge of the settlement
of trading transactions. The organisation structure was weak: lines of reporting
from Leeson to London were not clear, partly because the London office
underwent a re-organisation. Leeson was inadequately supervised and reporting
to management was inaccurate (falsified). Systems of authorisation and approval
were inadequate: Leeson was able to obtain large amounts of money from other
offices of Barings, which he could use to pay for his losses. The accounting
controls did not work properly.
Information about risk and control was not fed back to senior management in
London or the board of directors of the bank.
Monitoring of the internal control system was weak, or non-existent.
3.7 Establishing and maintaining a system of internal control
The board of directors is responsible for establishing and maintaining the systems of
internal control and risk management.
Three ways in which they can do this are by means of:
rigorous internal audit checks
external audit of the financial statements
regular evaluation of the internal control system and risk management system.
3.8 Internal control: transparency and disclosure
When a stock market company discovers a weakness in its system of internal
control, the board should consider whether it has a duty to notify investors
immediately. Regulations about transparency and reporting should require
companies to make public any information about weaknesses in internal control or
risk management that have had a material impact on the company’s financial
performance or financial position.
Example
In February 2007 Alfred McAlpine, a UK support services company, discovered
accounting irregularities at one of its subsidiary companies following an internal
investigation. The board was informed that incorrect reports of production volumes
and sales had been provided by the subsidiary’s management systematically over a
period of about three years, and that the actions by management had been
deliberate.
Chapter 8: Internal control systems
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 183
The board of directors made an immediate announcement to the stock market
information services, reporting the discovery of the accounting irregularities and
‘the possibility of fraud’. It also reported that:
an initial estimate suggested that as a result of the irregularities, net assets of the
group had been over-stated by about £11 million in the financial statements for
the previous financial year
the company would be reducing its profit forecast for the current year
the managers at the subsidiary thought to be responsible for the false reporting
had been suspended pending further investigation, and
independent forensic accountants had been appointed to investigate the
accounts of the subsidiary in detail: this investigation would delay the
publication of the company’s financial statements for 2006.
The company’s share price fell by over 20% on the day that this news was reported.
However, the prompt reporting by the board of directors was a necessary part of
good governance – even though the existence of the accounting regularities,
undiscovered for several years, was an indication of weaknesses in internal control.
Paper P1: Professional accountant
184 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP