Elements of a Sound System of Internal Control:
COSO Framework:
In 1992 a report on internal control was published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The report, entitled 'Internal Control - Integrated Framework', provided a broad framework that companies could use to assess the effectiveness of their system of internal control. The COSO framework identified five integrated elements in a system of internal control:
- The control environment
- Risk assessment
- Control activities (internal controls)
- Information and communication
- Monitoring
The Turnbull Report: elements of an internal control system:
A similar framework for internal control was identified by the Turnbull Report in the UK (1999, revised 2005). This guidance on internal control states that: 'A company's system of internal control will reflect its control environment which encompasses its organizational structure.' The system includes:
- control activities
- information and communication processes and
- processes for monitoring the continuing effectiveness of the system of internal control.
The report goes on to state that the internal control system should:
- be embedded in the operations of the company and form part of its culture
- be able to respond quickly to changing risks to the business from factors within the company and its business environment and
- include procedures for reporting to management any significant failures or weaknesses in control that have been identified, and details of the action that is being taken to correct the problem.
A sound system of internal control should keep risks within a tolerable level, provided that the controls are applied properly. However, an internal control system cannot protect a company against losses from factors that the system is not designed to prevent. The Turnbull Report explains this by stating that a sound system of internal control reduces but cannot eliminate the possibility of:
- human error
- poor judgement in decision making
- unforeseen events and circumstances
- management overriding controls
- control processes being deliberately circumvented by employees and others.
This means that a sound system of internal control provides reasonable assurance that a company will not be delayed in reaching its business objectives by situations which can reasonably be predicted. However, a system of internal control cannot protect against a company not meeting its business objectives or against material losses, errors, fraud or breach of laws/regulations.
Control Environment:
The control environment describes the ethical and cultural attitudes towards risk and risk control within the company. The ethical standards and cultural attitudes to risk are set by top management, and the cultural environment has therefore been described as the 'tone at the top'. A definition of control environment, provided by the Institute of Internal Auditors, is as follows:
'The control environment is the attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the objective of the system of internal control.'
The control environment includes:
- The organization structure within the company.
- The assignment of authority and responsibility.
- The competence of employees and human resources (HR) practices and policies.
- The operating style and general philosophy of management towards control.
- The ethical values of the company and the integrity of its management and other employees.
Senior management is responsible for setting the internal control policies. However, the control environment extends to all employees. The Turnbull Report comments that, as part of their accountability for achieving objectives, all employees have some responsibility for internal control. Between them they should have the necessary skills, knowledge and authority to set up, operate and keep an eye on the internal control system. To do this they need an understanding of the company, the risks it faces and its overall objectives, industries and markets.
Risk Assessment:
Risk assessment is the process used by companies to identify and assess the risks that the company faces and changes in those risks. The risk assessment process involves prioritising the risks and, if possible, putting a quantitative measurement to them. Companies may identify broad categories of risk within their operations and establish a risk committee or risk task force for identifying and assessing risks within each category.
Example:
A manufacturing company might categorise its operational risks as selling and markets, delivery, production, and purchasing and resources. Most of these risk categories involve more than one function or department within the company. Selling and markets is an aspect of operations that affects not just the marketing department but also research and development, quality control, customer services and so on. The company might set up a risk committee for each category of operations, and each committee would be required to report back to senior management on risk identification and assessment.
Information and Communication:
Within a system of internal control there must be a system for reporting to management information about risks, the effectiveness of controls, failures in control and the success of action to remove weaknesses in controls and reduce risks. The information provided needs to be timely, relevant and reliable.
- Management need information about risks and their significance in order to make decisions.
- Management also need information that allows them to review and assess the effectiveness of controls.
- The board of directors need information to enable them to monitor internal controls and risk management and assess the effectiveness of the system.
Monitoring the Internal Control System:
The internal control system should contain processes for monitoring the application of internal control and risk management practices and policies. Monitoring processes might include:
- internal audit reviews and reports
- formal control self-assessments by management
- other management reviews
- confirmation by employees of compliance with policies and codes of conduct.
Reports on the monitoring of internal control should be provided to management on a regular basis, and management should report to the board of directors. The monitoring systems might identify the need for improvements or changes in controls when existing controls are not sufficiently effective.
Example: Failure of an internal control system
A very well-known example of failure in a system of internal control is the collapse of Barings Bank in 1995 as a result of losses incurred in trading by a rogue trader, Nick Leeson.
Leeson was transferred to the Singapore office of the bank in 1992 as a general manager. He then took an examination that qualified him to trade on the Singapore exchange, SIMEX. He soon became the general manager of the Singapore office, its head trader and (because of his previous experience with the work) the effective head of back office operations, which included the settlement of market transactions by the bank.
Leeson took unauthorised speculative positions in his trading on the SIMEX exchange and also on Japan's Osaka exchange, hiding the results of his trading in an unused error account, number 88888. By the end of 1992 losses hidden in this account were $3.2 million. By the end of 1993 the losses had risen to 23 million pounds and by the end of 1994 they were 208 million pounds. Barings senior management in London were not aware of what was happening. Leeson was able to pay for the losses by borrowing funds from other parts of the bank and from client accounts (by falsifying accounting records and other documentation).
While making heavy losses in account 88888, Leeson also reported some profits on trading in three other accounts, which he reported to Barings management. Some of the profits were made by cross-trading with account 88888, so that the profits were actually achieved by adding to the losses in account 88888. Leeson and the Barings staff in Singapore were paid bonuses on the basis of these reported profits.
In February 1995, Leeson left Singapore and boarded a plane for Kuala Lumpur, leaving behind losses of 827 million pounds in the Singapore office. The bank could not afford to sustain losses of this size and it collapsed soon after. The collapse of Barings can be explained by severe weaknesses in the internal control system.
- Monitoring of the internal control system was weak, or non-existent.
- Information about risk and control was not fed back to senior management in London or the board of directors of the bank.
Establishing and maintaining a system of internal control:
The board of directors is responsible for establishing and maintaining the systems of internal control and risk management.
Three ways in which they can do this are by means of:
- rigorous internal audit checks.
- external audit of the financial statements.
- regular evaluation of the internal control system and risk management system.
Internal Control: Transparency and Disclosure:
When a stock market company discovers a weakness in its system of internal control, the board should consider whether it has a duty to notify investors immediately. Regulations about transparency and reporting should require companies to make public any information about weaknesses in internal control or risk management that have had a material impact on the company's financial performance or financial position.
Example:
In February 2007 Alfred McAlpine, a UK support services company, discovered accounting irregularities at one of its subsidiary companies following an internal investigation. The board was informed that incorrect reports of production volumes and sales had been provided by the subsidiary's management systematically over a period of about three years, and that the actions by management had been deliberate.
The board of directors made an immediate announcement to the stock market information services, reporting the discovery of the accounting irregularities and the possibility of fraud. It also reported that:
- the company would be reducing its profit forecast for the current year.
- the managers at the subsidiary thought to be responsible for the false reporting had been suspended pending further investigation and
- independent forensic accountants had been appointed to investigate the accounts of the subsidiary in detail; this investigation would delay the publication of the company's financial statements for 2006.
The company's share price fell by over 20% on the day that this news was reported. However, the prompt reporting by the board of directors was a necessary part of good governance, even though the existence of the accounting irregularities, undiscovered for several years, was an indication of weaknesses in internal control.