Internal Controls in Current Scenario

1
Internal Controls in Current Scenario
CA Apoorv Mathur Partner NMR
CO Chartered Accountants
December 01, 2012
2
Content
3
Risks
4
Risk taking is integral to businessRisk and
business go hand in hand
Taking decisions
Business
Requires
Risk exposures
Leads to
Exercising options
Successful businesses
Unsuccessful businesses
Take decisions after understanding the associated
risk exposures
Take decisions without understanding the
associated risk exposures
Decision dichotomy
Taking informed decisions
Taking uninformed decisions
Understand the impact of the risk exposures
Unaware of the impact of the risk exposures
Prepared for appropriate response to the risk
arising out of the exposures
Unprepared for appropriate response to the risk
arising out of the exposures
Increased assurance about achievement of business
objectives
Achievement of business objective left to chance
5
Risks are diverse
Entity Level Risks (ELR)
Process Level Risks (PLR)

• Supplier Payables Management
• Inventory Management
• BoM (Bill of Materials) Management
• Maintenance Management
• Finance Accounts
• General Overheads Management
• Payroll / HR Management
• Fixed Assets Management
• Receivables Management
• Imports / Exports Logistics
• Insurance Management
• Cost Accounting
• Budgetary Control
• Sub contracting Management
• IT General Controls
• Customer Complaint Management

Impact the efficiency of processes and operations
Strategic Risk
Impact the achievement of goals and targets
Doing the wrong thing
Financial Risk
Doing it in a way that loses money or incurs
unnecessary liabilities
Operational Risk
Doing the right thing wrongly
Compliance Risk
Not doing what should be done
6
and so are measures to address risks
Mitigation Plans
Internal Controls
7
Setting the context
8
Understanding Internal Controls

• Internal Control is a process, effected by an
  entitys Board of Directors, Management and other
  Key Personnel, designed to provide Reasonable
  Assurance regarding the achievement of objectives
  in the following categories
• Operations Objective Effectiveness and
  Efficiency of Operations
• Reporting Objective Reliability of Reporting
• Compliance Objective Compliance with applicable
  Laws and Regulations
• Internal Control is not one event or
  circumstance, but a dynamic process that is
  inherent in the way management runs the business.
  Embedded within this process are Policies and
  Procedures.
• Policies reflect managements statement of what
  should be done and Procedures consists of actions
  that implement a policy. These Policies and
  Procedures exist to effect Controls.

9
Types of Internal Controls

• Detective Controls Controls designed to detect
  errors or irregularities that may have occurred
• Preventive Controls Designed to prevent errors
  or irregularities from occurring in the first
  place
• Corrective Controls Designed to correct errors
  or irregularities that have been detected

10
Components of Internal Controls (1)

• Control Environment This provides discipline,
  process and structure to the internal controls of
  the organization. Principles governing the
  Control Environment
• Organizations commitment to integrity and
  ethical values
• Independence of Management and development
  performance of Internal Control
• Organizations commitment to attract, develop and
  retain competent individuals
• Accountability of individuals for their internal
  control responsibilities

11
Components of Internal Controls (2)

• Risk Assessment Dynamic process of identifying
  analyzing risks to achieve entitys objectives,
  forming a basis for determining how risks should
  be managed. Principles governing the Risk
  Assessment
• Identification and Assessment of risks related to
  specific entitys objectives
• Analysis to determine the mechanism to manage the
  risks
• Consideration of potential for fraud
• Identification and assessment of changes
  impacting the system of Internal Control

12
Components of Internal Controls (3)

• Control Activities Actions performed at all
  levels of Management established by Policies and
  Procedures to help ensure that managements
  directives to mitigate risks to the achievement
  of objectives are carried out.
• Principles governing the Control Activities
• Selection and development of control activities
  that contribute to mitigate the risks for
  achievement of objectives to acceptable levels
• The organization deploys control activities as
  manifested in policies that establish what is
  expected in procedures to effect policies.

13
Components of Internal Controls (4)

• Information and Communication Information is
  necessary to carry out Internal Control
  Responsibilities in support of achievement of its
  objectives. Communication enables all personnel
  to understand Internal Control responsibilities
  and their importance to the achievement of
  objectives.
• Principles governing the Information and
  Communication
• Generation and usage of relevant information to
  support functioning of other components of
  Internal Control
• Internal communication of objectives and
  responsibilities of Internal Control
• External communication to support functioning of
  other components of Internal Control

14
Components of Internal Controls (5)

• Monitoring Activities Ongoing evaluation to
  ascertain whether each of the Internal Control
  components are effectively functioning.

15
Corporate Governance - Components
01
07
Internal Control is a Key Component of Corporate
Governance
Compliance with applicable laws and regulations
Board of Directors related
Corporate Governance
Audit Committee related
Certification of internal controls over financial
reporting
02
06
Code of conduct
Risk Management
Policies and procedures
05
03
04
Areas where WE CAN ASSIST the organization
16
Strengthening risk management Proposed approach
17
Proposed approach Process level risks

• Understand and document potential Process Level
  Risks (PLRs) including potential fraud
  vulnerabilities
• Document the As-is internal controls (including
  relevant fraud prevention and detection controls)
  within each core process with respect to the PLRs
  covering the following details
• Description of internal control
• Type of internal control (Preventive/Detective)-(M
  anual/IT)
• Internal control frequency
• Internal control ownership
• Conduct walkthrough of As-is internal controls
  to review the design effectiveness of these
  internal controls to address the PLRs
• Perform a limited review of sample transactions
  to review the operating effectiveness of such
  internal controls

18
Proposed approach Process level risks (Contd)

• Based on the internal controls walkthrough and
  limited review of sample transactions, identify
  and classify the potential gaps into following
  categories
• Design deficiency of internal control
• Operating ineffectiveness of the internal control
• Make recommendations for addressing the
  identified potential internal control gaps
• Discuss and agree the identified potential
  internal controls gaps and recommendations with
  the process heads including implementation plan
  and ownerships
• Procedures to be documented incorporating all
  desired Internal Controls ensuring the acceptable
  level of risk exposure. Documented Procedures are
  called Standard Operating Procedures.

19
Process Level Risks ------------------ Policies
--- Procedures ---- Internal Audit
20
Standard Operating Procedures (SOP)
21
Standard Operating Procedures (SOP)

• Standard Operating Procedures define the process
  objectives and tasks therein
• By specifying detailed work-steps
• Identifying the personnel responsible for each
  work-step
• Specifying the point in time, location and how
  each work-step is to be performed.

22
Standard Operating Procedures (SOP) -
Benefits!!

• Benefits of Standard Operating Procedures
• Alignment of Processes with Business Need
• Standardization of Processes
• Transparent, Robust and Flexible Processes in
  a Dynamic Environment
• Defined Roles and Responsibilities for persons,
  departments and committees
• Key Performance Indicators defined

23
Standard Operating Procedures (SOP)- Benefits!!

• Benefits of Standard Operating Procedures
• Monitoring Procedures to track compliance
• Adequate level of Segregation of Duties
• Identify Information System Needs.

24
Standard Operating Procedures (SOP)- Components
.
Overview

• Business rationale for the processes and
  sub-processes
• Process owners
• Departments involved

• Reporting mechanism of the department holding
  responsibility of the process

Reporting Structure

• Key process inputs including documents and
  information flows that are required for effective
  execution of the process and the sub-process

Key Inputs

• Diagrammatic representation of the sequence of
  the activities and the tasks therein, with key
  information, decision points and documents flow

Process Flow
25
Standard Operating Procedures (SOP)- Components
.

• Sequential description of activities to be
  executed in order to achieve the objectives and
  ensure adequate risk management

Process Narratives

• Key process outputs, including the key documents,
  exception based management and operational
  information

Key Outputs

• Key parameters used for measuring performance of
  the individuals and departments

KPI
26
Standard Operating Procedures (SOP)- Proposed
Approach!!

• Understanding Documenting As is Process
• Identifying the Risks and Control Gaps in the
  Current Process
• Plug in Control Gaps in current process and
  Documenting the Revised Process
• Documentation of Revised Process and discussion
  with Process Owners
• Workshop for Conducting Training

27
Standard Operating Procedures (SOP)- Key
Deliverables!!

• Process Flow Charts
• Process Narratives
• Key Responsibility Areas (KRA)
• Key Performance Indicators (KPI)
• Formats and Annexure of documents to be prepared
  in various process

28
Sample SOP Finance Accounts- Invoice
Processing Process Flow
Process
Input
Output
29
Sample SOP Finance Accounts- Invoice
Processing Process Narrative

• Once the material is received by Stores (covered
  in Procurement Inventory management SOP), the
  vendor invoice is sent to Finance department. On
  receipt of the invoice, it is stamped as
  evidence of receipt. If the invoice is
  received by any other department it is sent to
  Finance department within one working day.
• The following Journals are passed
• Dr ABC/Project/Consumable Stores
• Cr Provision for pending GRN/ Party
• A three way match between the PO, GRN and the
  Invoice is done, wherein the quantity in the PO
  is matched against the quantity in the GRN and
  the price in the PO is matched against the price
  in the Invoice.
• If the three way match is successful, i.e. the
  quantity and price match, the Invoice details are
  updated against the relevant PO and GRN in the
  system.

30
Sample SOP Finance Accounts- Invoice
Processing Process Narrative

• In case the three way match is not successful,
  i.e. if the quantity in the GRN does not match
  the quantity in the PO or the rate in the PO does
  not match the rate in the Invoice, the Finance
  department files the invoices separately and
  payment is put on hold.
• Procurement department is notified regarding the
  discrepancy and follow up with the vendor.
• The Procurement department follows up with vendor
  and tries to solve the discrepancy with the
  vendor. In case discrepancy is resolved, the
  Finance department is informed and payment is
  processed. If the discrepancy is not resolved the
  Invoice is sent back to the vendor.
• The Invoice details and due date for payment is
  updated in the system and the due date for
  payment is entered.
• A journal entry is passed in the system for
  booking the payments. The journal voucher is
  approved as per SOA. The journal voucher and
  invoice are filed by the Finance department.

31
Sample SOP Finance Accounts- Invoice
Processing KRA
Activity Responsibility Frequency
Verification of Invoice Executive Accounts Daily
Preparation of Debit/ Credit Notes Executive Accounts Daily
Accounting of vendor invoice Executive Accounts Daily
Report of outstanding vendor balances Manager Accounts Weekly
Checking adequacy of funds Manager Accounts Weekly
Vendor Payment Advice Note Executive Accounts Weekly
Preparation of cheque Executive Accounts Weekly
Entry in cheque register Executive Accounts Weekly
Vendor payment accounting Executive Accounts Weekly
32
Sample SOP Finance Accounts- Invoice
Processing KPI
Measure Unit Remarks
Time taken for booking invoices from the time of receipt from vendors Days
Violation of Policy Guidelines Yearly
no. of invoices processed on time Measures the efficiency of processing invoices
33
Key Business Processes
34
Key Business Processes Key Risks - Procurement
to Pay

• Selection of Inappropriate vendor in case of
  inadequate vendor selection procedure
• Materials purchased at Higher Rates
• Unauthorized amendment to Vendor Master giving
  undue benefits to any vendor
• Standard contract terms do not exist with
  vendors
• PO raised without authorized Requisition
• Split Purchase Orders
• Unauthorized amendments to Purchase Orders
• Unauthorized/ Inadequate Invoice Processing
• Duplicate/ Fictitious Invoice processing
  resulting in Excess Payments

Procurement Policy laid down by Management
SOP prepared in line with Business Policy and
putting Internal Controls to mitigate Business
Risks
Risk centric Internal Audit done to validate the
adherence of Business Policies and Standard
Operating Procedures
35
Key Business Processes Key Risks - Inventory
Management

• Goods received not as per Purchase Order
• Goods physically received is less than the
  invoice quantity
• Receipt of material without PO
• Non recording / recovery of shortages
• Material not as per the agreed quality /
  specification
• Unauthorized issue of material
• Wrong material/ quantity is issued for
  production
• Excess Material consumption
• Risk of material open to pilferage
• Physical damage/ loss of material
• Variance in actual and book stock

Inventory Policy laid down by Management
SOP prepared in line with Business Policy and
putting Internal Controls to mitigate Business
Risks
Risk centric Internal Audit done to validate the
adherence of Business Policies and Standard
Operating Procedures
36
Key Business Processes Key Risks - Human
Resource Payroll

• Hiring of personnel without adequate validation
  checks
• Unauthorized updation to the employee master
• Employee promotions have taken place without
  adequate justification
• Unauthorized modification of attendance
• Incorrect salaries paid to the employees
• Excess payment/ deduction because of wrong
  updation of parameters
• Expense reimbursements are processed without
  appropriate checks being made for the eligibility
  of employee as per the Company policy
• Incorrect calculation of Full and Final
  Settlement amount

HR Payroll Policy laid down by Management
SOP prepared in line with Business Policy and
putting Internal Controls to mitigate Business
Risks
Risk centric Internal Audit done to validate the
adherence of Business Policies and Standard
Operating Procedures
37
Key Business Processes Key Risks - Order to Cash

• Significant differences in the forecasted and
  actual sales
• Unapproved prices entered into the system
• Revision in price list not adequately approved
• Non-existence of formal contracts for contractual
  customers
• Improper execution of contracts
• The price entered at the time of order processing
  is lower than the authorized price/ market price
• Excess credit value and time to customers
• Inadequate controls over creation and maintenance
  of customer master

Order to Cash Policy laid down by Management
SOP prepared in line with Business Policy and
putting Internal Controls to mitigate Business
Risks
Risk centric Internal Audit done to validate the
adherence of Business Policies and Standard
Operating Procedures
38
Key Business Processes Key Risks - Finance
Accounts

• Inadequate vendor master maintenance
• Vendor invoices processed at higher price than
  the purchase order price
• Incorrect application of discounts
• Early/ overdue payment
• Incorrect financial reporting
• Idle balances in bank leading to blockage of
  working capital
• Ineffective/ absence of segregation of duties for
  cash disbursements, receipts and accounting for
  cash
• Cash-in transit or cash-in safe is not insured
• Imposition of penalty and interest due to non
  submission of return and/ or non payment of
  statutory dues compliance

FA Policy laid down by Management
SOP prepared in line with Business Policy and
putting Internal Controls to mitigate Business
Risks
Risk centric Internal Audit done to validate the
adherence of Business Policies and Standard
Operating Procedures
39
Basic Principle Governing Internal Audit -
Internal Control Risk Management System
Internal Control Risk Management Systems

• Internal auditor should
• Obtain an understanding of the risk management
  and Internal Control Framework established and
  implemented by the Management.
• Perform steps for assessing the adequacy of the
  framework developed in relation to the
  organizational set up and structure.
• Review the adequacy of the framework.
• Perform Risk-Based Audits on the basis of Risk
  Assessment Process.

40
Internal Control Evaluation - Procedure
Test of Controls
The internal auditor should evaluate whether the
internal controls are designed and operating as
contemplated in the preliminary assessment of
control risk and whether they were used
throughout this period.

• The internal auditor should identify internal
  control weaknesses that have not been corrected
  and make recommendations to correct those
  weaknesses.
• He must document the rationale in deciding which
  audit recommendations should be followed up and
  when, in contrast with recommendations where no
  follow-up is needed.
• The internal auditor should also inquire from the
  management and document that either audit
  recommendations have been effectively implemented
  or that senior management has accepted the risk
  of not implementing the recommendations

Monitoring Internal Audit Findings
For internal controls found to contain continuing
weaknesses , Internal Auditor should consider if

• Management has increased supervision and
  monitoring.
• Additional or compensating controls have been
  instituted.
• Management accepts the risk inherent with the
  control weakness.
• The internal auditor should make management
  aware, as soon as practical and at an appropriate
  level of responsibility, of material weaknesses
  in the design or operation of the internal
  control systems, which have come to the internal
  auditor's attention

41
Questions
42
Thank You !