bea2004 notes unit 4 - internal control and internal audit…

9 pages

English

bea2004 notes unit 4 - internal control and internal audit…

Undoe - Rhgj201

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

9 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

BEA 2004 AUDITING 2007 Background Notes Unit 4 Internal Control and Internal Audit Internal control Internal control within a commercial enterprise has been defined as: The whole system of controls financial and otherwise, established by the management in order to carry on the business of the enterprise in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets and secure as far as possible the completeness and accuracy of the records. 1This is expanded a little in the Turnbull Guidance (first issued in 1999 a revised version issued by the FRC in October 2005) which states: An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together: facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed; help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation; help ensure compliance with applicable laws and regulations, and also with internal policies with ...

Informations

Publié par	Undoe
Nombre de lectures	20
Langue	English

Extrait

BEA 2004

AUDITING

2007

Background Notes Unit 4

Internal Control and Internal Audit

Internal control

Internal control within a commercial enterprise has been defined as:

The whole system of controls financial and otherwise, established by the management in order

to carry on the business of the enterprise in an orderly and efficient manner, ensure adherence

to management policies, safeguard the assets and secure as far as possible the completeness

and accuracy of the records.

This is expanded a little in the Turnbull Guidance

(first issued in 1999 a revised

version issued by the FRC in October 2005) which states:

An internal control system encompasses the policies, processes, tasks,

behaviours and other aspects of a company that, taken together:

facilitate its effective and efficient operation by enabling it to respond

appropriately to significant business, operational, financial,

compliance and other risks to achieving the company's objectives.

This includes the safeguarding of assets from inappropriate use or

from loss and fraud and ensuring that liabilities are identified and

managed;

help ensure the quality of internal and external reporting. This

requires the maintenance of proper records and processes that

generate a flow of timely, relevant and reliable information from

within and outside the organisation;

help ensure compliance with applicable laws and regulations, and

also with internal policies with respect to the conduct of business.

Available at

http://www.frc.org.uk/documents/pagemanager/frc/Web%20Optimised%20Combined%20Code%203r

d%20proof.pdf

The traditional approach to internal control focused on specific types of control

designed to aid the in achieving these objectives. Such controls might include:

•

Authorisation controls to ensure that transactions take place only after suitable

authorisation, for example purchases, credit sales etc.

•

Segregation of duties, for example segregating responsibilities for trading and

record keeping in a foreign exchange operation.

•

Organizational and supervisory controls to ensure knowledge of duties, proper

conduct of those duties, lines of reporting etc.

•

Security controls to ensure that there is no improper access to the record

keeping system, that assets are protected from unauthorised removal etc.

•

Arithmetic and data controls to assist in ensuring the accuracy of record

keeping and transactions processing.

(for an example of weaknesses in traditional controls which were instrumental in the

failure of one of the UK’s best known merchant banks see the relevant section of the

1996

Bank of England Report on the collapse of Barings Bank

)

More recently (as evidenced by the COSO 1992 report

in the US and the Turnbull

report in the UK) internal control has come to be seen as integrated within the risk

management framework of commercial (and other) entities and as such embraces:

•

Compliance risk management and control

•

Operational risk management and control

A relevant section of this report is available at http://www.numa.com/ref/barings/bar03.htm#13.10

This report proposed the following definition of internal control:

process, effected by an organization’s

board of directors, management and other personnel, designed to provide reasonable assurance regarding the

achievement of specific objectives in effectiveness and efficiency of operations, reliability of financial reporting, and

compliance with applicable laws and regulations.

•

Financial statement risk management

with increasing emphasis being placed on the overall ‘control environment’ (which

was defined in SAS 300

Accounting and Internal Control Systems and Risk

Assessments

as ‘the overall attitude, awareness and actions of directors and

management regarding internal controls and their importance in the entity…Factors

reflected in the control environment include:

•

the philosophy and operating style of the directors and management;

•

the entity’s organisational structure and methods of assigning authority and

responsibility…; and

•

the directors’ methods of imposing control, including the internal audit

function, the functions of the board of directors and personnel policies and

procedures.’)

and less on a check list of particular specific controls.

Today internal control and the control environment is seen as being an important part

of the overall corporate governance structure. In the UK the work of the Cadbury

Committee (see Collier, 1997) as subsequently revised and taken forward by the

Greenbury and Hampel Committees led to the development of the Combined Code

covering various aspects of corporate governance. The Code is not statutory and

adherence to the Code is not mandatory but for listed companies the Financial

Services Authority requires disclosure of non-adherence. The Code sets out the

responsibilities of management with regard to internal controls as follows:

C2: ‘The board should maintain a sound system of internal control to safeguard

shareholders’ investment and the company’s assets’.

SAS 300 is now largely subsumed within ISA (UK and I)

315 (available at

http://www.frc.org.uk/images/uploaded/documents/ACF15D.pdf

) which contains similar provisions to

those previously in SAS 300.

Available at

http://www.frc.org.uk/documents/pagemanager/frc/Web%20Optimised%20Combined%20Code%203r

d%20proof.pdf

(this links to the 2003 version – there were minor revisions,

not relevant to these notes,

in the June 2006 version (available on the FRC website)).

C2.1: ‘The directors should, at least annually, conduct a review of the effectiveness of the

group’s system of internal controls and should report to shareholders that they have done

so.

The review should cover all material controls, including financial, operational and

compliance controls and risk management systems’.

Guidance on what this review should entail is provided in the Turnbull report the

original (1999) version of which required that companies should:

•

Understand the general control environment in which they operate

•

Perform risk assessment

•

Formulate control objectives

•

Design controls to alleviate high likelihood/high impact risks

•

Implement a controls programme

•

Evaluate the results of the controls programme

•

Assess the adequacy of the risk driven control framework

(although these requirements are not specifically repeated in the revised (2005)

version)

For most companies the statutory external auditor has a limited formal role in terms of

the assessment of the adequacy of the internal control system (statutory requirements

for certain types of financial service providers require reporting on internal controls as

do the requirements in much of public sector audit). However the courts (and auditing

standards) require that the auditor should bring to the attention of management

perceived deficiencies in the system of internal control on a timely basis – and if

management fail to act on their advice the auditor should consider whether there are

wider reporting responsibilities. The statutory requirement for companies to maintain

proper accounting records (and the requirement for the auditor to form an opinion as

to whether they have done so) may also be seen as implying at least some minimum

degree of evaluation of internal control.

Although statutory requirements in respect to mainstream company audit in the UK

are limited in nature - as are those contained within auditing standards ISA (UK & I)

315 merely requires the auditor to obtain ‘an understanding of internal control

relevant to the audit’ - the importance of internal control in terms of the manner in

which auditors formulate their audit opinions mean that in practice evaluating the

control environment and the quality of internal controls is a key element in the great

majority of audits of companies of any size.

(In the USA the Sarbanes-Oxley Act

(enacted in July 2002) following the Enron and

WorldCom debacles requires a statement by management of public companies of their

responsibility for establishing and maintaining an adequate internal control structure

together with an assessment of the effectiveness of the internal control structure and

the procedures for financial reporting. The auditor is required to ‘attest to, and report

on, the assessment made by management.’)

A synopsis of the Act is available at

http://www.aicpa.org/info/sarbanes_oxley_summary.htm

Internal audit

Internal audit is a separate non-statutory function which has developed greatly in

standing and importance in the last twenty years. It is now seen as a significant part of

the overall corporate governance and risk management framework and the existence

of an internal audit function is now strongly encouraged for quoted companies, the

Combined Code stating:

C 3.5 The audit committee should monitor and review the effectiveness of the

internal audit activities. Where there is no internal audit function, the audit

committee should consider annually whether there is a need for an

internal audit function and make a recommendation to the board, and the

reasons for the absence of such a function should be explained in the

relevant section of the annual report.

Internal audit is wide ranging in its scope and may have a role inter alia in terms of

•

Compliance and system controls

•

Performance management

•

Investigation and ‘trouble shooting’

In 1999 The Institute of Internal Auditors (IIA, 1999) set out a revised definition of

internal audit ‘Internal auditing is an independent, objective assurance and consulting

activity designed to add value and improve an organization’s operations. It helps an

organization accomplish its objectives by bringing a systematic, disciplined approach

to evaluate and improve the effectiveness of risk management, control, and

governance processes…’

A relatively recent high profile, if not necessarily typical, example of the work of the

internal auditor has been the publication by the Treasury of the report of the internal

auditor of the Financial Services Authority (FSA) into the role played by the FSA as

regulator of Equitable Life (the ‘Baird Report’)

. Another has been the focus on the

work of internal audit in the WorldCom scandal in the US and in relation to the

reported recoverable oil and gas reserves of Shell.

Although internal audit is now much more prominent than in previous years issues do

arise as to how effectively this function can play its ascribed role within the overall

corporate governance structure. One problem lies in the great variety in the scope and

nature of the work of the internal audit function in different companies. More specific

concerns relate to the qualifications and reporting independence of internal auditors.

Although there is a worldwide body of internal auditors the Institute of Internal

Auditors, IIA (with a separate UK offshoot) with its own standards and professional

qualification membership of this body is not mandatory in any sense, and where

membership is present problems of monitoring and enforcing standards are

significantly greater than for external auditors in the absence of any supporting

statutory framework. The fact that the internal auditor is an employee of the company

provides a clear threat to independence (although it may be noted that the external

auditor too is reliant upon clients for fee income). There are few safeguards to protect

the independence of the internal auditor although over time lines of reporting

responsibility have shifted from reporting within the finance function (typically to the

Director of Finance) toward reporting either to the main board collectively or to an

audit committee comprising non-executive directors.

In coming to their audit opinion external auditors should take cognizance of the wok

of internal audit and may, if they choose to do so, place reliance upon the work of the

internal audit function provided that they are satisfied as to its competence and

independence. Such reliance may relate to the role of internal audit within the overall

system of internal control or it may be direct in terms of reliance upon specific

compliance or substantive tests performed by the internal auditor. ISA (UK & I) 610

requires the auditor to be aware of the activities of internal audit in the context of

identifying the risk of material financial misstatement and if the activities of internal

The Baird Report is available by search of the Treasury’s web site

www.hm-treasury.gov.uk

See Gwilliam and Marnet (2006)

audit are relevant to that risk assessment then the auditor should appraise and assess

the activities of the internal auditor with reference to:

•

Organizational status (independence, freedom of reporting)

•

Scope of function (nature of assignments and management response thereto)

•

Technical competence (adequate technical training, hiring procedures,

professional qualifications)

•

Due professional care (appropriate planning, supervision, review and

documentation)

If, in the light of this assessment the external auditor intends to place reliance upon

specific aspects of the work of the internal auditor (and following further evaluation

of the nature and conduct of those specific procedures) then it is necessary for the

external auditor to carry out specific audit procedures in relation to that work – the

nature and extent of these procedures will depend upon the auditor’s assessment of

the risk of material misstatement in the relevant area, the assessment of internal audit

and evaluation of their specific work.

A development in recent years has been the trend for companies to outsource the

internal audit function, with typically the work being undertaken by special units

within the large accounting firms. Advantages claimed for such outsourcing include

the possibilities of economies of scale in the provision of internal audit services; a

greater and more cost effective scope of international coverage; access to leading edge

practice and specialist skills; greater flexibility for the company and a clearer market

focus from the provider. Perceived disadvantages may include a lack of institutional

knowledge and a potential loss of independence in that antagonising key management

personnel may lead to the loss of the outsourced contract. These concerns are

heightened when the internal audit services are provided by the company’s external

auditor. Issues as to both enhanced fee dependence and the possibility of impact upon

the investigative and reporting activities of the external auditor were brought into

sharp focus by the collapse of Enron for whom Arthur Andersen acted as both the

internal and external auditor.

This led to a number of large firms ceasing to offer

Although in the Appendix to the final report of the bankruptcy examiner which discusses the role of

Arthur Andersen the bankruptcy examiner was not in fact critical of the provision of internal audit

services by Arthur Andersen – and indeed suggested that there might be benefits from the provision of

internal audit services to audit clients and in the US the Sarbanes Oxley Act now

prohibits the provision of internal audit services to audit clients by auditors.

References

Collier, P.,1997, ‘Corporate Governance and Audit Committees’, pp.70-84 in Sherer M. and

Turley S. Current Issues in Auditing 3rd edn.

COSO, 1992,

Committee of Sponsoring Organizations of the Treadway Commission, Internal

Control – Integrated Framework.

Gwilliam, D. , and Marnet O., 2006. ‘Audit in the Corporate Governance Framework: A

Cornerstone Built on Shifting Sand’, Working paper, UWA.

IIA, 1999, Institute of Internal Auditors IIA Professional Practices Framework for Internal

Auditing.

Turnbull Committee, 1999, Guidance for Directors of Listed Companies in the United

Kingdom, ICAEW. Available by search on

www.icaew.co.uk/internalcontrol

what it termed an ‘integrated audit’. See Batson (2003) available at

http://www.enron.com/corp/por/pdfs/examinerfinal/NBFinalAppendixB1.pdf

Univers
Ebooks
Livres audio
Presse
Podcasts
BD
Documents

Livre audio en ligne - Développement personnel Livre en ligne Tout le catalogue Tous les Intérêts

bea2004 notes unit 4 - internal control and internal audit…

YouScribe

Le catalogue

Le service

Les conditions