Internal Control: A Risk Based Approach
Author: Charles Watchorn
Do your responsibilities include assessing and improving financial systems and preparing for the arrival of the external auditor? In the first of a new series examining key issues in the International Standards on Auditing (ISAs (UK & Ireland)), Charles Watchorn highlights the key points of ISA (UK and Ireland) 315: Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, and says that reading through the new standard could save you time and money.
ISA (UK and Ireland) 315: Understanding the Entity and its Environments and Assessing the Risks of Material Misstatement provides models for:
- assessing the need for internal controls (a risk based approach) within the financial reporting process, and
- analysing internal control components.
Specific paragraphs in the ISA deal with the application of these principles to smaller entities.
Broadly defined, an effective internal control is one which:
- addresses an identified business risk,
- is designed to minimise or eliminate that risk,
- is implemented,
- operates as designed, and
- can be monitored in operation by management (who can take effective corrective action if necessary).
BUSINESS RISK
Defined as the risk of an adverse consequence occurring to the operations of the business due to an internal or external condition (existing or being created), business risk can:
- be inherent and continuous, e.g. the risk of inventory loss or damage in a warehouse due to theft or fire, or
- arise from developments in the business, e.g. the development of a new product requiring research and development, which may result in the obsolescence of existing products.
In both these scenarios there is a business risk (which arises hand in hand with the business opportunities presented) that a loss can occur to which the business cannot effectively adapt, draining resources and potentially making it difficult for the business to meet its external commitments.
The financial reporting risk (a subset of business risk) may be that the items are improperly accounted for, e.g. insufficient provisions being created or items being expensed, which leads to inaccurate information being presented to management and misstatement of financial results.
Stage one in managing these risks is to identify the risk, consider its potential impact on the business and decide the appropriate action to deal with it.
The internal control system is this process of managing business risk. We will consider the elements of internal control in the context of financial reporting risk.
INTERNAL CONTROL
When a business risk is identified does it automatically follow that an elaborate formal system of internal control, based around complex computer systems, monthly management accounts etc., to minimise the risk of error occurring in financial processes, is required?
The answer is ‘no’. Risks which could lead to errors in the financial systems should be addressed, but the compensating controls are determined in proportion to the seriousness of the risk. For example, in the case of a smaller entity it may not be necessary to have an elaborate computerised control in place over capital purchases; the involvement and supervision of management in the transactions may be sufficient to manage the risks. In the case of a larger entity, because of the volume and number of steps in processing capital purchases, management involvement may not be realistic; in this case a formal systems control may be the only way of reducing risk within this process.
‘Internal control’, as applied to the financial processes within the organisation, does not only mean reconciliations and the sign-off of paper; it extends to all those processes and activities, formalised or not, which can reduce the risk of financial error or misstatement.
Readers should consider all of their business processes with a potential impact on financial reporting and, where a relevant process is identified which reduces or eliminates an identified risk, consider whether it is worthwhile documenting and monitoring it.
Most companies, for example, maintain organisational charts and job descriptions. Amongst other purposes, these reduce the risk that a critical finance function will be overlooked or left unsupervised. It is a relatively simple process for management to ensure that these are reviewed and kept up to date.
COMPONENTS OF INTERNAL CONTROL
An internal control system not only encompasses the procedural mechanics of internal control but also the participation and involvement of management.
Management should consider the advantages of undertaking a formal controls review and updating systems documentation on a regular basis (this in itself could be considered evidence of the effectiveness of the control environment), addressing particularly what could pose a risk to the integrity of the financial systems, processes and the resulting financial information.
An assessment of the appropriateness and effectiveness of internal controls will encompass considerations wider than the mechanical processes undertaken (the control activities).
The control environment
This includes the attitudes, awareness and actions of management and those charged with governance concerning the entity's internal control and its importance in the entity. The control environment might encompass:
- Communication and enforcement of integrity and ethical values.
- Commitment to competence.
- Participation by those charged with governance.
- Management's philosophy and operating style.
- Organisational structure.
- Assignment of authority and responsibility.
- Human resource policies and practices.
These elements could be seen as the ‘hygiene’ factors which create the environment in which proper financial controls can be created and maintained.
The entity's risk assessment process
This is the process for identifying and responding to business risks and the results thereof. In most businesses the process of identifying business risks is undertaken on a continuous basis but is rarely documented; evidence of management's consideration emerges only when a risk is identified and action is considered necessary. Management may initiate action, or may determine that the risk is not significant enough to warrant action, or that the resources needed (cost or time) to implement a formal control are not justified. In some instances an informal control (e.g. a director's review of certain transactions) may be sufficient to address the risk.
The consideration of business risk is often made at board or management meetings. It is worthwhile to evidence via the minutes that the risk was considered regardless of whether action was considered necessary.
The ISA makes note of certain risks that may be of particular relevance to financial reporting and risks that can arise or change due to circumstances.
Information systems
These systems are normally considered the ‘formal’ financial reporting controls of the entity.
The ISA gives a technical definition of what an information system relating to financial reporting encompasses. To paraphrase the ISA, the financial reporting system, enabling the entity to produce complete and accurate financial information (and ultimately financial statements), covers those recording and reporting systems, manual or computerised, designed to initiate, record, process and report transactions and to maintain the accounting records for assets, liabilities and equity.
The information system covers not just the trial balance and journals, but also items such as purchase and sales orders, debtor statements and fixed asset cards, which are integral parts of the financial reporting system.
Communication relates to the flow of information between personnel, which again might be formalised in policies, e.g. the reporting of unusual transactions as they occur; or informal, e.g. regular conversations between a financial controller and the staff within a department.
Control activities
These are the acts that are undertaken to ensure that management's reactions to assessed risks are executed.
Control activities would cover the policies, procedures and processes that make the operation of the controls formal, e.g. where the organisation has a policy in relation to bank reconciliations, their production, review and the follow-up action taken, all of which should be evidenced.
The ISA gives several examples of relevant control activities:
- Performance reviews - review and comparison by management of actual compared to budget or forecast, consideration of the significance of variation and the determination of action.
- Information processing - controls to ensure the accuracy, completeness and authorisation of transactions. An example would be policies to ensure that users could not access or change programs to override controls or erase or introduce transactions without a proper record being kept.
- Physical controls - these would comprise the physical actions to protect an entity's assets (e.g. securing assets against theft or fire, such as keeping the keys of trucks secure when not in use, and ensuring adequate insurance is provided) and information (e.g. ensuring anti-virus and firewall software is installed and kept up to date, and that original and back-up computer files are safely stored).
- Segregation of duties - the separation of functions within the same accounting process. In the case of smaller entities this may involve the separation of the authorisation and review functions from the initiation and processing.
Monitoring of Controls
Management should consider whether controls are operating as intended and, when conditions change, whether changes in controls are appropriate. An example of this would be management's review of bank reconciliations and an upgrade in the level of review when a new electronic payments system is introduced. Where a control is not operating effectively, e.g. it is not reducing a risk to an acceptable level, an appropriate change should be introduced. This could be viewed as the ‘feedback loop’, an essential element of any control system.
INTERNAL CONTROL & EXTERNAL AUDIT
The ISA requires updated audit planning from the auditors, focussing on obtaining and documenting an understanding of the business and its environment, and of the particular factors present that may give rise to a risk of material misstatement in the financial statements.
This will result in the external auditor updating their documentation of the systems and controls of a business and asking more specific questions of the directors and managers of a business. The auditor will obtain an understanding of the internal controls present (or the absence of the same) in the business, regardless of whether a formal internal control system is in place or whether the auditor intends to rely on them.
The end result is that many more questions will be asked by the auditor and more demands placed on management time. Obviously, if management have already updated their own internal documentation and processes, this will minimise those demands.