What is Internal Control?

There are varied definitions, but I find the definition in the International Standards on Auditing as the most comprehensive. It defines Internal Control as “The process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations”. Internal control consists of five components namely:
• The control environment;
• The entity’s risk assessment process;
• The information systems, including the related business processes relevant to financial reporting, and communication;
• Control activities; and
• Monitoring of controls.

We can de-mystify the jargon and simply look at what each component entails.

Control environment refers to the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity. The control environment is the foundation for effective internal control, providing discipline and structure by setting the tone at the top thereby influencing the control consciousness of the entity’s personnel. The control environment, however, in itself does not prevent or detect fraud and has to be supported by other internal control components.

The entity’s risk assessment process is the process by which risks relevant to the business are identified and formulation of an action plan on how to address those risks.

Information systems relate to the financial reporting objectives, which includes the accounting system and consists of the procedures and records established to initiate, record, process, and report entity transactions and to maintain accountability for the related assets, liabilities and equity.

Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement of the entity’s objectives.

Monitoring of controls is a process to assess the effectiveness of internal control performance over time, and involves assessing the design and operations of controls on a timely basis and taking necessary corrective actions.

What does the above mean in simple terms? In the complex business world in which our businesses operate, the only way to build strong controls is firstly to get the management to appreciate that these are required in an organisation and setting the standards for compliance. The management then needs to identify the key risks facing the organisation and develop policies and procedures to mitigate the risks, and systems to monitor and report on these risks. The last step is to constantly monitor the risks and ensure that the policies and procedures to mitigate risks are current. This means that every organisation must dedicate resources to strengthen the controls which in turn increases the efficiency and effectiveness by which the organisation operates.

In the next edition we will review the practical means by which an effective organisation structure can aid in the creation of a strong control environment.

An Article by Ashif Kassam, Managing Partner, HLB Ashvir, Appearing in the Windsor News January - March 2007 Edition (A Quarterly Newsletter of The Windsor Golf Hotel & Country Club).

In a follow up to the article on Control Environment in the previous edition of the Windsor News, this article looks at the basic governance structure required to sustain a strong control environment.

Corporate governance is the process by which companies are directed and controlled with the objective of increasing shareholders value and satisfying stakeholders. This is achieved by establishing a system of clearly defined authorities and responsibilities which results in a system of internal control that is regularly tested to ensure effectiveness. The concept of corporate governance is embodied in various codes including the Code of Best Practice for Corporate Governance issued by the Centre of Corporate Governance with the underlying principles remaining the same.

Respective Responsibilities of the Shareholders’ and the Board

The shareholders’ role is to appoint the board of directors and the external auditors. This role is extended to holding the board responsible and accountable for efficient and effective governance.

The board in turn is responsible for the governance of the organisation. It is also responsible for conducting the business and operations with integrity and in accordance with generally accepted corporate practices, based on transparency, accountability and responsibility.

Board of Directors

To be effective, a board should comprise both executive and non-executive directors with at least one third being non-executives. The board should be chaired by a non-executive director. All non-executive directors should be independent of management. The board should be composed of members who possess varied and extensive skills in core areas of the business, management, accountancy and information communication and technology. Directors should be required to disclose all areas of conflict of interest to the board and be excluded from voting on such areas of conflict. The board should also have access to the company secretary and legal counsel.

The board is overall responsible for the development of internal financial control which provides safeguard against material mis-statement and fraud thereby ensuring the fair presentation of the financial statements. In addition, the board is also responsible for identifying current and future risks and ensuring that the necessary systems and controls are in place to enable such risks to be measured, controlled and effectively monitored.

The chairman’s role on the other hand should be to provide leadership to the board without limiting the principle of collective responsibility for board decisions. He acts as the link between the board and the managing director and should play a lead role in consensus building between the board members, the managing director and senior management.

Whilst providing the overall leadership, the board delegates the authority for day to day management to the managing director and retains the overall responsibility for financial and operating decisions and monitoring performance of senior management.

The board should meet regularly, at least quarterly and have a formal schedule of matters reserved to it. Board papers should generally be circulated two weeks prior to the board meetings.

As a pre-requisite new board members should undergo a formal induction process to ensure that they are fully conversant with the organisations’ policies, structure and corporate governance principles. In addition, the board should develop a formal evaluation mechanism whereby each director and the board as a whole are evaluated annually against pre-set performance benchmark.

To effectively fulfil its responsibilities, the board usually delegates certain responsibilities to sub-committees, with the chairman of each sub-committee reporting to the board on the committee matters. The key board committees are:

Board Audit Committee

The committee should ideally comprise non-executive directors and be chaired by a professional accountant. Its functions include:
• Monitoring and strengthening the effectiveness of management information and internal control systems.
• Review of financial information and improving the quality of financial reporting.
• Strengthening the effectiveness of internal and external audit functions, and deliberating on significant issues arising from internal and   external audits.
• Increasing the stakeholders' confidence in the credibility and stability of the organisation.
• Monitoring instances of non-compliance with the International Financial Reporting Standards and applicable legislation.

Nominations and Remuneration Committee

The committee usually comprises both executives and non-executives with the key function of developing and reviewing human resources policies and approving senior management appointments and remuneration.

In a contemporary business environment the above structure at a minimum will ensure that the organisation has an effective oversight function which will not only monitor controls but also ensure that risks are reviewed regularly in light of changes in the business environment.

An Article by Ashif Kassam, Managing Partner, HLB Ashvir Appearing in the Windsor News April - June 2007 Edition (A Quarterly Publication of the Windsor Golf Hotel & Country Club).