GUIDANCE FOR DIRECTORS ON INTERNAL CONTROL

INTRODUCTION

Part 1 - Introduction
Part 2 - The Components of an Effective Internal Control System
Part 3 - Questions to Ask to Assess the Effectiveness of an Internal Control System
Part 4 - Conflicts of Interest

Why are internal controls important?

A good internal control system is a key mechanism for providing management with reasonable assurance, in that it helps:

- reduce the business risks of the company.
- safeguard the company's assets from loss or shrinkage, or from fraud.
- ensure the correctness and the reliability of the company's financial reporting.
- ensure the company's employees comply with the relevant laws and regulations.
- the company to operate efficiently, allocate resources appropriately, and achieve its set objectives.
- protect the investment of the shareholders.

What are internal controls?

An internal control system is a process, effected by a company's board of directors, management and staff, designed to provide reasonable assurance that:

- The company operates its business effectively and efficiently, achieving its objectives (including the safeguarding of assets against loss or misuse).
- Financial data and reports are correct and reliable.
- The company operates in compliance with the relevant laws and regulations.

Who is responsible for the internal control system?

The board of directors is responsible for the establishment of an effective internal control system and ensuring that the system is effective in managing business risks to an appropriate level through the establishment of appropriate internal control and risk management policies, and regular assessment of whether the system is functioning effectively.

Management is responsible for the effective implementation of the policies stipulated by the board.

Employees must perform their duties in compliance with the internal control system established by the management.

How do I assess the effectiveness of an internal control system?

An effective internal control system must consist of the following five major components:

- A sound control environment
- A sound risk assessment process
- Sound operational control activities
- An effective information and communication system
- An effective monitoring and evaluation system

Therefore, in reviewing whether the internal control system is effective, the board of directors should consider if all of the above five components are in place, and whether they are effectively implemented. The components are explained in Part 2.

PART 2 - THE FIVE COMPONENTS OF AN EFFECTIVE INTERNAL CONTROL SYSTEM

Component 1: Control Environment

The control environment is the tone of an organisation, or the factors that influence the internal control system to operate as the company hopes. It creates a control atmosphere which promotes awareness of the importance of internal control systems among everyone in the company.

Examples are management's consciousness of the importance of integrity and business ethics, an appropriate organisational structure, clear assignment of authority and responsibility, and written policies and procedures. A good control environment is therefore an important foundation for an effective internal control system.

Component 2: Risk Assessment

Any company operating a business, regardless of size, structure, nature, industry, or geography, is surrounded by business risks at all times. Risks can arise from both internal and external factors such as the following:

Internal factors:

- Management lacks integrity and ethics.
- Unqualified personnel.
- Changes in computerised systems result in changes in the internal control system.
- The company expands faster than its existing infrastructure can cope with.
- High turnover of management and employees.
- Lack of adequate supervision because of, for example, the remoteness of branches.

External factors:

- Changes in technology force the company to change its operating procedures.
- Changes in consumer behaviour outdate existing goods and services.
- A competitive environment unfavourably affects prices and market share.
- The passage of new laws impacts on the company's operations.

If the company is to avoid the hazards arising from the above risks, the company's management must regularly:

- Identify the types of risk to which the company is exposed or expects to be exposed.
- Analyse the impact of such risks on the company, including the likelihood of their occurrence.
- Determine the measures to be taken in order to manage the risks.

Component 3: Control Activities

Control activities are policies and procedures that help ensure that the management directives, issued in order to reduce business risk and enable the company to achieve its business objectives, are acted upon throughout the company. Examples of control activities are:

- Procedures to ensure that the company's accounting data, information and financial reporting are correct and complete.
- Appropriate assignment of authority and approval of transactions at a suitable level.
- Preventive and detective physical controls over the loss of assets, including fraud (such as physical counts of assets and segregation of duties).
- Procedures to ensure that the company complies with the relevant laws and regulations.

Component 4: Information and Communication

Quality information (whether of a financial, accounting, marketing, or other nature) and the process by which such information is communicated to the appropriate person, are critical.

Quality information has the following characteristics:

(1) It is relevant to the decision to be made.
(2) It is accurate and complete.
(3) It is current.
(4) It is presented in an easily comprehensible format.

Component 5: Monitoring and Evaluation

Monitoring and evaluation is a process of following up and assessing the quality of internal control performance within the company, established in order to provide assurance to the board of directors and the management that the internal control system is operating, that modifications are made when circumstances change, and that deficiencies are promptly remedied. For example, periodic reviews of the internal control system are made and reported on by the responsible management and the internal auditors, and the management and employees are required to sign a letter of representation to confirm that they are in compliance with the company's code of conduct (see Part 4).

PART 3 - QUESTIONS TO ASK TO ASSESS THE EFFECTIVENESS OF AN INTERNAL CONTROL SYSTEM


1. On the Control Environment

1.1 Has the company established written codes of conduct and regulations that prohibit management and employees from being involved in conflicts of interest with the company (see Part 4), including penalties in case of violation of such codes and regulations?

1.2 Does the company require that all employees sign a letter of representation to confirm that they are in compliance with the regulations established?

1.3 Does the conduct of the company's management set a good example for their subordinates?

1.4 Does the company have a good organisational structure which enables management to act correctly, swiftly and efficiently in planning, directing and controlling the operations?

1.5 Does the company have an internal audit function which works in compliance with international standards and which is able to function as an efficient management tool as it reports directly to the audit committee or top executives, enabling it to independently report the results of audits and express its opinions openly?

1.6 Has the company established written policies and working practices for financial transactions and for general administration?

1.7 Has the company established written human resource policies and practices in the areas of recruitment, training, performance evaluation, promotion, and compensation and fringe benefits, in order to encourage employees to have integrity and work efficiently?

1.8 Has the company drawn up job descriptions specifying appropriate knowledge, ability, and qualifications for personnel in each position?

1.9 Does the company set unrealistic performance targets or provide excessive incentives or compensation, which may encourage fraud or malfeasance, such as setting unrealistic sales targets and thus encouraging the manipulation of sales figures?

1.10 Does the management apply accounting policies in accordance with generally accepted accounting principles which are appropriate to the nature of the company's business and avoid accounting policies which lead to distortion of the company's operating results?

1.11 Does the company periodically rotate all work positions and duties, and require all personnel in sensitive areas, where there is a high risk of fraud and misappropriation, to take annual leave so that other personnel work in their stead?

2. Risk Assessment

2.1 Does the company set clear business targets (such as targets and an overall business plan that can be used to evaluate performance) as guidelines for employees to use in their work?

2.2 Does management arrange for the evaluation of business risks arising from both external and internal factors, such as foreign currency risk and competitive risk, and for the regular analysis of the possible effects of such risks on the operations of the company?

2.3 Has the management stipulated measures or procedures to reduce risks to an acceptable level, or informed employees what level of risk is acceptable to the company?

3. Control Activities

3.1 Does the company adopt clearly defined budgets and/or key performance indices as tools in planning and control, to keep operating results in line with expectations?

3.2 Does the company report its operating results on a regular and timely basis; and does it compare those reports with figures derived from the planning and control tools, in order to provide an appropriate basis for management's business decision making and problem solving?

3.3 Are duties and responsibilities completely segregated in the following three areas in order to provide check and balance mechanisms?
(1) Authorisation of transactions
(2) Recording of accounting transactions and data
(3) Custody of assets

3.4 Does the company have a list of persons who are authorised to approve each type of financial transaction?

3.5 Does the company maintain documentary evidence which facilitates the separation of responsibilities and monitoring of work performance at all times, including the identification of the persons accountable for errors?

3.6 Does the company monitor and safeguard its assets to prevent their loss and misuse through, for example, periodic physical counts of assets, the use of security guards to prevent loss of assets, and the insurance of inventories or fixed assets at their replacement cost?

3.7 Does the company prohibit the management (including top executives) from authorising transactions related to themselves, such as overseas travelling expenses and entertainment expenses?

4. Information and Communication

4.1 Does the company arrange for up-to-date reports of significant information to be provided to its management and the board of directors on a regular basis?

4.2 Have communication channels been established to ensure that employees at all levels gain an understanding of the company's policies and regulations and to ensure that information is communicated to the relevant people?

4.3 Has the company established communication channels which allow employees to report any suspected fraudulent practices, such as by appointing a committee or certain senior officials to be responsible for receiving complaints, or by installing suggestion boxes?

4.4 Is a data security system in place in order to prevent unauthorised access?

4.5 Has the company prepared a disaster recovery plan and contingency plan to prevent the loss of information?

4.6 Does the company make complete disclosure of related party transactions?

5. Monitoring and Evaluation

5.1 Are reporting systems in place to identify variances from expected performance and is corrective action taken?

5.2 Are internal audits performed by persons with adequate knowledge and proficiency, and who report directly to the board of directors and senior management?

5.3 Are internal control weaknesses noted by either internal or external auditors promptly reported directly to the senior management, including the board of directors, so that prompt corrective actions can be taken?

5.4 Does the company have a policy requiring the management to report immediately to the board of directors in all cases of fraud, suspected fraud, breaches of laws, or other irregularities which may have a significant impact on the company's reputation and financial position?

PART 4 - CONFLICTS OF INTEREST

A conflict of interest arises when one person performs two roles which have different objectives or interests. Conflicts may arise because personal interests are incompatible with the company's interests, forcing a person to make a choice which may lead to fraud and misappropriation. Therefore, all directors and employees of the company should avoid any situation which may lead to a conflict of interest.

Samples of conflict of interest

1. Unauthorised divulging of confidential information whether or not for personal gain and whether or not harm to the Company is intended. Disclosure of confidential information to customers, suppliers, competitors or others, except for information transmitted as part of normal job activities, or information that has been created for public distribution.

2. Use of confidential information for the purchase of company securities or securities of other companies.

3. The acceptance or offer of gifts, or other favors which go beyond common courtesies in order to induce someone to act in a particular way.

4. Entertainment or reception of customers, contractors, suppliers, service providers, or government officials, which goes beyond an appropriate level or is held in inappropriate venues such as entertainment places or places offering various types of service.

5. Requiring or accepting any benefits, whether money or goods, from customers, brokers or agents, business owners, contractors, suppliers, service providers, and any individuals or organisations that have transactions with the company (money or goods includes gifts, loans, fees, commissions, sharing of benefits, services, privileges, employment, and approval of contracts).

6. Investment in, or being a director or employee of, a customer, supplier, service provider, or competitor.

7. Transactions between related companies, between an individual and the company, or between relatives of management and the company.

This article is extracted from the handbook Guidance for Directors on Internal Control which was prepared by the Institute of Certified Accountants and Auditors of Thailand, together with representatives of both the major educational institutions and private sector companies, for the Stock Exchange of Thailand (www.set.or.th) in March 2000.
