Controls may be tangible policies, procedures and activities or they may be embodied in less tangible behavioral aspects such as ethical values. They are designed by management and put into place with the intent of containing risks within risk tolerances established by the organizational risk management process so that business objectives can be achieved at the lowest cost.
Organizational Responsibilities for Internal control:
- Board of directors - Establish and maintain the organization's governance process and obtain assurances concerning the effectiveness of the risk management and control processes.
- Senior managers - Oversee the establishment, administration and assessment of the system of risk management and control processes.
- Operational managers - Design, apply and provide ongoing monitoring of the control processes in their respective areas.
- Chief audit executive - Develop an audit plan that ensures sufficient evidence will be obtained to evaluate the effectiveness of risk management and control processes.
- Audit Committee - Oversee the evaluation of the company's internal control system, including information technology security and control.
- Internal and External auditors - Provide varying degrees of assurance about the state of effectiveness of the risk management and control processes in selected activities and functions of the organization.
- Employees - Perform job responsibilities to the level of identified standards.
A control framework is a recognized system of concepts encompassing all elements of internal control. Increasingly, organizations are using control frameworks to establish effective internal control systems. Examples of recommended frameworks are as follows:
COSO Internal Control Framework:
Five interrelated components of the framework:-
- Control environment - sets the tone of an organization by influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Risk assessment - The identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed.
- Control activities - The policies and procedures that help ensure that management directives are carried out. They help to ensure that necessary actions are taken to address risks to achievement of the entity's objectives.
- Information and communications - Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities.
- Monitoring - Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time.
CoCo Internal Control Framework:
4 interrelated components:-
- Purpose - The mission, vision, strategy, risks and opportunities, policies, planning and performance targets and indicators that provide a clear driver for control criteria that people can understand.
- Commitment - The ethical values, integrity, human resource policies, authorities, accountability and mutual trust that get people to commit to control philosophy.
- Capability - The knowledge, skills, tools, communication processes, information, coordination and control activities that provide people with the resources and competence to participate in designing and installing good controls and being able to assess risks.
- Monitoring and learning - The monitoring of internal and external environments and performance, as well as challenging assumptions, reassessing information needs and information systems, conducting follow-up procedures and assessing the effectiveness of control.
The CoCo model presents 20 specific control criteria within these control components. It states that all 20 must be in place for internal control to be effective.
Cadbury Internal Control Framework:
- Control environment - The attitude and actions of the directors, management and employees that set the tone for control within the organization.
- Identification and evaluation of risks and control objectives - The identification and analysis of relevant business risks in a timely manner.
- Information and communication - The performance indicators, information systems, and other systems that communicate the right information to the right people and enable them to carry out their responsibilities.
- Control procedures - The policies and procedures or control activities that facilitate the execution of management directives and ensure compliance.
- Monitoring and corrective action - The monitoring process that assesses the quality of the internal control system's performance and reports on required changes and weaknesses necessitating corrective action.
Hard Internal Controls:
- Organizational structure
- Restrictive formal processes
- Centralized decision-making
Soft control examples:
- Shared values
- Strong leadership
- High expectation
- High ethical standards
One particularly useful method for evaluating soft controls is control self-assessment (CSA). CSA refers to a variety of assessment techniques, including facilitated workshops and surveys, in which the assessment is performed by people involved in the area or process being assessed rather than by an independent party.
Even though lack of independence reduces the reliability of the results, a well-designed, disciplined CSA technique produces results that are still quite reliable.
The CSA process allows management or work teams to be directly involved in:
- Participating in the assessment of internal control.
- Evaluating risk.
- Developing action plans to address identified weaknesses.
- Assessing the likelihood of achieving business objectives.
Authoritarianism refers to rigid adherence to conventional values and recognized authority.
Empowerment implies that employees have the authority to make decisions and take actions in their areas without prior approval.
Models of management:
- Custodial - orientation toward security blanket
- Supportive - promotes participation and involvement
- Collegial - towards teamwork and creativity instead of superior/subordinate relationship
A change agent is an individual who facilitates change within the organization.
Types of organizational conflicts and causes:
- Vertical conflict - Occurs between different hierarchical levels, commonly involves disagreements over resources, goals, deadlines or performance results
- Horizontal conflict - Occurs between persons or groups at the same hierarchical level, commonly involves goal incompatibilities, resource scarcities or interpersonal factors.
- Line-staff conflict - Involves disagreements over who has authority or control over certain matters.
- Role conflicts - Occur when communication proves to be inadequate or upsetting. Often involve unclear communication of work expectations, excessive expectations, etc.
- Workflow inter-dependencies - Occurs when interdependence is high and people are frustrated in some way while attempting to meet collaborative goals.
- Domain ambiguities - Occurs when people do not understand scope of authority or lines of responsibility.
- Resource scarcity - Occurs when various individuals or groups try to gain or maintain maximum share of scarce or shrinking resources.
Constructive conflict - leads to beneficial results.
Dysfunctional conflict - leads to experiences that erode relationships and derail progress toward goals.
Conflict management approaches include:
- Interest-based bargaining
- Authoritative command
There are specific types of opinion that the auditor may express, each with its own meaning regarding the strength of internal controls, as terms may have different meanings in different environments.
- Positive assurance - Takes a position on the strength of internal controls. Different ratings may be used, such as that internal controls are satisfactory or unsatisfactory, effective or ineffective, meet expectations or do not meet expectations.
- Negative assurance indicates that nothing came to the internal auditor's attention that would indicate inadequate internal controls. Such an opinion is less valuable than positive assurance as it provides limited assurance that sufficient evidence was gathered to determine whether internal controls were inadequate.
- In a qualified opinion, specific findings contradict the overall opinion. This type of opinion can be useful in situations where there is an exception to the general opinion. For example, a qualified opinion may indicate that controls were satisfactory, with the exception of accounts payable controls, which require significant improvement.