^

Business

Internal control

TOP OF MIND - Arthur Z. Machacon - The Philippine Star

(Part 2)

A cursory search for articles on “internal controls” in the internet showed the following:

• Town remedies internal control issues, receives favorable audit (May 11, 2012)

• Lack of internal controls could present problems for cattle industry (August 12, 2010)

• Coast Guard has IT internal control problems, audit says (May 3, 2010)

These articles show that Internal control is a big concern for all types of endeavors, whether it be a political subdivision , the coast guard or a cattle rancher.

Things to consider on internal control in business

Under Philippine Standards on Auditing (PSA) 315 and that of the COSO Framework, there are five things to consider about internal control:

 Control environment – This is the work atmosphere that an organization establishes for its employees, with the overall tone set from  the top.  This primarily pertains to a tone of honesty and integrity, with the most important element being the example set by the directors and officers of the corporation.  For instance, if management overstates revenues, employees might be encouraged to do shady deals,  overstate expenses on their travel reimbursement forms and other types of fraud.

Risk assessment – This component deals with possible threats from without and weaknesses within the business, and the development of controls, policies, and procedures to protect the business and manage risks. Management should be on the lookout for risks (e.g., competitive threats, insurable risks, new product lines, labor strife, etc.) that might develop at various levels so that these can be thwarted or avoided and defences  mounted. 

Control activities –  These are policies and procedures that help ensure the execution of management directives and promote actions that address risks faced by the organization.  Examples of specific control activities include those relating to authorization, physical controls, performance reviews, information processing and segregation of duties. 

Authorization control procedures take many forms: passwords authorize individuals to use computers, to access certain databases and to transact. Formal notice of authorized check signatories in the form of certified copies of the minutes of the Board meeting given to banks vest designated officers with check-signing authority and nothing can be withdrawn, no checks can be encashed  nor safe deposit boxes can be accessed without such authorization. Customers can only transact up to their authorized credit limits. Spending limits authorize individuals to spend only what is in their budget or approved level. For example when individuals are not authorized to approve purchases, they cannot order items for personal use and have their companies pay for the goods.

Physical controls such as vaults, safes, fences, locks and keys, among others, protect assets from theft. These preclude opportunities to commit fraud by making it difficult for people to access the assets. Money locked in a vault, for example, cannot be stolen unless someone gains access or unless someone who has the access violates the trust. 

Performance reviews include surprise checks of procedures, periodic comparison of accounting records and physical assets and a review of functional or activity performance.  An example of a surprise check would be a cash count on a cashier’s cash in custody. 

Some examples of information processing controls in an entity include programming on an accounting software that rejects unreasonable data (e.g., interest rate of 500 percent on a loan), numerical sequence checks on invoices inputted and system lock in case of wrong log-on data.

Segregation of duties seeks to prevent persons with access to readily realizable assets from being able to adjust the records and thereby control those assets;  for example the accounting for and the handling of cash are separated so that one person does not have access to both.

Information and communication –  This component encompasses the flow of reports and communications within the entity. Are the reports and communications timely, accurate, and complete?  It would be hard to do the financial reporting and monitoring that management does without reliance on the communication and reports generated by the financial accounting system. Further, there can be nothing more frustrating than not having the data you need on a timely basis.  The goal is the presentation of the right content to the right people in a timely manner.

Communicating what is and what is not appropriate or acceptable is crucial. Codes of conduct, orientation meetings, training, supervisor/employee discussions, and other types of communication that distinguish between acceptable and unacceptable behaviour should be routine activities.

Monitoring  –  This is a process to assess the effectiveness of internal control performance over time. This may take the form of management reviewing the reasonableness of reports such as basic financial statements, actual-to-budget comparisons, and profitability by division or matters such as monitoring of customer complaints and even periodic audits by internal auditors. In most entities, this information is produced on a monthly basis. 

Internal control on a personal level

On a personal level, we all practice internal control to a certain extent. We have our moral compass to set the tone of our daily conduct, which, ideally, should be founded on honesty and integrity.  We assess the threats around us and take inventory of our vulnerabilities. We take part in various control activities. Do you have locks for the doors of your house? That is internal control to safeguard the assets you own. Do you keep spare keys for your room in case someone gets locked out? That is internal control – a fall back feature in the event of such a contingency.  Do you have insurance for your car to cover repairs and third party liabilities in case of accidents?  Internal controls, though we may not realize it, are not just what “auditors” look into– they actually pervade our everyday lives. Indeed, good internal control is necessary for all types of endeavors.  Even in the business of one’s own life.

* * *

Arthur Z. Machacon is an Audit partner of Manabat Sanagustin & Co. (MS&Co.), the Philippine member firm of KPMG International. He has more than 18 years of external audit experience covering a wide spectrum of industries. He has also a significant experience in the audit of publicly-listed companies.

This article is for general information purposes only and should not be considered as professional advice to a specific issue or entity.The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG International  or MS&Co. For comments or inquiries, please email [email protected] or [email protected].

 

ARTHUR Z

COAST GUARD

CONTROL

CONTROLS

INTERNAL

MANABAT SANAGUSTIN

UNDER PHILIPPINE STANDARDS

  • Latest
  • Trending
Latest
Latest
abtest
Are you sure you want to log out?
X
Login

Philstar.com is one of the most vibrant, opinionated, discerning communities of readers on cyberspace. With your meaningful insights, help shape the stories that can shape the country. Sign up now!

Get Updated:

Signup for the News Round now

FORGOT PASSWORD?
SIGN IN
or sign in with