acca paper f1 accountant in business phần 6 docx

215

Control, security

and audit

Introduction

In this chapter we move to the main elements of internal control systems that

organisations operate (Section 1). Controls must be linked to organisational

objectives and the main risks that organisations face (Section 2). In addition

internal control systems do not just consist of the controls themselves but also

the control environment within which controls operate.

Internal audit is a key part of the control system of larger companies

(Section 3) and the external audit function exists to review controls and report

upon the financial statements (Section 4).

Organisations are becoming increasingly reliant on computerised information

systems. It is vital therefore to ensure these systems are secure – to protect

the information held on them, to ensure operations run smoothly, to prevent

theft and to ensure compliance with legislation (Sections 5 and 6).

Security and legal issues are likely to crop up regularly in the examination.

Topic list Syllabus reference

1 Internal control systems D3 (a)(b)

2 Internal control environment and procedures D3 (c)(d)

3 Internal audit and internal control D2 (a)(b)

4 External audit D2 (a)(b)

5 IT systems security and safety D3 (e)

6 Building controls into an information system D3 (f)

216 9: Control, security and audit ~ Part D Specific functions of accounting and internal financial control

Study guide

Intellectual level

D2 Internal and external auditing and their functions

(a) Define internal and external audit. 1

(b) Explain the main functions of the internal auditor and the external auditor. 1

D3 Internal financial control and security within business organisations

(a) Explain internal control and internal check. 1

(b) Explain the importance of internal financial controls in an organisation. 2

(c) Describe the responsibilities of management for internal financial control. 1

(d) Describe the features of effective internal financial control procedures in an

organisation.

2

(e) Identify and describe features for protecting the security of IT systems and

software within business.

1

(f) Describe general and application systems controls in business. 1

Exam guide

The syllabus regards internal control as a specific and very important business function, supported by

effective and secure management information.

1 Internal control systems

Internal controls should help organisations counter risks, maintain the quality of reporting and comply with

laws and regulations. They provide reasonable assurance that the organisations will fulfil their objectives.

An internal control is any action taken by management to enhance the likelihood that established

objectives and goals will be achieved. Management plans, organises and directs the performance of

sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control

is the result of proper planning, organising and directing by management. (Institute of Internal Auditors)

1.1 Direction of control systems

In order for internal controls to function properly, they have to be well-directed. Managers and staff will be

more able (and willing) to implement controls successfully if it can be demonstrated to them what the

objectives of the control systems are, whilst objectives provide a yardstick for the board when they come

to monitor and assess how controls have been operating.

1.2 Turnbull guidelines

The UK's Turnbull report provides a helpful summary of the main purposes of an internal control system.

(Note that the Turnbull report is not examinable but provides a useful background.)

Turnbull comments that internal control consists of 'the policies, processes, tasks, behaviours and other

aspects of a company that taken together:

(a) Facilitate its effective and efficient operation by enabling it to respond appropriately to significant

business, operational, financial, compliance and other risks to achieving the company's

objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud

and ensuring that liabilities are identified and managed.

FAST FORWARD

Key term

Part D Specific functions of accounting and internal financial control ~ 9: Control, security and audit 217

(b) Help ensure the quality of internal and external reporting. This requires the maintenance of

proper records and processes that generate a flow of timely, relevant and reliable information

from within and without the organisation.

(c) Help ensure compliance with applicable laws and regulations, and also with internal policies with

respect to the conduct of business'

The Turnbull report goes on to say that a sound system of internal control reduces but does not eliminate

the possibilities of poorly-judged decisions, human error, deliberate circumvention of controls,

management override of controls and unforeseeable circumstances. Systems will provide reasonable

(not absolute) assurance that the company will not be hindered in achieving its business objectives and in

the orderly and legitimate conduct of its business, but won't provide certain protection against all possible

problems.

1.3 Need for control framework

Internal control frameworks include the control environment within which internal controls operate. Other

important elements are the risk assessment and response processes, the sharing of information and

monitoring the environment and operation of the control system.

Organisations need to consider the overall framework of controls since controls are unlikely to be very

effective if they are developed sporadically around the organisation, and their effectiveness will be very

difficult to measure by internal audit and ultimately by senior management.

1.4 Control environment and control procedures

The internal control system comprises the control environment and control procedures. It includes all

the policies and procedures (internal controls) adopted by the directors and management of an entity to

assist in achieving their objective of ensuring, as far as practicable, the orderly and efficient conduct of its

business, including adherence to internal policies, the safeguarding of assets, the prevention and detection

of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation

of reliable financial information. Internal controls may be incorporated within computerised accounting

systems. However, the internal control system extends beyond those matters which relate directly to the

accounting system.

Perhaps the simplest framework for internal control draws a distinction between

x Control environment – the overall context of control, in particular the attitude of directors and

managers towards control

x Control procedures – the detailed controls in place

The Turnbull report on Internal Control also highlights the importance of

x Information and communication processes

x Processes for monitoring the continuing effectiveness of the system of internal control

However, any internal control system can only provide the directors with reasonable assurance that their

objectives are reached. This is because of inherent limitations such as human error or fraud, collusion

between employees or controls being overridden by managers.

2 Internal control environment and procedures

The control environment is influenced by management's attitude towards control, the organisational

structure and the values and abilities of employees.

Key term

FAST FORWARD

FAST FORWARD

218 9: Control, security and audit ~ Part D Specific functions of accounting and internal financial control

2.1 Nature of control environment

The control environment is the overall attitude, awareness and actions of directors and management

regarding internal controls and their importance in the entity. The control environment encompasses the

management style, and corporate culture and values shared by all employees. It provides the background

against which the various other controls are operated.

The Turnbull report highlighted a number of elements of a strong control environment.

x Clear strategies for dealing with the significant risks that have been identified

x The company's culture, code of conduct, human resource policies and performance reward

systems supporting the business objectives and risk management and internal control systems

x Senior management demonstrating through its actions and policies commitment to competence,

integrity and fostering a climate of trust within the company

x Clear definition of authority, responsibility and accountability so that decisions are made and

actions are taken by the appropriate people

x Communication to employees what is expected of them and scope of their freedom to act

x People in the company having the knowledge, skills and tools to support the achievements of the

organisation's objectives and to manage effectively its risks

However, a strong control environment does not, by itself, ensure the effectiveness of the overall internal

control system although it will have a major influence upon it.

The control environment will have a major impact on the establishment of business objectives, the

structuring of business activities, and dealing with risks.

Controls can be classified in various ways including administrative and accounting; prevent, detect and

correct; discretionary and non-discretionary; voluntary and mandated; manual and automated.

The mnemonic SPAMSOAP can be used to remember the main types of control.

Control procedures are those policies and procedures in addition to the control environment which are

established to achieve the entity's specific objectives. (Auditing Practices Board)

2.2 Classification of control procedures

You may find internal controls classified in different ways, and these are considered below. Classification

of controls can be important because different classifications of control are tested in different ways.

Classification Detail

Administration These are concerned with achieving the objectives of the organisation and with

implementing policies. These controls relate to channels of communication and

reporting responsibilities.

Accounting These controls aim to provide accurate accounting records and to achieve

accountability. They apply to recording transactions and establishing responsibilities for

records, transactions and assets.

Prevent These are controls designed to prevent errors from happening in the first place. For

example, checking invoices from suppliers against goods received notes before paying

the invoices.

Detect These are designed to detect errors once they have happened. Examples include bank

reconciliations and physical checks of inventory against inventory records.

Correct These are designed to minimise or negate the effect of errors. An example would be a

back-up of computer input at the end of the day.

Key term

Key term

FAST FORWARD