Compliance with section 404 of the Sarbanes-Oxley Act 2002 requires that internal controls over financial reporting are in place and effective. Control activities are one element of five that make up an internal control
Note that section 404 only requires the company and its auditors to examine internal controls over financial reporting.
The principal source of information on internal controls and how to audit them is the Committee Of Sponsoring Organisations (COSO) for the Treadway Commission. Set up to investigate ways to improve financial reporting and prevent fraud, it produced an extensive framework.
The COSO framework makes it clear that no one element of internal controls takes precedence over the others. Each internal control must be looked at holistically, taking all the elements into consideration.
The other four elements are: control environment, risk assessment, information and communication, and monitoring.
COSO further splits control activities into two types: policy and procedure.
Policy establishes what should be done.
Procedures are the actions of people to implement the stated policies.
As stated above, control activities cannot be seen in isolation from the rest of the elements identified by COSO. Indeed, some are influenced by or link into other elements. Characteristics of control activities are listed below.
The complexity of modern business means that no two corporate entities are going to be the same. Objectives, business circumstances and management will all be different. Consequently we have to assume that each entity will have its own control activities.
Policies do not have to be written. Verbal communication can be just as effective, in particular where the policy is long standing, or in smaller organisations where there is close interaction between management layers and close supervision.
Control activities link directly to the risk assessment process. The essential part of risk assessment is that an objective may fail to be achieved. Establishment of control activities should be based on supporting risk assessment. This is more important than the type of control activity (e.g. preventive or detective).
Following on from the documentation of policy is the performance of the procedures to enact them. In most cases this is the more important stage in determining effectiveness.
All significant business activities should be evaluated.
The range of control activities is huge. COSO identifies some broad groupings. It has to be emphasised that the important aspect to consider in effectiveness is "how well does it deal with managing risk?"
Top level reviews are management's reviews of actual performance versus budgets, forecasts and prior performance. Other forms include benchmarking, comparing data and considering unusual relationships, followed by corrective action where necessary. Note these should occur after the event. Creating a budget is not a control activity.
Information processing controls exist for checking the accuracy, completeness and authorization of transactions. They break down into general controls and application controls. The difference is that general controls are at the data centre or acquisition level. Application controls are for individual applications, to ensure transactions are valid, authorized and accurately processed.
Physical controls cover the physical security of assets. Included are secured facilities, identity management, and safeguards to ensure application and data security. The extent to which the physical controls should be considered is linked to the effect on financial reporting. For example, corrupted data would be picked up by periodic data checking; but if financial reporting relied solely on the data source in question, then the physical security controls would have to be questioned.
Segregation of duties involves assigning different people the responsibilities for recording transactions, authorizing transactions and ensuring security of assets. The aim is to ensure that no one individual is in a position to both perpetrate and conceal irregularities or errors. In small companies this can be a problem, due to the small number of staff.
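As an added illustration of the segregation-of-duties principle (example code, not from the original text or from COSO), the following check flags any user whose combined role assignments give them more than one of the three duties named above: recording transactions, authorizing them, and custody of assets. The roles, users and assignments are constructed for the example.

```python
# Added example: segregation-of-duties (SoD) conflict check.
# Roles, users and assignments below are constructed, not from any real system.
from itertools import combinations

# The three duty classes the text separates: record, authorize, custody of assets.
DUTIES = {"record", "authorize", "custody"}

# Constructed role-to-duty mapping (hypothetical application roles).
ROLE_DUTIES = {
    "ap_clerk": {"record"},
    "ap_manager": {"authorize"},
    "treasury": {"custody"},
    "finance_admin": {"record", "authorize"},  # conflicting within one role
}

# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"ap_clerk", "treasury"},   # conflict arises only across two roles
    "dave": {"finance_admin"},           # conflict inherited from a single role
}


def duties_for(user, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Union of duties a user holds across all of their assigned roles."""
    held = set()
    for role in assignments.get(user, set()):
        held |= role_duties.get(role, set())
    return held


def sod_conflicts(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Return {user: [conflicting duty pairs]} for every user who holds more
    than one of record/authorize/custody. Any two of the three in one
    person's hands lets them both perpetrate and conceal an irregularity."""
    report = {}
    for user in assignments:
        held = duties_for(user, assignments, role_duties) & DUTIES
        pairs = [tuple(sorted(p)) for p in combinations(sorted(held), 2)]
        if pairs:
            report[user] = pairs
    return report


if __name__ == "__main__":
    for user, pairs in sod_conflicts().items():
        print(f"{user}: conflicting duties {pairs}")
```

In a small company where a conflict cannot be removed by reassigning roles, the flagged users are the ones whose work needs a compensating review by someone else.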