Internal Control and Risk Management
In order for the plans made for the actualization of business goals to be successful, it is required to foresee the situations which will hinder the realization of these goals and plan for how the system should react in the case of encountering these problems. Uncertainty can never be eliminated completely but can be reduced if the situations foreseen can be kept under control.
- Coordinates the internal control activities which are structured independent from operational units.
The purpose of internal control is to ensure that the activities, policies, defined procedures, instructions within the systems it covers are executed in an effective and efficient way.
In this manner it contains the following sub functions;
- Independent Assessment
- Reporting to Higher Managers
Internal control process and internal control actions and tools are designed, planned and executed by analyzing risk structure of the activities performed within the organization. The analysis of activities are crucial for the identification of Critical Control Points.
Depending on the structure of the organization, multilevel Internal Control Systems which includes auto control functions, can also be designed.
Controls, decrease the possibility of systems for not reaching the defined goals. In this context, the Internal Control function gives specific amount of assurance to the management. There is always the risk of inadequate or incorrect design of internal control processes and activities which will result in risk control function not to meet the desired outputs. That’s why internal control systems should be established by teams that are competent and experienced especially in Strategic Planning, Process Modeling and Process Analysis.
Control activities can be;
Control activities are only useful by employing corrective preventions. If a low fuel indicator does not trigger the driver for visiting a gas station, the longer duration, higher power or different colors of the low gas fuel indicator does not have any benefit.
Internal Control: 5 Components
In 1985, Treadway Commission which is established in the sponsorship of AICPA (American Institute of Certified Public Accountants), AAA (American Accounting Association), FEI (Financial Executives International), IIA (Institute of Internal Auditors) and IMA (Association of Accountant and Financial Professionals in Business), today known as COSO has published Internal Control – Integrated Framework in order to set a guidance for internal control activities. The framework which was designed for private sector and recently developed as a Risk Management model, has been adapted to the public sector by The International Organization of Supreme Audit Institutions (INTOSAI). The adapted Internal Control model has collected an organization’s goals in 4 categories. Which are:
- Safeguarding Resources
In this model there are also five components defined which represents all the functions and tools required for the actualization of the targets in the 4 categories mentioned above. Five components which should be adapted for all the targets specifically are given below:
- Control Environment
- Risk Assessment
- Control Activities
- IT Control Activities
1. Control Environment
Control Environment constitutes a basis for other components. It forms a structure that identifies an organization’s approach to Internal Control. It assess the maturity of assets (procedures, human resources, competencies, operation philosophy) and control systems.
It includes following elements:
Integrity and Ethics
Administrative rules, compliance with moral and ethical behavior standards, relationships with personnel, suppliers, investors, competitors and auditors.
Official and unofficial job descriptions and methods including specific tasks, required information and skill analysis to enable execution of tasks (Competency analysis).
Independency from senior management, period and timeliness of meetings with financial director and accounting personnel, adequacy and timeliness of the information which is given to auditing committee for monitoring financial status of the business unit and operational results, adequacy and timeliness of informing auditing committee about critical events, inappropriate behavior and research activities.
Management’s Philosophy and Operating Style
Management’s approach to Risk Management (such as: avoiding, acceptance etc.), interaction of top management with operational management, financial reporting manner and behavior.
Convenience and qualification of organizational structure to provide required information flow, experience, knowledge and adequacy of responsibility on completion of tasks of the key managers.
Authorization and Responsibility Assignment
Assignment of responsibilities in accordance to organizational purpose and goals and delegation, standards and procedures related to control function, adequate amount and quality of workforce (especially for data processing and accounting functions).
Human Resources Policies and Applications
Hiring and placement, training, succession, effectiveness of pay structures, convenience of improvement actions to prevent violence of rules, procedures and policies. Effectiveness and efficiency of inquiry for correctness of applicant’s CV’s. Succession and preservance of employees (Performance Assessment)
2. Risk Assessment
It is the component in which hinders that can be encountered for realization of organization’s goals are analyzed, assessed and actions that should be taken are identified.
In contains following elements;
Identification of goals in accordance to mission and vision and from strategic level to activity level (operational goals, financial reporting goals and goals for compliance with regulations).
Risk Identification and Risk Analysis
Identification and analysis of risks in business unit and activity level.
Perception of change, acceptance and management skills and standards.
3. Control Activities
It corresponds to all the policies, procedures and instructions defined for meeting the desired goals.
It covers following elements;
Policy and procedures
Operational and financial reporting and regulations, compliance policy and procedures; preventive, detective and manual controls, computer controls and organizational controls. (Top management reviews, activity control, Data sensitivity and completeness, physical controls, performance indicators, segregation of duties)
4. IT Control Activities
It is the component which regulates the relationship network with the internal and external shareholders in order for the internal control activities to run properly.
Acquisition and reporting the business unit’s performance information to the management. Providing information to the right person on time and in adequate detail. IT development and revision.
Effectiveness of relation between the duties and control responsibilities of the employees, establishment of communication channels for reporting of unconformities, evaluability and reach of employee suggestions to top management, timeliness and qualification of communication between organizational functions, effectiveness and reachability to suppliers, customers and other external shareholders through communication channels, effectiveness and response time to requests of suppliers, regulatory and other external shareholders.
It is the component which monitors the internal control activities
It contains the following elements:
Attainment of proof that internal control function performs correctly; commitment for identification of external shareholders’ problems; periodic control of physical assets’ records; heed for the suggestions of internal and external auditors; attainment of feedback form training, seminars, sessions and other meetings; examining personnel for critical activities, effectiveness of internal control.
Internal assessment frequency and coverage, convenience and logicalness of assessment methodology, convenience of documentation quality.
Reporting of Unconformities
Detection of unconformities and reporting mechanism, convenience of reporting protocols and monitoring actions.