Internal Control – Governance, Risk Management, Compliances and Ethics Important Questions

Question 1.
Write short note on the following; Internal control.
OR
Elucidate the following; Internal control.
Answer:
According to Merriam-Webster, internal control means:
“a system or plan of accounting and financial organization within a business comprising all the methods and measures necessary for safeguarding its assets, checking the accuracy of its accounting data or otherwise substantiating its financial statements, and policing previously adopted rules, procedures, and policies as to compliance and effectiveness”.

According to the Standard on Auditing 315 (SA 315), the nature of internal control is as follows:

  • Internal control is a process designed, implemented and maintained by those charged with the governance, management and other personnel.
  • It provides reasonable assurance about the achievement of an entity’s objectives in the categories of financial reporting, effectiveness and efficiency of operations, safeguarding of assets and compliance with applicable laws and regulations.

Internal control at the organizational level – Internal control objectives at the organizational level relate to the following :

  • Reliability of financial reporting
  • Timely feedback on the achievement of operational or strategic goals
  • Compliance with laws and regulations

Internal control at the specific transaction level – Internal control at the specific transaction level refers to the following:

  • The actions taken to achieve a specific objective
    Example: How to ensure the organization’s payments to third parties are for valid services rendered.
  • Reduction in process variation, leading to more predictable outcomes.

Question 2.
Internal control is a way for management to run a business and is integrated within the management process. Comment.
Answer:
According to Investopedia, Internal controls are:
“The mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability and prevent fraud. Besides complying with laws and regulations, and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting”.

Objectives of Internal Control – The objectives behind the establishment of internal control are as under:

  • Internal Control is a policy matter, designed and implemented by the company concerned.
  • It describes the rules and procedures to ensure the integrity of the financial statements.
  • It provides the mechanism of work flow in such a manner that no single person may carry out the process from the beginning to end.
  • It ensures that work is segregated in small parts and is checked and processed by an independent person.
  • It improves operational efficiency by improving the accuracy and timeliness of financial reporting.
  • It gives a reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
  • It aids in detecting and preventing fraud and protecting the organization’s resources.
  • It reduces the process variations and arbitrary intervention in the work flow process.

Therefore, it can be stated that internal control is a way for management to run a business and is integrated within the management process.

Question 3.
Explain the scope of “Administrative Control”.
Answer:
Administrative controls include all managerial controls concerned with the decision-making process. Administrative controls have an indirect relationship with financial records.

For example: Quality control, works standards, periodic reporting, policy appraisal etc.

Administrative controls are very wide in their scope. They include all managerial controls concerned with the decision-making process. They are concerned with the authorisation of transactions and include:

  • Anything from plan of organisation to procedures
  • Record keeping
  • Distribution of authority and the process of decision making.
  • Controls such as quality control through inspection
  • Performance budgeting
  • Responsibility accounting
  • Performance evaluation, etc.

Thus, administrative controls are those which help in improving efficiency and productivity and are not necessarily recorded under the accounting systems. Works standards, quality control, methods study and motion study are examples of administrative control.

Question 4.
Why is the Information System the most essential component of Internal Control?
Answer:
An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Many information systems make extensive use of information technology (IT).

The information system relevant to financial reporting objectives, which includes the financial reporting system, encompasses methods and does the following:

  • Identify and record all valid transactions.
  • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
  • Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
  • Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
  • Present properly the transactions and related disclosures in the financial statements.

The quality of system-generated information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities and to prepare reliable financial reports.

Communication, which involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting, may take such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

Thus, the Information System is the most essential component of Internal Control.

Question 5.
Prepare a Board note on internal control highlighting the elements of sound internal control system for a company.
Answer:
Following is a Note to the Board of directors on Internal Control:
To,
The Board of Directors
XYZ Ltd.
Subject: Note on Internal Control
Dear Sir,
Internal Control is a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

It is a means by which an organization’s resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization’s resources, both physical and intangible.

Following are the elements of sound internal control system for a company:
Segregation of duties – Segregation of duties among different people allows internal checks to take place. It reduces the risk of intentional manipulation and error and increases the element of checking; however, it does not eliminate the risk.

Organisational structure – The structure or pattern of an organisation includes defining and allocating responsibilities and identifying lines of reporting for all aspects of the enterprise’s operations, including the controls. The delegation of authority and responsibility should be clearly specified.

Objectives and Policy Statements – Objectives are the aims, goals, purposes or accomplishments laid down by the top management to be achieved by the middle and lower management. Policies and procedures provide the manner of achieving the objectives.

Authorisation and approval – All transactions should require authorisation or approval by an appropriate responsible person. The limits of these authorisations should be specified.

Personnel – Proper procedures should be made to ensure that personnel have capabilities commensurate with their responsibilities.

(Note: The list is inclusive and not exhaustive)

Sd.
Mr. A
Company Secretary
XYZ Ltd.

Question 6.
Internal check and internal control are two frequently used terms in risk management and compliance. Explain the meaning of Internal Check and Internal Control and also mention how these two are different from each other.
Answer:
Internal check – “Internal check” is a system of instituting checks on the day-to-day transactions which operate continuously as a part of routine system whereby the work of one person is complementary to the work of another, the object being the prevention or early detection of errors or fraud. The objective of such allocation of duties is that no single individual has an exclusive control over any one transaction or group of transactions.

Internal control – “Internal control”, as defined in accounting and auditing, is a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

It is a means by which an organization’s resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization’s resources, both physical and intangible.

For example:

  • Physical Resources : Machinery and property.
  • Intangible Resources : Reputation or intellectual property such as trademarks.

Following are the differences between internal check and internal control:

| Basis | Internal Check | Internal Control |
| --- | --- | --- |
| Meaning | Internal check refers to the way of allocating responsibility, segregation of work, where work of the subordinates is checked by the immediate supervisors to verify that the work is carried out according to the company policies and guidelines. | Internal control is the system implemented by a company to ensure the integrity of financial and accounting information and that the company is progressing towards fulfilling its profitability and operational objectives in a successful manner. |
| Verification | One person’s work is independently checked by another person(s). | It is a self-balancing mechanism implemented by the management, so as to ensure that the entire work process is divisible in parts, so that not a single person may have the access to complete the entire process. |
| Implementation | Internal checks are implemented at all organizational levels such as tactical and operational level. | Internal controls are designed and documented at the corporate management level. |
| When it is done | As soon as one part or process is completed, it is checked by another. | Internal Control is a policy decision by the management and is a continuous process. |
| Purpose | Safeguarding or minimizing errors and frauds in actions, transactions and records, so as to ensure the efficient running of business. | Formulation and circulation of management principles and policies and effective and speedy execution thereof with the help of internal checking and internal audit activities. |
| Scope | Scope of internal check is narrower compared to internal control. | Wider in scope than internal check. |

Question 7.
What do you understand by internal control? What are its components?
Answer:
“Internal control” is defined as a process, effected by an organization’s people and information technology systems, designed to help the organization accomplish specific goals or objectives.

It is a means by which an organization’s resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organization’s resources, both physical and intangible.

Appendix 1 of SA 315 provides the following internal control components:

Control Environment – The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The control environment comprises the following elements:

  1. Communication and enforcement of integrity and ethical values.
  2. Commitment to competence.
  3. Participation by those charged with governance.
  4. Management’s philosophy and operating style.
  5. Organizational structure.
  6. Assignment of authority and responsibility.
  7. Human resource policies and practices.

Entity’s Risk Assessment Process – Every entity faces a variety of risks from external and internal sources. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.

Information and Communication – Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity.

Control Activities – Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities can be carried out by the following means:

  1. Performance reviews
  2. Information processing
  3. Physical controls

Monitoring – Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.

Question 8.
Write short note on the following; COSO’s internal control framework.
Answer:
Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Following are the components of Internal Control as defined by COSO:

  • Control environment
  • Risk Assessment
  • Control Activities
  • Information
  • Monitoring Activities

The concepts from the definition of Internal Control by COSO can be elaborated as under:

  • Achieving Objectives: Geared to the achievement of objectives in one or more separate but overlapping categories.
  • A process consisting of ongoing tasks and activities: It is a means to an end, not an end in itself.
  • Effected by people: It is not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.
  • Assurance to senior management: Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board of directors.
  • Adaptable to the entity structure: Flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

Question 9.
Answer the following in brief; What are the three categories of objectives provided in COSO International Control Integrated Framework?
Answer:
The COSO International Control Integrated Framework sets forth the following three categories of objectives, which allow organizations to focus on separate aspects of internal control:

| Objective | Meaning |
| --- | --- |
| Operations Objectives | These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss. |
| Reporting Objectives | These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies. |
| Compliance Objectives | These pertain to adherence to laws and regulations to which the entity is subject. |

Question 10.
Elucidate principles on Internal Control enunciated by Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Answer:
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) had originally identified five components of internal control, which became widely adopted for use in assessing the effectiveness of internal controls.

Its more recently updated framework identifies 17 principles mapped to the original components. These Principles are as under:

Component 1 : Control Environment

  • Principle 1 : Demonstrates commitment to integrity and ethical values
  • Principle 2 : Exercises oversight responsibility
  • Principle 3 : Establishes structure, authority, and responsibility
  • Principle 4 : Demonstrates commitment to competence
  • Principle 5 : Enforces accountability

Component 2 : Risk Assessment

  • Principle 6 : Specifies suitable objectives
  • Principle 7 : Identifies and analyzes risk
  • Principle 8 : Assesses fraud risk
  • Principle 9 : Identifies and analyzes significant change

Component 3 : Control Activities

  • Principle 10 : Selects and develops control activities
  • Principle 11 : Selects and develops general controls over technology
  • Principle 12 : Deploys control activities through policies and procedures

Component 4 : Information & Communication

  • Principle 13 : Uses relevant information
  • Principle 14 : Communicates internally
  • Principle 15 : Communicates externally

Component 5 : Monitoring Activities

  • Principle 16 : Conducts ongoing and/or separate evaluations
  • Principle 17 : Evaluates and communicates deficiencies

Question 11.
Write short note on the following; CEO/CFO certification.
Answer:
As per Regulation 17(8) of SEBI (LODR) Regulations, 2015, the Chief Executive Officers and the Chief Financial Officers shall provide the compliance certificate to the Board of Directors as specified in Part B of Schedule II.

The following compliance certificate shall be furnished by the Chief Executive Officer and the Chief Financial Officer:
A. They have reviewed financial statements and the cash flow statement for the year and that to the best of their knowledge and belief:

  • These statements do not contain any materially untrue statement or omit any material fact or contain statements that might be misleading.
  • These statements together present a true and fair view of the listed entity’s affairs and are in compliance with existing accounting standards, applicable laws and regulations.

B. There are, to the best of their knowledge and belief, no transactions entered into by the listed entity during the year which are fraudulent, illegal or violative of the company’s code of conduct.

C. They accept responsibility for establishing and maintaining internal controls for financial reporting and that they have evaluated the effectiveness of internal control systems of the listed entity pertaining to financial reporting and they have disclosed to the auditors and the Audit Committee, deficiencies in the design or operation of such internal controls, if any, of which they are aware and the steps they have taken or propose to take to rectify these deficiencies.

D. They have indicated to the auditors and the Audit Committee:

  • Significant changes in internal control over financial reporting during the year.
  • Significant changes in accounting policies during the year and that the same have been disclosed in the notes to the financial statements.
  • Instances of significant fraud of which they have become aware and the involvement therein, if any, of the management or an employee having a significant role in the listed entity’s internal control system over financial reporting.

Question 12.
Write a short note on the following; classification of internal control.
Answer:
Internal control can broadly be classified into two categories:
1. Accounting controls/financial controls – Accounting controls comprise the plan of organisation and all methods and procedures that are concerned mainly with and relate to, the safeguarding of assets and the reliability of the financial information.
For example : Maintaining inventory.

2. Administrative controls – Administrative controls are very wide in their scope. They include all other managerial controls concerned with the decision-making process. Administrative controls have an indirect relationship with financial records.
For example : Quality control, works standards, periodic reporting, policy appraisal etc.

Question 13.
“A variety of internal control techniques can help prevent improprieties.” Comment.
Answer:
A variety of internal control techniques can help prevent improprieties, covering the following points:

  • There should be a clear division of the work.
  • Segregation of the work should be in such a manner that the work done by one person is the beginning of the work for another person.
  • There should be clarity of responsibility.
  • The work flow process should be documented or standardized so that the staff may perform the work as suggested in the work flow chart.
  • No single person should be allowed to have access or control over any important business operation.
  • There should be job rotation of the staff duties periodically.
  • Staff should be asked to go on mandatory leave periodically so that another person may come to know if someone is playing foul with the system.
  • Persons having the charge of the important assets should not be allowed to have access to the books of account.
  • Periodical inspection of the physical assets should be carried out to ensure their physical existence as well as good working condition.

Question 14.
What are the methods adopted for Internal Control in modern organization?
Answer:
The following methods are adopted for Internal Control in a modern organization:

Internal Check – Internal check is done by allocation of authority and work in such a manner so as to keep a check on the day-to-day transactions which operate continuously as part of routine system whereby the work of one person is automatically proved independently or is complementary to the work of another, the object being prevention or early detection of error and frauds.

Internal Audit – Internal Audit is an :

  • Independent appraisal function
  • Established within the organization
  • To examine and evaluate the activities as a service to the management
  • To assist the members for effective discharge of their responsibilities
  • To furnish with analyses, appraisals, suggestions etc.

Flow Charts – The work flow process should be documented or standardized so that the staff may perform the work as suggested in the work flow chart.

Internal Control Questionnaire – An internal control questionnaire is a document which an auditor provides to employees of a company before performing an audit. The questionnaire is useful to determine which areas the audit should focus on. When employees answer the questions, the auditor knows whether the company is keeping accurate records overall, and has evidence that shows who is responsible for which documents. The company receives the benefits of having a cheaper, faster and more effective audit because of the internal control questionnaire.

Inter firm and Intra firm Comparisons – Inter firm comparison means a comparison of two or more similar business units with the objective of finding the competitive position to improve the profitability and productivity of those business units. Thus, inter firm comparison is a tool used by the management of a company to compare its operating performance and financial results with those of similar companies engaged in the same industry.

Question 15.
You are Company Secretary of XYZ Limited. You are required by the Chairman of your company to prepare a note for the Board of directors highlighting the main aspects of internal auditing.
Answer:
Following is a Note to the Board of directors on Internal Audit :
To,
The Board of Directors
XYZ Ltd.
Subject : Note on Internal Audit
Dear Sir,
Institute of Internal Auditors has defined internal audit as under:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

The following are the main aspects of internal auditing :

  1. Review, appraisal and evaluation of the soundness, adequacy and application of financial, accounting and other operating controls.
  2. Ascertaining the adequacy and reliability of management information and control systems.
  3. Ascertaining the achievement of management objectives and compliance with established plans, policies and procedures.
  4. Ensuring proper safeguards for assets – their utilization and accounting thereof.
  5. Detection and prevention of fraud and error.
  6. Ascertaining the integrity of management data in an organisation.
  7. Identifying the areas of cost reduction, coupled with increased production, improved productivity and improved systems.
  8. Ascertaining the quality of performance and undertaking ‘value for money’ exercises.
  9. Compliance with statutory laws and rules including adherence to the Companies (Auditors’ Report) Order, 2003 to avoid adverse comments from the statutory auditors.
  10. Undertaking special reviews and assignments directed by management to ensure economical and efficient use of resources.
  11. To provide for a channel of communicating new ideas to the top management.

Sd.
Mr. A
Company Secretary
XYZ Ltd.

Question 16.
What are the steps involved in an internal control mechanism?
Answer:
In order to establish the internal control mechanism the following steps should be followed :

  1. Identify the key areas where the internal control mechanism is to be established.
  2. Every work flow should be so documented that it is not complete if another person has not checked it out.
  3. The other person’s role should start when the first person’s role comes to an end.
  4. Establish the surprise check mechanism where the money matters are involved.
  5. Reporting of the non-adherence of key compliance areas.
  6. Review mechanism of the control units.
  7. Establishment of Vigil Mechanism: The organization should establish a vigil mechanism as per the provisions of Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014.

Question 17.
Are there any limitations of internal control? Explain.
Answer:
Following are the limitations of internal control:

  1. Internal control cannot change an inherently poor manager into a good one.
  2. Internal control cannot ensure success, or even survival in case of shifts in government policy or programs, competitors’ actions or economic conditions, since these are beyond the management’s control.
  3. An internal control system, no matter how well conceived and operated, can provide only reasonable and not absolute assurance to management and the board regarding achievement of an entity’s objectives.
  4. The likelihood of achievement is affected by limitations inherent in all internal control systems.
    Controls can be circumvented by the collusion of two or more people, and management has the ability to override the system.
  5. Another limiting factor is that the design of an internal control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs.

Thus, while internal control can help an entity achieve its objectives, it is not a panacea.

Question 18.
According to Regulation 18 of SEBI (LODR) Regulations, 2015, what is the role of the audit committee and the information to be reviewed by the audit committee?
Answer:
The role of the audit committee shall include the following:

  1. Oversight of the listed entity’s financial reporting process and the disclosure of its financial information to ensure that the financial statement is correct, sufficient and credible.
  2. Recommendation for appointment, remuneration and terms of appointment of auditors of the listed entity.
  3. Approval of payment to statutory auditors for any other services rendered by the statutory auditors.
  4. Reviewing, with the management, the quarterly financial statements before submission to the board for approval.
  5. Reviewing and monitoring the auditor’s independence and performance, and effectiveness of audit process.
  6. Approval or any subsequent modification of transactions of the listed entity with related parties.
  7. Scrutiny of inter-corporate loans and investments.

(Note: The list above is inclusive and not exhaustive)

Review of information by Audit Committee – The audit committee shall mandatorily review the following information:

  1. Management discussion and analysis of financial condition and results of operations.
  2. Statement of significant related party transactions (as defined by the audit committee), submitted by management.
  3. Management letters/letters of internal control weaknesses issued by the statutory auditors.
  4. Internal audit reports relating to internal control weaknesses.
  5. The appointment, removal and terms of remuneration of the chief internal auditor shall be subject to review by the audit committee.

Statement of deviations:

  1. Quarterly statement of deviation(s) including report of monitoring agency, if applicable, submitted to stock exchange(s) in terms of Regulation 32(1).
  2. Annual statement of funds utilized for purposes other than those stated in the offer document/prospectus/notice in terms of Regulation 32(7).
