internal financial control - how ready are you - webinar
TRANSCRIPT
Prof. Arif Ahmed
Internal Financial Control – How Ready Are You?
South Asian Management Technologies Foundation
Housekeeping
• Slides will be available on our SlideShare page; the link will be emailed to you
• Recording of the webinar will be available to download; the link will be emailed to you
• Please take the time to complete the post-webinar survey that will pop up at the end
• You can type your questions throughout the session in the Question box
• Time will be allocated at the end for Professor Ahmed to address your questions
Your Presenter – Prof. Arif Ahmed
Prof. Arif Ahmed is a Chartered Accountant and MBA (Finance) and has more than 25 years of experience under his belt in the area of finance and risk management.
In addition to training, Prof. Ahmed has assisted many organisations in designing and implementing financial management and control systems across various industries, including media, metals and minerals, logistics, banking, engineering, energy, hospitality and paper. He is one of the most sought-after speakers for his inimitable style of blending concepts with application in industry.
Internal Control
COSO 2013 Environment
• Flexible and customizable
  – 17 principles across 5 components help to:
    • Specify objectives
    • Assess risks
    • Deploy controls
  – Addresses objectives across the organization
    • Fraud risk, compliance, etc.
Internal Control Changing Areas
• Enhanced Risk Assessments
  – Risk assessments are often conducted in silos.
  – The entity should have an approved risk assessment methodology that considers the 17 Principles.
• Fraud Risk Assessments
  – Consideration of the potential for fraud.
  – Management should consider the risk of override of controls, and the board (or the audit committee) oversees this assessment.
Internal Control Changing Areas (continued)
• Information Technology
  – The 2013 COSO Framework includes additional considerations related to IT.
  – Considerations for ensuring the quality of information.
• Outsourced Service Providers (OSPs)
  – Greater attention to, and oversight of, third-party risk management to manage the resulting risks.
  – Management should consider how OSPs are monitored.
Control Environment
• Set of standards, processes, and structures that provide the basis for carrying out control.
• Comprises the integrity and ethical values of the organization
  – Establish tone at the top
  – Establish expected standards / code of conduct
  – Establish parameters to enable the Board to carry out its governance oversight responsibilities
• Hiring policies, whistleblower policy, responsibilities and authorities, process documentation.
Risk Assessment
• Risk: the likelihood of a threat materializing and adversely affecting the achievement of objectives
  – Probability, frequency and exposure assessment
  – Establish objectives linked at different levels of the entity
• Apply internal control to achieve multiple objectives
• Complementary and supplementary controls
  – Establish risk tolerances and appetite
  – Manage risks to stay within the risk appetite / tolerance level
Risk Assessment: Fraud Risk Assessment
• Considers various types of fraud
  – The assessment of fraud considers:
    • Fraudulent reporting, financial and non-financial
    • Misappropriation of assets
    • Illegal acts
    • Management override of controls
• Assesses
  – Incentives and pressures
  – Opportunities
  – Attitudes and rationalizations
Control Activities
• The actions established through policies and procedures that help ensure management’s directives to mitigate risks are carried out.
• Performed at all levels within the entity
  – Preventive
  – Detective
  – Corrective
• Approvals and authorizations, verifications, reconciliations, reviews, asset safeguarding, segregation of duties, etc.
Control in an IT Environment
• General controls
  – Access security
  – System change control
  – Data centre and network operations
• Application controls
  – Transaction controls: accuracy, completeness and validity
• An information systems audit can be carried out to assess adherence to general and application controls in the IT environment
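As an added illustration of the control activities and application controls listed above (this is example code, not material from the webinar or from COSO), the Python below models the preventive controls an application would apply to a supplier payment before posting it (completeness, accuracy, validity, segregation of duties and authorization limits) and a ledger-to-bank reconciliation as the matching detective control. The field names, user roles, approval limits, vendor master, chart of accounts and sample transactions are all assumptions constructed for the example.

```python
"""Application controls over a supplier payment, plus a ledger-to-bank
reconciliation.  Added example only: field names, role limits, the vendor
master and the sample transactions below are assumptions, not the webinar's."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master data and authorization matrix (assumptions).
APPROVED_VENDORS = {"V001", "V002"}               # vendor master file
VALID_GL_ACCOUNTS = {"5100", "5200", "6000"}      # chart of accounts
USER_ROLES = {"alice": "clerk", "bob": "manager", "carol": "cfo"}
APPROVAL_LIMITS = {"clerk": Decimal("0"), "manager": Decimal("10000"),
                   "cfo": Decimal("250000")}     # max amount a role may approve
REQUIRED = ("txn_id", "vendor_id", "amount", "txn_date",
            "lines", "prepared_by", "approved_by")
TODAY = date(2024, 3, 5)                          # constructed "current date"


def check_payment(txn: dict, today: date = TODAY) -> list[str]:
    """Preventive application controls on one payment record.

    Returns the list of control failures; an empty list means the payment may
    be posted.  Each block below maps to one control objective."""
    failures = []

    # Completeness: every required field is present and non-empty.
    missing = [f for f in REQUIRED if txn.get(f) in (None, "", [])]
    if missing:
        return ["incomplete: missing " + ", ".join(missing)]

    # Accuracy: a well-formed positive amount with at most two decimals, and
    # the line items must add up to the header amount (a batch-total check).
    try:
        amount = Decimal(str(txn["amount"]))
    except InvalidOperation:
        return ["accuracy: amount is not a number"]
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        failures.append("accuracy: amount must be positive with at most 2 decimals")
    line_total = sum(Decimal(str(line["amount"])) for line in txn["lines"])
    if line_total != amount:
        failures.append(f"accuracy: lines total {line_total} != header {amount}")

    # Validity: vendor and GL accounts exist in master data; date not in the future.
    if txn["vendor_id"] not in APPROVED_VENDORS:
        failures.append(f"validity: vendor {txn['vendor_id']} not in vendor master")
    for line in txn["lines"]:
        if line["gl_account"] not in VALID_GL_ACCOUNTS:
            failures.append(f"validity: unknown GL account {line['gl_account']}")
    if txn["txn_date"] > today:
        failures.append("validity: transaction dated in the future")

    # Segregation of duties: the preparer may not approve their own payment.
    preparer, approver = txn["prepared_by"], txn["approved_by"]
    if preparer == approver:
        failures.append("segregation of duties: preparer approved own payment")

    # Authorization: the approver's role limit must cover the amount.
    limit = APPROVAL_LIMITS.get(USER_ROLES.get(approver, ""), Decimal("0"))
    if amount > limit:
        failures.append(f"authorization: {approver} limit {limit} < {amount}")

    return failures


def reconcile(ledger: list[dict], bank: list[dict]) -> dict:
    """Detective control: match posted payments to bank debits by reference
    and amount.  Anything unmatched on either side is a reconciling item to
    investigate (payment posted but never paid, debit with no ledger entry)."""
    def key(entry):
        return (entry["ref"], Decimal(str(entry["amount"])))
    ledger_keys, bank_keys = {key(e) for e in ledger}, {key(e) for e in bank}
    return {"matched": sorted(ledger_keys & bank_keys),
            "in_ledger_not_bank": sorted(ledger_keys - bank_keys),
            "in_bank_not_ledger": sorted(bank_keys - ledger_keys)}


def sample_payment(**overrides) -> dict:
    """Constructed payment that passes every control; override a field to break one."""
    txn = {"txn_id": "P-1001", "vendor_id": "V001", "amount": "1250.00",
           "txn_date": date(2024, 3, 1),
           "lines": [{"gl_account": "5100", "amount": "1000.00"},
                     {"gl_account": "5200", "amount": "250.00"}],
           "prepared_by": "alice", "approved_by": "bob"}
    txn.update(overrides)
    return txn


if __name__ == "__main__":
    print("clean:", check_payment(sample_payment()))
    print("self-approved:", check_payment(sample_payment(approved_by="alice")))
    print("over limit:", check_payment(sample_payment(
        amount="15000.00", lines=[{"gl_account": "6000", "amount": "15000.00"}])))
    print(reconcile([{"ref": "P-1001", "amount": "1250.00"},
                     {"ref": "P-1002", "amount": "80.00"}],
                    [{"ref": "P-1001", "amount": "1250.00"},
                     {"ref": "CHG-77", "amount": "15.00"}]))
```

The checks deliberately report every failure rather than stopping at the first, since an auditor reviewing rejected transactions wants the full picture; only a missing field or an unparseable amount short-circuits, because the later checks cannot be evaluated without them. Money is handled as Decimal, not float, so the batch-total comparison is exact.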
Information and Communication
• An information system is the set of activities, involving people, processes, data and technology,
  – which enable the entity to obtain, generate, use, and communicate transactions and information
  – to maintain accountability and
  – measure and review the entity's performance or
• Communication relates to sharing information used in designing, implementing, or conducting internal control.
Quality of Information
• The quality of information depends on whether it is:
  – Accessible
  – Correct
  – Current
  – Protected
  – Retained
  – Sufficient
  – Timely
  – Valid
  – Verifiable
Monitoring
• Evaluations used to ascertain whether components of internal control are present and functioning
  – Ongoing evaluations:
    • Built into business processes
    • Provide timely information
  – Separate evaluations:
    • Conducted periodically
    • Vary in scope and frequency
  – Dependent on the assessment of risks, the effectiveness of ongoing evaluations, and other management considerations
Focus Areas for Internal Control (the 17 principles, grouped by component)
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Any Questions?
Thank You!