Prof. Arif Ahmed

Internal Financial Control – How Ready Are You?

South Asian Management Technologies Foundation

Housekeeping• Slides will be available on our SlideShare page; the link will be

emailed to you

• Recording of the webinar will be available to download; the link will be emailed to you

• Please take the time to complete the post-webinar survey that will pop up at the end

• You can type your questions throughout the session in the Question box

• Time will be allocated at the end for Professor Ahmed to address your questions

Your Presenter – Prof. Arif Ahmed

Prof. Arif Ahmed is a Chartered Accountant and MBA (Finance) and has more than 25 years of experience under his belt in the area of finance and risk management.

In addition to training, Prof. Ahmed has assisted many organisations to design and implement financial management and control systems across various industries including media, metals and minerals, logistics, banking, engineering, energy, hospitality, paper, etc. He is one of the most sought after speakers for his inimitable style of blending concepts with application in industry.  

3

Internal Control

COSO 2013 Environment • Flexible and customizable

– 17 principles – across 5 areas – helps to

• Specify objectives• Assess risks• Deploy controls

– Addresses objectives across the organization

• Fraud risk, compliance, etc.

Internal Control Changing Areas

• Enhanced Risk Assessments– Risk assessments are often conducted in silos. – Entity should have approved risk assessment

methodology that considers the 17 Principles.

• Fraud Risk Assessments– Consideration of the potential for fraud. – Management to consider the risk of override of

controls, and the board (or the audit committee) oversees this assessment.

Internal Control Changing Areas

• Information Technology– The 2013 COSO Framework includes

additional considerations related to IT – Considerations for ensuring quality of

information.

• Outsourced Service Providers (OSPs)

– Greater attention and oversight of third-party risk management to manage the resulting risks.

– Management should consider how OSPs are monitored.

Control Environment• Set of standards, processes, and structures that

provide basis for carrying out control.• Comprises integrity and ethical values of the

organization– Establish tone at the top– Establish expected standards /Code of conduct – Establish parameters to enable Board to carry out

its governance oversight responsibilities• Hiring policies, whistleblower policy,

responsibilities and authorities, process documentation.

Risk Assessment• Risk: likelihood of a threat materializing and

adversely affect achievement of objectives– Probability, frequency and exposure assessment– Establish objectives linked at different levels of

the entity• Apply internal control to achieve multiple objectives

• Complementary and Supplementary controls,– Establish risk tolerances and appetite– Manage risks to stay within risk appetite/

tolerance level

Risk Assessment

Fraud Risk Assessment

• Considers Various Types of Fraud– The assessment of fraud considers

• Fraudulent reporting, Financial and non-financial

• Misappropriation of assets, and

• Illegal Acts

• Management override of controls

• Assesses– Incentive and Pressures– Opportunities– Attitudes and Rationalizations

Control Activities

• The actions established through policies and procedures that help ensure management’s directives to mitigate risks are carried out.

• Performed at all levels within the entity– Preventive– Detective– Corrective

• Approvals & Authorizations, verifications, reconciliations, Reviews, Asset safeguarding, Segregation of duties, etc.

Control in an IT Environment• General Controls

– Access security– System change control– Data centre and network operations

• Application controls– Transaction Controls – Accuracy, completeness

and validity

• An Information Systems Audit could be carried out to assess adherence to General and Application Controls in IT Environment

Information and Communication

• An information system is the set of activities, involving people, processes, data and technology, – which enable entity to obtain, generate, use, and

communicate transactions and information – to maintain accountability and – measure and review the entity’s performance or

• Communication relates to sharing information used in designing, implementing, or conducting internal control.

Quality of Information• Quality of information depends on:

– Accessible– Correct– Current– Protected– Retained– Sufficient– Timely– Valid– Verifiable

Monitoring• Evaluations used to ascertain whether

components of internal control are present and functioning– Ongoing evaluations:

• Built into business processes• Provide timely information

– Separate evaluations:• Conducted periodically• Vary in scope and frequency

– Dependent on assessment of risks, effectiveness of ongoing evaluations, other management considerations

Focus Areas for Internal Control1.Demonstrates commitment to integrity and ethical values2.Exercises oversight responsibility3.Establishes structure, authority and responsibility4.Demonstrates commitment to competence5.Enforces accountability

16.Conducts ongoing and/or separate evaluations17.Evaluates and communicates deficiencies

13.Uses relevant information14.Communicates internally15.Communicates externally

10.Selects and develops control activities11.Selects and develops general controls over technology12.Deploys through policies and procedures

6.Specifies suitable objectives7.Identifies and analyzes risk8.Assesses fraud risk9.Identifies and analyzes significant change

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring Activities

Any Questions?

Thank You!