Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achievement of the
objectives, forming a basis for determining how the risks should be managed. Because economic,
industry, regulatory and operating conditions will continue to change, mechanisms are needed to
identify and deal with the special risks associated with change.
Control Activities
Control activities are the policies and procedures that help ensure management directives
are carried out. They help ensure that necessary actions are taken to address risks to achievement
of the entity's objectives. Control activities occur throughout the organization, at all levels and in
all functions. They include a range of activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, security of assets and segregation
of duties.
Information and Communication
Pertinent information must be identified, captured and communicated in a form and
timeframe that enable people to carry out their responsibilities. Information systems produce
reports, containing operational, financial and compliance-related information, that make it
possible to run and control the business. They deal not only with internally generated data, but
also information about external events, activities and conditions necessary to informed business
decision-making and external reporting. Effective communication also must occur in a broader
sense, flowing down, across and up the organization. All personnel must receive a clear message
from top management that control responsibilities must be taken seriously. They must understand
their own role in the internal control system, as well as how individual activities relate to the work
of others. They must have a means of communicating significant information upstream. There
also needs to be effective communication with external parties, such as customers, suppliers,
regulators and shareholders.
Monitoring
Internal control systems need to be monitored--a process that assesses the quality of the
system's performance over time. This is accomplished through ongoing monitoring activities,
separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of
operations. It includes regular management and supervisory activities, and other actions personnel
take in performing their duties. The scope and frequency of separate evaluations will depend
primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal control deficiencies should be reported upstream, with serious matters reported to top
management and the board.
There is synergy and linkage among these components, forming an integrated system that
reacts dynamically to changing conditions. The internal control system is intertwined with the
entity's operating activities and exists for fundamental business reasons. Internal control is most
effective when controls are built into the entity's infrastructure and are a part of the essence of the
enterprise. "Built in" controls support quality and empowerment initiatives, avoid unnecessary
costs and enable quick response to changing conditions. There is a direct relationship between the
three categories of objectives, which are what an entity strives to achieve, and components, which
represent what is needed to achieve the objectives. All components are relevant to each objectives
category. When looking at any one category--the effectiveness and efficiency of operations, for
instance--all five components must be present and functioning effectively to conclude that internal
control over operations is effective.
Physical Controls
This class of controls relates primarily to human activities employed in accounting
systems. These controls also include physical security measures, including locked doors and desk
drawers, safe filing cabinets, and vaults, whereby access is restricted to authorized persons only.
Transaction Authorization: The purpose of transaction authorization is to ensure that all
material transactions processed by the information system are valid and in accordance
with management's objectives.
Segregation of Duties: One of the most important control activities is the segregation of
Responsibility for the custody of assets should be separate from the recording
responsibility.
The organization should be structured so that a successful fraud requires collusion
between two or more individuals with incompatible duties.
The following activities shall be adequately separated to provide for a distinct distribution
Authorizing disbursements;
Disbursing;
Access Control: The purpose of access controls is to ensure that only authorized
personnel have access to the firm's assets. Unauthorized access exposes assets to
misappropriation, damage, and theft.
Number Control
Number control is defined as the use of pre-assigned numbers on certain documents to
ensure the integrity and completeness of transactions.
The numbers are usually pre-printed on the form. The number control shall be used for
cash vouchers, official receipts, expense vouchers, and other important records of the
company.
A master registry of documents that are numbered shall be maintained and each issuance
shall be recorded to determine its completeness. The number shall always be used when
posting the transactions in the ledgers (subsidiary and general) and when making
verifications. Documents that are numbered shall at all times be kept in the vault under the
joint custody of two (2) employees. The working file or those which are used for daily
transactions can be in the custody of the employee in charge of these transactions. At the
end of the day, these working files must be kept inside the vault.
Dual Control
Dual control means that the work of one person shall be verified by another person to
determine:
Joint custody
Joint custody shall mean keeping cash, vital records and documents in safes or with the
keys and combinations under the care of two (2) employees, one of whom shall be an officer. With
this policy, no one person can gain sole access to the contents of the vault. The custodians of the
keys and combinations shall ensure that these are not made available to any other person in the
company. Duplicate keys and combinations shall be maintained and used in case of the absence of
any one of the regular custodians. Alternate custodians shall also be appointed to facilitate
access to the cash records. Vault combinations must be changed after they have been exposed to
persons other than the regular custodian or alternate custodian.
Arithmetic controls
Calculations and summations are recomputed and checked in source documentation,
financial listing, and reports.
Physical control
This means physical security measures for assets and accounting records or documents. This
may also include locked doors and desk drawers, safe filing cabinets, and vaults whereby access is
restricted to authorized persons only.
Personnel
Only those persons who are adequately qualified and experienced are recruited to
undertake specified duties and responsibilities. As far as possible, a level of honesty and
integrity should also be assured before hiring the applicant. This control includes capability and
psychological testing as well as taking up references and making inquiries with previous employers.
Also, if employees have a fundamental understanding of company systems, which comes
from a combination of experience and intensive training by the company, then they will
understand why controls are used, as well as the ramifications of their absence. Conversely, the
lack of experience or training tends to result in the lapsing of controls.
Independent balancing
Independent balancing is the process wherein the records posted by one person shall be
verified by another person in the same department or office.
The subsidiary ledger totals shall be verified against the general ledger figures and must at all
times be balanced.