INTERNAL CONTROL SYSTEMS

WESTPAC: a case study

In May 2009, Leo Gao applied for a NZ$100,000 loan at Westpac in Rotorua, NZ,
to get his petrol station business out of financial trouble. The loan was approved but the
bank accidentally deposited NZ$10 million into his account instead of the approved
$100,000. Upon realising the mistake, Mr Gao and his girlfriend Kara Hurring transferred
most of the money to other accounts and quickly fled the country (Sydney Morning
Herald 2009). New Zealand and Chinese Police chased the couple throughout Asia for
nearly two years before Ms Hurring returned to New Zealand to face charges, and Mr.
Gao was arrested a few months after in the Chinas border (Sydney Morning Herald
2011).
This case placed Westpac in the spotlight and also brought up questions about
organisations internal controls systems, risk management and security policies and
procedures. In this report, Westpacs internal controls are reviewed and control
mechanisms presented, suggesting how Westpac could have prevented the episode.

Corporate Governance and IT Governance

Corporate Governance is a broad term referring to the manner organisations are
managed, how risks are assessed and activities monitored as to achieve its objectives

and goals (Considine et al. 2012). The implementation of an effective internal control
system will lead to compliance with organisations policies and procedures ensuring
integrity, honesty, transparency and performance accountability, reflecting a solid
corporate governance (Rada 2004).
The board of directors of the organisation need to ensure information and
technology systems within the organistion are being implemented and used in order to
meet strategy standards and assist in achieving organisations goals (Considine et al.
2013, p. 298; Luciano & Testa 2011). Da Silva and Neto (2014) say the IT strategic
planning also must be developed in accordance with Corporate Governance and
relevant regulations.
IT managers should consider five specific areas to ensure good IT governance:

Adding value: ensures expected performance, productivity and

profitability
2. Managing risk: ensures reliability of IT systems and develop
emergency plans
3. Matching IT to strategy: ensures IT supports organisation's
goals
4. Measuring performance: ensures effectveness and efficiency
of IT systems
5. Managing resources: ensures appropriate use of IT resources
(Considine et al. 2013, p. 298)

Luciano and Testa (2011) say that a framework to monitor specifically information
and technology controls is the COBIT (Control Objectives for Information and related
Technology), which has been proved very effective guiding IT governance in business.
The COBIT framework sets guidelines to evaluate if IT systems comply with IT risk
assessment and managers investments, and also ensures service quality for clients and
guide auditors performance.
Internal Control and Internal Audit
Internal Control is the set up of systems and procedures, essential at any
organisation, ensuring the companys objectives are being met effectively, efficiently in

compliance with relevant regulation and producing reliable reports (Considine et al.
2012, p. 305).
Internal controls can be divided into five components:

1. Control environment: management's awareness and attitudes

towards internal controls and how it operates
2. Risk Assessment: the process of evaluating risks within
organisation's environment and their possible impacts on
organisation's performance
3. Information and communication: the process of identifying
important data and making them easily acessible to all
employees
4. Monitoring: constinuously checking internal controls to ensure
they are effective and relevant
5. Control Activities: how managers respond to risks previously
identified
(Etheridge 2012; Considine 2012, p. 308-314)

Auditing is the assessment of organisations and evaluation of their business

processes, assuring validity and reliability of their financial reports (Elefterie & Ruse
2012). Internal audit is part of the monitoring component of internal control systems, with
internal auditors being independent employees, not connected to any other activities
within the organisation (Considine et al. 2012, p. 314).
The Sarbanes-Oxley Act (SOX) of 2002 was created to promote a strong
corporate accountability through internal control complying with corporate governance
and to boost investors confidence after financial scandals that shook the market in
previous years (Diaminides 2005). Furthermore, it provides guidelines for the
implementation of internal control systems and sets requirements and regulations for
auditors (Cohen & Qaimmaqami 2005), focusing particularly in audit committees (Cohen
& Brodsky 2004). Internal auditors evaluate management control and their findings aim
to provide feedback in elements such as, but not limited to, managers responsibilities,

skills, procedures and decisions, in order to improve business performance (Zechero

2014).
Auditors are required to not only to understand control structures but also
document their knowledge about the five components of internal control as stated in the
Committee of Sponsoring Organisations (COSO) integrated framework (Etheridge
2012). This understanding will help auditors evaluated how reliable control systems are
(Bell et al. 1998).
Auditors also must evaluate IT risk management and IT internal controls (Luciano
& Testa 2011). The COBIT framework can also be referred to as it defines the rules IT
controls must comply with according to SOX (Moreira & da Silva 2013).
Cunningham (2012) states that even with the compliance of SOX regulations to
avoid fraud, auditors will always face the possibility of missing an error. Therefore, a
strong internal control system is essential to minimise and try to eliminate fraudulent
reports (Cosidine et al. 2013, p. 305). Furthermore, the auditor must be able to identify
any deficits in internal control and assess their significance and possible necessity of
modifications and improvements (Etheridge 2012).
Input Controls and data entry routines
Medina Quintero et al. (2015) states that organisations are continuously investing
in accounting information system technologies as it has become crucial in business in
the 21st century. Data quality assurance is essential for organisations using
computerised information systems, and it will be influenced by a number of factors such
as employees skills and training provided (Xu et al. 2002).
A financial institution such as a bank like Westpac should have strong internal
controls so as to avoid such a gigantic and damaging mistake as the mentioned above.
As the case indicates, Westpac clearly needed to improve its internal control system. A
skilled and competent internal audit team would assist with the creation and
implementation of new strategies to prevent this episode from occurring again.
Some input controls to assure data entry accuracy in a computerised information
system are listed on the table below.

Validity checks
checks if an input given is an acceptable value
Completeness checks
checks if all required data are entered
Limit checks
checks if the value fits within an upper pre-determined limit
Range checks
checks pre-determined upper and lower limits
Reasonableness checks
check if input is within a reasonalble numeric range
(Considine et al. 2012, p. 355-6)

Data entry checks could be complemented by manual checks. Other verification

processes could be created and implemented for transaction inputs of values above the
limits, such as the transaction being placed on hold until manually checked by an
employee.
Conclusion
A strong and efficient internal control system is essential for the successful
performance and survival of any organisation. Employees should be skilled to the job
and undergo continuous training to ensure service quality and minimise risks.
Furthermore, a skilled audit committee will ensure compliance with financial reporting
regulations and minimise, if not avoid, fraud and misconduct and ensure the true
financial position of the company is being revealed. Auditors must maintain an essential
level of ongoing training to be able to continuously evaluate, improve and reorganise
internal controls. Efficient internal controls are a reflection of a good corporate
governance and impact on the organisations image in business environment and the
society.
REFERENCES

$10m bank error in your favour: man arrested, 2001, Sydney Morning Herald, viewed 8
April 2016, <http://www.smh.com.au/world/10m-bank-error-in-your-favour-man-arrested20110930-1l0u5.html>.
Benns, M, Hawkins, P & Watson, L 2009, Missing decimal points, now a familys missing
with millions, Sydney Morning Herald, viewed 5 April 2016,
<http://www.smh.com.au/world/missing-decimal-point-now-a-familys-missing-withmillions-20090523-biva.html>.
Cohen, A F & Brodsky, D M 2004, The US Sarbanes-Oxley Act of 2002: What
audit committees of non-US issuers need to know, International Journal of
Disclosure and Governance, vol. 1, no. 4, pp. 313-323, ProQuest, viewed 6
April 2016,
<http://search.proquest.com/pqrl/docview/196309437/fulltextPDF/4D361457
456344BCPQ/2?accountid=30802>.

Cohen, A.F. & Qaimmaqami, D.J. 2005, The US Sarbanes-Oxley Act of 2002:
Summary and update for non-US issuers, International Journal of Disclosure
and Governance, vol. 2, no. 1, pp. 81-106, ProQuest, viewed 6 April 2016,
<http://search.proquest.com/pqrl/docview/196308528/4D361457456344BCP
Q/4?accountid=30802>.
Considine, B, Parkes, A, Olesen, K, Blount, Y, Speer, D, 2012, Accounting information
systems, 4th ed, John Wiley & Sons Australia, Queensland.
Cunningham, L A 2004, The Appeal and Limits of Internal Controls to Fight
Fraud, Terrorism, Other Ills, Journal of Corporation Law, vol. 29, no. 2, pp.
267-336, ProQuest, viewed 7 April 2016,
<http://search.proquest.com/pqrl/docview/220810074/fulltext/92F1A76FDF6C
4835PQ/17?accountid=30802>.

da Silva, L.M. & Neto, J.S. 2014, "METHOD FOR MEASURING THE ALIGNMENT BETWEEN INFORMATION
TECHNOLOGY STRATEGIC PLANNING AND ACTIONS OF INFORMATION TECHNOLOGY
GOVERNANCE", Journal of Information Systems and Technology Management : JISTEM, vol. 11, no. 1,
pp. 131-152.http://search.proquest.com/pqrl/docview/1530083131/F96C745A2D424C72PQ/7?accountid=30802
Damianides, M. 2005, "SARBANES-OXLEY AND IT GOVERNANCE: NEW GUIDANCE ON IT CONTROL
AND COMPLIANCE", Information Systems Management, vol. 22, no. 1, pp. 77-85.

http://search.proquest.com/pqrl/docview/214122540/F96C745A2D424C72PQ/12?
accountid=30802
Elefterie, L, Ruse, E 2012, Inteligent strategies as a support for business process
auditing research directions, Economics, Management and Financial Markets, 7(4),
320-325, ProQuest, viewed 4 April 2016,
<http://search.proquest.com/docview/1326326835?accountid=30802>.
Etheridge, C.E. 2012, Audit 101: A Guide to Employee Benefit Plan Audits:
Internal Control, Journal of Pension Benefits, vol. 19, no. 4, pp. 67-70,
ProQuest, viewed 5 April 2016,
<http://search.proquest.com/pqrl/docview/1026800658/fulltextPDF/92F1A76F
DF6C4835PQ/9?accountid=30802>.

Luciano, E.M. & Testa, M.G. 2011, "CONTROLES DE GOVERNANA DE TECNOLOGIA DA INFORMAO
PARA A TERCEIRIZAO DE PROCESSOS DE NEGCIO: UMA PROPOSTA A PARTIR DO
COBIT/CONTROLS OF INFORMATION TECHNOLOGY MANAGEMENT FOR BUSINESS PROCESSES
OUTSOURCING BASED ON COBIT",Journal of Information Systems and Technology Management :
JISTEM, vol. 8, no. 1, pp. 237-262.

http://search.proquest.com/pqrl/docview/869739454/F96C745A2D424C72PQ/2?accountid=30802

Medina-Quintero, J, Mora, A, Abrego, D 2015, Enterprise technology in

support for accounting information systems: an innovation and productivity
approach, Journal of Information Systems and Technology Management:
JISTEM, 12(1), 29-44, ProQuest, viewed 4 April 2016,
<http://search.proquest.com/docview/1683323159?accountid=30802>.
Moreira, J.R.P. & da Silva, P.C. 2013, "IT MANAGEMENT MODEL FOR FINANCIAL REPORT ISSUANCE
AND REGULATORY AND LEGAL COMPLIANCE", Journal of Information Systems and Technology
Management : JISTEM, vol. 10, no. 3, pp. 597-620.

http://search.proquest.com/pqrl/docview/1503137885/F96C745A2D424C72PQ/6?accountid=30802

Satava, D, Caldwell, C, Richards, L 2006, Ethics and the auditing culture: Rethinking
the foundation of accounting and auditing, Journal of Business Ethics, 64(3), 271-284,
ProQuest, viewed 4 April 2016, <doi:http://dx.doi.org/10.1007/s10551-005-0556-y>.
Xu, H, Jeretta, HN, Brown, N & Nord, GD 2002, Data quality issues in implementing an
ERP, Industrial Management & Data Systems, vol. 102, no. 1, pp. 47-58, ProQuest,
viewed 9 April 2016,

<http://search.proquest.com/pqrl/docview/234924773/6ECF7172B5E34C28PQ/3?
accountid=30802>.
Zecheru, V 2014, Internal Audit - Managerial Control Relation, Revista de
Management Comparat International, vol. 15, no. 1, pp. 106-114, ProQuest,
viewed 7 April 2016,
<http://search.proquest.com/pqrl/docview/1545872070/fulltext/92F1A76FDF6
C4835PQ/6?accountid=30802>.