Elements of Internal Control Systems

An entity’s system of internal control consists of policies and procedures designed to provide
management with reasonable assurance that the company achieves its objectives and goals
including: Reliability of financial reporting, Compliance with applicable laws and regulations
and Effectiveness and efficiency of operations.
1.1.3.1 Control Environment
In internal control, the control environment sets the tone of the organization by influencing the
control consciousness of its people (Whittington and Pany, 2001). The control environment is the
central component of internal control system. It is made up of aspects such as ethical values, the
integrity of personnel tasked with formulating, setting up and administering the controls, the
directors, audit committees and the organization structure. The control environment is highly
dependent on the effectiveness of the management and the board of directors. The control
environment influence the consciousness of personnel (Aldridge and Colbert, 1994). It reflects
the the
attitude and policies of management in regard to the importance of internal controls in banks;
performance. Furthermore the control environment influences the history and culture of the
organization; thus it sets the supportive attitude towards internal control and management.
Cases of major loss within banks reflectmanagement’s inattention to and laxity in the control
culture of the banking institution. Further losses are attributable to laxity by the directors and
senior management.These cases also reflect a lack of appropriate incentives for management to
carry out strong line supervision and maintain a high level of control consciousness within the
banking sector. It is the responsibility of the board of directors and senior management to
emphasis the importance of internal control through their actions and words. This includes the
ethical values that management displays in their business dealings, both inside and outside the
7
organization. The words, attitudes and actions of the board of directors and senior management
affect the integrity, ethics and other aspects of the bank’s control culture(Basle, 1998)
1.1.3.2 Risk Assessment
Risk assessment refers to the assessment of factors that may have an inherent possibility of
affecting the attainment of the organization objectives. The risk assessment process enables the
organization to actively analyze all the relevant risk facing the firm (Karagiorgos et al., 2009).
Within most organizations the management is mandated with the responsibility of ensuring that
only acceptable risk face the firm. It is the managements responsibility to design internal control
systems that will ensure efficiency and effectiveness is ensured. Furthermore the internal control
system ensures reliability on the financial reporting of the institution in line with regulatory and
compliance requirements. This is ensured through periodic revier and evaluation of the control
systems.
Many banks that have suffered major losses neglected to recognize and assess the risks of new
products and activities, or update their risk assessments when significant changes occurred in the
environment or business conditions. Majority of the recent cases highlight the fact that control
systems that function well for traditional or simple products are unable to handle more
sophisticated or complex products. Banks are in the business of risk-taking ((Karagiorgos et al.,
2009). Banking is a business mostly associated with risk because of its large exposure to
uncertainty and huge considerations. Risk assessment is one of the most important practices to be
used especially in banks, for getting assurance about the reliability of the operations and
procedures being followed. In today’s dynamic environment, all banks are exposed to a large
number of risks such as credit risk, liquidity risk, foreign exchange risk, market risk and interest
rate risk, among others which may create some source of threat for a bank's survival and success.
8
Due to such exposure to various risks, efficient risk management is required. Managing risk is
one of the basic tasks to be done, once it has been identified and known. The risk and return are
directly related to each other, which means that increasing one will subsequently increase the
other and vice versa (Basle, 1998).
Effective risk management leads to more balanced trade-off between risk and reward, to realize
a better position in the future (Fatemi & Fooladi, 2006). It is also realized recently that Risk
assessment is essentially more important to be carried upon in the financial sector than any other
part of the economy. It makes more sense when it is known that the main purpose of the financial
institutions is to maximize revenues and offer the maximum value to the shareholders by
facilitating them with a variety of financial services especially by administering risks (AlTamimi
& Al-Mazrooei, 2007). The prime reason to adopt risk assessment practices is to avoid
the probable failure in future. But, in realistic terms, risk assessment is clearly not free of cost. In
fact, it is expensive in both resources and in institutional disruption. But the cost of delaying
avoiding proper risk management can lead to some adverse results, like failure of a bank and
possibly failure of a banking system.
1.1.3.3 Information and Communication System
According to Aldridge and Colbert (1994), internal control requires that all pertinent information
be
identified, captured, and communicated in a form and time frame that enable people to carry out
their financial reporting responsibilities. Effective communications should occur in a broad sense
with information flowing down, across, and up within all the sections of the organization
(Theofanis
et al., 2011). Recent literature on internal control system frameworks has raised some concerns
on
information and communication as one of the internal control system components because of
their
importance in influencing the working relationship within the organization at all levels (Amudo
9
&Inanga, 2009). Hence, such information must be communicated throughout the entire
organization
in order to permit personnel to carry out their responsibilities with regard to objective
achievement.
Some losses in banks occur because relevant personnel are not aware of or do not understand the
bank’s policies. In several instances, information about inappropriate activities that should have
been reported upward through organizational levels is not communicated to the board of
directors or senior management until the problems became severe. In other instances,
information in management reports is not complete or accurate, creating a falsely favorable
impression of a business situation. Adequate information and effective communication are
essential to the proper functioning of a system of internal control. From the bank’s perspective,
in order for information to be useful, it must be relevant, reliable, timely, accessible, and
provided in a consistent format. Information includes internal financial, operational and
compliance data, as well as external market information about events and conditions that are
relevant to decision making. Internal information is part of a record-keeping process that should
include established procedures for record retention(Theofanis et al., 2011).
1.1.3.4 Control Activities
Control activities refer to policies, procedures, and mechanisms put in place to ensure directives
of
the management are properly carried out (Aikins, 2011; Rezaee et al., 2001). Appropriate and
accurate documentation of policies and procedural guidelines helps to determine how the control
activities are to be executed. It also provides adequate information for auditors’ examination of
the
overall adequacy of control design over financial management practices (Aikins, 2011). These
control activities ensure that all necessary actions should be taken with the aim to address risks
so
that organizational objectives are achieved. According to Rezaee et al. (2001), internal control
activities occur throughout the organization. They include a range of activities like; approvals,
10
authorizations, verifications, reconciliations, reviews of operating performance, security of asset
and segregation of duties. Most of them are made possible through the help of the internal audit
function.
Banks’ department or division level management receives and reviews standard performance and
exception reports on a daily, weekly ormonthly basis. Functional reviews occur more frequently
than top-level reviews and usually are more detailed. For instance, a manager of commercial
lending may review weekly reports on delinquencies, payments received, and interest income
earned on the portfolio, while the senior credit officer may review similar reports on a monthly
basis and in a more summarized form that includes all lending areas. As with the top-level
review, the questions that are generated as a result of reviewing the reports and the responses to
those questions represent the controlactivity. Control activities are most effective when they are
viewed by management and all other personnel as an integral part of, rather than an addition to,
the daily activities of the bank (Rezaee et al., 2001).
When controls are viewed as an addition to the day-to-day activities, they are often seen as less
important and may not be performed in situations where individuals feel pressured to complete
activities in a limited amount of time. In addition, controls that are an integral part of the daily
activities enable quick responses to changing conditions and avoid unnecessary costs. As part of
fostering the appropriate control culture within the bank, senior management should ensure that
adequate control activities are an integral part of the daily functions of all relevantpersonnel. It is
not sufficient for senior management to simply establish appropriate policies and procedures for
the various activities and divisions of the bank. They must regularly ensure that all areas of the
bank are in compliance with such policies and procedures and also determine that existing
policies and procedures remain adequate. This is usually a major role of the internal audit
11
function (Basle, 1998)
1.1.3.5 Monitoring
Monitoring refers to the process of assessing the quality of the internal control structure over
time.
Since internal controls are processes, it is usually accepted that they need to be adequately
monitored in order to assess the quality and the effectiveness of the system’s performance over
time. By monitoring, the organization gets provided with assurance that the findings of audits
and
other reviews are promptly determined (Theofanis et al, 2011; Rezaee et al., 2001). Amudo and
Inanga (2009) add that monitoring of operations ensures effective functioning of internal controls
system. It’s through monitoring that an organization determines whether or not its policies and
procedures designed and implemented by management are being carried out effectively by
employees.
According to Bowrin (2004), monitoring can be achieved by regularly supervising and managing
activities like monitoring of customer complaints and feedback and audits conducted periodically
by internal auditors. Internal auditors can investigate and appraise internal control structure and
the
efficiency with which the various functions are performing their assigned duties. This way, they
can
bring a systematic and disciplined approach for the evaluation and improvement of risk
management activities and good governance process by examining of the internal controls and
evaluating how adequate and effective the controls are. Monitoring ensures that the findings of
audits and other reviews are promptly resolved (Rezaee et al., 2001).
In many cases, audits are not sufficiently rigorous to identify and report the control weaknesses
associated with problem banks. In other cases, even though auditors reported problems, no
mechanism is in place to ensure that management correct the deficiencies. The internal control
12
framework underlying this guidance is based on practices currently in place at many major
banks, securities firms, and non-financial companies, andtheir auditors. Moreover, this
evaluation framework is consistent with the increased emphasis of banking supervisors on the
review of a banking organization’s risk management and internal control processes. It is
important to emphasis that it is the responsibility of a bank’s board of directors and senior
management to ensure that adequate internal controls are in place at the bank and to foster an
environment where individuals understand and meet their responsibilities in this area. In turn, it
is the responsibility of banking supervisors to assess the commitment of a bank’s board of
directors and management to the internal control process (Basle, 1998)