
WE CAME HERE TO

• Discuss
• Collaborate
• Network
• Exchange knowledge
• Sharpen our skills
• Exchange information
• Exchange experiences
On
INTERNAL CONTROLS
OUTLINE
• Introduction
• Oversight of Internal Control to Fraud Prevention and Detection
• Irregularities and other forms of financial improprieties.
• Forms of Risk and control:
• Risk based Control Vs Value Based Control
• Value Optimization
• Risk Management.
• Conclusion
• References
Introduction
Well, the main aim of any activity in an organization
should be to achieve the objectives of the organization
itself.
The main aim of internal auditing is to assist the
organization to achieve its objectives. No Long Story!

The execution of day-to-day activities or routines requires strict application of certain processes and procedures in order to produce a desired or acceptable result, particularly where there is a measuring yardstick, basis of comparison or benchmark, although flexibility is allowed within the confines of the satisfactory result to be obtained.
Consistency in the strict application of principles and practices to day-to-day endeavours lends credence to, or enhances, business effectiveness, profitability, efficiency of management and a host of other impressive performances of the business.
This development in turn forms the bedrock for meeting challenges, setting the pace, and designing standard control tasks and implementation phases.
This is readily achieved through the experience gained in the course of doing things right and the expertise applied, particularly when things do not go the way they were expected to.
Four major terms become relevant to an enterprise, which include the following:
• Achieving Objective
• Risks threaten the realization of the objectives
• Internal Control
• Internal Auditing.
An objective is something desired to be achieved. It includes the aims, thrusts, dreams and aspirations of a scheme, programme and course of action.
Risk is a set of circumstances that hinder the achievement of objectives.
An internal control, as defined by David Griffiths in his book An Introduction to Risk Based Auditing, is a process which manages a risk.
Internal auditing provides an independent and
objective opinion to an organization’s
management as to whether its risks are being
managed to acceptable levels.
In summary
• Risks hinder objectives.
• Internal controls manage risks.
• Internal auditing provides opinions about
whether internal controls are managing risks to
acceptable levels.
Oversight of Internal Control to Fraud Prevention and Detection
From genuine mistakes (errors of the head), breakdowns in the system, insider abuses, corporate failures, bankruptcy, loss of investment/investors’ funds, loss of public confidence or crisis of confidence and the collapse of institutions, to the global financial meltdown, the challenge to the oversight function of internal control in the detection and prevention of fraud and other improprieties has been enormous and unimaginable.

No two organizations are the same, and as such none is immune to the incidence of corporate scandals caused or compounded by the signs, symptoms and consequences of errors, irregularities and fraud, including insider abuse and other forms of improprieties (financial and otherwise).
The concern for the oversight function was intensified based on the following realities:

• Fraud is prevalent: a pervasive problem that knows no boundaries.
• Anyone can commit fraud, based on the position of the Fraud Triangle, which states pressures/motives, perceived opportunity and the rationalization for the fraud.
• Why people commit fraud despite their decent background. This is related to the above.
• The best deterrent is to increase the perception of detection in the minds of the perpetrators.
• Perpetrators are often trusted employees.
• Fraud schemes are not unlimited in number.
• Red flags are only warning signals.
• Auditors can’t be relied upon to detect fraud.
• Hotlines and fraud assessment questionnaires are useful techniques.
• Prevention is better and superior to detection.
• A matter of paying attention.

In the light of these developments, increasing scope and attention are directed to the industry or profession that can guarantee safe and sound assurance, whose advice can be trusted and relied upon, and bought and consumed as a painkiller or relief by the victims of these developments.
The usual question asked when things go wrong, whether in an enterprise, an industry or globally, is “where were the auditors?”.
The question therefore overheats an already heated system. Hence the continuous oversight function of internal control over cases of errors, irregularities, fraud and other improprieties.
Irregularities and other forms of financial improprieties

Various financial improprieties and abuses exist in different sizes, shades, dimensions and designs. The major forms of financial improprieties include errors, irregularities and frauds.

• An error is an unintentional mistake. It is genuinely perceived as the error of an honest person. This includes an omission or commission as well as misplacements in transaction processing, recording, analyzing, summarizing, interpreting and reporting.

• Irregularities are recurring errors that have consistently given rise to a qualified opinion from the auditor of the financial statement/system appraiser. This includes alteration of records, regular correction of figures and frequent actions that connote a deliberate intention.

• Fraud involves the use of criminal deception to obtain undue illegal advantage. It is an intentional act. It takes various styles and fashions, which include misapplication, misappropriation, theft, and damage to books of account and other supporting facilities or infrastructural architecture such as hardware, software and networking.
An important issue to address in this phenomenon lies in a transparent process to gain credibility for the system and built-in trust: gathering intelligence, being composed (in the face of stress), keeping promises, properly handling mistakes, avoiding destructive comments and showing other people that you care. Most importantly, take a risk profile of any system to determine an enterprise-wide risk analysis and rating (using well tested criteria), which enables effective planning and control with a reasonable expectation of detecting and preventing cases of errors, irregularities, fraud and other forms of improprieties, and which signifies efficiency of both the audit and the enterprise resources utilized.
Forms of Risks and Controls
As referred to earlier, risk is a set of circumstances that hinder the achievement of objectives.
Right from the traditional internal and external audit, inspection, examination and other business condition assessment mechanisms, risks have existed in the transactions and events surrounding the existence of an enterprise, as well as those imposed and imagined. The only difference is the level of attention to the details of most of these not easily identified risks and the skills and diligence required, coupled with the focus of the audits/examinations, among other limitations.

Traditional risks include inherent risks, control risks and detection risks, which the audit procedures have not been able to score 100% in eliminating or substantially reducing, since the design of the risk was to beat the controls in place.
Modern risks are:
• External: Political, Economic, Socio-cultural, Technological, Legal/regulatory, Environmental.
• Operational: Delivery (service/product failure, project delivery); capacity and capability (resources, relationships, operations, reputation); risk management performance and capability (governance, scanning, resilience, security).
• Change: PSA targets, change programmes, new projects and new policies.
• The control focus and functions in place comprise sets of circumstances of an enterprise’s risk profile, risk assessment, risk rating and the extent of reliance on the other components to support the perfect functioning of an enterprise or the working of a system.
• The controls to be exercised also depend on experiences (real and imagined), similarly observed situations/scenarios, peculiarities and anticipated developments, in addition to the above.
• The controls focus on the risk of events and transactions and the associated threats to the overall objectives of an enterprise.
The forms of control range from general to specific and to contemporary settings in quality control.

General controls include physical controls, authorization controls, personnel controls, accounting and arithmetical controls, management controls, organization controls, supervisory controls and segregation of duties controls.

Specific controls. Implicit in the general controls are the specific controls, which the audit plans and procedures design from the risk assessment/risk rating of an enterprise. They are the application of general controls to the specific transactions, processes and circumstances of an enterprise.

The specific objectives of any audit will address one or more of the following
general management objectives:
• Risks are appropriately identified and managed.
• Interaction with the various governance groups occurs as needed.
• Financial, managerial, and operating information is accurate, reliable, and
timely
• Employees’ actions are in compliance with Organization policies and procedures, and applicable laws and regulations.
• Resources are acquired economically, used efficiently, and adequately protected.
• Plans and objectives are achieved.
• Quality and continuous improvement are fostered in the Organization’s control process.
• Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately.

• During the course of the audit, conditions may arise which warrant
revising the audit procedures, scope or budgeted hours. The auditor
should evaluate the situation, make timely recommendations to
audit management, and obtain approval before incorporating any
changes.

• Contemporary controls include specific transaction audits such as pre-payment and pre-purchase audits (including contract award, price verification, survey and bidding/tender), post-prepayment audit, and special audits such as focused audit, investigation and Board of enquiry.
In further emphasis of contemporary controls, addressing the risks using control measures will employ the following:
PREVENTIVE CONTROLS

These controls are designed to limit the possibility of an undesirable outcome being realized. The more important it is that an undesirable outcome should not arise, the more important it becomes to implement appropriate preventive controls. The majority of controls implemented in organizations tend to belong to this category. Examples of preventive controls include separation of duty, whereby no one person has authority to act without the consent of another (such as the person who authorizes payment of an invoice being separate from the person who ordered goods prevents one person securing goods at public expense for their own benefit), or limitation of action to authorized persons (such as only those suitably trained and authorized being permitted to handle media enquiries prevents inappropriate comment being made to the press).
CORRECTIVE CONTROLS

These controls are designed to correct undesirable outcomes which have been
realized. They provide a route of recourse to achieve some recovery against loss or
damage. An example of this would be design of contract terms to allow recovery of
overpayment. Insurance can also be regarded as a form of corrective control as it
facilitates financial recovery against the realization of a risk. Contingency planning is
an important element of corrective control as it is the means by which organizations
plan for business continuity / recovery after events which they could not control.

DIRECTIVE CONTROLS

These controls are designed to ensure that a particular outcome is achieved. They
are particularly important when it is critical that an undesirable event is avoided -
typically associated with Health and Safety or with security. Examples of this type of
control would be to include a requirement that protective clothing be worn
during the performance of dangerous duties, or that staff be trained with required
skills before being allowed to work unsupervised.

DETECTIVE CONTROLS

These controls are designed to identify occasions of undesirable outcomes having been realized. Their effect is, by definition, “after the event” so they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include stock or asset checks (which detect whether stocks or assets have been removed without authorization), reconciliation (which can detect unauthorized transactions), “Post Implementation Reviews” which detect lessons to be learnt from projects for application in future work, and monitoring activities which detect changes that should be responded to.
In designing control, it is important that the control
put in place is proportional to the risk. Apart from
the most extreme undesirable outcome (such as
loss of human life) it is normally sufficient to
design control to give a reasonable assurance of
confining likely loss within the risk appetite of the
organization. Every control action has an
associated cost and it is important that the control
action offers value for money in relation to the risk
that it is controlling. Generally speaking the
purpose of control is to constrain risk rather than
to eliminate it.
Risk based control Vs Value Based Control
Traditional audit focused on the transaction and control cycles of an organization’s businesses. Various audit plans, procedures and tests revolve around obtaining evidence, reviewing controls and expressing an opinion on the workings of the controls in an enterprise’s processes and the systems in an integrated financial system that produce the financial statement which is reported upon. Hence the design of compliance, substantive and focused testing dominated the entire course of action of an audit engagement.
Risk based control is simply risk based auditing, which requires critical and thorough examination of the risks attached to or associated with the enterprise’s processes, business units and other related functions.
The definition of internal auditing by the Institute of Internal Auditors, as contained in the Code of Ethics, underscores the mandates of risk based control. This is reproduced below.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Value Based control is a deliverable from the risk management initiatives and strategy employed on a SWOT analysis basis for the organization’s existence and relevance.

Value Based control is a continuous effort deployed to consistently maintain the values and successes of the enterprise’s niche and surpass the expectations of the clients in a way and manner that sets a new pace and standard, which has to be sustained until a new value and standard is established either by the enterprise’s internal design, in collaborative design, or as imposed by competitors or other external variables/forces.
Value optimization
This is the outcome of either traditional or risk based auditing. It is to enhance the effectiveness of, or strengthen, the activity undertaken either as a statutory response or in line with best business practice. In any case, it is expected to strengthen the enterprise on the inside, expand the enterprise on the outside and, overall, improve the bottom line.
Risk Management.

The issues involved in risk management include: How do we manage risks? Who’s responsible for risks? Where does internal auditing fit in? And where does ‘risk management’ fit in?

How do we manage risks?

There are a number of ways the organization can manage risks to bring them to a level which the board considers acceptable:

• Avoid the risks, for example not starting up a business selling innovative products or closing a factory making dangerous chemicals. This may mean giving up significant opportunities. This process is known as ‘termination’.

• Transfer them, the best example being insurance.

• Tolerate them, without planning any contingencies. These are the ‘asteroid hits earth’ type of risk. This does not mean that no-one will address this risk – governments may decide to try and deflect asteroids using nuclear missiles.

• Tolerate them, and plan contingencies. These are the ‘hurricane destroys factory’ type of risk.

• Introduce some processes to reduce the consequence or likelihood of a risk. These processes are usually referred to as ‘controls’ and include everything from having a clear strategy to installing a fire alarm. This method of management is known as ‘treatment’.
Who’s responsible for risks?

So, our objectives are threatened by risks, which demand a response to avoid them, accept them, transfer them or treat them.

Who’s responsible for ensuring that the response is appropriate to manage risks to a level that our controlling board can accept?

The various rules and regulations make it clear that the management of an organization is responsible for:
• Identifying what risks exist.
• Assessing the risks.
• Ensuring that there is an appropriate response to all risks.
• Informing the board about risks which are outside acceptable levels (usually those which are to be tolerated or taken for the potential benefits).
Where does internal auditing fit in?

Just as external auditors independently report on an organization’s accounts, so the internal audit
activity independently reports that internal controls are operating properly. Recent financial scandals
have reinforced the need for this type of independent opinion.

So what is the purpose of internal auditing? It is frequently phrased in terms like, “to ensure proper
internal controls exist”. The problem with this statement is that it gives the impression that internal
auditing is only concerned with financial controls. Also, managers frequently consider controls to be
the responsibility of accountants and auditors, and are not therefore prepared to accept ownership of
them.

Managers, however, can see how risks directly affect them and are more likely to accept that it is their
responsibility to manage them. In addition, since the internal controls necessary depend on the risks
identified.

Where does ‘risk management’ fit in?

Now this is where the fun starts. What is risk management and what responsibility
does the internal audit activity have? Let’s start with some certainties:

• Managers own risks and it is their responsibility to control them.
• Internal auditing provides an opinion, to management, as to whether risks are properly controlled.

‘Risk management’ is a term widely used, and ‘Risk Manager’ jobs exist in
Organizations. Theoretically, since managers own risks, they must ‘manage’ them.
That accountability cannot be passed to a third party. In practice, risk managers tend
to have responsibilities between managers and the internal audit activity, assisting
the organization to identify its risks, running risk workshops, coaching staff in risk
management and setting ‘best practice standards’.
Conclusion

• Internal control is a serious business, and as such designing, observing, implementing or executing the system of internal control has taken centre stage in the life of an enterprise’s continuous existence and relevance. Internal auditing provides an assurance service to management and also occupies a prominent role in providing interpretations of inestimable value that last and outlive an enterprise.

• Local and international corporate scandals of different sizes, dimensions and magnitudes have questioned the mandates of professional bodies, consultants and advisors in providing a value-added service to improve the bottom line of both individual and corporate businesses.

• The signing into law of the Sarbanes-Oxley Act of 2002 has created a paradigm shift in the ‘business as usual’ of service professionals. The drama of suicides, bankruptcy, paying fines and penalties, surcharges and the risk of going to jail are a few cases to mention.

• As widely reported in business practice, one of the methods for discovering fraud is by instituting a sound system of internal control that will guarantee assurance to the organization’s processes. Hence, that most corporate failure is attributed to the inability of the external audit of the enterprise to nip the issues in the bud is rather unfortunate. The particular case of Cadbury Nigeria Plc, where the firm of Chartered Accountants (Akintola Williams Deloitte) was fined N20 million, was a sad development for public accounting practice.

• Finally, everyone in the organization is required to protect the resources of the organization as a matter of internal control compliance, in line with the age-long definition of internal control, which put it as the ‘whole system of controls, financial and otherwise, established to carry on the business of an enterprise in an orderly and efficient manner, safeguard the assets of the enterprise and secure as far as possible the completeness, accuracy and validity of records’.

• Thank you for your time and attention


References
• David Griffiths (2006), An Introduction to Risk Based Auditing.
• The Orange Book (2004), Management of Risk - Principles and Concepts.
• The Folio, issues 19 & 20, Magazine of the Institute of Financial Consultant, Canada (2005), 10 Truths You Need To Know about Fraud & Try Transparency, Gain Credibility.
• Brief literature on Audit process and Procedures.
