For a system of internal controls to be effective, it needs to successfully mitigate the business risks identified by management.

(1) A system of internal control plays a key role in managing significant risks to the achievement of business objectives.

(2) A sound system of internal control contributes significantly to protecting the investment of shareholders, safeguarding the assets of the company and ensuring compliance with laws and regulations.

(3) One of the objectives of an internal control system is to prevent or reduce the likelihood of fraud, and to detect fraud when it does occur. 

(4) The internal control system should be continually reviewed and managed.

(5) The costs of a control should not exceed the likely benefits from reduced risks.

(6) Internal control systems should be an integral part of an organization.

(7) Effective financial controls, including the maintenance of proper accounting records, are an important element of a system of internal control.

Reporting on internal control

(1) Shareholders are entitled to know whether the internal control system is sufficient to safeguard their investment.

(2) The board should, at least annually, conduct a review of the effectiveness of internal control systems and report to shareholders.

(3) The review should cover all material controls, including financial, operational and compliance controls and risk management systems.

(4) The objectives of reporting are to recommend changes, to assist management's identification of risk and control issues, and to ensure action takes place.

(5) Reporting may be voluntary or required by statute.

Content of report

(1) Objectives of audit work.

(2) Summary of process undertaken by auditor.

(3) Major outcomes of the work and audit opinion.

(4) Recommendation and key action points.

Management information

(1) To enable management to identify and manage risks and monitor internal controls, they need adequate information.

(2) There should be effective channels of communication within the organization.

(3) Information should be provided regularly to management.

(4) Management need both internal and external information.

(5) The actual information provided to management varies, depending on different levels of management.

(6) There should be an adequate, integrated information system, supplying internal financial, operational and compliance data and relevant external data.

(7) The information should be reliable, timely and accessible, and provided in a consistent format (making it more understandable).

(8) The characteristics of information will change depending on the management level.







