Internal Control

What does it mean to “be in control”? You are in control when you maintain a mind-set over the stewardship of your resources and capabilities that is risk-based, employing your control: objectives; processes; controls; accountabilities; and assurances. This involves having an appropriate control environment that ensures effective controls are developed and implemented with appropriate feedback to manage your risks and service delivery.

Your control environment, when working in harmony with the enablers of modern comptrollership practices, is considered integrated when you have instituted distributed controls over the resources entrusted to you.

The integration of your controls, both horizontally and on a distributed basis, is needed to enhance the way in which your controls work together within your management and governance framework. Integrating appropriate risk-based controls across your processes, systems, people, finances, geography, and delivery mechanisms needs to be managed pervasively – not only vertically, but also horizontally, to be sustainable and effective.

For you to be in control implies that there is alignment, efficiency, and cohesion in the delivery of your key functional and/or service activities across all integrated control elements. This implies a balance between managing inherent risks, information, and integrated controls, to achieve intended results. Therefore, to be in control, and to achieve integrated control, requires an active risk-based mind-set across 5 integrated control elements.

Objectives – refers to the intended results of the various controls implemented. Risk management will determine the level or extent of control applicable (loose vs. tight), taking in consideration their cost and effectiveness;
Processes – refers to all the various procedures and processes where control will be implemented to meet your risks and intended results;
Controls – refers to the means or control instruments needed to effect risk-based decisions to achieve intended objectives and results;
Accountability – refers to roles and responsibilities for decisions and actions at each management level for the development, implementation, management, monitoring, and corrective measures of achieving integrated control; and
Assurance – refers the monitoring / assessment mechanisms put in place to provide you with confidence that the system of integrated controls is efficient, effective, and economical to support your control objectives and risks.
These are the elements that form the nucleus of integrated control that need to be applied in a continuous and sustained manner. When applying the 5 elements to design your control environment, it is important for you to balance:

the extent of the controls (loose / tight) with their distribution (pervasive / focused);
the cost to maintain controls (one-time / ongoing) with their intended use within processes (fluid / strict); and
individual responsibility (individual / systemic) with broader accountability (ownership / delegation).
These factors impact the approach to achieve integration across your control environment. Although there are other important factors that your specific situation will warrant, having an effective integrated set of controls will enable you to be apprised of and manage significant risks, monitor the reliability of controls, and ensure that your controls will be powerful and proactive agents for self-regulation.

Why is control important to you? Control is important because it represents the mind-set of core processes, activities, decisions, information, risk management and monitoring that you need to ensure that all components of your area of influence operate effectively, efficiently, and in harmony. You need to be in control to ensure that resources and assets entrusted to you are safeguarded and appropriately controlled, your resources are managed economically and efficiently in meeting your objectives, and that processes, services, and transactions are in accordance with Acts and regulations.

Certification / Review of Design of Internal Control Over Financial Reporting (ICFR)

In the private sector, under Multilateral Instrument 52-109, Certification of Disclosure in Issuers’ Annual and Interim Filings, CEOs and CFOs must certify that they have designed internal control over financial reporting to provide reasonable assurance over the reliability of financial reporting and the preparation of external financial statements in compliance with generally accepted accounting principles. They must also certify that they have caused the company to disclose – in the annual or interim Management Discussion and Analyses (MD&A), as appropriate – changes in internal control that have had or may have a material effect on the company’s internal control.

In the public sector, a similar requirement is set out in Treasury Board policy that requires the Deputy Head and the CFO to make representations that they have reviewed the effectiveness of the system of internal control over financial reporting to provide reasonable assurance over the reliability of financial reporting and the preparation of external financial statements in compliance with generally accepted accounting principles. They must disclose the results of their review in an annual departmental Statement on Internal Control that is to be disclosed in the Departmental Performance Report (DPR). The disclosure will also include any internal control deficiencies and actions that are being taken to correct material deficiencies, along with the Financial Statements Discussion and Analyses (FSD&A) disclosure.

These certifications represent significant undertakings and will require significant judgment on the part of the certifying officers.

What Is Required?

The requirements for certifying / reviewing the design of internal control are in place. As soon as possible, management needs to:

• establish an appropriate evaluation and oversight process; and
• implement procedures to evaluate the design of internal control over financial reporting and to ensure that significant changes in internal control can be identified so that appropriate disclosure can be made in the organization’s MD&A.

The Audit Committee should also be involved, either from being heavily engaged in the oversight of the planning, execution and conclusion stages of the process, or to being only involved at a high level of monitoring the certifications. Whatever level of oversight the Audit Committee adopts, it is important that management understand the Audit Committee’s expectations from the beginning and communicate openly with them throughout the process. Although certification / review is the responsibility of the CEO and CFO, that certification / review addresses an important financial reporting issue and has MD&A / FSD&A reporting implications that are serious accountabilities of the Audit Committee.

Design of Internal Control

Internal control over financial reporting is properly designed when those controls would be expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements.

Evaluating the design involves:

• considering whether those controls, when in operation, would achieve this objective;
• determining whether the controls have been implemented (i.e. the control exists and the organization is using it); and
• considering whether appropriately qualified persons are intended to be carrying out the control.

Documenting Internal Controls

Documenting internal controls can be a significant undertaking. Determining the extent of documentation is a matter of judgment, influenced by the size of the organization, its business environment, and the complexity of its operations.

A “top-down, risk-based” approach can help decide how much documentation is required and where resources should be focused. Focus attention on where material errors could occur and the related key controls.

Internal controls can be documented through policies and procedures manuals or handbooks, narratives, flow charts, risk matrices, or some combination of these options.

Evaluating the Design of Internal Control

Typically in developing a design evaluation process, five major elements are considered:

• Select an internal control framework MI 52-109 does not require management to use a recognized control framework when evaluating the design of internal controls, however organizations typically use the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO defines internal control, describes its components, and provides criteria against which management, Boards or other (Audit Committee or external auditors) can assess their control systems. Management should consider using such a framework because it provides an organized basis for evaluation, and is ever-greened internationally.
• Assess the Design of Internal Control To assess the design of controls, it is necessary to determine whether the control would effectively mitigate the identified financial reporting risk on a timely basis and whether the controls have been implemented.
• Assess Whether the Controls are Operational There are several techniques to assess whether the designed internal controls are in fact being used including inquiry / substantive inquiry, observation and / or inspection.

In addition the organization should consider using walkthroughs when evaluating the design of controls. Such walkthroughs provide evidence to:

• confirm an understanding of the process flow of transactions;
• confirm an understanding that activities are complete by determining whether all points at which misstatements could arise have been identified;
• evaluate the effectiveness of the design of controls; and
• confirm whether controls have been placed in operation.

• Determine the role of internal audit For organizations with an Internal Audit function, management should determine whether Internal Audit can effectively play a role in the evaluation of the design of internal controls. Internal Audit’s participation could include documenting controls, performing walkthroughs for management or simply providing oversight of the process.

• Address design deficiencies During the evaluation, management may discover internal control design deficiencies. A deficiency exists when the assessor concludes that a control is not capable of effectively preventing or detecting a misstatement in the financial statements or when a control necessary to mitigate a risk is missing.

The Audit Committee should encourage management to remediate ineffectively designed controls prior to year-end. Prioritizing remediation requirements can help determine that available resources focus on those deficiencies of greater significance.

Management should discuss with the Audit Committee the process for dealing with deficiencies. Together, they should determine the types of deficiencies that management should bring to the Audit Committee’s attention and the nature of such reporting.

Using the Design Evaluation for Future Evaluations of Effectiveness of Internal Controls

Certification / review of the effectiveness of internal control will require that the design evaluation process should dovetail with the organization’s future need for an assessment of the effectives of internal control. The process for evaluating the effectives of internal control builds on the process for evaluating design. Significant incremental elements include:

assessing if the control, when in operation, functions as designed;
determining the consistency with which the controls were applied; and
considering whether appropriately qualified persons are actually carrying out the control.
Carefully planned, the process for evaluating design can simplify the work required for the future evaluation of the effectives of internal control. The Audit Committee should encourage management to develop the design evaluation so it can be used to a maximum extent in the future evaluation of effectiveness of internal control.

External Auditor Involvement

Management may want help in documenting controls or evaluating the design of internal controls, or management and the Audit Committee may want to obtain some form of additional comfort on the assessment. External auditors can be asked to assist in various ways. For example, they may:

• provide advice and counsel regarding management’s processes;
• assist in documenting specific processes or areas of the organizations’s internal control over financial reporting;
• provide specialized resources to assist in complex areas such as information technology;
• review management’s draft documentation, providing observations and recommendations;
• perform specified procedures determined by management, and report findings and, as appropriate, recommendations; and
• where warranted, provide an integrated audit of the company’s internal control over financial reporting and its financial statements.

Management, the Audit Committee and the external auditors should consider these options, while the organization is developing its approach to this evaluation.

In summary

All organizations, regardless of size, need to develop a process to evaluate the design of internal control. The requirements for certifying / reviewing the design of internal control are now in place. Starting now will contribute to an effective evaluation and enable management to identify deficiencies early and prior to the reporting deadline. At the same time the Audit Committee should determine the extent of its involvement in the oversight of this process and communicate its expectations to management.

Are your internal controls integrated? Do you have the monitoring and assessment mechanisms to respond effectively? Are you comfortable signing off on your internal control fiduciary responsibilities? icorp.ca’s Insight service can help you discern the inner nature of complex management change. So who is supporting your integrated control needs? GO THERE!™

For more information about icorp.ca’s Insight expertise, contact us.