Monitor internal control operating procedures

Submitted by coleen.yan@edd… on Wed, 07/27/2022 - 15:34

Roles and Responsibilities

In order to have a good understanding of the theory and practice of internal control procedures, it is necessary to have knowledge of how the accounting profession in Australia is organised and the various bodies that influence it. The main areas of employment within the accounting profession are as follows:

  • As an employee or partner in a firm of public accountants.
  • As an employee of a company or other operating entity to provide services to the organisation.
  • As an employee of a government department to administer government policy and financial services.

The range of services provided by the accounting profession includes:

  • Financial planning
  • Taxation compliance and planning
  • Business advisory services
  • Auditing
  • Foreign exchange operations
  • Advice on insolvency and reconstruction
  • Developing financial management systems1

Professional Accounting Bodies

There are a number of accounting bodies that provide support for the accounting profession, and these are listed below:

The NIA’s main mission is to provide professional recognition and support to enhance business success. The NIA provides professional recognition for graduates of TAFE and university courses.

The AAT is Australia’s largest paraprofessional body in the accounting and finance sector and is supported by the NIA. The AAT Australia provides recognition and status for paraprofessional accounting technicians, including bookkeepers, payroll officers, BAS service providers, assistant accountants, accounts payable, accounts receivable officers and other accounting support staff.

CPA Australia is the largest professional association and the largest professional finance, accounting and business body in Australia. To become a member of CPA Australia, you will need to graduate from an accredited course at an Australian university or overseas equivalent. Graduates of other courses will need to have their qualifications assessed.

The main objectives of the ICA are to develop the theory and practice of accountancy, maintain high standards of professional conduct and ensure compliance with practice and professional standards. 

The NIA and AAT Australia will be of interest to students studying the diploma course, while degree holders may become members of the CPA or the ICA.1

Regulators and other bodies within the Financial Industry

There are a number of principal bodies involved in setting standards, regulating professional activity, and establishing and maintaining the legal and economic framework, and these are set out below:

The Auditing and Assurance Standards Board has functions and powers under s227B of the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act), including the task of developing high-quality standards and related guidance for auditors and providers of other assurance services.

The Australian Accounting Standards Board is involved with the Financial Reporting Council in developing standards for both public and private sectors.

The FRC comprises key stakeholders from the business community, the professional accounting bodies, and government and regulatory bodies. The FRC oversees the process of setting accounting standards.

The Australian Securities and Investments Commission was established under the ASIC Act, and its main role is to administer the Corporations Act 2001 (Cth) (Corporations Act). The ASIC has sole responsibility for the regulation of companies, takeovers and securities.

The Australian Prudential Regulation Authority is responsible for regulating banks, insurance companies, credit unions, superannuation funds and other financial bodies. The APRA has an obligation to advise the Treasurer as soon as practicable of any body regulated by the APRA that is in financial difficulty.1

Key Performance Indicators (KPIs)

Recommendation 3 of the ASX Corporate Governance Council principles and recommendations states that the board should disclose whether it has received assurance from the CEO or CFO that the declaration provided in accordance with s295A of the Corporations Act is based on a sound system of risk management and internal control and that the system is operating effectively in relation to financial reporting risks. One way to determine whether or not the company’s risk management and internal control system is operating effectively is to measure the performance of the company against key performance indicators. 

Key Performance Indicators (KPIs) help organisations understand how well they are performing in relation to their strategic goals and objectives. A KPI can be defined as providing the most important performance information to enable an organisation and their stakeholders to understand whether the organisation is performing efficiently and effectively. 

KPIs serve to reduce the complex nature of organisational performance to a small number of key indicators in order to make the performance more understandable. The three main reasons for measuring performance are set out below:

  • To learn and improve
  • To report externally and demonstrate compliance
  • To control and monitor people

A diagram depicting measuring performance

Key performance indicators include:

  • The business has enough revenue to meet its expenditure
  • The reports provide a true and accurate reflection of the accounts of the business
  • The reports of the company are produced in a timely manner
  • Compliance with organisational policies and procedures
  • A sound internal control structure
  • Risk management policies are effective

Compliance with internal control procedures should be monitored and measured against KPIs, and the results should be reported to management. Modifications must be made to comply with internal control procedures.12

Variations In Adoption Of Corporate Governance Requirements

Fraud and Error

Auditing Standard ASA 240 - The Auditor’s Responsibility to Consider Fraud in an Audit of a Financial Report - states that irregularities in a financial statement can arise from either fraud or error, the distinction being whether the irregularity was intentional or unintentional.

Fraud is defined as acts of dishonesty and deceit in order to gain an advantage. The prevention and detection of fraud is the responsibility of management; the external auditor’s primary responsibility is to give a true and fair view of the company’s financial position.

The KPMG Fraud Survey 2008 revealed that internal control was the most effective method for detecting fraud.

A diagram depicting detecting fraud

A survey conducted by PricewaterhouseCoopers reported that 40% of Australian companies affected by crime also suffered through:

  • A decline in working morale
  • Impairment of business relations
  • Increased regulatory oversight
  • Infringement on management time
  • Extensive litigation costs
  • Damage to reputation

The most common incidents involving fraud include:

  • Misappropriation of funds
  • Fraudulent expense account claims
  • Purchase of company property for personal use
  • Financial statement manipulation
  • Collusion with insiders
  • Manipulation of cheques
  • Stolen credit cards
  • False invoices
  • Theft of inventory
  • Insertion of fictitious people on the payroll
  • Inflating gross pays
  • Theft of non-current assets

Most cases of fraud in an organisation are reported to the police, and action is taken through the courts. If the incident is minor, the organisation may conduct an internal investigation and enforce disciplinary proceedings, e.g. the employee may lose their job, be invited to resign or be demoted.1

Compliance with internal control procedures is essential for organizations to function efficiently and protect their assets. However, even the best-laid plans can go awry, and modifications to procedures may be required in order to maintain compliance. In these cases, it is important for organizations to develop and implement modifications quickly and effectively in order to minimize disruption.

In order to ensure that financial data is accurate and reliable, many businesses put into place internal control procedures. These procedures involve setting up systems and processes to check and verify the accuracy of data. Internal control procedures can be specific to an individual business or may be based on industry-wide guidelines.

The development and implementation of internal control procedures are an important part of good governance. By having effective controls in place, businesses can reduce the risk of financial errors and fraud and improve their overall efficiency.

In Australia, there are a number of regulatory bodies that help businesses develop appropriate internal control procedures. The Australian Securities and Investments Commission (ASIC) provides guidance on financial data reporting, while the Australian Prudential Regulation Authority (APRA) sets rules for the management of financial risks.

The organisation's governance structure should be evaluated regularly to identify any weaknesses or areas that need improvement.

Assessments of the governance structure and the evaluation of the opportunities for improvement can help the organisation develop a plan for change and put together a change management team to be responsible for implementing it.

A crucial step in the continual improvement cycle is monitoring the progress and success of the changes and making any additional adjustments necessary as they are identified.

Managing Change to internal control procedures

As both data and information resources become much more complex in their functionality, interactivity, and appearance, there is an increasing need for coordination and management. In addition, effective cooperation and communication concerning updates, maintenance, and regular releases help improve user experience.

From time to time, all systems need scheduled maintenance or updates. Ensuring the stability of your infrastructure is part of the job.

Developing controls for system and process modifications, with clearly defined procedures, minimises incidences of non-compliance and unexpected issues. Good change management entails planning, communication, monitoring, restoration, and follow-up procedures to reduce adverse impacts on the end user.

All changes in systems, processes, computing hardware, software, networks, and applications must follow the essential principles of change management.

Change management is the systematic process of planning, implementing, and monitoring changes to a business process, system, or organisation. Effective change management can help organisations increase efficiency and effectiveness while minimising disruptions. Several essential principles of change management can help make changes successful.

  • The first principle is always to have a clear goal for the change. The goal should be specific, measurable, achievable, relevant, and time-bound. 
  • It is important to have a solid plan for implementing the change. The plan should include timelines, steps for implementation, and who will be responsible for each step.
  • Communication is another key component of effective change management. All stakeholders should be kept informed of what's happening and why it's happening. 
  • It is vital to monitor the progress of the change and make any adjustments as needed.

The following general requirements are common elements of change management processes:

  • Scheduled change calendars and operational procedures for organisational communications are developed to inform stakeholders of upcoming changes that impact operations
  • Regular planned changes are communicated to all stakeholders monthly through a communication mechanism such as email or automated system alerts
  • Unplanned emergency changes or outages are communicated immediately with regular progress updates 
  • Regular data system patching schedules are communicated to users and performed in such a way as to minimise downtime and impacts on user productivity
  • Changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) shall be reported to or coordinated with stakeholders and shall be notified through change management communications
  • Processes shall ensure that production data is not unnecessarily replicated or used in non-production environments
  • Device configurations shall be backed up, and roll-back procedures must exist before implementing a change

Change Management Committees

A change management group or committee may be involved to discuss and coordinate the implementation of system changes and manage any resulting issues. The committee could include process owners and involved staff, and be chaired by a senior manager or director or their designee. Change teams often meet on a regular schedule determined by the requirements of internal control procedures.

The following procedures are typical of those implemented by change management committees:

Change Management Requests

Change management processes routinely include formalised procedures surrounding requests or suggestions for change. Typically:

  • Change requests must receive Change Management Committee approval before proceeding
  • All change requests need to be submitted to the committee, whether scheduled or unscheduled
  • All scheduled change requests must be aligned with organisational change management procedures.
  • All scheduled change requests must indicate the urgency and risk level attached to each request to allow the Change Management Committee sufficient time to review and decide to allow or delay the update.
  • A change review must be conducted for each change, whether scheduled or unscheduled, and whether successful or unsuccessful

Denying Change Management requests

The head of the change management team or their designee might deny a scheduled or unscheduled change for reasons such as:

  • Timing of the change impact on key business processes
  • Insufficient change planning or testing
  • Lack of stakeholder acceptance 
  • System or process integration or interoperability issues
  • Lack of or inadequate roll-back plans
  • Security risk

Administration

Change Management Log Forms are routinely used to record and formalise:

  • Process or change owner contact information
  • Date of submission and date of the change
  • Nature of the requested change
  • Success or failure indicators
  • Notes 

Audit Controls and Management

Documented procedures and evidence of their practice should be in place to enable audit tracking. Good examples of evidence of compliance include:

  • Change Management Committee meeting minutes
  • Logs of change events
  • Archival records of meeting minutes and change logs
  • Anecdotal documentation and communications such as email and calendar records showing regular compliance with the policy
