In my last article, “Internal Audit under the new Companies Act 2013 – Opportunity or Responsibility for the Internal Auditor?”, released through this medium on 11th November 2014, some of the key words used were, Orderly and Efficient conduct of Business, Internal Financial Controls, Policies and Procedures, Accounting Records, Safeguarding Assets, preventing Frauds and Errors and so on.
On preventing frauds, my article “How do you prevent instances of Fraud in Organizations – Some True Stories“has earlier been shared with you on 5th November 2014. Current article is on Internal Controls. In the coming weeks, I wish share my thoughts on some of the other key words.
Though the term Internal Controls is widely in use, when I ask young Chartered Accountants “How do Internal Controls manifest in an Organization?”, a comprehensive response has not been generally forthcoming. Hence this attempt.
I like to explain Internal Controls using 5 “P”s. They are Policies, Processes, Procedures, Practices and you can guess the 5th“P”. Otherwise, you will find it in one of the following paragraphs. While all these “P”s serve various purposes, our focus is on their relevance to Internal Controls, and how an Internal Auditor could use them in the discharge of his / her duties.
Policies
Policies are an important means of communication, used by the Board of Directors, to convey to the external world and to internal stakeholders, on the Organization’s methods of conducting business. We know that Accounting Policies are included in the published accounts, to help readers understand the basis of preparing financial statements. Policies serve certain other purposes as well. Policies are the first step towards achieving Organizational Objectives.They are relatively permanent in nature, and deserve the attention of the top management. Absence of a relevant policy could be a control weakness. Policies could be grouped under “Corporate Policies” and “Functional Policies”. Examples of Functional policies are Sales Policies, ManufacturingPolicies, HR& Admin Policies, IT Policies and so on.
Let us look at the relevance of a Sales Policy. If you are engaged in Hotels business, with a chain of hotels, there is a need for a Policy on Discounts to Room Tariff. Otherwise General Manager of each hotel in the chain, could go for individual discretion, which may not be in the interest of the organization. Thus if you are the Internal Auditor of a hotel chain, you could recommend a “Discount Policy” if it is not documented and followed. Similarly, Internal Auditor needs to review whether all important business aspects are adequately addressed through policies.
Processes
Processes help in implementing Policies. Process focus is important while designing Systems, whether computerized or manual. Processes can be classified in to Core (Key) Processes that are essential for conducting business, and Processes for Support Functions. For example, if your organization is in EPC (Engineer, Procure and Construct) business, your core Process starts with receipt of Enquiry from prospective customer, Estimation and Proposal Making, Submission of the Proposal, Negotiations, Bagging the Order, Detailed Engineering, Procuring (placing Purchase Orders), receiving materials at site, Erection, Installation, Commissioning and obtaining Project Closure from the customer. In the same business, support Processes are for functions like HR, Finance, Quality and Administration.
Clarity on processes is essential for all stakeholders, particularly in a set up where different departments are involved. If we look at material procurement process, an Indent is raised by a User department on Purchase, which in turn releases a Purchase Order. Material is received in Stores, where a Goods Receipt Note (GRN) is prepared. Vendor’s Invoice is received in the Accounts Department, which picks up the Purchase Order and GRN, matches them with the Vendor invoice, creates a Payable, and releases Payment. While this process is contiguous, different departments like the User, Purchase, Stores and Accounts are involved, and without proper clarity on the process, to all, it would not be feasible to execute transactions, and can leave potential control gaps.
Procedures
Procedures are developed from Processes, and serve as a guide or instruction to the operating personnel in discharge of their duties. Apart from training resources, they could help in practices like Job Rotation. Standard Operating Procedures (SOPs) as they are popular, are essential for all medium and large organizations. Well managed companies place lot of emphasis on documenting SOPs, ensure that all stakeholders get engaged in awareness and implementation, and even include SOP Compliance verification in the scope of Internal Audit. Statutory Compliances are invariably included in Procedure documents.
Practices
Even if the best of Policies, Processes and Procedures are in place, if they are not followed in practice, the purpose is not served, and the organization is exposed to potential control weaknesses. Apart from Operating Procedures, Information Security related procedures are generally compromised. Sharing passwords with other employees, leaving confidential material on tables unattended, and some of the employees engaged in bank payment related process sharing their access cards and passwords with others for executing bank transactions, are common security threats. Employee leaves the organization but his / her access card or signature is not withdrawn from the bank. In some cases other employees impersonate and continue executing transactions using the same access card. Internal Auditor needs to be alert in reviewing such practices.
People
Well, the last “P” is People, one way the most important of all the “P”s, since only People implement all the above. Two important elements here are awareness of the relevant Policy, Process or Procedure and willingness to implement it. If I am conducting any walkthrough, I make it a point to observe the case worker executing a task, and make enquiries to know the extent of his / her knowledge of the task the being handled and the attitude, whether proactive or is under compulsion. Negative signals here are a potential control weakness.
Concluding Remarks
In whatever role you are, whether an Accountant, a Manager or an internal Auditor, I hope that my article will prompt you to think of Internal Controls in the “P”s I have suggested. For more articles from me please see my Blog at www.operationstomoney.com
Thank you for your attention
Tulasi S Sastri
FCA, CISA
CAclubindia
