Monday, 18 April 2016

Internal Control Framework - Part 1


New and rapidly changing business models developed by software companies in India, economic and competitive environments, globalization, greater use of and dependence on technology, increasing regulatory requirements and scrutiny, shifting customer demands and priorities, and restructuring for future growth are driving senior executives' thinking towards the Internal Control—Integrated Framework. The framework helps entities achieve their goals and objectives, and sustain and improve performance at the operational level, by adapting to changing business and operating environments, mitigating risks to acceptable levels, and supporting sound decision making at higher levels.

Internal Control-Integrated Framework by COSO:

COSO stands for “Commission of Sponsoring Organizations”, a private commission chartered to research and report on improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. COSO prepared a document in 1992 on the Internal Controls-Integrated Framework. Because internal control has different meanings to different parties, COSO tries to establish a common definition and standard that can serve such parties. Under COSO’s report (quoted from the July 1994 Edition of COSO Internal Controls-Integrated Framework, “COSO Report”), “Internal Control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations”
Internal control is:
  • Geared to the achievement of objectives in one or more categories: operations, reporting, and compliance
  • A process consisting of ongoing tasks and activities: a means to an end, not an end in itself
  • Effected by people: not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
  • Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and board of directors
  • Adaptable to the entity structure: flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process
An effective internal control system helps an organization to:
  • Promote orderly, economical, efficient and effective operations and use of the Organization’s resources.
  • Deliver programs and services consistent with the Organization’s mission.
  • Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud.
  • Promote adherence to statutes, regulations, policies and procedures, and ethical values.
  • Identify risks and develop effective strategies and procedures to control or manage them.
This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across software companies in India that operate in different entity structures, industries, and geographic regions.

COSO stated that internal control consists of five interrelated components which are derived from the way management runs a business and are integrated with the management process. They apply to entities of all sizes, although smaller organizations are likely to implement them in a more informal manner. The components are:
  • Control Environment: This sets the tone for the organization, providing the foundation for all other components of internal control. It includes integrity, ethical values and the competence of the people.
  • Risk Assessment: This is the identification and analysis of relevant risks, internal and external, to the achievement of the objectives, forming a basis for determining how the risks should be managed.
  • Control Activities: These help ensure that the necessary actions are taken to address risks relating to the achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions.
  • Information and Communication: Internal and external information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also must occur in a broader sense, flowing down, across and up the organization.
  • Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
COSO states that:
“There is synergy and linkage among these components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity’s operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity’s infrastructure and are a part of the essence of the enterprise. “Built in” controls support quality and empowerment initiatives, avoid unnecessary costs and enable quick response to changing conditions.”

Relationship of Objectives and Components:
A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and the organizational structure of the entity (the operating units, legal entities, and other). The relationship can be depicted in the form of a cube.
  • The three categories of objectives (operations, reporting, and compliance) are represented by the columns.
  • The five components are represented by the rows.
  • An entity’s organizational structure is represented by the third dimension.
Internal Governance for Internal Control Framework:
To ensure effective, systematic and coordinated implementation of the internal control framework, a Steering Committee has been established by software companies in India. The Committee consists of the Assistant Directors-General (ADGs) specifically of GMG, Director of Compliance, Risks and Ethics (CRE), Director of GSC, Directors of Administration and Finance (DAFs), and the Director of Finance. On an “as required” basis, the following directors will provide subject matter expertise in their functional areas: Directors of Human Resources (HR), Planning, Resource Coordination and Performance Monitoring (PRP), and Information Technology and Telecommunication (ITT). The Director of Internal Oversight Services Office (IOS) will serve as an observer and resource for information regarding internal oversight.
The responsibilities of this Committee include: 
  • Overseeing the effective implementation of the internal control framework, including ensuring the effective implementation of the five components and the associated principles.
  • Overseeing that policies, procedures and tools are developed, communicated and deployed to effectively implement the internal control framework.
  • Recommending to the Director-General and senior management committee (GPG) priorities and objectives for effective and efficient implementation of the internal control policies and procedures.
  • Communicating to the Director-General and senior management committee the emergence of opportunities, risks, control weaknesses and correcting measures.
  • Ensuring that the direction of the senior management, the recommendations from auditors and other reviewers are followed in an effective and efficient manner.
Limitation of Internal Control – Concept of Reasonable Assurance:
The Framework recognizes that while internal control provides reasonable assurance of achieving the entity’s objectives, limitations do exist. Internal control cannot prevent bad judgment or decisions, or external events that can cause an organization to fail to achieve its operational goals. For example, human mistakes, judgment errors, undetected acts of collusion to circumvent control, and events beyond the Organization’s control can affect meeting the Organization’s objectives.
These limitations preclude the board and management from having absolute assurance of the achievement of the entity’s objectives—that is, internal control provides reasonable but not absolute assurance. Notwithstanding these inherent limitations, management should be aware of them when selecting, developing, and deploying controls that minimize, to the extent possible, these types of limitations.
