Saturday 10 October 2020

FAFP 2016 - Slides

 Thank you, folks

CA VIKRAM SHANKAR MATHUR

My Paper for FAFP Course [INTERNAL CONTROLS TO PREVENT FRAUDS (SOD, DOA, ETC)]

Name: CA Vikram S. Mathur

Course: Forensic Accounting and Fraud Prevention (48th Batch – Ahmedabad)

Last Date of Submission: 15th (was 7th)  March 2016

 

TITLE: INTERNAL CONTROLS TO PREVENT FRAUDS (SOD, DOA, ETC)

 

INTRODUCTION

 

In accounting and auditing, internal control is the course of action an organization undertakes to attain its objectives in a way that makes its operations effective and efficient, leads to accurate and precise reporting of financial performance, and complies with all the laws, regulations and other statutory requirements applicable to that organization.

It is quite certain that internal controls are implemented with the primary goal of mitigating the risks to the organization.

 

The concept of Internal Controls goes back to ancient times, as far back as the Hellenistic Egypt era, when it was common practice to find a twin system of administration, with one set of government officials charged with collecting taxes and another with supervising them. As an illustration, it is notable that even in a country like China, one of the five branches of the government is an investigative agency that is used to monitor the other branches.

 

One of the industry-wide standards for internal control has been laid out by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which specifies that there should be a ‘Model for evaluating internal controls’ formulated keeping a ‘Generally accepted framework for internal control’ in mind. This can therefore be considered a ‘Definitive standard against which organizations measure effectiveness of internal control’.

 

The question that the aforesaid statement raises is how the standard laid down by COSO defines Internal Control. According to Wikipedia, and I quote “A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories: (A) Effectiveness and efficiency of operations (B) Reliability of financial reporting, and (C) Compliance with applicable laws and regulations.” Unquote.

 

Thus, it appears that there are broadly five components that govern the applicability, effectiveness and efficiency of internal controls in any given organization, which are:

 

(1)   CONTROL ENVIRONMENT

(2)   RISK ASSESSMENT

(3)   CONTROL ACTIVITIES

(4)   INFORMATION AND COMMUNICATION, and

(5)   MONITORING. (Ref Slide 2)

 

This paper attempts to apply the aforesaid concepts into an existing accounting process in any organization, corporate or non-corporate, which can be stipulated as per the following paragraph.

 

There are principally three components of the basic accounting process, which can be broadly categorized as being inclusive of:

 

(1)   Collecting of raw data: The raw data in any organization can be classified as follows (this list is not exhaustive and can include other documents pertaining to the process): (a) Receipts, (b) Cheque Butts or Cheque Counterfoils, (c) Invoices or Bills, including Delivery Challan-cum-Invoice(s), (d) Memos, which can include Credit Memos, Debit Memos, Memorandum Notes, etc., and (e) Statements of Account, like Journal Vouchers, Cash Payment/Receipt Vouchers, Third Party Ledger Accounts etc.

 

(2)   Recording of Raw Data: The raw data collected in step 1 above will subsequently need to be recorded in the books of account, which may include, amongst others, (a) Cash Receipts Journal / Register, (b) Cash Payments Journal / Register, (c) Sales Journal / Register, (d) Purchase Journal / Register and (e) General Journal / Journal Register.

 

(3)   Reporting of results: The third and possibly the final step of the entire accounting process is reporting to the relevant authorities / management in terms of the financial reports required by them for decision making and for statutory compliance with the various rules, regulations and other laws of the land. These may include (a) the Income Statement or Profit & Loss Account / Income & Expenditure Account, (b) the Balance Sheet / Statement of Affairs at the close of the year and (c) the Cash Flow Statement, which summarizes the inflow and outflow of funds during the entire year or period covered by the process of accounting for that organization.

 

The organization's resources, be they physical resources like manpower, machinery or material etc., or intangible resources such as Intellectual Property Rights (trademarks, patents etc.) or even reputation, are sought to be optimally used by way of measurement, direction or monitoring. In fact, the stronger the internal controls in an organization, the lesser the chance of a fraud being committed therein. (Ref Slide 3)

 

At this point, a brief discussion about how the internal control structure may be defined in any organization would be in order:

 

 

Essentially, the objective of an internal control structure would be to provide a control environment which covers four very basic aspects, namely (a) Management philosophy, modeling & operating style, (b) Effective hiring policies and procedures, (c) A clear organizational structure which is unambiguous and lucidly understood from top to bottom, and finally, (d) Effective Internal Audit, which we shall take up in a later section.

 

The goal of any internal control structure is quite obviously the accounting system that it is implemented to control, where it would normally ensure that (a) only valid transactions are being undertaken, (b) these transactions are properly authorized, (c) the transactions are complete, (d) proper classification of the transactions is being ensured, (e) the timing of the transactions is proper and in line with the rules and regulations of the organization, (f) the valuation of the transactions is proper and is duly supported by whatever evidence is possible, looking to the nature of the transaction, and finally (g) transactions are being correctly summarized in order to produce meaningful summaries that support whatever decisions management may need to take from time to time.

 

The organization would then need to implement control activities and procedures that ensure that the objectives and goals are met by ensuring that (a) proper Segregation of Duties (SOD) is being done, (b) there is adequate Delegation of Authority (DOA) being practiced amongst the various levels of the hierarchy of the management and other staff of the organization, (c) adequate documents and records are being maintained across the board within the organization, (d) there is sufficient physical control over the assets and records owned by the organization and finally (e) there are competent and sufficient independent checks on the performance of the organization as reflected by its financial performance. (Ref Slide 4)

 

Segregation of Duties (SOD) is a very crucial component of internal control within the organization because it is necessary to prevent any one person from completing all the steps required in any specific critical or sensitive process. This would have the benefit of preventing frauds, errors and thefts and would be possible if the accounting within the organization is designed to intrinsically ensure duties are separated efficiently. Information Technology (IT) would also need this kind of protection while designing any software or process within the organization, because if there is an excellent system of SOD in place, the IT processes can be planned smoothly and without any hitch. However, as a rider, the management would be well advised to be careful of the concept of the “all-powerful administrator”, whether it be a Database Administrator (DBA) or the generic “Administrator” that exists in any operating system, such as in the Windows Operating System. (Ref Slide 5)

 

Delegation of Authority (DOA) is another very critical component of establishing an internal control structure within the organization because it implies that the division of authorities and powers should logically flow downwards from the senior management to the middle level and lower level management and even to the supervisory categories of other staff / subordinates. Let us also understand what the word “authority” implies. When a person has been empowered and given the right to use and allocate the resources that come with the responsibilities in an efficient manner, in such a way that the proper decisions can be taken and the necessary orders are passed to achieve the objectives and goals envisioned by the organization as a whole, it can be said that the said person is “authorized”. It is of course very much implied that the person so authorized has a duty to complete the task assigned to him in such a way that has been envisaged by the organization. Implicitly, the person is bound to give whatever explanations are required where there are variations from the budgets or expectations attached to that authority being so delegated, as they are held accountable towards the final responsibility that rests on the top management. (Ref Slide 6)

 

Adequate documents and records, such as any questionnaires filled in by the employee that are typically or specifically standardized by the organization, must be properly maintained. In addition, wherever the need arises, there ought to be written narratives that adequately describe the actions taken by that employee, so that they can be produced if and when required by the top management. In some cases, there would also be a requirement for well-written memos that describe briefly and succinctly the flow of the transactions, by the best means possible under the circumstances. Flowcharts and Systems Flowcharts are often required to be maintained, especially where the organization is required to maintain them for a variety of purposes, like planning the inventory cycle etc., under the International Standards Organization (ISO). In certain organizations, especially where manufacturing or processing facilities are a part of the factory premises, walk-through documents that describe or give a virtual tour of such facilities have often been found useful by the many users, customers, financiers and suppliers of the organization. In certain more complex scenarios, the auditors, whether internal or external, are requested by the top management to trace one or two transactions through the entire cycle of the organization, which may be the manufacturing cycle, working capital cycle or even the sales receivables cycle particular to that organization. (Ref Slide 7)

 

Physical control over assets and records is another fairly important component of the internal control structure of any given organization. It implies, for example, that a manufacturing facility housing a number of inventory items that are highly inflammable or highly poisonous in nature should have physical precautions in place, such as the installation of fire safety equipment, an in-house first aid medical team on standby at all times etc. Information Technology equipment, like computers, servers and laptops of the top management, would also be required to be a part of the internal control structure because the programs and data of the organization contained therein, for example in the case of a banking organization having Core Banking Solutions (CBS), would form a very critical and crucial part of the organization. (Ref Slide 7)

 

 Physical controls which would generally be governed by the four ‘R’s namely (a) Response, (b) Reliability, (c) Repairability, and (d) Resolution assume very important and often quite critical roles within the organization. The definition “Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.” says a lot about the importance of the need for physical control of the IT resources.

 

Access Control, in relation to any computing environment is the security technique that has been adopted by the organization to regulate who or what can view or use the resources owned by them. In many organizations where conferences and seminars are arranged for a large body of individuals, there is a need for people to access information, like documents, presentations etc, on a network drive, especially when they come from out of state/country locations, and most frequently they are not able to access those resources at the most inconvenient of times. In such cases, there would be a large crowd of people seeking the help of system administrator(s) to enable their access to those folders or locations by granting them access privileges of the appropriate level. Much of the time and effort of the organizational committees is spent in making such people understand why complete and unrestricted access to those resources cannot be given to them.

 

Backup & Recovery procedures. In many organizations, especially in the service sector, it has been found that, for any number of reasons, very little or, worse, no attention is being given to the backup and recovery procedures for the data that may reside on the server or on the individual hard disks of the various staff deployed to complete the jobs assigned to them. It is noteworthy that a backup can be full, differential or incremental, any of which may be employed by the organization as a strategy to cope with recovery in case of loss of data or information. (Ref Slide 8)

 

The last and final step in the internal control system to maintain the level of internal control within the organization is that independent checks on performance be carried out periodically by suitably qualified staff or personnel. Generally, this would be envisaged as being done by the internal audit or supervisory staff employed by the organization. That the checks should be independent is essential to the accuracy of the transactions being performed, as this is a very significant component of internal control. Monitoring is the fifth element of the COSO Internal Control model discussed earlier. The key methods that can be employed by an organization to monitor performance include (a) Effective supervision, (b) Responsibility accounting and (c) Internal auditing. (Ref Slide 9)

 

The importance of internal auditing cannot be overstated here, primarily because internal audit has since time immemorial been considered a very effective internal control, acting as an independent check over the performance of any section or staff of an organization. That the management can benefit immensely from its effective and efficient role in monitoring performance across the various cadres of supervisory and other personnel must not be understressed at this point. It should be the endeavor of the management to ensure that the internal audit function does not become a part of the operational controls, as the checks that would then have to be performed on an ongoing basis would defeat the independent, additional and separate checks which internal audit conducts as a part of the audit and review of the lower management and other staff in carrying out their roles properly. (Ref Slide 10)

 

It is clear from the aforesaid discussion that the effectiveness of internal control systems within an organization would definitely depend upon the emphasis that the management pays to monitoring of performances. Monitoring should, therefore be done in such a way that it ensures that the internal controls are operating in the way that they have been intended by them, to bring out their efficiency and effectiveness. Secondly, since most systems are constantly evolving with the efflux of time and changing technology, there have to be continuous and rigorous efforts to assure that they are not becoming obsolete, redundant or outdated with reference to the performance. Lastly, the organization’s top management would need to monitor during the course of daily operations, the performance and accountability of the duties of the regular management, other staff and supervisory activities of the organization. (Ref Slide 11)

 

THE INTERNATIONAL SCENARIO

 

Insofar as the international scenario is concerned, the Control Objectives for Information and Related Technology (COBIT) version 5 risk scenarios discuss the eventualities that the organization faces in terms of the risks and probabilities involved in a loss event occurring within the organization. It is well understood that a loss event is triggered by a threat event, the frequency of which is in turn influenced by the vulnerabilities faced, which are usually due to the state of that particular organization; the impact can be increased or decreased by vulnerability events such as control strength or by the threat strength. (Ref Slide 12)

 

The Sarbanes-Oxley Act (SOA) of 1972 and the Foreign Corrupt Practices Act (FCPA) of 1977 both envisage the effective implementation of internal controls as the key concept for curbing process variations, leading to more predictable outcomes and significantly reducing corrupt practices within an organization, especially in United States public corporations. By corollary, the same principles would also be applicable to Indian companies and public corporations. Section 302 of the act

The salient sections that are most applicable to the subject of Internal Control are Section 302, which deals with control activities and requires CEO & CFO to make disclosure certifications mandatorily, Section 404 which deals with Management Assessment of internal controls with specific emphasis on financial reporting and Section 409 which deals with the risk assessment and control environment. The figure above brings this out very clearly. (Ref Slide 13)

 

Which again brings us back to the COSO Model discussed in the beginning, except that this time, we concentrate more on the movement from the ICIF model to the ERM model. According to the site (https://na.theiia.org/standards-guidance/topics/Documents/Executive_Summary.pdf) it would be pertinent to quote that document as follows:

 

“Internal control helps entities achieve important objectives and sustain and improve performance. COSO’s Internal Control—Integrated Framework (Framework) enables organizations to effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organization.

 

Designing and implementing an effective system of internal control can be challenging; operating that system effectively and efficiently every day can be daunting. New and rapidly changing business models, greater use and dependence on technology, increasing regulatory requirements and scrutiny, globalization, and other challenges demand any system of internal control to be agile in adapting to changes in business, operating and regulatory environments.

 

An effective system of internal control demands more than rigorous adherence to policies and procedures: it requires the use of judgment. Management and boards of directors use judgment to determine how much control is enough. Management and other personnel use judgment every day to select, develop, and deploy controls across the entity. Management and internal auditors, among other personnel, apply judgment as they monitor and assess the effectiveness of the system of internal control. The Framework assists management, boards of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control without being overly prescriptive. It does so by providing both understanding of what constitutes a system of internal control and insight into when internal control is being applied effectively.” (Ref Slide 14)

 

While operational controls are the main focus of internal controls in any business entity, application controls are important for processing of transactions in an accurate and error-free manner. In the same way, Internal Control goals at the organizational level deal with the authenticity of the financial reporting, compliance with the laws, rules and regulations and timely feedback on the attainment of strategic or operational objectives. The Control Self Assessment (CSA) was formally developed by the Institute of Internal Auditors (IIA) to identify business processes and develop processes and controls to effectively and efficiently address risks associated with those business processes (Tritter and Campbell 1996). CSA is easily adapted to business units, divisions, or functions, and encourages process owners to take responsibility for the achievement of business objectives.

 

In the current scenario, Information Technology (IT) is what drives the accounting and, in some cases, the audit process of a particular entity, so the accuracy of the financial reporting is extremely dependent on the reliability of its accounting systems and procedures. By and large, most modern companies and other organizations have computerized accounting or have even implemented enterprise resource planning (ERP) software, customized or ready-made.

 

As PCAOB Auditing Standard 2 states:

 

"The nature and characteristics of a company’s use of information technology in its information system affect the company’s internal control over financial reporting."

 

 (Ref Slide 15)

 

From the above, we understand that the control environment envisages five basic things: (a) demonstrating a commitment to integrity and ethical values, (b) exercising overall responsibilities, (c) establishing structure, authority and responsibilities, (d) demonstrating a commitment to competence, and (e) enforcing accountability. Risk assessment procedure envisages (a) specifying suitable objectives, (b) identifying and analyzing risk, (c) assessing the risk of frauds, and (d) identifying and analyzing significant changes. Control procedure envisages (a) selecting and developing control activities, (b) selecting and developing general controls over technology, and (c) deploying through policies and procedures. Information System and Communication envisages (a) using relevant quality information, (b) communicating internally, and (c) communicating externally. Lastly, Monitoring of Control envisages (a) conducting ongoing and/or separate evaluations, and (b) evaluating and communicating deficiencies. (Ref Slide 16)

 

 

 

 

In the light of the above discussion and on the basis of the various laws that are in place internationally and in the domestic corporate and non-corporate enterprises as well, we can say that an effective system of internal controls in any of these entities would require the following activities to be conducted on a regular basis, be it on a yearly, quarterly, monthly, weekly or daily basis, as per the weakness of the internal controls existing in those organizations.

 

CONCLUSIONS

 

Thus, from the aforesaid discussion, we may conclude that in order to fortify the internal controls in the organization and make them strong, the following should form the agenda for the management.

 

(A) Understand the keys / indexes to Fraud Prevention

(B)  Assess the Industry-wise Vulnerability to Fraud

(C)  Recognize the motives of the fraud perpetrators

(D) Take necessary steps to make the internal controls in the organization more effective. (Ref Slide 17)

 

First and foremost, let us understand that there are certain keys or indexes to Fraud Prevention. Principally, the management of every affected organization has to understand and evaluate each of the following types of information:

 

(a)   Maintaining logs of access to both systems and applications

(b)   Creating physical access logs

(c)   Availability of transactional records and audit trails

(d)   Generation of data which can be used to discover trends within

(e)   Use of Analytical and monitoring tools

(f)    Use of Mobile records and CCTV footage

(g)   Watch over behavioral and cultural patterns

(h)   Use of Interview Techniques, wherever applicable

(i)     Enabling Forensic Data and Tools for data extraction.

 

Basically data can consist of the following (a) Relational databases, (b) XML data, (c) Meta Data, (d) Big Data-Images, videos and (e) Case studies. In order to understand and assimilate the above, one would of course, have to depend on past experiences and learning, which again may be of the employee themselves or other organizational ones. Finally, the use of such information has to be known in terms of where and in what context. (Ref Slide 18)

 

It would be pertinent to note that the ACFE Report to the Nations on Organization Fraud-2014 has shown that the maximum number of vulnerabilities to fraud have been in the Banking and Financials sector, to the tune of 244, or 17.8% of the total cases, though the median loss in terms of USD was only $ 200,000/-. On the other hand, the maximum median loss in terms of USD was $ 900,000 in the Mining sector, even though the number of vulnerabilities in that case was only 13, or 1% of the total. This gives a lot of credence to the 80%-20% Pareto principle, which is clearly brought out in this report. (Ref Slide 19)

 

In the Indian scenario, it is noteworthy that Mumbai is the commercial capital of India and, according to a recent special report by DNA Investigations Bureau, it is also number one for banking frauds in the country. As per the report, the total number of banking frauds reported in Mumbai every year is more than those of Delhi, Chennai, Kolkata and Bangalore taken together. (Ref Slide 20)

 

According to the Global Economic Crime Survey, 2014; Key highlights from the US conducted by PricewaterhouseCoopers LLC, USA, the most commonly reported economic crimes are in the financial services, retail services and consumer, and communications sectors, in which nearly 50% of the respondents mentioned they had been crime victims. (Ref Slide 21)

 

Let us now understand what motivates the perpetrator of fraud to break the internal controls system that would usually faze any person in the organization not having a mala fide intention. Not surprisingly, greed occupies the highest spot, followed by pressure due to profit and budget targets. In terms of age, it has been observed that 41% (36-45 years) and 35% (46-56 years) are the two highest age ranges to which the fraudster might belong. Gender-wise, only about 13% of fraudsters were female; the balance 87% were obviously male. Frequency-wise, it was found that 96% of the perpetrators defraud their victims repeatedly. What is noticeable in these trends, however, is that in as many as 56% of the cases the red flags had been completely ignored, where timely intervention could have prevented the fraud at its root. Department-wise, Finance would account for 32% of the total, while in 26% of the cases frauds may be committed by the CEO and in 25% by the Operational / Sales staff. In terms of management levels, 35% would be found to belong to senior management, 29% to middle management and the balance equally divided between operational staff (18%) and the Board of Directors (18%). (Ref Slide 22)

 

It is quite obvious that some stringent and perpetuating measures need to be taken by each and every industry in making their own respective organizations effective, especially with specific focus on the clarity of roles to each employee, the proper selection of team members, conducting regular meetings, secure data processing, proper training and good team spirit. (Ref Slide 23)

 

A special mention is required here of the importance of making delegation more effective, because it is felt that in the Indian scenario, this is one area that has been lacking, with vast scope for improvement. The most important link is the unity of command, meaning that a particular employee reports to only one supervisor. The scalar chain, referring to the number of layers ranging from top to bottom in the hierarchy within the organization, is the second most important link. Thirdly, there are the principle of authority and responsibility, the principle of delegation by results expected, and so on and so forth. (Ref Slide 24)

 

In the corporate sector, the concept of Corporate Governance Activities is and should be well followed and adopted readily by top management. The most effective way of carrying this out may be by looking first at the structure of the organization, keeping in mind the competency in the management framework. The HR Department must review the job description of each of the personnel and check that the tasks and responsibilities are balanced evenly. A review of the Segregation of Duties (SOD) and Delegation of Authority (DOA) must be done periodically. The Matrix of authorities must also be reviewed with equal attention. Finally, there should be a very clear mechanism to monitor conflict of interest. (Ref Slide 25)

Organizations should, as a normal course of having the internal audit conducted, ensure that the internal audit team covers the entire gamut of Fraud Risk Profiling, which would take care of the two critical aspects of their assessment of the organization’s goals: having a good control environment and establishing proper control procedures. Insofar as the organization of people, like the staff, middle management etc., is concerned, it should be checked that matters like delegation and reporting to the required authorities are being done in the desired manner. Segregation of duties should be done in such a manner that the work of one person is independent of another, especially during times when the employee or the supervisor is on leave for one reason or another, which is to say that the supervisor should hand over charge of the department to someone with the knowledge of the management. This becomes critical especially as the management has to ensure that there is not a single person who can authorize, execute and record a transaction in its entirety. The HR Department should, during the course of recruitment and training, ensure that the capabilities of the employee concerned are matched with the functions that he/she has been asked to perform. Senior staff in supervisory roles should also be asked to maintain control over the day-to-day running of the activities they oversee. Management, on its part, has to ensure that at all levels they are able to resolve any problems that may arise. This can be achieved quite smoothly if the management makes it a practice to act promptly on the information they receive, is proactive and reactive at the same time, and ensures that the internal audit function within the organization gets the complete support of the top management in order to maintain its effectiveness.
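The rule stated above, that no single person should be able to authorize, execute and record a transaction in its entirety, can be checked mechanically against role assignments and the audit trail. The following is an added example, not part of the original paper; the users, roles, transaction IDs and log layout are constructed for illustration.

```python
from collections import defaultdict

# The three duties the paper says must never rest with one person.
DUTIES = frozenset({"authorize", "execute", "record"})

# Constructed sample data: which duties each (hypothetical) role grants.
ROLE_DUTIES = {
    "approver": {"authorize"},
    "cashier": {"execute"},
    "bookkeeper": {"record"},
    # The "all-powerful administrator" case the paper warns about.
    "db_admin": {"authorize", "execute", "record"},
}

# Constructed sample data: roles currently assigned to each user.
USER_ROLES = {
    "asha": {"approver"},
    "binod": {"cashier", "bookkeeper"},
    # Picked up extra roles while covering for colleagues on leave.
    "chitra": {"approver", "cashier", "bookkeeper"},
    "dba01": {"db_admin"},
}

# Constructed audit trail: (transaction id, duty performed, user).
AUDIT_TRAIL = [
    ("TX-1001", "authorize", "asha"),
    ("TX-1001", "execute", "binod"),
    ("TX-1001", "record", "binod"),
    ("TX-1002", "authorize", "chitra"),
    ("TX-1002", "execute", "chitra"),
    ("TX-1002", "record", "chitra"),
    ("TX-1003", "authorize", "dba01"),
    ("TX-1003", "execute", "binod"),
    ("TX-1003", "record", "dba01"),
    ("TX-1004", "authorize", "asha"),
    ("TX-1004", "execute", "dba01"),
]


def entitlement_conflicts(user_roles, role_duties, duties=DUTIES):
    """Users whose combined roles would let them perform every duty alone."""
    flagged = []
    for user, roles in user_roles.items():
        held = set()
        for role in roles:
            held |= role_duties.get(role, set())
        if duties <= held:
            flagged.append(user)
    return sorted(flagged)


def _steps_by_transaction(audit_trail):
    """Group the trail as {transaction id: {duty: set of users}}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for tx_id, duty, user in audit_trail:
        grouped[tx_id][duty].add(user)
    return grouped


def transaction_conflicts(audit_trail, duties=DUTIES):
    """Transactions where one user actually performed every duty."""
    conflicts = {}
    for tx_id, steps in _steps_by_transaction(audit_trail).items():
        if not duties <= set(steps):
            continue  # incomplete transactions are reported separately
        same_person = set.intersection(*(steps[d] for d in duties))
        if same_person:
            conflicts[tx_id] = sorted(same_person)
    return conflicts


def incomplete_transactions(audit_trail, duties=DUTIES):
    """Transactions missing one or more duties in the audit trail."""
    missing = {}
    for tx_id, steps in _steps_by_transaction(audit_trail).items():
        gap = duties - set(steps)
        if gap:
            missing[tx_id] = sorted(gap)
    return missing


if __name__ == "__main__":
    print("Can do everything alone:", entitlement_conflicts(USER_ROLES, ROLE_DUTIES))
    print("Did everything alone:   ", transaction_conflicts(AUDIT_TRAIL))
    print("Missing steps:          ", incomplete_transactions(AUDIT_TRAIL))
```

The entitlement check shows who could bypass the segregation, while the audit-trail check shows where it was actually bypassed; a periodic SOD review needs both views.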

 

Control procedures can be divided into three basic segments, which may be in the following domains, (a) Physical, which would essentially cover security of the assets, control over the access to assets, conducting regular stock checks and maintaining the registers. (b) Authorization, which would principally deal with which employee can do what and generally following the hierarchical structure of signatories, as desired by the management. Finally (c) Checking procedures, which would enable the arithmetical accuracy of the records, ensure that all totals are checked, control accounts are maintained and reconciled regularly and finally, the trial balance of the organization is prepared as accurately as possible. (Ref Slide 26)

 

The question then arises: while the corporate giants have access to immense resources and facilities, and can therefore have expensive hardware and software at their disposal as and when required, how should the small and medium-sized organizations decide on the most optimal time for adopting either a ready-made Enterprise Resource Planning (ERP) system, or having one developed in case there are some or many specific requirements that are not being met by the ready-made ones? The importance of the ERP system in the organization need not be stressed, except to say that the software allows integration of the various business processes in such a way that the functions across the enterprise can be optimized without any great effort on the part of the management, who can then concentrate on more and achieve greater success. (Ref Slide 27)

 

There would still be plenty of recommendations that the auditor of the organization should be making to better organize internal controls. They would expect the management to follow the proper steps in ensuring the same, beginning with having the description of all the business processes of that organization on their permanent files. The risks that the organization may face at any given point of time in conducting its activities need to be identified. For example, in a paint manufacturing company, the sufficiency of the fire risk cover must be examined. The selection of the internal control procedure to be followed by the organization needs to be made, with proper descriptions of the same being recorded. Documentation of the order of the organization and implementation of internal controls at all levels of management are also very necessary. There ought to be sufficient and timely notification given to personnel about the risks related to their area of responsibility and about control procedures. For example, the cashier of the company should know the cash handling risk cover taken by the organization and ensure that there is never more cash at the premises than the level specified therein. Finally, the annual assessment of the entire internal control system should be taken up at the proper level of management, as decided by the senior management. (Ref Slide 28)

 

In the end, we have to admit that it is the “Tone at the top” that affects the system of internal control within the organization, and if the management fails on any count, whether it be the monitoring and audit processes or the information and communication that it receives in connection with the five levels of control activities under their command, the effect trickling down to the lowest levels would definitely have an impact on the fundamentals and principles of the code of conduct followed by its management and staff alike. (Ref Slide 29)

 

To make our conclusion more effective, let us have a look at the global scenario of the conduciveness towards conduct of business that is very well brought out by the Kearney Global Services Location Index™ conducted in 2016. From the chart contained in Slide 30, it is quite obvious that India has the highest index (3.22) insofar as financial attractiveness is concerned and, not surprisingly, USA has the lowest index (0.52). China (2.71) and India (2.55) are the two highest rated for the availability of people and their skills, while Costa Rica (0.90) is the lowest, followed by Bulgaria (0.94). Insofar as the business environment is concerned, Poland (1.90) and Malaysia (1.89) are the two highest ranked, while Egypt (0.94) and Sri Lanka (1.14) are the two lowest ranked. India here scores a lowly 1.19, just marginally ahead of Sri Lanka. (Ref Slide 30)

 

Thus, we can safely conclude that in order to improve the business environment within the country, which is what is pulling our country down to the lowly third last in these rankings, a lot needs to be done by all the organizations across the length and breadth of India, and herein comes the importance of strengthening the internal controls of these organizations.

 

*_*_*_*_*_*_*_*_*_*

 

 

 

