Thank you, folks
CA VIKRAM SHANKAR MATHUR
Name: CA Vikram S. Mathur
Course: Forensic Accounting and Fraud
Prevention (48th Batch – Ahmedabad)
Last Date of Submission: 15th
(was 7th) March 2016
TITLE: INTERNAL CONTROLS TO PREVENT FRAUDS (SOD, DOA, ETC)
INTRODUCTION
Insofar as accounting and auditing are
concerned, the main role of internal controls within an entity is the course of
action undertaken by the organization to attain its objectives in such a way
that it results in effectiveness and efficiency in the operations of the
organization, leads to accurate and precise reporting of financial performance,
and complies with all the laws, regulations and other statutory requirements
applicable to that organization.
It is quite certain that internal controls
are implemented with the primary goal of mitigating the risks to the
organization.
The concept of Internal Controls goes back
to ancient times, as far back as the Hellenistic Egypt
era, wherein it was common practice to find a system of twin forms of
administration, with a set of government officials charged with collecting
taxes and another with supervising them. As an illustration, it is notable to
point out that even in a country like China, one of the five branches of the
government is an investigative agency that is used to monitor the other
branches.
One of the industry-wide standards for
internal control has been laid out by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) which specifies that there
should be a ‘Model for evaluating internal controls’ which should be formulated
keeping ‘Generally accepted framework for internal control’ in mind. This can
therefore be considered as a ‘Definitive standard against which organizations
measure effectiveness of internal control’.
The question that the aforesaid statement raises
is the definition of Internal Control as it appears in the standard laid down by
COSO. According to Wikipedia, and I quote: “A process, effected by an
entity’s board of directors, management and other personnel, designed to
provide reasonable assurance of the achievement of objectives in the following
categories: (A) Effectiveness and efficiency of operations (B) Reliability of
financial reporting, and (C) Compliance with applicable laws and regulations.”
Unquote.
Thus, it appears that there are broadly
five components that govern the applicability, effectiveness and efficiency of
internal controls in any given organization, which are:
(1) CONTROL ENVIRONMENT
(2) RISK ASSESSMENT
(3) CONTROL ACTIVITIES
(4) INFORMATION AND COMMUNICATION, and
(5) MONITORING. (Ref Slide 2)
This paper attempts to apply the aforesaid
concepts into an existing accounting process in any organization, corporate or
non-corporate, which can be stipulated as per the following paragraph.
There are principally three components of
the basic accounting process, which can be broadly categorized as being
inclusive of:
(1) Collecting of raw data: The raw data in any organization can be classified as, and this is
just a list that can include other documents pertaining to the process, such as
(a) Receipts, (b) Cheque Butts or Cheque Counterfoils, (c) Invoices or Bills,
including Delivery Challan-cum-Invoice(s), (d) Memos, which can include Credit
Memos, Debit Memos, Memorandum Notes, etc., and (e) Statement of Accounts, like
Journal Vouchers, Cash Payment/Receipt Vouchers, Third Party Ledger Accounts
etc.
(2) Recording of Raw Data: The raw data that is collected in step 1 above will subsequently
need to be recorded onto the books of account, which may include amongst others
(a) Cash Receipts Journal / Register, (b) Cash Payments Journal / Register, (c)
Sales Journal / Register, (d) Purchase Journal / Register and (e) General
Journal / Journal Register.
(3) Reporting of results: The third and possibly the final step of the entire accounting
process is the reporting to the relevant authorities / management in terms of
the financial reports required by them for decision making and statutory
compliance with the various rules, regulations and other laws of the land,
which may include the following (a) Income Statement or the Profit & Loss
Account / Income & Expenditure Account, (b) Balance Sheet / Statement of
Affairs at Close of the year and (c) Cash Flow Statement, which summarizes the
inflow and outflow of the funds during the entire year or period that is covered
by the process of accounting for that organization.
The organization’s resources, be they physical
resources like manpower, machinery or material etc., or even the intangible
resources such as Intellectual Property Rights like trademarks, patents etc.
or even reputation, are sought to be optimally used by way of measurement,
direction or monitoring. In fact, the stronger the internal controls in an
organization, the lesser the chance of a fraud being committed
therein. (Ref Slide 3)
At this point, a brief discussion about how
the internal control structure may be defined in any organization would be in
order:
Essentially, the objective of an internal
control structure would be to provide a control environment which covers
four very basic aspects, namely (a) Management philosophy, modeling &
operating style, (b) Effective Hiring policies and procedures, (c) Clear
Organizational structure which is unambiguous and lucidly understood from top
to bottom, and finally, (d) Effective Internal Audit, which we shall be taking
up subsequently in a later section.
The goal of any internal control structure
is quite obviously the accounting system that it is implemented to control,
where it would normally ensure that (a) valid transactions are being undertaken, (b)
these transactions are properly authorized, (c) the transactions are complete,
(d) proper classification of the transactions is being ensured, (e) timing of
the transactions is proper and in line with the rules and regulations of the
organization, (f) valuation of the transactions is proper and is duly supported
by whatever evidence is possible, looking to the nature of the
transaction, and finally (g) transactions are being correctly summarized in
order to produce information that is meaningful and supportive of whatever
decisions management may need to take from time to time.
The organization then would need to
implement control activities and procedures that ensure that the objectives and
goals are met by ensuring (a) proper Segregation of Duties (SOD) is being done,
(b) there is adequate Delegation of Authority (DOA) which is being practiced
amongst the various levels or the hierarchy of the management and other staff
of the organization, (c) Adequate documents and records are being maintained
across the board within the organization, (d) there is sufficient physical
control over the assets and records owned by the organization and finally (e)
there are competent and sufficient independent checks on the performance of the
organization that is reflected by their financial performance. (Ref Slide 4)
Segregation of Duties (SOD) is a very crucial component of internal control within the
organization because it is necessary to ensure prevention of any one person
from completing all the steps required in any specific critical or sensitive
process. This would have the benefit of preventing frauds, errors and thefts
and would be possible if the accounting within the organization is designed to
intrinsically ensure duties are separated efficiently. Information Technology (IT)
would also need this kind of protection while designing any software or process
within the organization, because if there is an excellent system of SOD in
place, the IT processes can be planned smoothly and without any hitch. However,
as a rider, the management would be well advised to be careful of the concept
of the “all-powerful administrator” whether it be a Database Administrator
(DBA) or the generic “Administrator” that exists in any operating system, such
as in the Windows Operating System. (Ref Slide 5)
Delegation of Authority (DOA) is another very critical component of establishing an internal
control structure within the organization because it implies that the division
of authorities and powers should logically flow downwards from the senior management
to the middle level and lower level management and even to the supervisory
categories of other staff / subordinates. Let us also understand what the word
“authority” implies. When a person has been empowered and given the right to
use and allocate the resources that come with the responsibilities in an
efficient manner, in such a way that the proper decisions can be taken and the
necessary orders are passed to achieve the objectives and goals envisioned by
the organization as a whole, it can be said that the said person is
“authorized”. It is of course very much implied that the person so authorized
has a duty to complete the task assigned to him in such a way that has been
envisaged by the organization. Implicitly, the person is bound to give whatever
explanations are required where there are variations from the budgets or
expectations attached to that authority being so delegated, as they are held
accountable towards the final responsibility that rests on the top management.
(Ref Slide 6)
Adequate Documents and records, in terms of the questionnaires filled in by the employee, if
any, which are typically or specifically standardized by the organization, should be
properly maintained. In addition, wherever the need arises, there ought to be
written narratives that adequately describe the actions taken by that employee,
so that they can be produced if and when required by the top management. In
some cases, there would also be the requirement of well-written memos being
created which describe briefly and succinctly the flow of the transactions, by
the best means possible under the circumstances. Flowcharts and Systems
Flowcharts are often required to be maintained, especially where the
organization is required to maintain them for a variety of purposes, like
planning the inventory cycle etc., under the International Standards
Organization (ISO). In certain organizations, especially where
manufacturing or processing facilities are a part of the factory premises, a
walk-through document that describes or gives a virtual tour
of such facilities has often been found useful by the many users, customers,
financiers and suppliers of the organization. In certain more complex scenarios,
the auditors, whether internal or external, as required by the top management,
are requested to trace one or two transactions through the entire cycle of the
organization, which may be the manufacturing cycle, working capital cycle or
even the sales receivables cycle particular to that organization. (Ref Slide 7)
Physical control over assets and
records is another fairly important component
of the internal control structure of any given organization. It implies, for
example, in the case of a manufacturing facility that houses a number of
inventory items that are highly inflammable in nature or even highly poisonous
in nature to have some physical precautions in place, for example, the
installation of fire safety equipment, in-house first aid medical team on
standby at all times etc. Information Technology equipment, like computers,
servers and laptops of the top management, would also be required to be a part
of the internal control structure because the programs and data contained
therein, of the organization, like for example in the case of a banking
organization having Core Banking Solutions (CBS), would form a very critical
and crucial part of the organization. (Ref Slide 7)
Physical controls, which would generally be governed by the four ‘R’s, namely (a) Response, (b) Reliability, (c) Repairability, and (d) Resolution,
assume very important and often quite critical roles within the organization. The
definition “Physical security is the protection of personnel, hardware,
programs, networks, and data from physical circumstances and events that could
cause serious losses or damage to an enterprise, agency, or institution. This
includes protection from fire, natural disasters, burglary, theft, vandalism,
and terrorism.” says a lot about the importance of the need for physical
control of the IT resources.
Access Control, in relation to any computing environment is the
security technique that has been adopted by the organization to regulate who or
what can view or use the resources owned by them. In many organizations where conferences
and seminars are arranged for a large body of individuals, there is a need for
people to access information, like documents, presentations etc, on a network
drive, especially when they come from out of state/country locations, and most
frequently they are not able to access those resources at the most inconvenient
of times. In such cases, there would be a large crowd of people seeking the
help of system administrator(s) to enable their access to those folders or
locations by granting them access privileges of the appropriate level. Much of
the time and effort of the organizational committees is spent in making such
people understand why complete and unrestricted access to those resources
cannot be given to them.
Backup & Recovery procedures. In many
organizations, especially in the service sector, it has been found that due to
any number of reasons, very little or worse, no attention is being given to the
backup and recovery procedures for the data that may reside on the server or on
the individual hard disks of the various staff deployed to complete the jobs
assigned to them. It is noteworthy to understand that backup can be full,
differential or incremental backup, which may be employed by the organization
as a strategy to cope with any recovery in case of loss of data or information.
(Ref Slide 8)
The last and final
step in the internal control system to maintain the level of internal control
within the organization is that independent checks on performance
be carried out periodically by suitably qualified staff or personnel.
Generally, this would be envisaged as being done by the internal audit or
supervisory staff employed by the organization. That the checks should be
independent is essential to the accuracy of the transactions being performed,
as this is a very significant component of internal control. Monitoring is the
fifth element of the COSO Internal Control model discussed earlier. The key
methods that can be employed by an organization to monitor performance can be
inclusively enumerated as (a) Effective supervision, (b) Responsibility
accounting and (c) Internal auditing. (Ref Slide 9)
The importance of
internal auditing cannot be overstated here, primarily because internal
audit has since time immemorial been considered a very effective
internal control as an independent check over the performance of any section or
staff of an organization. That the management can benefit immensely from the
utilization of its effective and efficient role in monitoring of performance in
various cadres of supervisory and other personnel must not be under-stressed at
this point. It should be the endeavor of the management to ensure that the internal
audit function does not become a part of the operational controls, as the checks
that may thereby be required to be performed on an ongoing basis would defeat
the independent, additional and separate checks which internal audit conducts
as a part of the audit and review of the lower management and other staff in carrying
out their roles properly. (Ref Slide 10)
It is clear from the
aforesaid discussion that the effectiveness of internal control systems within
an organization would definitely depend upon the emphasis that the management
pays to monitoring of performances. Monitoring should, therefore be done
in such a way that it ensures that the internal controls are operating in the
way that they have been intended by them, to bring out their efficiency and
effectiveness. Secondly, since most systems are constantly evolving with the
efflux of time and changing technology, there have to be continuous and
rigorous efforts to assure that they are not becoming obsolete, redundant or
outdated with reference to the performance. Lastly, the organization’s top
management would need to monitor during the course of daily operations, the
performance and accountability of the duties of the regular management, other staff
and supervisory activities of the organization. (Ref Slide 11)
THE INTERNATIONAL SCENARIO
Insofar as the international scenario is
concerned, the Control Objectives for Information and Related Technology
(COBIT) version 5 Risk scenarios discuss the eventualities that the
organization faces in terms of the risks and probabilities involved in a loss
event occurring within the organization. It is quite well understood that the
initialization of this loss event is triggered by a threat event, the frequency
of which in turn is influenced by the vulnerabilities faced, which is usually
due to the state of that particular organization, which can have increased or
decreased impact by vulnerability events like controls strength or by the
threat strength. (Ref Slide 12)
The Sarbanes-Oxley Act (SOA) of 1972 and
the Foreign Corrupt Practices Act (FCPA) of 1977 both envisage the effective
implementation of internal controls as the key concept for curbing process
variations, leading to more predictable outcomes, and for significantly reducing
corrupt practices within an organization, especially in United States Public
Corporations. By corollary, the same principles would also be applicable to
Indian companies and public corporations as well. Section 302 of the act
The salient sections that are most
applicable to the subject of Internal Control are Section 302, which deals with
control activities and requires CEO & CFO to make disclosure certifications
mandatorily, Section 404 which deals with Management Assessment of internal
controls with specific emphasis on financial reporting and Section 409 which
deals with the risk assessment and control environment. The figure above brings
this out very clearly. (Ref Slide 13)
Which again brings us back to the COSO
Model discussed in the beginning, except that this time, we concentrate more on
the movement from the ICIF model to the ERM model. According to the site (https://na.theiia.org/standards-guidance/topics/Documents/Executive_Summary.pdf)
it would be pertinent to quote that document as follows:
“Internal
control helps entities achieve important objectives and sustain and improve performance.
COSO’s Internal Control—Integrated Framework (Framework) enables organizations
to effectively and efficiently develop systems of internal control that adapt
to changing business and operating environments, mitigate risks to acceptable
levels, and support sound decision making and governance of the organization.
Designing and implementing an effective system of
internal control can be challenging; operating that system effectively and
efficiently every day can be daunting. New and rapidly changing business
models, greater use and dependence on technology, increasing regulatory
requirements and scrutiny, globalization, and other challenges demand any
system of internal control to be agile in adapting to changes in business,
operating and regulatory environments.
An effective system of internal control demands more than
rigorous adherence to policies and procedures: it requires the use of judgment.
Management and boards of directors use judgment to determine how much control
is enough. Management and other personnel use judgment every day to select,
develop, and deploy controls across the entity. Management and internal
auditors, among other personnel, apply judgment as they monitor and assess the
effectiveness of the system of internal control. The Framework assists
management, boards of directors, external stakeholders, and others interacting
with the entity in their respective duties regarding internal control without
being overly prescriptive. It does so by providing both understanding of what constitutes
a system of internal control and insight into when internal control is being
applied effectively.” (Ref Slide 14)
While operational controls are the main
focus of internal controls in any business entity, application controls are
important for processing of transactions in an accurate and error-free manner.
In the same way, Internal Control goals at the organizational level deal with
the authenticity of the financial reporting, compliance with the laws, rules
and regulations and timely feedback on the attainment of strategic or
operational objectives. The Control Self Assessment (CSA) was formally
developed by the Institute of Internal Auditors (IIA) to identify business
processes and develop processes and controls to effectively and efficiently address
risks associated with those business processes (Tritter and Campbell 1996).
CSA is easily adapted to business units, divisions, or functions, and
encourages process owners to take responsibility for the achievement of
business objectives.
In the current scenario, Information
Technology (IT) is what drives the accounting and in some cases, the audit
process of that particular entity, so essentially the accuracy of the financial
reporting is extremely dependent on the reliability of their accounting systems
and procedures. By and large, most modern companies and other
organizations have computerized accounting or have even implemented
enterprise resource planning (ERP) software, customized or ready-made.
As PCAOB Auditing Standard 2 states:
"The nature and characteristics of
a company’s use of information technology in its information system affect the
company’s internal control over financial reporting."
(Ref Slide 15)
From the above, we understand that the control
environment envisages five basic things (a) demonstrating a commitment to
integrity and ethical values, (b) exercising overall responsibilities, (c)
establishing structure, authority and responsibilities, (d) demonstrating a
commitment to competence, and (e) enforcing accountability. Risk assessment
procedure envisages (a) specifying suitable objectives, (b) identifying and
analyzing risk, (c) assessing the risk of frauds, and (d) identifying and
analyzing significant changes. Control procedure envisages (a) selecting
and developing control activities, (b) selecting and developing general
controls over technology, and (c) deploying through policies and procedures. Information
System and Communication envisages (a) using relevant quality information,
(b) communicating internally, and (c) communicating externally. Lastly, Monitoring
of Control envisages (a) conducting ongoing and/or separate evaluations,
and (b) evaluating and communicating deficiencies. (Ref Slide 16)
In the light of the above discussion and on
the basis of the various laws that are in place internationally and in the
domestic corporate and non-corporate enterprises as well, we can say that an
effective system of internal controls in any of these entities would require
the following activities to be conducted on a regular basis, be it on a yearly,
quarterly, monthly, weekly or daily basis, as per the weakness of the internal
controls existing in those organizations.
CONCLUSIONS
Thus, from the aforesaid discussion, we may
conclude that in order to fortify and make the internal controls in the
organization strong, following should form the agenda for the management.
(A) Understand the keys / indexes to Fraud Prevention
(B) Assess the Industry-wise Vulnerability to Fraud
(C) Recognize the motives of the fraud perpetrators
(D) Take necessary steps to make the internal controls in the
organization more effective. (Ref Slide 17)
First and foremost, let us understand that
there are certain keys or indexes to Fraud Prevention. Principally, the
management of every affected organization has to understand and evaluate each
of the following types of information:
(a) Maintaining logs of access to both systems and applications
(b) Creating physical access logs
(c) Availability of transactional records and audit trails
(d) Generation of data which can be used to discover trends within
(e) Use of Analytical and monitoring tools
(f) Use of Mobile records and CCTV footage
(g) Watch over behavioral and cultural patterns
(h) Use of Interview Techniques, wherever applicable
(i) Enabling Forensic Data and Tools for data extraction.
Basically data can consist of the following
(a) Relational databases, (b) XML data, (c) Meta Data, (d) Big Data-Images,
videos and (e) Case studies. In order to understand and assimilate the above,
one would of course, have to depend on past experiences and learning, which
again may be of the employee themselves or other organizational ones. Finally,
the use of such information has to be known in terms of where and in what
context. (Ref Slide 18)
It would be pertinent to note that ACFE
Report to the Nations on Organization Fraud-2014 has shown that the maximum
number of vulnerabilities to fraud have been in the Banking and Financials
sector to the tune of 244, or 17.8% of the total cases, though the median loss
in terms of USD was only $ 200,000/-. On the other hand, the maximum median
loss in terms of USD was $ 900,000 in the Mining sector, even though the number
of vulnerabilities in that case was only 13 or 1% of the total. This gives a lot
of credence to the 80%-20% Pareto principle, which is clearly brought out in this
report. (Ref Slide 19)
In the Indian scenario, it is noteworthy to
realize that Mumbai is the commercial capital of India and according to a
recent special report by DNA Investigations Bureau, it is also the number one
for banking frauds in the country. As per the report, the total number of
banking frauds reported in Mumbai every year is more than those of Delhi,
Chennai, Kolkata and Bangalore taken together. (Ref Slide 20)
According to the Global Economic Crime
Survey, 2014; Key highlights from the US conducted by
PricewaterhouseCoopers LLC, USA, the most commonly reported economic crimes are
in the financial services, retail services and consumer, and communications
sectors, in which nearly 50% of the respondents mentioned they had been crime
victims. (Ref Slide 21)
Let us now understand what motivates the
perpetrator of fraud to break the internal controls system that usually would
faze any person not having a mala fide intention in the organization. Not
surprisingly, Greed occupies the highest spot, followed by pressure
placed due to profit and budget targets. In terms of age, it has
been observed that 41% (36-45 years) and 35% (46-56 years) are the two highest
age ranges to which the fraudster might belong. Gender-wise only about
13% of fraudsters were female, the balance 87% were obviously male. Frequency-wise,
it was found that 96% of the perpetrators defraud their victims repeatedly.
What is, however, noticeable in these trends is that in as many as 56% of the
cases, the Red flags had been completely ignored, where timely
intervention could have prevented the fraud at its root. Department-wise, Finance would account for 32% of the total,
while 26% of the frauds may be committed by the CEO and 25% by the
Operational / Sales staff; and in terms of management levels, 35% would
be found to be belonging to senior management, 29% middle management and the
balance equally divided between operational staff (18%) and the Board of
Directors (18%). (Ref Slide 22)
It is quite obvious that some stringent and
perpetuating measures need to be taken by each and every industry in making
their own respective organizations effective, especially with specific focus on
the clarity of roles to each employee, the proper selection of team members,
conducting regular meetings, secure data processing, proper training and good
team spirit. (Ref Slide 23)
A special mention is required to be made
here in understanding the importance of making delegation more effective,
because it is felt that in the Indian scenario, this is one area that has been
lacking in terms of the vastness of the scope of improvement therein. The most
important link is the unity of command, meaning that a particular
employee reports to only one supervisor. Scalar Chain, referring to the
number of layers ranging from top to bottom in the hierarchy within the organization,
is the second most important link. Thirdly, there are the principle of authority and
responsibility, the principle of delegation by results expected, and so
on and so forth. (Ref Slide 24)
In the corporate sector, the concept of Corporate
Governance Activities is and should be well followed and adopted readily by
top management. The most effective way of carrying this out may be by looking
first at the structure of the organization keeping in mind the competency in
the management framework. The HR Department must review the job description of
each of the personnel and check that the tasks and responsibilities are
balanced evenly. A regular review of the
Segregation of Duties (SOD) and Delegation of Authority (DOA) must be done
periodically. The Matrix of authorities must also be reviewed with equal
attention. Finally, there should be a very clear mechanism to monitor conflict
of interest. (Ref Slide 25)
Organizations should, as a normal course of
having the internal audit conducted, ensure that the internal audit team covers
the entire gamut of Fraud Risk Profiling which would take care of the
two critical aspects of their assessment of the organization’s goals of having
a good control environment and establishing proper control procedures. Insofar
as the organization of people, like the staff, middle management etc., is concerned,
it should be ensured that matters like delegation and reporting to the required
authorities are being done
in the desired manner. Segregation of the duties should be done in such a
manner that the work of one person is independent of another, especially during
times that the employee or the supervisor is on leave for some or the other
reason, which is to say that the supervisor should hand over charge of the
department to someone under the knowledge of the management. This becomes
critical especially as the management has to ensure that there is not a single
person who can authorize, execute and record a transaction in entirety. The HR
Department should, during the course of recruitment and conducting training,
ensure that the capabilities of the employee concerned are matched with the
functions that he/she has been asked to perform. The senior
staff should also be asked to maintain, through supervision, a control over the
day to day running of
the activities they oversee. Management on its part has to ensure that at all
levels they are able to resolve any problems that may arise. This can be
achieved quite smoothly if the management makes it a practice to act promptly
on the information they receive, is very proactive and reactive at the same
time, and the internal audit function within the organization gets the complete
support of the top management in order to maintain its effectiveness.
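An added example (not part of the original paper) of testing the rule above that no single person can authorize, execute and record a transaction: it checks both who could do so from their role assignments and who actually did according to an audit trail. All role names, user names and voucher numbers are constructed for illustration.

```python
from collections import defaultdict

# The three steps the paper says no single person may complete alone.
SOD_STEPS = frozenset({"authorize", "execute", "record"})

# Constructed role model (hypothetical names): role -> steps it permits.
ROLE_STEPS = {
    "approver": {"authorize"},
    "cashier": {"execute"},
    "bookkeeper": {"record"},
    # The "all-powerful administrator" the paper warns about.
    "dba_admin": {"authorize", "execute", "record"},
}

# Constructed user -> roles assignments.
USER_ROLES = {
    "asha": ["approver"],
    "bharat": ["cashier", "bookkeeper"],
    "chetan": ["bookkeeper"],
    "root_dba": ["dba_admin"],
    # Roles accumulated while covering for colleagues on leave.
    "deepa": ["approver", "cashier", "bookkeeper"],
}

# Constructed audit trail: (voucher id, step, user).
AUDIT_TRAIL = [
    ("PV-1001", "authorize", "asha"),
    ("PV-1001", "execute", "bharat"),
    ("PV-1001", "record", "chetan"),
    ("PV-1002", "authorize", "deepa"),
    ("PV-1002", "execute", "deepa"),
    ("PV-1002", "record", "deepa"),
    ("PV-1003", "authorize", "asha"),
    ("PV-1003", "execute", "bharat"),
    ("PV-1003", "record", "bharat"),
    ("PV-1004", "execute", "bharat"),
    ("PV-1004", "record", "chetan"),
]


def users_able_to_complete_alone(user_roles, role_steps):
    """Entitlement check: users whose combined roles cover every SoD step."""
    flagged = []
    for user, roles in sorted(user_roles.items()):
        steps = set()
        for role in roles:
            steps |= role_steps.get(role, set())
        if SOD_STEPS <= steps:
            flagged.append(user)
    return flagged


def review_audit_trail(trail):
    """Activity check: classify each voucher from what was actually done."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, step, user in trail:
        by_txn[txn][user].add(step)

    findings = {}
    for txn, per_user in sorted(by_txn.items()):
        steps_seen = set().union(*per_user.values())
        missing = SOD_STEPS - steps_seen
        solo = [u for u, s in per_user.items() if SOD_STEPS <= s]
        overlap = [u for u, s in per_user.items() if len(s & SOD_STEPS) == 2]
        if solo:
            # One person authorized, executed and recorded the voucher.
            findings[txn] = ("single-person", sorted(solo))
        elif missing:
            # A step (for example authorization) never appears in the trail.
            findings[txn] = ("incomplete", sorted(missing))
        elif overlap:
            # Weaker signal: one person performed two of the three steps.
            findings[txn] = ("two-steps-one-person", sorted(overlap))
    return findings


if __name__ == "__main__":
    print("Can complete alone:", users_able_to_complete_alone(USER_ROLES, ROLE_STEPS))
    for txn, finding in review_audit_trail(AUDIT_TRAIL).items():
        print(txn, finding)
```

The entitlement check catches exposure before any transaction happens, while the audit-trail check catches what role assignments alone would miss, such as a voucher with no authorization step at all.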
Control procedures can be divided into
three basic segments, which may be in the following domains, (a) Physical,
which would essentially cover security of the assets, control over the access
to assets, conducting regular stock checks and maintaining the registers. (b) Authorization,
which would principally deal with which employee can do what and generally
following the hierarchical structure of signatories, as desired by the
management. Finally (c) Checking procedures, which would enable the
arithmetical accuracy of the records, ensure that all totals are checked,
control accounts are maintained and reconciled regularly and finally, the trial
balance of the organization is prepared as accurately as possible. (Ref Slide 26)
The question then arises: while the
corporate giants have access to immense resources and facilities, and can
therefore have expensive hardware and software available at their disposal as
and when required, what strategy should the small and medium-sized
organizations follow in deciding the optimal time to adopt
either a ready-made Enterprise Resource Planning (ERP) system, or to have one
developed in case there are some or many specific requirements that are not
being met by the ready-made ones? The importance of the ERP system in the
organization need not be stressed, except to say that the software allows
integration of the various business processes in such a way that the functions
across the enterprise can be optimized without any great effort on the part of
the management, who can then concentrate on more and achieve greater success. (Ref Slide 27)
There would still be plenty of
recommendations that the auditor of the organization should be making for better
organization of internal controls. They would expect the management to follow
the proper steps in ensuring the same, beginning with having the description of
all the business processes of that organization on their permanent files. The
risks that the organization may face at any given point
of time in conducting its activities need to be identified. For example, in a
paint manufacturing company, the sufficiency of the fire risk cover must be
examined. The selection of the internal control procedure to be followed by the
organization needs to be made, with proper descriptions of the same being
recorded. Documentation of the order of the organization and implementation of
internal controls at all levels of management are also very necessary. There
ought to be sufficient and timely notification given to personnel about
the risks related to their area of responsibility and the control procedures. For
example, the cashier of the company should know the cash handling risk cover
taken by the organization and ensure that there is never more cash at the
premises than the level specified therein. Finally, the annual assessment of the
entire internal control system should be taken up at the proper level of
management, as decided by the senior management. (Ref Slide 28)
In the end, we have to admit that it is the
“Tone at the top” that affects the system of internal control within the
organization, and if the management fails on any count, whether it be the
monitoring and audit processes or the information and communication that it
receives in connection with the five levels of control activities under their
command, the effect percolating down to the lowest levels would definitely have an impact
on the fundamentals and principles of the code of conduct followed by its
management and staff alike. (Ref Slide 29)
To make our conclusion more effective, let
us have a look at the global scenario of the conduciveness towards conduct of
business that is very well brought out by the “Kearney Global Services
Location Index™” conducted in 2016. From the chart contained
in Slide 30, it is quite obvious that India has the highest index (3.22)
insofar as financial attractiveness is concerned and, not surprisingly, USA has
the lowest index (0.52). China (2.71) and India (2.55) are the two highest
rated for the availability of people and their skills, while Costa Rica (0.90)
is the lowest, followed by Bulgaria (0.94). Insofar as the business environment
is concerned, Poland (1.90) and Malaysia
(1.89) are the two highest ranked, while Egypt (0.94) and Sri Lanka
(1.14) are the two lowest ranked. India here scores a lowly 1.19, just
marginally ahead of Sri Lanka. (Ref Slide 30)
Thus, we can safely conclude that in order
to improve the business environment within the country which is what is pulling
down our country to the lowly third last in these rankings, a lot needs to be
done by all the organizations across the length and breadth of India and herein
comes the importance of the role of strengthening the internal controls of
these organizations.
*_*_*_*_*_*_*_*_*_*