Importance of Internal Controls
Nipuna Geethanga
Deputy Manager - Internal Audit | CIA Candidate, ISO 9001 Lead Auditor, MBA, AIB, CA Part-Qualified | Banking & Finance Expertise in Risk-Based Audit, Internal Control Evaluation, Fraud Investigation, Data Visualization
Internal Auditors look beyond financial statements and risks to a wider scope, such as the identification of control lapses and violations, process inefficiencies, and revenue leakages, and the evaluation of the organization’s risk management process, including fraud risk.
Internal Auditors perform these activities through a combination of continuous assurance verification and consultancy. Therefore, the Internal Audit function always helps organizations to succeed and maintain governance.
What are Internal Controls?
Any organization can be subject to intentional or unforeseen internal or external threats that may unfavorably impact the organization and its assets. Internal Controls, by way of policies, procedures, rules and regulations, are the mechanisms organizations implement to minimize or avoid vulnerabilities and unnecessary risks.
There are three types of internal controls, namely detective controls, corrective controls and preventive controls.
Detective Controls
Used to identify the existence of errors, inaccuracies or frauds that have already occurred.
E.g., audits, investigations, quality control checks, legal procedures, compliance checks
Corrective Controls
Designed to correct errors or risks and prevent the recurrence of further errors.
E.g., tone at the top, dual authorization, segregation of duties, password protection
Preventive Controls
Designed to prevent errors, inaccuracies or fraud before they occur.
E.g., segregation of duties, physical protection of assets, password protection, dual authorization, policies, procedures, guidelines, set standards, encryption, firewalls and physical barriers
Why Are Internal Controls So Important?
With the expansion of business activities and volumes, and a high dependence on manual intervention, there can be more human mistakes, omissions, and manipulations, with or without fraudulent intent.
Internal controls minimize or avoid the risk of unexpected losses, frauds, and possible damage to the reputation of the organization. They help to safeguard the interests of the general public and all other stakeholders of the organization. They ensure that legal, regulatory and other governance requirements, internal policies, procedures and guidelines are properly followed by the organization. They ensure that internal processes are effective and efficient in meeting the goals and objectives of the company. Ultimately, they help the organization to eliminate inefficiencies and strengthen its business functions and processes towards business growth, better customer orientation and profitability.
Can business growth initiatives be managed or sustained without internal controls and procedures?
Growth may be managed and shown in the very short term; however, it cannot be sustained in the long term.
A lack of focus on internal controls and laid-down policies and procedures may expose the entire organization to certain risks, including fraud risk, which may also lead to severe losses and reputational damage. Therefore, business growth initiatives should always be aligned with internal control perspectives, company policies and procedures. Any deviations from the procedures and internal controls, based on certain business requirements, should be referred to higher management for evaluation of risks and approval.
Why Are Internal Controls Overlooked?
• Lack of knowledge about the policies, procedures and guidelines
• Lack of interest in and knowledge about the seriousness of control violations and their consequences
• Pure negligence
• Individual pressure to meet targets / profits / competition
• Increased volume of business activities and transactions / lack of interest in supervision and monitoring
• Disappearing ethics / lack of honesty
• Financial stress and unsuitable lifestyle patterns, which may lead to frequent violations with fraudulent intent
How can we prevent control violations / frauds in the organization?
• Cultivate an ethical business culture / anti-fraud culture within the organization
• Ensure all employees have a thorough knowledge of the policies, procedures and guidelines of the organization
• Continuous supervision and regular monitoring with a bird's-eye view
• Implementation of sound internal control systems and a governance structure
• Effective risk and compliance awareness among all staff members of the organization
• Be honest at all times / maintain integrity and reliability
• Whistle-blowing: keep the Internal Audit / Board of Directors informed of any suspicious activity, and whenever there is doubt or justifiable suspicion.
Three Lines of Defense in effective Risk Management & Control
According to the international standards (IIA), a three lines of defense model has been established. In this model, the business and direct operational function is the first line of defense, the risk and compliance oversight functions performed by Risk Management & Compliance are the second line of defense, and the independent assurance provided by internal audit is the third line of defense.
The business line and operational management, being the first line of defense, are responsible for implementing corrective actions to address process and control deficiencies and for maintaining effective internal controls, policies and procedures on a day-to-day basis. Initially, the business and operational management should identify, assess, control and mitigate risks by implementing internal policies and procedures in line with the goals and objectives of the organization, while ensuring proper adherence by the business and operations staff.
The risk function, being the second line of defense, is responsible for effective and adequate risk management within the organization, including risk identification, risk assessment, risk measurement and the implementation of risk mitigation measures, covering the identified processes of the organization and possible unforeseen risk events. The compliance function, also being the second line of defense, monitors various specific risks such as non-compliance with applicable laws and regulatory requirements.
The internal audit function, being the third line of defense, provides assurance on the effectiveness and adequacy of the governance, risk management, and internal control environment, based on the highest level of independence and objectivity within the organization.
Bank Audit Manager
4 years ago
Thanks Nipuna for sharing, and it’s great to see that you have written this content