Elements of a risk management and internal control system - Coggle Diagram
Elements of a risk management and internal control system
  The Turnbull Report
    Provided additional guidance to boards on their responsibilities for the systems of risk management and internal control within their companies
    Suggested that there should be financial, operational and compliance controls to deal with the financial, operational and compliance risks identified by the company
    Financial controls
      Transactions are made only in accordance with the general or specific authorisation of management
      Transactions are recorded so that financial statements can be prepared in accordance with accounting standards and generally accepted accounting principles
      Transactions are recorded so that assets can be accounted for
      Access to assets is only allowed in accordance with the general or specific authorisation of management
      The accounting records for assets are compared with actual assets at reasonable intervals of time
      Appropriate action is taken whenever differences are found
      Effective controls should ensure
        The quality of external and internal financial reporting, so that there are no material errors in the accounting records and financial statements
        That no fraud is committed (or that fraud is detected when it occurs)
        That the financial assets of the company are not stolen, lost or needlessly damaged, or that these risks are reduced
    Operational controls
      Controls that help to reduce operational risks or identify failures in operational systems when these occur
      Designed to prevent failures in operational procedures, or to detect and correct operational failures if they do occur
      Operational failures may be caused by
        Machine breakdowns
        Human error
        Failures in IT systems
        Failures in the performance of systems (possibly due to human error)
        Weaknesses in procedures
        Poor management
      Measures designed to prevent these failures from happening, or to identify and correct problems that do occur
        Regular equipment maintenance, better training of staff, automation of standard procedures and reporting systems that make managers accountable for their actions are all examples of operational controls
    Compliance controls
      Concerned with making sure that an entity complies with all the requirements of relevant legislation and regulations
      The potential consequences of failure to comply with laws and regulations vary according to the nature of the industry and the regulations
        For a manufacturer of food products, food hygiene requirements are important
  COSO
    COSO Enterprise Risk Management
      Governance and Culture
        Defined as 'governance sets the organisation's tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviours and understanding of risk in the entity'
      Strategy and objective setting
        Defined as 'enterprise risk management, strategy and objective-setting work together in the strategic planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing and responding to risk'
      Performance
        Defined as 'risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritised by severity in the context of risk appetite. The organisation then selects risk responses and takes a portfolio view of the amount of risk it has assumed'
      Review and Revision
        Defined as 'by reviewing entity performance, an organisation can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed'
      Information, communication and reporting
        Defined as 'enterprise risk management requires a continual process of obtaining and sharing necessary information from both internal and external sources, which flows up, down and across the organisation'
    COSO Internal Control - Integrated Framework
      Control environment - A set of standards, processes and structures that provide the basis for carrying out internal control across the organisation
      Risk assessment - The process for identifying and analysing risks to the achievement of the company's objectives. The assessment should form the basis for determining how risks should be managed
      Control activities - 'actions established by the policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out'. Control activities should be performed at all levels of the organisation and at various stages within the organisation's business processes. They should include, wherever possible, the segregation of duties
      Information and communication - Information is necessary for the organisation to carry out its internal control activities to achieve the organisation's objectives. Communication occurs both internally and externally and provides the organisation with the information needed to carry out the day-to-day internal control activities
      Monitoring activities - The organisation should carry out evaluations and other monitoring activities to ascertain whether each of the five components of the internal control system is present and functioning. Any deficiencies in the internal control system should be communicated to management and the board in a timely manner