Internal control systems
Internal control (IC)
Definitions
a process
a means to an end
not an end itself
affected by people, at all levels
an entity’s board of directors
management
and other personnel
designed to provide (them with) reasonable (not absolute) assurance regarding the achievement of objectives, reporting and compliance.
two main sources of guidance on internal controls:
COSO and FRC.
• COSO is a US framework for SOx compliance with
five objectives: RORCS.
risk management
operations
reporting
compliance
safeguarding assets
• FRC is UK guidance for risk management and internal control systems
helps facilitate effective and efficient operation, reducing the likelihood and impact of errors or fraud, ensuring the quality and compliance of reporting, and reflecting the values and culture of the company.
considers the operation, effectiveness, impact and culture of the company.
a network of systems that helps achieve organisational objectives.
internal control
the universal objectives and benefits
universal concept that applies to any organization, regardless of its industry or sector.
based on the same set of principles of identifying and managing risks, achieving objectives, and ensuring reliability, compliance, and safeguarding.
These principles are relevant for any organization that wants to operate effectively and efficiently.
the specific types and systems of controls
that an organization implements may vary depending on its industry or sector.
For example:
a manufacturing company may have different controls for its production process, inventory management, and quality assurance than a service company.
a financial institution may have different controls for its lending, investing, and reporting activities than a non-profit organization.
should be tailored to the nature and needs of the organization and its environment.
Objectives: RORCS
Internal control systems aim to:
good quality information
• Manage risks
Running the business effectively and efficiently with less risk or disruption and more value for shareholders
This involves achieving the strategic goals of the organization and avoiding losses or damage from fraud or errors in operations or finances, such as off-balance sheet financing or unauthorised accounting policies
• Improve operations
Challenge: Train and familiarize the staff with the operations and culture of Hayho
If the staff are not well-trained or familiar with Hayho's culture, they may not perform their tasks properly or follow Hayho's policies and procedures.
This may lead to errors, waste or fraud that could harm Hayho's assets, reputation or performance.
Rebuild a culture with strong ethical practices and zero-tolerance of bribery and corruption
This measure relates to the operations objective, as it affects the effectiveness and efficiency of the NFA's business operations.
If the NFA has a strong ethical culture, it will be able to respond to the risk of match fixing and restore the reputation of the game and the NFA.
It will also prevent fraud and error that could harm the NFA's assets or performance.
Educate and train the referee sub committee and other staff on their roles and responsibilities
This measure relates to both the operations and reporting objectives, as it affects the effectiveness and efficiency of the NFA's business operations and the quality and timeliness of its reports.
If the NFA educates and trains its staff on their roles and responsibilities, it will be able to improve their skills and performance.
It will also ensure that they provide accurate and complete information for internal and external reporting and decision-making.
Consider a more centralised approach for training and disciplining referees and local associations
This measure relates to both the operations and compliance objectives, as it affects the effectiveness and efficiency of the NFA's business operations and the adherence to external standards and regulations.
If the NFA considers a more centralised approach for training and disciplining referees and local associations, it will be able to ensure that they meet the required standards for refereeing football matches.
It will also comply with any external rules or requirements that apply to refereeing football matches.
Perform risk assessments and respond appropriately to risks such as match fixing
This measure relates to both the operations and reporting objectives, as it affects the effectiveness and efficiency of the NFA's business operations and the quality and timeliness of its reports.
If the NFA performs risk assessments and responds appropriately to risks such as match fixing, it will be able to manage and mitigate the potential impact of such risks on its operations or reports. It will also provide accurate and complete information for internal and external reporting and decision-making.
Use technology to monitor and verify refereeing decisions:
This measure relates to both the operations and compliance objectives, as it affects the effectiveness and efficiency of the NFA's business operations and the adherence to external standards and regulations.
If the NFA uses technology to monitor and verify refereeing decisions, it will be able to ensure that the refereeing decisions are fair and consistent. It will also comply with any external rules or requirements that apply to refereeing football matches.
• Ensure reliable reporting
Ensuring reliable and timely financial reporting for internal and external users.
This involves:
• maintaining accurate and complete accounting records of transactions, assets, liabilities, costs and revenues (do not allow subjective and ‘best guess’ figures to be fed into the reporting process).
• creating systems that produce accurate, reliable, and timely financial information for statutory and management reporting and decision-making. Make investors trust us
• assigning specific people and functions to control each part of the reporting process.
• making the process visible and easy to audit by internal or external auditors.
• Collect and measure environmental data, such as water, energy, and emissions
• Compare data over time and with targets
• Improve processes to reduce environmental impact
Challenge: Find skilled quality control and accounting staff to ensure product standards and accurate records
If the quality control and accounting staff are not skilled enough, they may not be able to ensure that Hayho's products meet the required standards or that Hayho's records are accurate and complete.
This may lead to inaccurate or incomplete reports that could misinform Hayho's management or external users, or violate external rules that could expose Hayho to penalties or sanctions.
Challenge: Report exceptions or problems to the management at head office
If the exceptions or problems are not reported timely or accurately to the management at head office, they may not be aware of or able to address the issues that could affect Hayho's performance or reputation.
This may also prevent Hayho from complying with external laws, standards or regulations that require disclosure or remediation of certain issues.
Develop and reinforce new policies and codes of ethics for all employees
This measure relates to both the reporting and compliance objectives, as it affects the reliability and transparency of the NFA's reports and the adherence to external standards and regulations.
If the NFA has clear and consistent policies and codes of ethics, it will be able to ensure that all employees follow them and report any exceptions or problems.
It will also comply with any external rules or requirements that apply to the NFA as a football regulator.
Communicate its ethical agenda openly and transparently to its stakeholders
This measure relates to both the reporting and compliance objectives, as it affects the transparency and accountability of the NFA's operations.
If the NFA communicates its ethical agenda openly and transparently to its stakeholders, it will be able to build trust and confidence among them.
It will also disclose any issues or actions that may affect its reputation or performance.
Establish procedures for reporting the suspicion of corruption
This measure relates to both the reporting and compliance objectives, as it affects the reliability and transparency of the NFA's reports and the adherence to external standards and regulations.
If the NFA establishes procedures for reporting the suspicion of corruption, it will be able to detect and prevent any fraud or misconduct that may affect its operations or reports.
It will also comply with any external rules or requirements that require disclosure or remediation of corruption.
Reporting
Financial reporting integrity
Shareholders and others use this information to make decisions and value the company.
Many governance codes require a report on how well internal controls work for financial reporting.
Internal audit and audit committee can check this.
Some jurisdictions make internal controls mandatory through standards.
is vital for good corporate governance
Environmental reporting
a new challenge for many companies
shows how a company uses resources and affects the environment
To make sure the reports are accurate and useful, they need internal controls and audit
• Safeguard assets and investments
Protecting the assets and investments of the business from misuse, fraud or theft.
This involves using the assets optimally (Avoid waste, fraud, accidents, and errors) and safeguarding them from internal or external threats.
Challenge: Secure the assets from sabotage, damage, theft or misuse
If the assets are not secure from internal or external threats, they may be damaged, stolen or misused by unauthorized parties.
This may result in losses, liabilities or legal issues for Hayho.
• Comply with laws and regulations
Complying with external laws, standards or regulations that apply to the business.
This involves following the rules and requirements of relevant authorities or bodies such as companies' legislation, listing rules or sector-specific regulators.
Inherent limitations:
use this structure: problem — outcome — solution.
also used information and judgement to give sensible solutions.
• Human factors:
This includes
• (1) poor judgement in decision making,
• (2) the potential for human error or fraud, and
• (3) collusion between employees.
(1) Poor judgement in decision making:
applies to problems that result from ignoring or neglecting the potential impact of Human judgement (decisions) on safety and performance.
Example:
Misclassify expense or approve unauthorised transaction
Ignored advice on structural changes needed for the company
Failed to insure full value of Mary Jane's liabilities
Board's emphasis on cost reduction over safety
Using the control wrongly or unsafely, such as using a machine tool or a vehicle too fast or with the wrong material.
sending membership cards and booklets before payment clears
• makes some members think they don't need to pay.
• causes lost income and no renewal invoice next year.
• Notify sales and marketing only after payment clears.
• ensures only paying customers get cards and booklets.
• increases income and reduces errors. No system or department changes needed.
sending delivery and payment details too late:
• makes some customers lose interest or change their mind.
• causes lost sales opportunities and wasted time and money.
=> Solution: get customer commitment sooner.
not have clear legal responsibilities with our joint venture partners:
• not defining the roles and liabilities of each partner in the joint venture
• unclear who was responsible for failures and how to deal with it
The QC department was isolated and neglected by other activities and management, which was a poor decision.
Ben Janoon designed a system with many flaws and weaknesses, which was also a poor decision.
• Staff injuries: More staff got hurt last year due to poor safety and training procedures. This increases costs and risks lawsuits and bad publicity. This problem falls under poor judgement in decision making, as it involves the chief executive neglecting to invest in staff training and safety procedures.
• Online booking: Rail Co does not offer online ticket facilities, unlike its competitors. This lowers customer satisfaction and loyalty and limits market share.
This problem falls under poor judgement in decision making, as it involves the chief executive resisting the adoption of a technology that could improve customer service and revenue.
• Pay structure: Staff are underpaid and unhappy, which may lead to turnover or strikes. This affects service quality and reliability.
This problem falls under poor judgement in decision making, as it involves the chief executive refusing to pay staff fairly and competitively.
The club manager who did the swimming pool work without following the rules
made a poor judgement in deciding to approve the work by themselves and with their husband's company. This breached the management controls and the segregation of duties.
The buying department that did not challenge the unethical practices of some suppliers
made a poor judgement in ignoring the contract terms and the company's mission and values. This breached the social responsibility controls and exposed the company to reputation risk.
(2) The potential for human error or fraud:
applies to problems that result from a lack of feedback or verification mechanisms that could prevent or detect errors or misconduct.
the control being corrupted, circumvented or ignored by human or technical factors, and the control being less effective if someone acts against it or if something breaks down.
Example:
Enter wrong amount or inflate sales figures
Mistakenly loaded vehicles onto car deck
Exceeded speed limit and created swell
Mr Mineta breaching trading rules
Mr Evora not enforcing trading rules and withholding compliance information
Kathy's silence and compliance.
Ignored crash test result
Abandoned readiness for sea departure system
Lacked annual review and board recommendation of insurance policies
The controls fail to send renewal invoices to some members who did not pay or whose payment did not clear. This could be due to:
• human error in entering or updating the membership system, or
• fraud by employees who manipulate the system for personal gain or other motives.
The controls fail to check the credit status of customers before processing their orders
• wastes time and money
• risks losing income from rejected orders.
=> Solution: do payment and credit check earlier, Validate payment as soon as possible.
• done by allowing credit card payment over the Internet.
• eliminates errors, improves cash flow and reduces finance requests.
• requires e-commerce solution and transaction fees.
The engineers from Well Services did not follow the proper procedures or use the appropriate parts for testing and installing the valve.
due to negligence, incompetence or dishonesty
caused the valve to break and leak oil into the sea
fake compliance reports: intentionally falsified the reports to sell faulty products, which is a form of fraud
negligence: failed to monitor or notice the product failure rates, which is a form of error.
Three records of marks are input manually, which may cause errors and confusion. A student got a different mark in the end-of-year results. Solution: Input marks only once on the VLE and link it to other systems.
• Ticket fraud: Many stations have no ticket barriers, allowing passengers to travel for free. This reduces revenue and violates trust rules.
This problem falls under the potential for human error or fraud, as it involves passengers cheating the system and staff not checking tickets properly.
• Install ticket barriers at stations with high fraud risk. This will deter fraud and increase revenue. Rail Co should do a cost-benefit analysis first.
• Review ticket prices and offer more affordable options for different customer groups. This will make tickets more accessible and fair for customers.
The unqualified and untrained fitness instructors
are a result of human error or fraud by either the staff themselves or the human resource staff who did not check their qualifications or references. This breached the personnel controls and exposed the company to legal and reputational risk.
The security breaches at some clubs
are a result of human error or fraud by either the members who shared their passes or the club managers who did not fix the security systems. This breached the physical controls and exposed the company to revenue and security risk.
The poor working conditions and low morale of our staff at the maintenance encampments along the pipeline: The staff may be dissatisfied, demotivated, or careless in their work, which could lead to mistakes, negligence, or misconduct. This could affect the reliability and effectiveness of the internal controls and the maintenance of the pipeline.
(3) Collusion between employees:
applies to problems that result from employees working together for personal gain or other motives to bypass or override controls.
Example:
Purchasing officer and supplier inflate prices or quantities
Mrs Keefer/head office denying board responsibility for the loss.
Jane Goo and John Zong agreed to share the profits from selling faulty products, which is a form of collusion.
• Pay structure: Staff are underpaid and unhappy, which may lead to turnover or strikes. This affects service quality and reliability.
It also falls under collusion between employees, as it involves the unions threatening to take strike action against the management.
The club manager who hired their husband's company for the refurbishment work
colluded with their spouse to bypass the tendering process and possibly gain personal profit. This breached the management controls and the segregation of duties and exposed the company to fraud and ethical risk.
The poor industrial relations between workers and management, which have affected trust and communication: The workers and managers may have conflicting interests or agendas, which could result in them working together to bypass or override internal controls for personal gain or to hide errors or fraud. This could undermine the accountability and transparency of the internal controls and the operations of the pipeline.
This violates the system and exposes it to risks.
These limitations
• arise from the people who design, implement or operate the controls and
• may affect their effectiveness or reliability.
• Control design:
This includes
• (4) the costs of control outweighing their benefits,
• (5) controls only being designed to cope with routine and
not non-routine transactions, and
• (6) controls depending on the method of data processing
• (7) controls being over or under-specified
(1) Control design and cost-effectiveness:
applies to problems that result from spending too much money or resources on controls that do not provide sufficient value or effectiveness.
Example: CCTV for small inventory not worth it.
Not: the design of the control being more important than the cost, the control being over-specified and poor value for money => the cost-effectiveness being a key criterion for choosing a control.
The controls involve unnecessary steps and handoffs that delay the delivery of the computers to the customers.
• reduces customer satisfaction and loyalty
• may affect future sales.
=> Solution: reduce the delivery time. use EIM to deliver directly to customers.
The system is too expensive or too strict for its purpose. This makes people distrust or ignore it.
The supervisor's role is a form of control that may cost more than it benefits, as it adds an extra step in the process without adding any value for SE customers. It may also be too strict, as it filters out other types of queries that may be important for other customers or stakeholders.
It also falls under the costs of control outweighing their benefits, as the chief executive claims that installing ticket barriers would be too expensive and ineffective.
(2) Controls are designed for specific processes only and cannot handle unexpected situations.
Example: Duplicate invoice split into parts or forged signature on cheque.
applies to problems that result from failing to consider the variability and complexity of real-world situations and scenarios that may require different or additional controls.
The controls involve renewing automatically unless customer opts out
• may not suit all customers' preferences or circumstances
• may reduce customer choice and control and affect customer satisfaction and loyalty.
This requires the system to be adapted or circumvented.
The handoffs are a form of control that may work well for routine transactions, but they may cause delays or errors when there are non-routine transactions, such as high volume of calls, complex queries, or customer complaints.
Similar deadlines for different subjects cause stress and low quality work. Solution: Coordinate deadlines at the start of the course and balance the workload.
No re-submission option may cause unfair assessment. Solution: Allow multiple submissions until the final deadline and verify the correct file.
It also falls under controls only being designed to cope with routine and not non-routine transactions, as it involves staff not being able to handle emergencies or accidents.
The rough and remote terrain of our 1,000 km pipeline, which makes it hard to monitor and maintain: The pipeline may face unpredictable or unusual risks or events that the existing controls are not prepared for, such as natural disasters, sabotage, or vandalism. This could compromise the quality and safety of the pipeline and its operations.
(3) Controls vary depending on how data is processed (manual, electronic, different software or hardware).
Example: Arithmetic error control not applicable for electronic calculation or accounting system control not work for another system.
applies to problems that result from relying on specific technologies or platforms that may not be compatible, reliable or secure.
The controls involve using an e-commerce solution for credit card payment over the Internet
• may introduce new risks such as hacking, fraud or system failure.
• may affect the security and privacy of the data and transactions
• may require additional safeguards and backups.
The internal control system did not have a mechanism to automatically signal to management that the failure rate had increased, which is a form of dependence on data processing.
The handoffs and the request depend on the phone system, which may be slow, unreliable, or incompatible with other systems. They also depend on the customers having the correct data ready, which may not be the case.
Coursework requirements are released before lectures cover the topic. Students may complete work without enough information. Solution: Use a timed release on the VLE to match the lecture schedule.
• Online booking: Rail Co does not offer online ticket facilities, unlike its competitors. This lowers customer satisfaction and loyalty and limits market share.
It also falls under controls depending on the method of data processing, as it involves relying on outdated and inefficient ticket buying facilities.
• Expand ticket offices and hire more staff to sell tickets. This will reduce queue time and frustration for customers.
• Offer on-train ticket purchase by having more ticket inspectors. This will be costly, but Rail Co could do it only on peak trains.
• Introduce online booking to match competitors and meet customer demand. This will be a major investment and project, but it will boost customer satisfaction and loyalty and revenue.
The language barriers with some of our foreign workers, which have hindered clear and accurate information exchange: The foreign workers may use different languages or systems to process data or information related to the internal controls and the pipeline. This could create compatibility, security, or accuracy issues that could affect the quality and reliability of the data and information.
(4) Under-/over-specified controls: designing controls that are either too strict or too loose, leading to inefficiency, waste or risk.
• Controls that are not supported may be ignored or bypassed.
Shortened development time
Over-specified controls:
Ben Janoon designed a system that was too complex and rigid for the quality control process, which is a form of over-specification.
• Confused responsibility for closing rear doors => two people were responsible for this task, which seems redundant and unnecessary.
• Sending reminders to people who paid already => wastes money and makes members think the charity is inefficient
=> Solution: Update the system when payment is received, not cleared.
• prevents reminders to customers who paid but are waiting for clearance.
• reduces waste and improves perception.
• But it requires system change and more work for Membership Department.
The supervisor's role is a form of control that may be too detailed, as it specifies a single person to handle all the calls and route them to different sections. This may cause confusion for the customers and the staff, inefficiency in the process, and inconsistency in the service quality.
Guidance is too general and does not help the staff understand the risks involved
=> The guidance should give more examples and details, and the staff should get better training on controls.
Under-specified controls:
the lack of control to alert management and the weak link between QC and Mr Janoon: The internal control system did not specify how to measure, report, or communicate the product failure rates, which is a form of under-specification.
• The culture on the rig was not rigorous enough: The controls on the rig did not require or enforce the reporting of exceptions or problems to the land-side management.
This depended too much on human judgement and discretion, which could have been influenced by personal or social factors.
This prevented the detection and correction of issues that could have affected the safety and performance of the rig and its staff.
The request and the support section are forms of control that may be too vague, as they do not specify when or how to obtain or verify the customer data or how to allocate or manage the staff resources. This may cause confusion for the customers and the staff, inefficiency in the process, and inconsistency in the service quality.
Coursework requirements have errors and are changed later. Students waste time on unnecessary work. Solution: Proofread and check requirements by another lecturer before publishing.
Marking guideline is vague and allows lecturers to delay marking. Students complain about slow feedback. Solution: Drop hard copy submission and use online marking with annotation on the VLE. Set a fixed deadline for marking based on submission date.
Feedback is on a separate document and hard to relate to the coursework.
The lack of clear and regular reports from the buyers
is a result of under-specifying what they need to report and how often. This breached the management controls and prevented senior management from monitoring and managing the supply chain effectively.
The vague definition of 'serious' issues that need to be escalated
is a result of over-specifying what needs to be reported without giving clear criteria. This breached the management controls and allowed low level staff to decide what matters need to be escalated.
These limitations
• arise from the way the controls are planned, developed or configured and
• may affect their efficiency or suitability.
• Control operation:
This includes the possibility of
• (8) controls being bypassed or overridden by management or employees,
• (9) controls being unable to cope with unforeseen circumstances, and
• (10) controls not being updated over time.
(7) Controls are ignored/changed (not followed/enforced) by authorised officials.
The management decides to merge Finance and Membership Departments for this process
Benefits:
• prevents reminders to customers who paid and cleared.
• reduces waste and improves perception.
Drawbacks:
• may reduce the checks and balances that ensure the quality and accuracy of the data and transactions.
• may also affect the roles and responsibilities of the staff and create confusion or conflict.
• requires system access, training and redefining jobs.
• Example: Senior manager override control or employee use password to access system.
Jane Goo and John Zong did not follow the procedures or policies for quality control and compliance reporting, which is a form of bypassing or overriding.
• Chief executive: The chief executive is incompetent and dishonest. He ignores targets, misrepresents facts, resists changes, and clashes with unions and media. He fails his fiduciary duty to the trust board.
The club managers who did not review their monthly reports
bypassed their management controls and failed to use their performance information to improve their club's performance.
The human resource staff who did not check the staff CVs and references
overrode their personnel controls and failed to ensure that all staff are qualified and trained.
(8) failing to anticipate or prepare for and adapt to changes in environment, technology, regulations or business conditions (potential events or situations that may affect the controls or require alternative responses).
• Example: Physical document control not handle electronic document or exchange rate control not handle currency fluctuations.
The controls on the rig did not include any backup or emergency/ contingency plans to deal with a possible valve failure or oil spill.
unprepared and unable to respond quickly and effectively to the crisis.
resulted in environmental and economic damage that lasted for months.
(9) failing to monitor, review and revise the controls as needed to reflect changes in the environment, requirements or expectations.
• Example: Small business control not suitable for large business or assumption-based control not valid anymore.
Obsolete controls make the system ineffective or irrelevant
The outdated access and security systems at some clubs
are a result of not updating the physical controls to match the current technology and security standards.
The long contract periods with the suppliers that are not renegotiated
are a result of not updating the management controls to reflect the current market and cost conditions.
Why controls get bad if not checked
we need to
internal audit to give us information and proof on how our controls are working or not
know which controls to check and how to check them.
balance the number and difficulty of controls so that they are useful and not too costly or hard to use
update our controls as our activities, risks, goals, or environment change.
If we don't check them, they may not work well or fit our needs as things change over time.
These limitations
• arise from the way the controls are executed, monitored or maintained and
• may affect their compliance or adaptability.
importance of controls
• Shareholders: Balance of control costs and benefits; have good quality information to monitor their funds and to decide if they want to withdraw, maintain or invest more.
• Debt providers: Adequacy of controls to protect capital and interest
• Employees: Job security, pension safety and reputation protection
• Customers: Pleasant dealings and product assurance, Deliver products/ services on time and within budget
• Government and regulators: Compliance with laws and regulations for safety and quality
Eg. Internal control is important for environmental footprint to:
• Measure input consumption and emissions
• Manage plant and equipment
• Produce accurate information
Suppliers: build good relationships
• Having a formal process for choosing the best suppliers based on their quality, reliability and price
• Sharing information with suppliers about its production plans, demand forecasts and quality standards
• Paying suppliers promptly and accurately based on the invoices and contracts
• Working with suppliers to find ways to reduce waste, increase yield and develop new products
Gain confidence from stakeholders, Protect our reputation and trustworthiness
Elements of COSO Framework
Control environment
how the company and its people deal with risk
risk appetite
high for a pharmaceutical company that does costly research.
the integrity and ethics of the board and the staff, and how they delegate authority and responsibilities
The board sets the tone and culture of the company by showing its commitment to a sound internal control system.
The board should get more non-financial information to check if control systems work well
• Governing body: headteacher, parent reps, local authority reps. Meets quarterly. Responsible for budget, staff, standards. Reviews financial and non-financial reports. Approves purchases over $1k. Accountable to parents and local authority.
• Audit committee: none, could be responsible for detailed scrutiny of expenditure and liaising with auditors.
• Audit committee: establish an audit committee with financial expertise to scrutinise expenditure and liaise with auditors. Review reliability of monthly financial report.
• Membership: include staff and pupil representatives to enhance stakeholder involvement and feedback.
• Membership: includes parents and local authority reps, but lacks staff and pupil reps.
• Committee system: none, full governing body considers all items at every meeting, may not be efficient or focused.
• Committee system: establish committees for key aspects of running the school such as audit, staff recruitment, curriculum etc. Report to main governing body.
This tone may be affected by the performance of line managers, who may not fulfil their duties properly.
the managers should be more responsible and accountable for their actions.
The control environment covers all primary business areas of an organisation
Risk assessment
evaluating the likelihood and impact of risks on the company, using both qualitative and quantitative methods.
defining the risk and return profile that shareholders expect
considers the changes in the internal and external environments that may affect the risks.
investing in research to create valuable products
ensuring that the residual risks are within the company's risk appetite.
Control activities
setting and implementing policies and procedures to execute the risk responses
involve a variety of controls, such as prevention and detection, manual and automated, authorisation and review. Also known as internal controls.
The board should ensure that these control activities are appropriate and effective at all levels, stages and technology of the company
Information and communication
helps people perform their roles and responsibilities, and make informed business decisions.
By communicating information such as project progress reports, an organisation can also enhance its control environment and risk awareness.
creating and maintaining systems to collect and share relevant and quality information, both internally and externally, in a timely and effective manner.
especially important for a company where the quality of its information systems is critical for its internal control.
Monitoring activities
overseeing and adjusting the internal control system as needed, with the participation of the board and senior management, and the support of strong information systems.
involves differentiating between regular review (ongoing monitoring) by management, which allows for timely corrections, and periodic review (separate evaluation) by the internal audit function, which identifies the root causes of problems.
requires reporting, assessing and correcting any weaknesses or issues in the internal control system.
Benefits:
• Risk alignment and balance:
aligning risk appetite with strategy, linking growth, risk and return, and rationalising capital.
the organisation sets, balances and allocates its resources according to its risk tolerance and goals.
• Risk response and management:
choosing best risk response, minimising surprises and losses, identifying and managing risks across the organisation, and providing responses to multiple risks
the organisation selects, reduces, coordinates and considers all types of risks that may affect its objectives.
• Risk exploitation:
seizing opportunities
the organisation exploits the positive aspects of risks or uncertainties.
Drawbacks:
• External neglect:
internal focus
the framework ignores the external environment and the stakeholders' involvement in risk management.
• Risk identification and assessment:
the framework prioritises sudden events over gradual risks and makes risk assessment appear too simplistic or easy.
Categories
Hierarchical Model of Internal Controls
reflects the idea of a pyramid of controls, where different levels of controls are applied at different levels of the organisation, from corporate, management, business process to transactional.
Corporate controls: set policy, culture, monitoring. Eg. audit committee, corporate book, training.
• A code of ethics and a culture of high care standards for all carers
Management controls: plan and monitor performance, report and evaluate risk. Eg. performance vs target.
Business process controls: check authorisation, input, data. Eg. budget approval, data reconciliation.
Transaction controls: follow procedures, ensure accuracy. Eg. invoice figures checked by official.
Functional Model of Internal Controls
reflects the idea that internal controls can be divided into two main functions: administrative and accounting.
Administrative controls (wider focus)
meet objectives, follow policies. e.g. set structure, authority, reporting, communication
Accounting controls (narrower focus)
keep accurate records, ensure accountabilities. e.g. record transactions, assign responsibilities.
Objective Model of Internal Controls
reflects the idea that internal controls can be classified according to their objectives: prevent, detect, correct, or direct errors or frauds.
• Prevent and detect controls: stop or find errors before or after happening. Eg. match invoices with GRNs, software checks, bank reconciliations, inventory checks.
• Correct and direct controls: reduce negative impacts or guide activities and employees to meet objectives. Eg. back-up, cloud storage, manuals, training.
human error
Prevent human error: finance manager reviews supplier payments before authorisation.
Detect human error: bank reconciliation finds transposition errors in accounting records.
Correct human error: daily back-up of data reduces disruption from virus email.
Direct human error: machinery requires operator to use safety guards.
waste
Prevent waste: inventory and resources are counted and checked before use.
Detect waste: factory manager compares raw material usage to budget or cost card.
Correct waste: warehouse manager reviews inventory for obsolescence.
Direct waste: lorry drivers have to undergo sobriety or drugs test before delivery.
environmental harm
Prevent environmental harm: factories use catalytic oxidisers to render air pollutants harmless.
Detect environmental harm: factories conduct water quality audits to measure pollution levels.
Correct environmental harm: oil company has emergency procedure for oil spill.
Direct environmental harm: firm specifies that suppliers do not use toxic raw materials.
• Environmental harm: damage to the environment caused by pollution or toxins. Environmental harm can lead to legal fines and reputation damage.
• Human error and waste: unintended action or loss of resources that causes bad outcome.
Human error is often caused by carelessness, distraction or fatigue.
Waste is often associated with loss of physical materials or inventory but can also extend to loss of employee time.
E.g. switching figures when entering invoices, inventory and resources are counted and checked before use.
Authority Model of Internal Controls
reflects the idea that internal controls can be distinguished by their source of authority: discretionary or non-discretionary.
Discretionary controls: depend on human choice. Eg. not increase credit limit, require signatures. E.g. goods not dispatched to overdue customer may be discretionary.
Non-discretionary controls: done by system, human can't influence. Eg. automatic sequence check of invoices. E.g. inputting PIN number is non-discretionary control.
Compliance Model of Internal Controls
reflects the idea that internal controls can be differentiated by their degree of compliance: voluntary or mandated.
These controls are split between required and chosen. Choosing which to prioritise is a challenge for some industries.
Voluntary controls: chosen by the organisation. Eg. authorisation controls, key transactions approved by signatories.
Mandated controls: required by law or external authorities. Eg. financial services firms must be advised by authorised body only.
Technological Model of Internal Controls
reflects the idea that internal controls can be categorised by their use of technology: general IT or application.
general IT controls apply to the overall IT environment, such as security, backup, and access controls
problems with general controls:
• The computer centre is not secured and allows unauthorised access by temporary staff and others.
• The user id and password system is too simple and easy to hack.
• The firewall is turned off and exposes the systems to hackers.
• The backup system is in the same location and has a direct link with the main servers, making it vulnerable to disasters and data corruption.
solutions:
use the fingerprint access system, remove the 'administrator' user
assign unique user ids and passwords to all staff, remind users to change passwords regularly and not write them down, enforce these rules in training and a procedures document
turn on the firewall and fix any problems with the application
move the backup system to a different location and have a time delay in the link with the main servers.
application controls apply to a specific system or process, such as input, output, and processing controls. Either manual or computerised.
problems with application controls
• The intelligent software may provide out-of-date information and there is no verification check for that.
• The reviews by users may not be fair or true and SRO does not check their correctness or identity.
• The users can post anonymously and may work for or against the stores being reviewed, compromising the reliability and independence of the reviews.
• The stores do not have the opportunity to respond to the reviews and there is no transaction identifier to link them.
solutions:
use a verification check to compare the date of the information from the intelligent software with what is already held
check the correctness and identity of the users and stores before allowing them to post or read reviews
do not allow anonymous posting and prevent users from working for or against the stores being reviewed
give the stores the opportunity to respond to the reviews and use a transaction identifier to link them
• Carer reporting systems that record the time and quality of each visit
• Service user feedback that affects the reward and promotion of carers
• A dedicated helpline for complaints and immediate action
Scope Model of Internal Controls
internal controls can be grouped by their scope of coverage: financial or non-financial.
Financial controls: key transactions, protect assets, keep accurate records and information. Eg. approve budget or statements. Focus on the key transaction areas and need to ensure that records, entries, cut-off and data are complete, accurate and reliable.
Non-financial controls: focus on wider performance issues and include quantitative non-financial controls (eg. indicators, scorecard, activity-based management) and qualitative non-financial controls (eg. structure, policies, authority and responsibilities).
Control procedures/Control activities
APIPS
• Authorisation: suitably responsible official approve transactions or activities before they happen to ensure transactions are genuine. Eg. signing a purchase order, entering a password.
• Performance reviews: comparing actual results with expected results or standards. Eg. variance analysis, budgeting.
• Information processing: checking the accuracy and completeness of data and records. Eg. reconciliations, edit checks, batch totals.
• Physical controls: protecting assets and records from theft or damage. Eg. locks, safes, alarms, cameras, computer programs & data files with passwords.
• Segregation of duties: dividing tasks among different people to reduce errors or frauds. Eg. separating recording, authorising and custody functions.
Control over FR
ensure reliable, accurate and timely information for management, reporting or audit purposes and compliance with accounting standards and laws.
Include controls over journal entries, accounting estimates, IT systems, documentation, matching, confirmation, reconciliation, completeness, accuracy and calculation.
Monitoring
Information
Types
Levels
Strategic
Used to plan and check the organisation's goals
• High-level summary from inside and outside sources
• Long-term and whole organisation focus
• Made when needed with numbers and words
• Uncertain about future
Tactical
Used to decide and monitor how to use resources
• Lower-level summary mostly from inside sources
• Short and medium-term and activities or departments focus
• Made regularly with numbers only
Operational
Used to plan and do specific tasks
• Detailed data from inside sources like transactions
• Immediate-term and task-specific focus
• Made very often with numbers only
Purposes
• To check and manage the internal control systems in company A.
This includes information about the regulated environment, the competitors and the product developments.
related to the strategic level of information, which is used for long-term planning and decision making.
helps the board to set the goals and objectives of the company and to evaluate its performance and position in the market.
• To run the daily activities in company A.
This includes information that is detailed and frequent from different functions.
related to the operational level of information, which is used for routine tasks and processes.
helps the managers and employees to carry out their duties and to monitor and control the operations of company A.
• To make reports to shareholders and other external stakeholders.
This includes financial information that shows the safety and profitability of the investments.
related to the tactical level of information, which is used for short-term planning and problem solving.
helps the board to communicate with the shareholders and other stakeholders and to address any issues or concerns they may have.
Qualities of good information
(ACCURATE)
• Good quality information is important for managing and monitoring funds
Accurate
no errors or biases, right level of detail, clear assumptions.
the information is true, correct, fair and reliable.
Whether the news is good or bad, we expect you to be honest and clear.
This would help senior managers to spot any suspicious performance by fund managers and avoid losses and damage to clients' investments.
Complete
should not be missing or concealed, eg. external, comparative, qualitative, quantitative data.
Uses forecasts with assumptions or extrapolations if necessary
the information has everything that we need to know and that you can provide
You should not leave out any information that is important for risks or controls, even if it may cause trouble for some colleagues.
This would help senior managers to see the whole picture of the business and make the right decisions.
Cost-beneficial
worth more than its cost.
Easy to collect and analyse.
No wasted time.
Eg. simple reports on anything should be cheap and useful, rather than expensive and useless.
User-targeted
meets user needs.
Eg. strategic summaries for senior managers, details for junior managers.
Relevant
information should be communicated to the right person and be useful for decision making
You should tell us everything that we need to know to make decisions or take actions.
For example, if there are safety issues or problems with ports, you should tell us as soon as possible.
For example, Jane Goo should tell Mr Janoon everything he needs to know, such as changes in quality, problems in the QC lab or product failure rates.
Eg. the board should get more external and internal data on client service quality and satisfaction to know how well company is serving its clients and meeting their needs.
Authoritative
from reliable source
May include subjective information (eg. expert opinions) as well as objective data.
Timely
information should be communicated in time so that the receiver of the information has enough time to decide appropriate actions based on the information received.
Covers relevant past and future periods.
the board should be informed as soon as possible of any issues or risks that may harm company's reputation or relationship with its clients.
Easy to use
clear, short, right medium and channel, eg. email, phone, report.
information should be understandable and accessible to the users
Not all directors of Sea Ships know the technical and nautical terms that you use on board the ships. You should avoid jargon and explain things clearly.
the board should summarize e-marketing findings and actions for every board meeting to get a clear and concise summary of the e-marketing results and the actions taken in response to them.
• Getting more frequent and regular reports on QC failure rates with a fixed format to control the information.
This is related to the timely and easy to use qualities of good information.
By getting more frequent and regular reports, Mr Janoon can get the information when he needs it and see any changes over time.
By having a fixed format, Mr Janoon can get the information that is clear, short and consistent.
• Getting better and more detailed information on product compliance with specific data to catch the fraud sooner.
This is related to the accurate and complete qualities of good information.
By getting better and more detailed information, Mr Janoon can get the information that is true, correct, fair and accurate.
By getting specific data on product compliance, Mr Janoon can get the information that has everything he needs to know and catch the fraud sooner.
• Having more face-to-face contact with QC employees and moving the QC lab closer to the main operations or making a clear reporting system.
This is related to the relevant and authoritative qualities of good information.
By having more face-to-face contact, Mr Janoon can get the information that is useful and reliable.
By moving the QC lab closer or making a clear reporting system, Mr Janoon can get the information that is needed for a decision and may include subjective and objective data.
• The current system at Fortune Investments makes investors depend on their fund managers for information. This allows fund managers like Stefan Krank to filter information and only report positive results.
The current system at Fortune Investments does not provide good quality information to investors.
It is inaccurate because it has errors or biases.
It is unreliable because it is not true, correct, fair or accurate.
It is incomplete because it leaves out important information.
the information is not useful for investors to monitor their funds and make decisions.
The information is not accurate, reliable or complete.
senior managers need real time access to data to track the performance of the funds and set alerts for any problems
the information is timely and user-targeted for their needs.
Timely: updated, current information.
important for senior managers who need to make quick and informed decisions based on the latest data.
User-targeted:
information is tailored to the specific needs and preferences of the senior managers, and not generic or irrelevant.
important for senior managers who need to monitor the performance of the funds and set alerts for any problems that may arise.
Use key performance indicators focusing on client service, such as response times, meetings, additional services, and flexibility
Accurate: the board needs to use measurable and objective indicators of company's performance in delivering client service.
Complete: the board needs to use a range of indicators that cover different aspects of client service.
Good Sources
Review IC
Internal control report
We should review:
• Our risks and how we manage them
• How well our controls work and how we fix problems
• How we reduce our risks
• How often we check our controls
How to review
We should use these sources to review our controls:
• Our Code of Business Conduct:
our ethical and legal standards and how we enforce them.
• Our managers' objectives and self-assessments:
our operational and strategic goals and how we measure and report our performance.
• Letters from managers on controls:
our managers' confirmation and evidence of the operation and effectiveness of their controls.
• Audit committee's report on key controls:
the audit committee's oversight and evaluation of the design and implementation of our key controls.
• Internal audit's reports and opinion on controls:
the internal audit's independent and objective assessment and testing of our controls and their recommendations for improvement.
• Audit committee's special reviews:
the audit committee's investigation and resolution of any specific issues or concerns related to our controls.
• External auditors' report on control deficiencies:
the external auditors' identification and reporting of any material weaknesses or significant deficiencies in our controls and their impact on our financial statements.
• Board members' intelligence:
the board members' personal knowledge and insight on our controls based on their interactions and observations throughout the year.
• Finance director's report on avoidable losses:
the finance director's analysis and reporting of any losses that could have been prevented or reduced by better controls.
• Report on recent developments:
any changes or events that have occurred since the balance sheet date that may affect our controls or require new or revised controls.
• Board's draft report on controls:
the board's summary and disclosure of our controls for publication.
Annual review of controls
The board reviews its internal control systems every year.
cover all significant risks for the company until the date of approving the annual report and accounts.
document how it did the review and what evidence it used
review includes:
• How risks have changed and how the company can adapt.
• How well management monitors risk and internal control and whether internal audit is needed or effective.
• How often and how well the board gets reports on risk and control.
• Any major control failures or weaknesses that affect the accounts.
• How good the public reporting processes are.
External reporting by Board on risk management and internal controls
What to report:
• A statement of board responsibility for internal control and its effectiveness
• We (the Board) are responsible for our controls and how well they work
• Management's responsibility statement for internal control over financial reporting
• Our controls can only reduce, not eliminate, the risk of failure to achieve goals or the risk of having errors in accounts
The spreadsheet also calculates unpreventable fraud at 1·28%, based on average of stations with ticket barriers. This assumes some fraud cannot be prevented with ticket barriers. There will always be some hard-to-control fraud.
There is an assumption about preventable vs unpreventable fraud. More information may be needed to understand this estimate and whether it is same at all stations and regions.
• A summary of the processes used to review internal control
• We have reviewed our controls and considered if we need internal audit
These may or may not satisfy shareholders and weak systems and processes would be a matter of discussion at AGMs for non-executives to strengthen.
• Framework used by management to evaluate internal control effectiveness
involve a description of the key metrics, measurement methods (e.g. rates of compliance, fair value measures, etc) and tolerances allowed within these.
Within a rules-based environment, these are likely to be underpinned by law.
• A disclosure of any weaknesses or errors in internal control that have resulted in error or material losses as at the end of the company’s most recent fiscal year.
• We have fixed any big problems with our controls that affect our accounts or audit
• Management's assessment of internal control effectiveness at fiscal year end
involve reporting on rates of compliance, failures, costs, resources committed and outputs (if measurable) achieved.
• Auditor's attestation report on management's assessment
Any qualification to the attestation should be reported in this statement.
How to report:
• report in a clear and reliable way
• Provide accurate and relevant information
• use a high-level view
• High-level information that is not misleading
• use internal audit and audit committee to check our information and help with reliability of information.
Why to report:
prevent fraud
• ensuring accountability, transparency, and trust in the company's internal control system.
• The board has to identify and address the control issue/areas for improvement
• The shareholders and regulators could hold the board accountable for its performance
• The auditors could check and verify the data and information
• The company could face legal consequences for making false or misleading statements
• An external report on internal controls is a document that shows how a company manages its risks and operations
It is reviewed by an auditor and required by some regulations.
external reporting requirements on internal controls were 'too ambitious' for small and medium companies.
• SMEs have fewer spare resources to conduct internal reviews
• SMEs face extra attestation fee for internal control report
• SMEs lack expertise to audit and perform internal activities
• SMEs have fewer and less complex activities, hence less need for information
Sarbanes-Oxley:
requires directors to say if internal controls over financial reporting are effective or not.
Directors cannot say controls are effective if there are material deficiencies: serious weaknesses that could lead to big errors in the accounts.
stricter than the UK regime: directors should say they have checked internal controls in general
requires disclosures about management responsibility, framework, material deficiencies, and external auditor opinion.
Benefits: more useful for big companies with complex control systems and many external shareholders.
Drawbacks: too hard and not worth it for all companies.
Audit committees
Benefits:
related to financial reporting and auditing:
• They improve the quality of financial reporting by reviewing the financial statements
• They strengthen the position of the external auditor by providing a channel of communication and a forum for issues
• They provide a framework for the external auditor to assert their independence in case of a dispute with management
• They increase public confidence in the credibility and objectivity of financial statements
related to internal control and fraud prevention:
• They create a disciplined and controlled environment that reduces fraud opportunities
• They strengthen the position of the internal audit function by providing more independence from management
related to governance and management:
• They enable the non-executive directors to contribute an independent judgement and play a positive role
• They help the finance director by providing a forum to raise and resolve issues
Drawbacks:
related to transparency and accountability
• Their findings are rarely made public, so their effectiveness is unclear
• They may act as a barrier between the external auditors and the main board
• They may allow the main board to abdicate its responsibilities in the audit area
related to innovation and performance
• Their approach may hinder the drive and entrepreneurial flair of senior executives
related to quality and currency
• They may be compromised by a dominant board member or by not being updated over time
Requirements for audit committee members:
• The board should establish an audit committee of at least three (two for smaller companies) independent non-executive directors
• At least one member of the audit committee should have recent and relevant financial experience
Responsibilities:
• The audit committee is responsible for monitoring and reviewing:
• Financial statements
• Price-sensitive information
• Internal financial controls
• Independence of external auditors
Audit committees are groups of non-executive directors who oversee the financial reporting and internal control processes.
Documents and duties of the audit committee:
• The audit committee should have written terms of reference (or Audit Committee Charter)
• The audit committee may take over some of the board's duties related to audit and risk
• Audit committee must respond to internal or external auditors' requests for information, visits, or questions
• Audit committee will ensure that responses to auditors' recommendations are appropriate and actions are taken when needed
Internal audit (IA)
Internal audit
To make sure the environmental reports are accurate and useful, they need internal audit. Internal audit helps to:
• Check the quality and consistency of data collection and measurement
• Verify the reliability and integrity of reporting
• Build trust and credibility with shareholders and stakeholders
Definition:
• A control by the board to help meet company goals
• A process of checking and verifying the data and information
• A part of the internal control system with similar goals: safeguard assets, improve operations, report accurately, comply with rules
• Independent appraisal function within organisation
• Examines and evaluates organisation's activities
• Assists organisation members in their responsibilities
• Provides analyses, appraisals, recommendations, advice and information
• Reviews internal controls, risk management, compliance and value for money
Role:
• Check operational controls and report problems or risks
• Limited role in strategic controls, which are the board's responsibility
Quality assessment:
• Audit committee reviews internal audit annually by:
• Scope: how wide their work is
• Authority: how broad their terms are and how their reports are used
• Resources: hours, equipment, and skills
• Independence: auditors should be separate from what they audit
• If no internal audit, audit committee considers if one is needed
Independence
• Qualities for independence:
related to the structural and operational aspects of internal audit that enable independence.
• Report to board or audit committee, not finance director
• Have free access to records, assets, and personnel
• Avoid auditing areas where they have worked or designed systems
• Rotate staff over different audits
related to the scope and coverage of internal audit that ensure independence.
• No no-go areas: no areas off-limits
• Sensitive areas audited: able to audit complex areas
• Senior management audited: cover management process and operations
related to the personal and professional attributes of internal auditors that demonstrate independence.
• Objectivity: detached judgement
• Impartiality: no sides or politics
• Unbiased views: no perception of bias or agenda
• Valid opinion: based on facts, not pleasing everyone
• No spying for management: serve the whole organisation
• No backing off: pursue audit objectives fully and professionally
• Ways to achieve independence:
• Report to board or audit committee, not finance director
• Avoid auditing areas where they have worked or designed systems
• Have free access to records, assets, and personnel
• Rotate staff over different audits
Internal audit work and need
• Factors that affect the need:
External factors
• Unexpected risk events
e.g., cyberattack, natural disaster, pandemic, fraud
internal or external changes in activities, structures, or risks
Changes arising from new products or internal activities can change the need for internal audit and so can external changes such as PESTEL factors.
assess the impact, identify the root causes, recommend corrective actions, and monitor the recovery.
• Compliance: external requirements from regulations or laws, e.g. stock market regulations or laws
• Cost/benefit
costs and benefits of internal audit activities and resources that need to be balanced
e.g., salaries, training, equipment, software, travel, outsourcing vs. improved performance, reduced errors or fraud, increased compliance, enhanced reputation, satisfied stakeholders
balance between internal control and audit costs and benefits
Why review and audit of control systems is important for a school governing body:
Independent and objective assurance
External review gives unbiased view of school performance. Reassures stakeholders like parents and local authority that school provides quality education and controls expenditure.
Stakeholders are different from a company's, but still need assurance from an objective review.
Aid to monitoring
Like a board of directors, governors are responsible for internal control and risk management.
Review gives feedback to headteacher and governors to set priorities for improvements based on risk. Also shows where headteacher and governors should focus their monitoring.
Expert opinion
External reviewers can recommend best practice from other schools. This can provide benchmarks for financial and non-financial performance indicators.
Benchmarking may be important for audit, as the governing body is responsible for education standards.
Internal factors
• Operations: sector, strategy, and activities
• Company size and complexity: larger (by number of employees) and more complex companies have more risks, processes, systems, and stakeholders that need assurance and advice; e.g., multinational company vs. local company
• Cost/benefit: balance between internal control and audit costs and benefits
• Problems in internal control: existing issues with systems, products, or procedures, e.g., missing, outdated, or ignored controls
=> evaluate the effectiveness and efficiency of the internal control and report any problems or weaknesses
Internal audit role in regulated industry
• More important in highly regulated industries (utilities, pharmaceuticals, etc)
• Ensures compliance with external requirements (legal or regulatory)
• Provides compliance information to external regulator
• Establishes systems for collecting, analysing and reporting data
• Independent of those being audited
• Strategic asset for company's success
• Prevents compliance failure and its consequences (loss of licence, fines, etc)
• Internal audit has four main roles: to check and improve internal controls, risk management, compliance and value for money. I think these roles are linked and will benefit us a lot in the future.
• Our internal controls need internal audit because HEC is big and complex. Our risk manager has started to register and assess risks, but internal audit will make sure this is done regularly and properly. This will give us confidence that we are not missing anything.
• Internal audit roles and benefits:
Internal audit checks and improves SBF's compliance, risk management, internal control and value for money. It reassures shareholders, regulators and other stakeholders. It sets the tone and culture for the organization. It monitors and assesses risks and controls regularly and systematically. It reports to the board directly.
Role of internal audit in ensuring effective internal controls
• Reviewing and reporting on the controls for key risks in operations.
• Checking the design and effectiveness of internal controls and following up on weaknesses or failures.
• Examining financial and operating information for accuracy, timeliness and adequacy.
• Reviewing operations for compliance against standards and measuring performance against them.
• Reviewing internal systems and controls for compliance with regulations and external targets.
• Work can include:
• The next work is related to the strategic function of internal audit, which is to provide insight on how well the company is achieving its goals and objectives and aligning with its vision and mission.
• Reviewing implementation of corporate objectives, planning, standards, policies, governance, communication, and CSR aims
• The first work is the most fundamental and overarching one, as it sets the basis for identifying and prioritizing the areas that need internal audit attention.
• Identifying significant business and financial risks and monitoring risk management policy and strategies
Internal audit testing:
This is the internal check of internal controls by an internal auditor using audit methods based on set measures and outcomes.
It is a control over other controls and ensures they comply and conform.
• The last work is related to the special function of internal audit, which is to respond to specific requests or situations that require investigation or verification.
• Conducting special investigations, e.g. suspected fraud
• The next three areas of work are related to the core functions of internal audit, which are to provide assurance on the reliability and integrity of financial and operational information, systems, and processes.
• Reviewing and improving accounting and internal control systems
• Reviewing safeguarding of assets
• Examining financial and operating information and testing transactions, balances, and procedures
report directly to the board and help us reassure the Wyland government and other stakeholders.
• The next two areas of work are related to the value-added functions of internal audit, which are to provide advice on how to improve the performance and efficiency of the company's operations and compliance.
• Reviewing compliance with laws, regulations, policies, and authorisations
• Reviewing economy, efficiency, and effectiveness of operations and value for money