When auditors plan an audit, one of the first things they assess is the adequacy and effectiveness of the internal controls in the company since it is one of the most important determinants of the audit risk. Weak internal controls increase audit risk and consequently the cost of audit.
Simply speaking, internal controls are processes that protect assets and other resources (eg. human resources) from misappropriation, inefficient use or exposure to unwarranted risks.
Internal control provides reasonable assurance to the companys management and the board of directors that the companys objectives are achieved in terms of the effectiveness and efficiency of operations, the reliability of financial reporting and compliance with applicable laws and regulations.
Internal control of financial reporting covers maintaining records; provides assurance that transactions are recorded as necessary to prepare financial statements in accordance with generally accepted accounting principles (GAAP) and that receipts and expenditures are only made under proper authorisations.
It also provides reasonable assurance for the prevention or timely detection of unauthorised acquisition, use, or disposition of assets that could materially affect financial statements.
Internal audit is a part of the internal control system. It is a function that provides reasonable assurance that internal controls are adequate and are operating efficiently and effectively.
Therefore, internal audit is said to be control of controls. The Audit Committee of the Board of Directors provides a communication channel to the internal auditor and protects the independence of the internal audit function. A weak internal audit function that does not have the ability to detect and report improper behaviour provides temptation to employees to engage in improper acts.
It is the responsibility of the Board of Directors and the management to establish an internal control system and to ensure that this system operates effectively.
Clause 49 of the Listing Agreement requires the CEO and CFO to certify, among other things, that they accept the responsibility for establishing and maintaining internal controls, and that they have evaluated the effectiveness of the internal control systems of the company and they have disclosed to the auditor and the Audit Committee, deficiencies in the design or operation of internal controls, if any, of which they are aware and the steps they have taken or propose to take to rectify these deficiencies.
The effectiveness of the internal controls is significantly influenced by the integrity and ethical values of the people who design, install, administer and monitor them. Internal control systems will fail unless a proper control environment is created within the corporation. Individuals may engage in dishonest, illegal or unethical acts, if there are strong enough incentives or temptations to do so.
A study shows that the most common incentives for improper behaviour are pressure to meet unrealistic performance targets, particularly for short term results; high-performance dependent rewards; and higher and lower cutoffs on bonus plans.
Also, when a company is in the growth trajectory and managers stretch to achieve targets, internal controls come under stress and may break down unless the company installs a strong monitoring system. In those situations managers often perceive the internal control system as an unnecessary burden and subvert internal controls even if they have no ulterior motive.
This exposes the resources of the company to unwarranted risks. For example, to achieve the sales target, managers may relax the credit rating norms and thus expose the company to undue credit risks. On January 24, 2008, Socit Gnrale, one of the main European financial institutions, announced that a single futures trader at the bank had fraudulently lost the bank 4.9 billion Euros (an equivalent of 7.2 billion dollars), the largest such loss in history. This is the result of the failure of the internal control system.
It is said that the tone should be set at the top. The behaviour of the top management sets the control environment within the organisation. Communication through behaviour is more effective than communication through written documents like code of conduct or company policy. For example, if the top management disregards applicable laws and regulations, the culture percolates down across the organisation.
If the Board of Directors does not take the responsibility for internal control, shareholders cannot be protected from management fraud and waste of free cash flows.
For example, the accounting fraud at WorldCom is a failure of the board of directors and the Audit Committee. The management committed fraud against shareholders at a time when WorldCom was struggling because of the vast overcapacity of bandwidth, combined with a consumer price war and the rise of mobile telephones. There were huge temptations for the management to resort to the earnings management because the top management could not formulate right strategies to face the new challenges.
Arthur Anderson, in its internal documents, classified WorldCom in the high risk category, but did not modify the audit procedure because that would have increased the cost of audit. The audit failure is the result of temptation of partners to retain a client which contributes significantly to the earnings of the audit firm and to cut cost of providing services.
The audit failure in the case of WorldCom shows that improvement of audit techniques does not necessarily improve the quality of audit because audit involves people; and human beings are inherently greedy. Therefore, the Audit Committee and the board, which is in fiduciary relationship with shareholders, have to be extra cautious, particularly when the company or the industry is passing through a bad phase.