7/29/2019 Internal Control and RCSA Programm
Understanding & Effectiveness of Internal Controls & RCSA Framework
Understanding & Effectiveness of Internal Controls
What is Control?
Traditional View of Controls
What is Internal Control?
COSO Framework (An Internal Control Framework) and Oversight Representative
Components of Internal Control
1- Control Environment
2- Control Activities
3- Risk Assessment
4- Information and Communication
5- Monitoring
Why Controls Don't Always Work
What you can do;
Definition & Objective- Control Self-Assessment
Objectives of RCSA
How to Identify Risk
Conditions that Increase Risks
Characteristics- Control Self-Assessment
RCSA the Early days & Internal Audit Involvement
CSA compared with Traditional IA Approach
Core CSA Process
CSA Methodology and Practical Considerations
Advantages / Disadvantages of RCSA
Utility of RCSA
RCSA Reference
Our Beliefs
Limitations
What is Control - Real life examples
COSO Framework - Its Oversight, Requirements and Application
Internal Controls - Who needs them
5 Internal Control Components - In detail
5 Types of Risk
5 Types of Controls
RCSA Framework - Background and application
RCSA Methodology
Advantages and limitation of RCSA
What you can and should do as an auditor
The combination of many factors which support people in their efforts to achieve their business objectives.
e.g. skills, culture, information, resources, measurements, policies, cteamwork, procedures.
A process is the method or task performed to achiev
objective.
A control is a mechanism to ensure the objective of p
achieved.
Controls seen as the responsibility of auditors and financial per
Controls perceived as limited to financial areas.
Controls seen as bureaucratic & burdensome.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
1. AICPA (American Institute of Certified Public Accountants)
2. AAA (American Accounting Association)
3. IIA (The Institute of Internal Auditors)
4. IMA (Institute of Management Accountants)
5. FEI (Financial Executives Institute)
Keeping an eye on entity's assets and resourc
Finding ways to make sure people don't do bad things
Protecting the entity from being accused of doing bad things
Good, sound business practice
Common Sense!
Think about what you do;
Lock your home and vehicle
Keep your ATM, CR/DR Pin number separate from your card
Review bills and credit card statement before paying them
Reconcile your bank statement
Don't leave blank cheques or cash just lying around
Expect your children to ask permission to do certain things
Other examples
Vehicles are kept locked when not occupied.
Hierarchies to build the structure and mechanism of accountability
Computer Passwords are periodically changed and shouldn't be written down or kept by the PC
Checking purchase card charges against source documents.
Checking management reports against source documents
Locked cash drawers and secure storage for checks
Authorization required for certain activities
Other Example
Internal control is broadly defined as a process, effected by an edirectors, management/administration, council and individuals, desig
reasonable assurance regarding the achievement of three objectives:
Which are;
Effectiveness and Efficiency of Operations.
Reliability of Financial Reporting.
Compliance with applicable laws and regulations.
Intertwined with entity's operating activities.
Built into the entity's infrastructure.
"Built in" Controls support quality
empowerment initiatives
avoid unnecessary costs
enable quick response to changing conditions.
Fairly presented in conformity with (GAAP)
Other relevant / appropriate accounting principles
Regulatory requirements for external purposes
Existence or Occurrence
Completeness
Rights and Obligations
Valuation or Allocation
Presentation and Disclosure
Compliance to applicable laws is the most essential element of any busi
Ensure compliance to
- Entity's Operations / Admin Manual
- Entity's Personnel Policies
- Prudential Regulations
- F.E Manual
- AML & KYC Hand Book
- Operations Manual
- Accounting Manual
- Audit Manual
- Other relevant circulars/manuals i.e. Compliance Newsletters
- Regulatory Guidelines
- Audit Manual
Internal control consists of five main interrelated compone
derived from the way management runs a business, and are integrated with the management process.
The components are:
1. Control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring.
1. Control Environment
The foundation on which everything rests.
Key factors:
Management's attitude: Tone at the Top
Individual attributes: integrity, ethical values, competence, culture, vision, leadership.
1. Control Environment
A control environment has:
- Appropriate hiring policies
- Assignment of authority and responsibility
- Up to date job descriptions
- Appropriate training
- Meaningful review of performance
- Punctuality and discipline
- Hierarchical structure
Anything that could negatively impact the entity's
to meet its operational objectives.
Risks are things that will stop an organization from
meeting its objectives.
What could keep your entity from reaching its goa
What keeps you up at night?
What is Risk?
Strategic risk that would prevent a department from accomplishing objectives (meeting its goals).
Financial risk that could result in a negative financial impact to the Entity (waste or loss of assets).
Regulatory (Compliance) risk that could expose the Entity to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.
Reputational risk that could expose the Entity to negative publicity
Operational risk that could prevent the department from operating
most effective and efficient manner or be disruptive to other Entity ope
2. Risk Assessment
Understanding objectives
Identification of Risks
Assessing Risks
Significance
Likelihood
For content, three factors will assist you in determining the significance of the risks you have identified:
Management's risk appetite and risk capacity
The magnitude of the impact of the risks
The likelihood of occurrence
2. Risk Assessment
Variety of risks from external and internal sources
Pre-condition to risk assessment - establishment of objectives
The broad categories of objectives used for risk assessment are:
Operations objectives. Financial Reporting Objectives. Compliance Objectives.
2. Risk Assessment
[Figure: Business Risk Framework. External Risks: Legal (regulation, legislation, etc.); Economic (interest rates, currencies, inflation, GDP, unemployment, etc.); Social (trends, values, population growth, consumer psychology, etc.); Technology; New Entrants; Suppliers; Substitutes; Competition. Internal Risks are grouped under Integrity, Governance, Operational, Information Management, Financial Management and further categories whose labels are truncated in the source.]
2. Risk Assessment - Magnitude of Impact
Insignificant: No impact on reputation
Minor: Consequences can be absorbed under normal operating conditions; potential impact on reputation
Moderate: There is some impact on reputation
Major: Reputation is impacted in the short t
Catastrophic: Serious damage to reputation
2. Risk Assessment - Likelihood of Occurrence
Rare or Remote: Event may only occur in exceptional circums
Unlikely: Event could occur in rare circumstances
Possible: Event could occur at some time
Likely: Event will probably occur in most circumsta
Almost Certain: Event is expected to occur in most circumsta
2. Risk Assessment
Quantitative Assessment
gathers data in numerical form which can be put into categories, or in rank order, or measured in units of measurement. This type of data can be used to construct graphs and tables of raw data.
Examples:
- Deposits
- Advances
- Actual Reported Frauds
- Financial Statements
- System Downtime
- Un-reconciled Transactions (Amount)
- Un-reconciled Transactions (days)
Qualitative Assessment
gathers information that is not in numerical form. For example, diary accounts, questionnaires, unstructured interviews, unstructured observations.
Examples:
- Internal Audit
- External Audit
- SBP Audit (where applicable)
- Customer Service
- Complexity of Operations
- Core Banking Systems / ERP Applications
- Entity's operating software
2. Risk Assessment
[Figure: risk matrix. Likelihood of Occurrence (Almost Certain, Likely, Possible, Unlikely, Rare) against Magnitude of Impact (Insignificant, Minor, Moderate, Major, Catastrophic).]
Policies Procedures Safeguards
Authorities
Control Activities
Actions supported by
assure management directives to address risks are carried out properly and timely.
Controls can be automated or manual;
To be effective, control activities must be:
Directly related to the Control objective
Appropriate
Functioning consistently according to plan throughout the p
Cost effective
Comprehensive
Reasonable
Information Technology Control Activities
- General Controls are the structure, policies and procedures that apply to the information systems and help to ensure proper operation.
- Application Controls are programmed procedures in application software designed to ensure completeness and accuracy of information.
Reviews of processes and
Numerical sequence of ensure completeness;
Exceptions reporting reviews;
Performance indicators;
Information system contapplication controls);
System Access;
System Configuration Mapping;
Exception/Edit Reports;
Authorization and approval procedures;
Reviews of operating performances;
Supervision (assigning, reviewing/approving, guidance, training);
Segregation of duties (authorizing, processing, recording, reviewing);
Controls over access to resources and records;
Reconciliations;
Verifications;
General Controls:
- Access security
- Data and program security
- Physical security
- Software development and program change controls
- Data center operations
- Service continuity (disaster recovery)
Application Controls:
- Designed to prevent, detect and correct errors and irregularities as information flows through information systems:
Input controls (data entry authorization; validation; error notification and correction)
Processing controls
Output controls
Directive Controls
Entity Operation, Admin Manual; Personnel Policies; Policy on Sexual Harassment; Govt. Accounting Standards Board (GASB), UCP 600, Manuals, Instructions, Regulations, Circulars, public notices, CDD / AML Procedures Hand Book and Ops Manual, AML / CFT Regulations / AML Act 2010, FATF (40), SECP Guidelines, FMU Regulations, Symbols user manuals, CTR user manuals
Preventive Controls
- Annual budget
- Inventory of assets
- Periodic performance evaluation
- Segregation of incompatible duties (a person is not in a position to both commit and conceal), Limits to authority (link to specific dollar levels)
Original documents to support a transaction, Security Access (CCTV and Guards), point Custodianship, Physical controls over assets (Lock and Key), Authorized signers (Smart Cards)
Detective Controls
Review of computer/application user access log
Periodic (annual) inventory count
Account reconciliations (HO and Bank Statements)
Physical inventories (Stock Reports)
Card logging, and approval (Layers, Review of reports, Card and Pin Checking)
Internal auditors, RCSA
Corrective Controls
Adjusting Journal Entries; terminations; training, Documentation systems or processes (Gap Analysis)
Improvement initiatives (Service weeks)
Discipline actions (Demotions and Transfers), Error communication and reporting (Issue Resolution and P & V)
Pertinent and reliable information should be identified, captured and communicated in form and timeframe that enables staff to carry out their responsibilities.
o Management's ability to make appropriate decisions is affected by the quality of information; that implies that the information should be appropriate, timely, current, accurate and accessible.
o Information systems need to produce reports that contain operational, financial and non-financial, and compliance-related information.
4 - Information and Communication
4 - Information and Communication
Right information
Right place
Right time
Frankness
Openness
Cost Effective controls are made possible by the right information
Communication of Plans, Performance Indicators, and Expectations.
Transactions and events must be recorded promptly when they occur if information is to remain relevant and valuable to management in controlling operations and making decisions.
Documentation should be updated promptly, including policies and procedures.
Information is the basis for communication.
Information
Effective communication should occur in all directions, flowing down, across and up the organization, throughout all departments and divisions.
Management should be kept up-to-date on performance, development, risks and other relevant events and issues.
Management should communicate to its staff what information it needs to be effective; and provide feedback and direction.
Communication
5 - Monitoring
Monitoring ensures that the Internal controls operate as intended over time, and is accomplished through routine (on-going) activities, separate evaluations or a combination of both.
Ongoing monitoring activities cover each of the Internal control components, and involve action against irregular, unethical, uneconomical, inefficient and ineffective Internal controls.
Separate evaluations are conducted by Internal and/or external auditors; findings/recommendations are reported to the appropriate level of management for resolution.
5 - Monitoring
Benchmarking
Exceptions
Analysis of results
Effective change
Internal & External Audits
Supervision
Observations
Raising queries
Exception Reports
Inspections
Reviews of Reconciliations/ Variance Analysis
Performance Data
Trend Analysis
Audits
Self-assessments
Communication from Customers, Regulators, etc.
5 - Monitoring - Examples
CONTROL ENVIRONMENT: Integrity & Ethical Values; Commitment to Competence; Board of Directors & Audit Committee; Management Philosophy & Operating Style; Organisational Structure; Assignment of Authority & Responsibility; Human Resource Policies & Practices
RISK ASSESSMENT: Organisation-wide Objectives; Activity-level Objectives; Risk Management; Managing Change
CONTROL ACTIVITIES: Policies; Procedures; Hard control activities
INFORMATION AND COMMUNICATION: Downwards; Upwards; Horizontal; Departmental; External
MONITORING: Ongoing Monitoring; Separate Evaluations; Reporting Deficiencies
1. Inadequate knowledge of policies or governing regulations. I didn't kn
2. Inadequate segregation of duties. We trust A who does all of those th
3. Inappropriate access to assets. Passwords shared, cash not secured
4. Form over substance. You mean I'm supposed to do something besides it?
5. Control override. I know that's the policy, but we do it this way. Just g don't care how!
6. Inherent limitations. People are people and mistakes happen. You cannot eliminate all risk.
When thinking about Internal controls, consider the following:
Compliance with policies and government regulations: are you following established procedures/instructions?
Propriety of transactions: is this legal and right? Does it feel or look Would someone else think so?
Reliability and integrity of information: is the information/form/data accurate and complete?
Safeguarding assets: could anyone take or gain access to items under control without being observed?
Economy and efficiency of operations: is there a better way to do t
o Make sure they have up-to-date policies and procedures;
o Ensure authorization limits are communicated within the departm
o Ensure all assets (especially cash) are safeguarded at all times;
o Establish document control (especially for spreadsheets);
o Ensure approval signatures are visible (legible) on all required documentation;
o Make sure data is only accessible by authorized personnel;
o Understand the department/function's risks;
o Ensure adherence to Entity's policy and Entity's code;
o Establish objectives and measures for your department/function
major programs; and
o Evaluate performance to gauge the efficiencies
Control Self Assessment Some Definitions
A CSA programme is a process which allows individual line ma and staff to participate in reviewing existing controls for adequ
and recommending, agreeing and implementing improvemen
A formalised, documented and committed approach to the re fundamental and open review by managers and staff of the str control systems designed and operated to achieve business ob and guard against risks within their sphere of influence (CIPFA
..would one day completely replace the traditional audit as the primary assurance tool in the auditor's toolkit (Gulf Canada)
A process through which any entity's Internal Control effective examined and assessed.
For each department/division objective, ask:
What could go wrong?
How could we fail?
What must go right to succeed?
What decisions require the most judgment?
What activities are most complex?
What activities are regulated?
On what do we spend the most money?
How do you bill/collect related revenue?
On what information do we most rely?
What assets do we need to protect?
How could someone or something disrupt our operations?
Lack of segregation of duties
Too much trust
- Approval of documents without review
- Lack of verification of transactions after they have entered in the system
- Lack of reconciliations
No follow-up when things appear questionable or not reasonable
Lack of control over physical assets / inventories
Lack of control over logical access, system/application a
Lack of control over purchasing of materials/supplies
Lack of knowledge of policies and procedures
The objective is to provide reasonable assurance that all business objectives will be met. (Institute of Internal Auditors)
Proactive management of risk
Problems identification and its correction
Awareness of risk and control
Upward timely communication to the senior management for:
Significant risks and control issues
Remedial action plans
RCSA- Objectives
RCSA Objectives
Assist employees in assuming responsibility for effective risk and control management
Teach staff to analyse, evaluate and report on the application and effectiveness of control mechanisms
Improve control awareness and the cost effectiveness of products/services
Complements performance reporting regimes
Enables managers to certify corporate governance statements with more certainty
An ongoing process to ensure controls are adequate and functioning correctly.
A process to notify management timely, when things are go
A mechanism to record and monitor issues and the status of actions.
CHARACTERISTICS- Control Self-Assessment
RCSA The Early days
Perceived as a threat to Internal Audit
Sluggish start even in the US (only 17% of bodies were using it by 1995)
Seen as exporting systems based audit to staff
Less than 30% of processes/functions used RCSA and most of the applications were driven by Directors of Finance
Supporters saw it as a useful control awareness initiative
Audit critics believed it could be a new injection of life into flagging tick and turn auditing
Potential Internal Audit Involvement
Advice on design, implementation & maintenance of risk management system
Advice on risk, control and governance
Undertake audits of business unit schedules using COSO model
Review periodic reports of business units
Membership of Risk & Control Panel
Reporting on its own plans, activities and outcomes
Contribute to overall assessment on Corporate Governance
Other Considerations
Few organisations cover more than 30% of risk functions
70% of sponsors are Internal audit
After implementation, 60% of Internal audit functions remain involved
50% use COSO, 50% use proprietary software or Internal audit designed documentation (US experience)
Time involvement may have to be rationed
68% of audit functions claim RCSA is one of its products
CSA compared with Traditional Audit Approach
Traditional Approach | RCSA Approach
Assign duties, supervise staff | Empowered, accountable employees
Policy/rule-driven | Continuous improvement/learning curve
Limited employee participation | Extensive employee participation and trai
Narrow stakeholder focus | Broad stakeholder focus
Auditors and other specialists | Staff at all levels, in all functions, as prima
Core RCSA Process
Identify and document all significant processes of the bank/entity,
Evaluate risks (inherent/ specific) in each process,
Assess controls used to manage / mitigate risks,
Point out gaps & make action plans to correct weaknesses,
To begin a process assessment, appoint someone who is knowledgeable about the process but not the process owner to evaluate if adequate controls exist.
Do a walk through of the process and verify controls exist to v
Existence or occurrence
Completeness
Valuation or allocation
Rights and obligations
Presentation and disclosure
RCSA Methodology
Evaluate if there are:
Enough controls to mitigate key risks: there may be a gap
Controls that essentially do the same thing: it is possible to over-control a risk
RCSA Methodology
Evaluate the design of each control.
Does it mitigate a key risk?
Can it do what it is supposed to do every time without fail?
Does it prevent or detect errors or fraud?
RCSA Methodology
Evaluate the effectiveness of each control.
Does it operate as it was designed?
Is it efficient?
Ways to evaluate controls:
Observation
Re-performance
Inspection
Knowledge assessment
Corroborative inquiry
Practical Considerations
Must set objectives
Decide on most appropriate approach
What topics, processes, systems should be covered
Amount of time to be invested
COSO model or your own model
Facilitation skills available
Outputs from the workshop
Reporting protocols
Ongoing application
RCSA Scope of Workshops - A Model to Show!
Worksheet columns: Profile of the System (key stages); Objectives; Risks; Controls Expected; Controls Actual; Opinion; Testing; Evaluation/Improvemen
Rows: 1., 2., 3., 4. Etc.
Objectives of the Activity/Process:
Strategy/Control Environment:
Policies, Laws, Plans, Budgets, Procedures, Standards, Responsibilities, Structures, A Policies, market conditions, training, guidance, management information, IT systems, interfaces, monitoring arrangemen regimes, performance measurement, external factors, best practice etc
Operations:
Line management becomes fully involved in risk & control
Ownership creates greater awareness
Corrective action can be taken more speedily
The concept fits neatly with empowerment models
Facilitates embedding and reporting requirements
Cheaper than employing more auditors
Helps employees to understand and assume responsibility for control,
Places front line responsibility with management for operational risk management,
More effective corrective actions because participants own the results,
Improve communication at all levels,
Increase control consciousness of the entire institution,
Cultural change embedding operational risk management at all levels.
Possible RCSA Disadvantages
Relies too much on honesty
May be too subjective (not related to business objectives)
In practice, applied to traditional financial areas
Time consuming
Does not lend itself easily to cross functional systems
Could become unreliable as an add on to normal duties
Filling in documentation could become an end in itself
RCSA References
Still the best UK publication (in my opinion)
Control Self Assessment edited by Keith Wade and Andy W 1999 (published by Wiley)
In addition to explaining the reasons for RCSA and the various approaches, it examines about 20 different public and private
practices which are written by different experts and practitio
Utility of RCSA
IC
BOD & Senior Management Oversight
Frequent & comprehensive reporting of control deviations to the BOD / Senior Management
Effectiveness of existing controls
Adequacy of controls (Operational, Financial Reporting & Compliance)
COSO Documentation
ITAM Process
Our Beliefs
People are more important than systems as;
They can make bad systems workable,
They can make good systems fail,
They make the difference in the midst of change,
Understanding how controls work leads to better change management,
Shared information leads to faster improvement and lower risks.
Limitations
Internal controls cannot ensure success when there are
Bad Governance
Wrong Decisions
Poor managers
Unethical behavior
Collusion / Conflicts
Override / Breach of controls
Name: Ms. Saima Riaz
Email Address: [email protected]