|
© Matti Mattila, CPFA, CISA, CIA |
| | | |
|
The ECAR Model Framework
|
|
|
It is the board of directors (board) or other such body or person and top management
that plans what an organization shall do.
Management on all levels
(1) designs and structures tasks and roles within the organization;
(2) takes care that there are processes and accountable persons working in accordance with the objectives of the organization;
(3) ensures that internal control of the processes of the organization is effective and efficient
[to support production of products and services and provision of information and reports];
(4) directs the organization and manages risks in attainment of the organization’s objectives; and
(5) controls that rules of the society and the organization are complied with.
|
|
 |
|
Figure 2: An illustration of the ECAR model framework |
| |
|
| Objectives Of Internal Control |
|
|
Internal control exists to provide reasonable assurance that
basic objectives of a process are achieved, respecting rules, and
there is adequate [control] information about this.
Basic objectives are objectives for achievement of which the process primary exists.
Rules include all direction meant to affect people's behaviour in a process
- such as laws, regulations, codes of conduct, agreements, standards, values, budgets,
and even established manners of the society.
[Control] information is limited to information about attainment of objectives
and compliance with rules in a process.
|
| |
| Internal Control Structure |
|
Internal control of any goal-oriented process has a structure built with internal control elements.
The structure is planned and the plan put into effect
so that the elements altogether contribute effectively to attainment
of the internal control objectives mentioned above.
Arrangements of permanent nature are planned and built into the process
to mitigate the noteworthy risks. By virtue of these arrangements the process,
with reasonable assurance, after all, proceeds as planned also when risks identified come true.
|
|
| Elements of Internal Control |
|
|
|
Elements of internal control are [Control] Environment;
Controls; Accounting Systems; and Determination of Risks.
|
|
|
The ECAR model is illustrated in the figure to the right.
|
| - |
[Control] environment, part of controls (soft controls) and part of accounting systems
(system of expectations) are related to direction,
while some controls (application controls) and part of accounting systems
(information how expectations have realized; audit trail) are related to control.
|
| - |
Determination of risks addresses [control] environment, controls and accounting systems (indicated with arrows).
It keeps internal control as a living structure.
Determination of risks exists inherently where people are present.
|
| - |
Dotted lines describe the vagueness that exists in boundaries on one hand between direction
and control and on the other hand between control environment, controls and accounting systems.
|
|
|
The [internal control] plan cannot be built with perfect information about
all events and conditions that are due to come and exist.
As a result internal control cannot provide full assurance
about achievement of process's basic objectives, compliance with rules within the process,
and collection of adequate [control] information.
Another implication is that the structure must contain a self-adjustment mechanism
(determination of risks) in order to keep the structure effective
when the risks of the process are changing.
When vulnerabilities or inefficiencies in the elements of internal control are found
internal control structure is supplemented by new controls or internal control is restructured.
|
|
| |
Designing and building internal control is not included in the concept of internal control.
|
|
|
