© Matti Mattila, CPFA, CISA, CIA

Determination of risks

Definition
When a process is built, its internal control structure is planned and built, too. Risks of the process are identified, analysed, and evaluated. Risks worth noticing are taken into account in the internal control plan of the process. Determination of risks should not, however, stop here. There remains a risk that the internal control plan of the process is not followed, that the plan is not kept up to date, or that the elements of internal control in place impact the performance of the process more negatively than expected. Determination of risks exists precisely because of these things. It is comprised of the following steps.
- Risk identification. All the time, during the normal course of actions, managers and other staff make observations about the control environment, the controls, and the accounting systems, and how they affect the process. When they see that internal control does not work as planned, they identify a weakness or an inefficiency. When they realize how the weakness can be exploited, they identify a risk. Correspondingly, when they realize how the inefficiency can be overcome, they identify an opportunity for process improvement.
- Risk analysis. The identified risk or inefficiency is analysed next. What causes it? How likely is it? What are its financial and other consequences? Does the risk or inefficiency contribute to the realization of other risks or inefficiencies? How well can the risk be compensated for by existing elements of internal control? Are there alternative ways to arrange internal control so as to make the process more efficient?
- Risk evaluation. Based on the outcomes of the risk analysis, one evaluates whether the process can bear the consequences of the risk or inefficiency, taking its likelihood into account, and whether to react to it or not. Determination of risks ends with this decision. After determination of risks the manager concerned can, for example, resort to an ad hoc control and propose a new indicator to be included in the accounting system to warn about the situation encountered.
An Example
A manager accountable for the payment of wages and salaries learns that the clerk responsible for checking the payroll and her deputy are both sick and therefore absent. As a result the payroll document cannot be checked as the internal control plan requires. However, wages and salaries must be paid on time. The manager analyses and evaluates the risk arising from the absence of the clerks: the possibility of serious errors in the payroll. He takes account of the compensating controls in place and forms an opinion about the current situation. Based on it he might, as an ad hoc control, check the payroll document himself and have it checked afterwards by the clerk responsible for the check.
Importance Of The Element
Determination of risks is a prerequisite for a process remaining efficient and its internal control continuously effective. Identification of unacceptable risks and inefficiencies serves continuous improvement of the process. When risks and inefficiencies are considered early enough, the process will be fixed and the basic objectives of the process will be achieved in an acceptable way. Together with ad hoc controls, determination of risks removes inflexibility from the permanent internal control structure of the process. If the process or its internal control elements have changed significantly, and ad hoc controls have been needed time after time, then the process's internal control structure should be revised or reformed instead.
We should be suspicious, in a healthy way, towards the internal control structure. Why? It is impossible to make a foolproof internal control structure; for example, most controls can be circumvented with good preparation. Internal control rests on an unreliable basis if we do not admit this fact. Sometimes a failure in controls is unduly blamed for the realization of a risk when the real reason is a failure in the determination of risks. The only credible precaution against the inherent deficiencies of internal control is due determination of risks. To be effective in it we should recognize the limitations in our thinking. We should not get into the habit of ignoring things or accepting procedures without understanding them well enough. And we should not be afraid to ask for help if there is something that we do not understand.