Control Self Assessment - An effective IFC tool to increase operating effectiveness of Internal Audit
Preamble
For long, internal audit professionals and practitioners have faced the challenge of providing a value-added internal audit service that justifies the cost of maintaining a proper internal audit system. Corporate Boards also view this service not merely as compliance with the provisions of the Companies Act but as a true value provider that supports the business, so that the organization can be run efficiently, ethically and in compliance with all rules, regulations and governance standards. The objective of internal audit has also changed: it is no longer only to evaluate internal control; a sound audit system must focus on its ability to assess and manage business and control risk, to support the efficient running of the business in an ever-changing, complex and volatile environment. The challenge is obvious, as the business environment is full of complexities and uncertainties now compared with, say, a decade ago.
The Companies Act 2013 has introduced, through sec. 134, a provision that makes the Boards of listed companies responsible for reporting on the operating effectiveness of Internal Financial Control (IFC).
Hence the question before us is how to ensure operating effectiveness and make the internal control and audit process more efficient and value-added.
Control Self Assessment has proved to be a powerful tool to improve the efficiency of the internal audit process and bring the necessary operating effectiveness to Internal Financial Control.
Control Self Assessment - what it is
To understand this, let us go back to the late 80s or early 90s, i.e. before the era of liberalisation started by ex-Prime Minister Dr. Man Mohan Singh, when India was really confined to its own world. The quality of Indian products and services was never challenged. But once the liberalisation process started and Indian products were exposed to the world, the shortcomings in the quality of Indian products and services were challenged; in fact, the very process by which that quality was produced was questioned. It was found that the responsibility for ensuring good product quality was seen to lie with the Quality Department only. It had never been felt until then that a product (or service) could be world class only if the entire value chain is quality driven. It was thus recognised that the Quality Department is not solely responsible for ensuring product quality. The entire value chain, right from preparation of the business plan until a product or service is delivered to the customer, has to be quality driven, and these processes certainly do not all fall under the domain of the Quality Department. Each process owner in the value chain is responsible for maintaining the quality of its own sub-process.
Control Self Assessment (CSA) rests on the same principle in its objective of providing an enterprise-wide sound internal audit system. Management recognises that the responsibility for ensuring internal control lies with the various process owners, because transactions are conceived, approved and executed by them and not by internal auditors. The internal auditor's responsibility is to periodically verify the various processes against the set policies and procedures and to report on control lapses.
When statutory auditors have to give their opinion on the internal control system over fixed assets, purchases, sales, stores and inventory, or on whether any fraud has occurred, it is the entire management, and not the Internal Audit department alone, that is responsible for ensuring an effective internal control and audit system commensurate with the size and nature of the business.
Through CSA the corporate internal audit department, whether in-house or outsourced, develops a joint responsibility statement with the various process owners across the entire value chain, and together they develop and monitor a sound internal control system in the planning, procurement, production, inventory, dispatch, sales, collection, accounting, IT and HR processes.
CSA methodology
CSA methodology is built on the principle that internal auditors facilitate and coach process owners in setting and ensuring controls at each process. Internal auditors are also responsible for:
- designing the whole process along with process owners
- documenting the process
- ensuring implementation
- reviewing the effectiveness of the process through a continuous control mechanism
- bringing lapses to the notice of the concerned process owner
- ensuring timely corrective action by process owners
- periodically reporting to management / the audit committee on CSA.
Let us discuss these one by one.
Types of CSA
CSA could be of two types.
A. Management risk assessment and control certification.
B. Process risk assessment & control certification.
Management risk assessment helps in meeting business objectives through control over business performance. This is done at entity level.
Process risk assessment aims at process effectiveness and is carried out at business unit (BU) level. The effectiveness of key business processes like Order to Cash, Procure to Pay, Finance, HR, logistics and legal processes is of paramount importance for sustainable business growth.
CSA steps
- Carry out risk assessment and document the Risk and Control Matrix (RACM). This is the most important step and is explained in detail later.
- Design the CSA questionnaire.
- Periodically audit the certified controls.
- Report.
Process design - Risk and Control matrix
The first step of CSA is carrying out a risk assessment and designing a Risk and Control Matrix (RACM) for each key business process. This involves the following steps and activities:
- Define the key business processes, such as planning, procurement, production, HR, finance, dispatch and sales, and their respective process owners.
- Ascertain the activities (manual/automated) of each business process. These may already be available in the form of SOPs; however, it must be ensured that the SOPs represent the current business process.
- Ascertain the risk associated with each key activity as "What Can Go Wrong" (WCGW). It is critical to ascertain WCGW: past internal audit reports must be referred to, and interviews with process heads and workshops with functional process owners should be held to identify as many risks as possible.
- Categorize each risk as High/Medium/Low based on risk appetite, i.e. the extent to which the organization can absorb the risk of a given process, event or activity.
- Determine the desired controls against each WCGW. Success here depends on the depth of understanding of the critical IT-enabled controls existing in the various processes, and of whether adequate manual controls exist to offset the absence of IT controls.
- Perform tests and determine the actual controls against the desired controls. Actual controls can be determined from process understanding and a process walkthrough of the IT-enabled controls embedded in the process. The existence of manual controls needs to be determined through the usual audit procedures. Existing SOPs, if any, should also be referred to in order to determine which IT-enabled and manual controls are embedded in the business process.
- Based on the tests conducted, ascertain the control gaps and the risk that arises if the controls are not met.
- Fix responsibility for adherence to the controls, including the periodicity of certification. This needs to be finalized through thorough discussion and agreement with the process owners.
Develop CSA questionnaire
The CSA questionnaire is an assurance, in statement form, from the control owners that the desired controls as determined in the Risk and Control Matrix are fully met in all transactions and in each process. It is based on the principle that the primary responsibility for ensuring internal control lies with management. Hence it is absolutely necessary to make the questionnaire as comprehensive as possible so that it covers all key controls.
Some examples are given below (see Chart 1) to clarify the concept.
Chart - 1
Process | Sub-process | Activity (manual/automated) | Risk (WCGW) | Desired control | CSA related question/confirmation from process owner
Procure to Pay | Vendor master management | Vendor creation form (VCF) (manual) | VCF may not be authorized by HOD-Purchase | Authorized VCF | I confirm that the Vendor Creation Form is authorized by the HOD-Purchase
Procure to Pay | Vendor master management | Authorize VCF (manual) | Employee supplying material to the company as a vendor | Employee cannot be a vendor | I confirm that no employee is allowed to supply material to the company
Procure to Pay | Vendor master management | Authorize VCF (manual) | Employee supplying material to the company as a vendor | Employee PAN/Aadhaar no. matched with vendor PAN/Aadhaar no. and no duplicate found |
Procure to Pay | Vendor master management | Vendor Master Record (VMR) creation (automated, SAP) | VMR may be created without the approval of HOD-Purchase | Approved VMR by authorized person | I confirm that
Procure to Pay | Vendor master management | Vendor Master Record (VMR) creation (manual) | Vendor master created without verifying the completeness of the VCF and without collecting all the relevant documents, such as proof of registration with regulatory authorities, copy of address proof, copy of PAN for TDS compliance, GST no. for availing input tax credit and payment of tax, proof of orders from other customers, and financial statements (say past 3 years for big orders) | Supporting documents to be collected from vendors | I confirm that all the supporting documents are collected from the vendors and documented
Procure to Pay | PR/indenting process | Create PR as per procurement plan | PR quantity may not be as per the production plan or the business requirement (where SAP MRP is not in use) | PR quantity vs. production plan should have parity | I confirm that:
Procure to Pay | PR/indenting process | PR from SAP | All PRs may not be from SAP | Check manual PRs raised during the period |
Procure to Pay | PR/indenting process | Approve PR | PR may not be released as per the SAP release strategy | Check release strategy and generate exceptions from SAP | I confirm that
Procure to Pay | PR/indenting process | Approve PR | Release strategy may not be as per the latest Delegation of Authority (DOA) | Check release strategy against the latest DOA |
Procure to Pay | PR/indenting process | Approve PR | Manual PR may not be properly authorized | Check delay |
Procure to Pay | PR/indenting process | | PR may not be raised in time | PR raising is monitored on a weekly basis | I ensure that all PRs beyond the approved days have been disabled
Procure to Pay | PR/indenting process | | Significant unused, non-converted PRs | Check PR validity |
Procure to Pay | Purchase order placing | Create purchase order/service order in SAP | Service order raised may not be as per the standard operating rates finalised for executing regular services | Check service order rates in SAP against the service order | I confirm that all relevant service orders are released as per the approved Standard Operating Rates defined for the purpose
Procure to Pay | Purchase order placing | Create purchase order/service order in SAP | PO may not be placed at the least cost or to the L1 bidder; order may not be vetted by the Legal Department; multiple POs for the same material on the same day may be raised to the same vendor (i.e. PO splitting); terms and conditions in the order may not be the standard ones or may exclude important clauses like bank guarantee, payment terms (incl. advance), and delivery, destination and conformance to spec. | SAP-enabled control is ensured; vetting by the legal department beyond a certain value limit; order placing as per the SAP release strategy; ensure the system does not allow multiple POs against a single PR; check quality, cost, delivery and pricing conditions as set in SAP | I confirm that: taxes and duties levied in the order are correct; the PO is released against an approved PR; all POs are issued to vendors only after they are approved under the release strategy; the necessary vetting has been done by the legal department where applicable and terms and conditions have been modified as necessary; the release strategy is uploaded in SAP and is as per the approved DOA; POs have been released and approved as per standard terms and conditions, and any deviations have been approved by the relevant authority as per the DOA
Frequency of certification by control /process owner
The frequency of certification, as mentioned in the last column of Chart 1, would depend upon the complexity, materiality and type of control (system-based/manual) of each activity or transaction. For example, if the entire purchase process, i.e. Procure to Pay, is IT-enabled with a sound ERP system that can be assessed only after a system walkthrough, then the frequency of confirmation of control may be fixed as quarterly. It is also recommended that, while process-level control confirmation can be taken quarterly, transaction-level confirmation should be taken monthly. Confirmation on statutory compliance (VAT, TDS, service tax, PF, ESI etc.) should be taken on both a monthly and a quarterly basis. However, it entirely depends on the risk appetite of the entity concerned.
The questionnaire, after certification/confirmation in the last column, must be reported back to the Internal Audit department within 10 days of the month following the relevant month or quarter.
Periodic Audit of certified Controls
The next step in CSA is the periodic audit of certified controls by Internal Audit. This process ensures accuracy in the certification of controls by process owners and thereby makes the control mechanism leak-proof and accountable. The audit can be conducted by the in-house audit department or an outsourced internal auditor. The key requirement is that the internal auditor must be fully aware of the business process and must have a reasonable understanding of the IT-enabled process.
The audit involves the following steps:
- Plan the audit period in consultation with the auditee/process owner.
- Fix a meeting with the process owner; the concept must be understood by the process owner.
- Get a list of all certified controls that need to be tested.
- Ascertain the details of the information to be downloaded from the ERP system to perform the test. For example, to verify that all POs have been generated from system-generated PRs, as certified by the process owner, the auditor needs to download the month-wise PRs and POs generated. The information needs to be generated business-area-wise and process-wise.
- Ascertain other information requirements, such as policies, SOPs, contracts, DOA etc.
- Perform the tests, record the audit observations alongside the certification and ascertain deviations from the certified controls. If the auditor's observation matches the certification, the auditor should report "no deviation observed"; otherwise the auditor should report the deviation with facts and figures.
- Discuss deviations with the process owners who certified the controls. Note down the reasons for the deviation and the corrective actions proposed.
- If deviations are observed in high-risk areas, corrective action must be taken at the earliest by the process owner so that they do not recur during the next certification cycle.
- Report deviations and the corrective actions taken and proposed to senior management and the Audit Committee on a quarterly basis. The report may be named the "Control Self Assessment Audit Report". The distribution of copies of the audit report may be decided by senior management.
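As an added illustration of the testing step (this is not code from the article), the script below runs four of the certified controls from Chart 1 over constructed PR, PO, vendor and employee extracts: PO released against an approved PR, all PRs from SAP, no PO splitting, and no employee registered as a vendor. The record layout and field names are assumptions for the example, not SAP's.

```python
# Added example (not from the article): control tests from Chart 1 run over
# constructed sample extracts. Field names are assumptions, not SAP's.
from collections import defaultdict

PRS = [  # purchase requisitions: source system and release status
    {"pr": "PR100", "source": "SAP", "released": True},
    {"pr": "PR101", "source": "SAP", "released": False},
    {"pr": "PR102", "source": "MANUAL", "released": True},
]
POS = [  # purchase orders; PO3 has no PR, PO3/PO4 look like PO splitting
    {"po": "PO1", "pr": "PR100", "vendor": "V1", "material": "M1", "date": "2024-04-02"},
    {"po": "PO2", "pr": "PR101", "vendor": "V2", "material": "M2", "date": "2024-04-03"},
    {"po": "PO3", "pr": None, "vendor": "V1", "material": "M1", "date": "2024-04-05"},
    {"po": "PO4", "pr": "PR100", "vendor": "V1", "material": "M1", "date": "2024-04-05"},
    {"po": "PO5", "pr": "PR102", "vendor": "V3", "material": "M3", "date": "2024-04-06"},
]
VENDORS = [{"vendor": "V1", "pan": "AAAPA1111A"}, {"vendor": "V2", "pan": "BBBPB2222B"}]
EMPLOYEES = [{"emp": "E9", "pan": "BBBPB2222B"}, {"emp": "E10", "pan": "DDDPD4444D"}]

def po_without_released_pr(pos, prs):
    """Certified control: every PO is released against an approved (released) PR."""
    released = {p["pr"] for p in prs if p["released"]}
    return sorted(po["po"] for po in pos if po["pr"] not in released)

def manual_prs(prs):
    """Certified control: all PRs come from SAP; manual PRs need authorization checks."""
    return sorted(p["pr"] for p in prs if p["source"] != "SAP")

def split_pos(pos):
    """WCGW: several POs for the same material to the same vendor on the same day."""
    groups = defaultdict(list)
    for po in pos:
        groups[(po["vendor"], po["material"], po["date"])].append(po["po"])
    return sorted(tuple(sorted(g)) for g in groups.values() if len(g) > 1)

def employee_vendors(vendors, employees):
    """Certified control: no employee is a vendor, tested by PAN match."""
    by_pan = {e["pan"]: e["emp"] for e in employees}
    return sorted((v["vendor"], by_pan[v["pan"]]) for v in vendors if v["pan"] in by_pan)

def csa_audit_report():
    """Deviations per control; an empty list is reported as 'no deviation observed'."""
    return {
        "po_against_approved_pr": po_without_released_pr(POS, PRS),
        "all_prs_from_sap": manual_prs(PRS),
        "no_po_splitting": split_pos(POS),
        "no_employee_as_vendor": employee_vendors(VENDORS, EMPLOYEES),
    }
```

Each non-empty list is a deviation to be discussed with the certifying process owner; an empty list is reported as "no deviation observed".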
Meeting overall objective
It is clear to the reader by now that the basic objective of the CSA process is to reach the highest level of internal control through continuous monitoring and to reduce control risk gradually from high to low, thereby achieving the IFC objective. This is extremely important in supporting top management in meeting the overall business objective of sustainable growth. CSA is perhaps the most effective way to add value to the internal audit process today and to bring the much-needed operating effectiveness to financial reporting as required by the Companies Act 2013.
Implementation challenges
However, there are challenges in successfully implementing the CSA process. The most important is likely a mindset challenge from business units and process heads, as the process shifts internal control responsibility onto the process heads in a more objective manner. Also, the process is best implemented through a computerized workflow system, as continuous manual monitoring across all business process owners, business heads and senior management is virtually impossible; without it the process becomes ineffective and risks being considered redundant. Like any new initiative, CSA also needs support from top management and continuous communication with BU and process heads.
Conclusion
The business environment and business processes are now more complex, global, digitized and volatile. There is a continuous challenge on auditors to add value and support business growth. The legal framework also demands operating effectiveness of internal financial control. Under the circumstances, ensuring an effective control and assurance process is extremely challenging and needs a much more focused approach. CSA and Continuous Control Monitoring (CCM) are the answer to these issues. Automated CSA and CCM would make auditors and auditees approach internal audit in a more objective way, as the new approach brings them closer together to fight fraud and corrupt practices in business transactions in a much more cohesive manner.
So, ladies and gentlemen, let us implement CSA. I also look forward to your valued feedback to improve the effectiveness of Control Self Assessment.