The Audit Committee plays a prominent role in overseeing the internal control processes of an organization, the issue we address today in this new article in the Audit Committee series: key issues for effective supervision.
Committees that perform this function efficiently carry out their control work by requesting relevant, pertinent and precise information from the management team and the internal and external auditors, and by asking direct and complex questions.
Management is responsible for establishing and maintaining an effective internal audit and control system. The Audit Committee must supervise these controls and review the effectiveness of the system as a whole. An effective internal control system provides reasonable assurance that the policies, processes, tasks, behaviors and other aspects of an organization, considered as a whole, promote its effective and efficient operation, contribute to guaranteeing the quality of the information presented at the internal and external levels, and help ensure compliance with applicable legislation.
Internal controls should be used to keep the risks faced by the organization within the tolerance levels defined by the board, taking into account the cost / benefit ratio. The Audit Committee must verify that adequate policies, activities and procedures have been established and that they function as planned. An effective internal control system revolves around the guidelines set by the company’s management, and in this sense, both the board and the Audit Committee must send the clear message that internal control responsibilities must be taken very seriously in the organization.
The performance of the internal control system must be assessed through ongoing monitoring activities, separate evaluations and internal audits, or a combination of both. The procedures to monitor the adequacy and effectiveness of the identified controls must be integrated into the normal operations of the organization. Although monitoring procedures are part of the overall control system, they are largely independent of the items they check. While effective monitoring throughout the organization is an essential component of a robust internal control system, the board cannot rely solely on integrated monitoring processes to fulfill its responsibilities. The board, with the help of the Audit Committee, should receive and regularly review reports on internal control and be informed about how the checks on which the reports are based have been carried out.
Management reports should provide a balanced assessment of the effectiveness of the internal control system for the areas covered. Any significant deficiencies or control failures identified should be addressed in the reports, including the effect they have had, could have had or could have on the organization, as well as the actions that are being taken to correct them. It is essential to maintain a direct, continuous and open dialogue between the management and the Audit Committee on the risks and controls of the organization.
The Audit Committee should define the process to be adopted for the (annual) review of the effectiveness of the internal control and risk management systems. The annual review exercise should consider the issues addressed in the reports that are reviewed during the year, along with the additional information necessary to ensure that the board has considered all important aspects of internal control.
Here are some signs that internal control is not working as intended and should act as red flags:
- Executives and business teams do not participate in risk and control assessment processes
  - Formal discussions about risks and controls are often postponed
  - Risk and control processes are not part of normal activity
- The development of the internal control system is perceived as the ultimate goal
  - Little discussion or additional input
  - The information presented focuses only on the risk covered
- Supervision and questioning are not robust
  - Risk and control assessments and reports / processes hardly change
  - Business owners are not questioned and they receive little feedback
- The role of the risk function is unclear; misunderstood at best and ignored at worst
  - Little power to question the strategy and related risks
  - They are perceived as simple consolidators of information
- Unclear accountability for risk
  - Risks are not addressed in time and it is difficult to determine where to fit them
  - Internal audit ‘dominates’ the process too much
- Guarantees are uneven: high for traditional risks and insufficient for emerging risks
  - There is no clear roadmap regarding guarantees
  - Internal audit plans revolve around the same topics
  - Executive teams rely heavily only on the guarantees given by their own management
Key questions for the Audit Committee
Identification and monitoring of controls
- Does management have clear strategies to address the identified significant risks? Have internal control actions been defined for all the significant risks identified?
- How are processes / controls adjusted to reflect new risks, operational deficiencies or process changes?
- Are the company’s resources sufficient to adequately carry out all internal control activities? Which specialists will participate in the evaluation of controls over complex processes that involve value judgments and depend on technology?
- Do the organization’s culture, code of conduct, human resource policies, and incentive systems support its objectives and internal control system?
- Through its actions and policies, does management demonstrate the necessary commitment to competence and integrity in the organization?
- Are authority and responsibility clearly defined and segregated? Are the decisions and actions of the different parts of the company properly coordinated? Are there adequate controls over the approval and monitoring of special or extraordinary transactions?
- Do management and the board receive timely, relevant, and reliable reports on risk and internal control? Have key risk indicators been configured to monitor significant risks and mitigating actions?
- Are there areas in company operations that internal audit or other parties charged with providing assurance do not fully understand?
- Is the management self-assessment process properly managed, formalized and verified by internal audit? Is the appropriate level of independent questioning incorporated into the process?
- Are cyclical internal audit visits and / or special external auditor reviews used to the greatest extent possible in the monitoring process?
Review and assessment of internal control
- Are there ongoing review processes integrated into the organization’s operations, with a view to monitoring the effective application of policies, processes and activities related to internal control and risk management?
- Do these processes monitor the organization’s ability to reassess risks and adjust controls effectively in response to changes in its objectives, business, external environment, and other changes in risk and control assessments?
- Is there adequate communication to the board (and committees) about the effectiveness of the ongoing monitoring processes on risk and internal control aspects, including information on any significant weakness or failure in a timely manner?
- Do any internal control findings or weaknesses reflect the need for more comprehensive monitoring of the system?
- Is there inconsistent information on risk and internal control received from various opposing functions and, where appropriate, are measures required to ensure that management provides a single view on this?