Internal Control Policies and Procedures
Auditing Standard ASA 315 sets out the five (5) components of internal control that management should design and implement so that the entity’s internal control objectives are achieved, namely:
- The control environment
- Entity’s risk assessment process
- Information system
- Control activities relevant to an audit
- Monitoring of control
The following are work practices and routines relevant to internal control procedures:
- Separation of duties - This refers to assigning different people within the organisation to work specifically on tasks such as:
- Bookkeeping
- Financial reporting
- Auditing
This practice reduces the opportunity for a single employee to both commit and conceal fraud or error.
- Security of assets - This protects against the loss or misuse of physical and non-physical assets. Security for physical assets may include:
- Securing goods and equipment in a restricted area.
- Assigning authorised personnel to access these goods and equipment.
Security for non-physical assets may include restricting access to databases and other systems that hold records to authorised personnel, and logging that access.
- Financial reporting - Internal control procedures must ensure that the collection, preparation and presentation of financial reports are accurate and timely. Many organisational decisions are based on financial reports, so these must be managed properly.
These work practices and routines are set in place to maintain the integrity of the accounting system, prevent fraudulent acts and identify errors.
Control Environment
Procedures and policies should be implemented to:
- Communicate values and required standards of ethical behaviour, e.g. code of conduct
- Evaluate and reward employee performance, e.g. performance appraisal system
- Hire employees with the required experience and expertise, e.g. human resource policies concerning recruitment
- Ensure compliance with corporate governance requirements
- Inform employees of organisational practices and procedures, e.g. accounting manual, organisational chart setting out areas of responsibilities and lines of authority; job descriptions for employees
- Ensure adequate training for employees
- Conduct internal audits, e.g. audit committee
Risk Assessment Process
Procedures and policies should be implemented to identify and manage risks, including risks arising from:
- Induction programs for new employees
- Installation of new information systems and technology
- Maintenance and development of application systems
- Segregation of duties of personnel
- The introduction of new products and services
- Foreign exchange transactions
- New accounting principles, legislation, regulations, and standards
Information Systems
Procedures and policies should be implemented to identify and record all valid transactions, including:
- A clearly defined audit trail
- Specific authorisation and approval for the recording of valid transactions
- The recording and processing of transactions
- The identification and documentation of invalid transactions
- The authorisation and approval of adjustments to transactions before processing
- The detection of errors and irregularities in processing
- Authorisation and approval for purchases of capital equipment
- The classification, summarising and reporting of transactions
- Pre-numbering of documentation, so that missing or duplicated documents can be detected
- The recording of non-current assets
- The allocation of transactions to the appropriate accounting period
- Ensuring all valid transactions are recorded and disclosed in financial reports
Monitoring of Controls
Procedures and policies should be implemented to monitor the design and operation of controls, including:
- Comparisons made between budgets and accounting data
- Bank reconciliations performed on a timely basis
- Internal audit reports prepared and submitted to the audit committee
- Confidential and sensitive information restricted to authorised personnel
- The handling of complaints from customers
- Communication with external auditors regarding the evaluation of organisational policies and procedures
A strong internal control structure is cost-effective.1
Disclosure of Corporate Governance Practices
The ASX Corporate Governance Council’s principles and recommendations are designed to enhance corporate performance and accountability in the interests of both shareholders and other stakeholders. The recommendations adopted will depend on the size of the company, and some smaller companies may face difficulties in following all recommendations. A guide to reporting is set out at the end of each principle and provides the disclosure obligations with respect to the recommendations contained in the principle.
Under ASX Listing Rule 4.10.3, listed companies are required to include in their annual report a statement disclosing the extent to which they have followed the recommendations during the reporting period. Where a company has not followed all recommendations, it must identify the recommendations that have not been followed and give reasons (“if not, why not”). A company remains obliged to make disclosures under ASX Listing Rule 3.1 (continuous disclosure). Both ASIC and the ASX have the capacity to enforce the continuous disclosure provisions that apply to listed entities, and ASIC has the power to impose financial penalties and issue infringement notices for contraventions of the continuous disclosure regime. Principle 5 of the Corporate Governance Council principles and recommendations states that companies should promote timely and balanced disclosure of all material matters concerning the company.
The Corporate Governance Council states that effective corporate governance structures encourage companies to create value through entrepreneurialism, innovation, development and exploration and provide accountability and control systems to counteract the risks involved.
Alongside their disclosure obligations, companies are expected to manage and handle organisational files and records containing personal information in accordance with the Australian Privacy Principles (APPs) in the Privacy Act 1988. Most corporations are “organisations” and therefore APP entities under that Act, although some exemptions apply (for example, the small business exemption for businesses with an annual turnover of $3 million or less). An APP entity must comply with the following Principles:
- Australian Privacy Principle 1 — open and transparent management of personal information
- Australian Privacy Principle 2 — anonymity and pseudonymity
- Australian Privacy Principle 3 — collection of solicited personal information
- Australian Privacy Principle 4 — dealing with unsolicited personal information
- Australian Privacy Principle 5 — notification of the collection of personal information
- Australian Privacy Principle 6 — use or disclosure of personal information
- Australian Privacy Principle 7 — direct marketing
- Australian Privacy Principle 8 — cross-border disclosure of personal information
- Australian Privacy Principle 9 — adoption, use or disclosure of government-related identifiers
- Australian Privacy Principle 10 — the quality of personal information
- Australian Privacy Principle 11 — security of personal information
- Australian Privacy Principle 12 — access to personal information
- Australian Privacy Principle 13 — correction of personal information10
Ethical Considerations When Managing and Handling Corporate Files and Records
The organisation’s records management system must determine who is authorised to access corporate records. Where possible, records should be classified according to their level of confidentiality, and access granted on the basis of that classification. Procedures should be in place for handling requests for access to these records from outside the organisation.
Corporate records must meet legal requirements and the organisation’s own policies and procedures. Records need to be complete, accurate and reliable to avoid legal and workplace issues in the future.
There must be protocols in place to safeguard records and ensure that only authorised parties are able to access them. Backup copies should be kept off-site to minimise data loss should the main storage be compromised; because backups contain the same confidential information as the originals, they must be protected by the same access restrictions.
It is essential that an organisation has systems to keep track of the personnel who are authorised to access the records. The system should also log who accessed each record, the date and time of access, and whether any changes were made, so that malicious activity and careless work practices can be detected and discouraged. Such a log is only useful if the people it records cannot alter it, so it should be append-only and kept separate from the records it covers.
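To make the requirements of the preceding paragraphs concrete, together with the separation of duties and restricted database access described under Internal Control Policies and Procedures, the following added example (it is not part of the training material) sketches a small record store in Python. It enforces a confidentiality classification, a role-based permission model and a separation-of-duties rule (the person who records an entry may not approve it), and it appends an entry to an access log on every attempt, successful or denied, recording who, when, what, and whether the record’s content changed. The role names, classification labels, sample invoices and the use of a SHA-256 fingerprint of the record body to detect changes are assumptions made for the example.

```python
# Added illustrative example, not from the training material.  Role names,
# classification labels and the SHA-256 fingerprint used to detect changes
# are assumptions made for this example.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Confidentiality levels, lowest to highest (assumed labels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Assumed roles: the highest classification each may access and the actions
# each may perform.  "record" enters a transaction, "approve" authorises it.
ROLES = {
    "bookkeeper":      {"clearance": "internal",     "actions": {"read", "record"}},
    "finance_manager": {"clearance": "confidential", "actions": {"read", "record", "approve"}},
    "auditor":         {"clearance": "confidential", "actions": {"read"}},
}


@dataclass
class Record:
    classification: str
    body: dict
    recorded_by: str | None = None
    approved_by: str | None = None


def fingerprint(body: dict) -> str:
    """Stable hash of a record body, so the log can show whether an access changed it."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RecordStore:
    def __init__(self, users: dict[str, str]):
        self.users = users                      # user name -> role name
        self.records: dict[str, Record] = {}
        self.log: list[dict] = []               # append-only access log

    def _log(self, user, action, record_id, outcome, before, after):
        self.log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "record": record_id,
            "outcome": outcome, "changed": before != after,
            "before": before, "after": after,
        })

    def _authorise(self, user, action, record_id, rec):
        """Deny (and log) if the role lacks the action, the clearance is too low,
        or the approver is the same person who recorded the entry."""
        role = ROLES[self.users[user]]
        if action not in role["actions"]:
            reason = f"role {self.users[user]!r} may not {action}"
        elif LEVELS[rec.classification] > LEVELS[role["clearance"]]:
            reason = f"{rec.classification} exceeds clearance {role['clearance']}"
        elif action == "approve" and rec.recorded_by == user:
            reason = "separation of duties: recorder may not approve own entry"
        else:
            return
        fp = fingerprint(rec.body)
        self._log(user, action, record_id, "denied: " + reason, fp, fp)
        raise PermissionError(reason)

    def create(self, user, record_id, classification, body):
        rec = Record(classification, dict(body))
        self._authorise(user, "record", record_id, rec)
        rec.recorded_by = user
        self.records[record_id] = rec
        self._log(user, "record", record_id, "ok", None, fingerprint(rec.body))
        return rec

    def read(self, user, record_id):
        rec = self.records[record_id]
        self._authorise(user, "read", record_id, rec)
        fp = fingerprint(rec.body)
        self._log(user, "read", record_id, "ok", fp, fp)
        return dict(rec.body)

    def approve(self, user, record_id):
        rec = self.records[record_id]
        self._authorise(user, "approve", record_id, rec)
        before = fingerprint(rec.body)
        rec.approved_by = user
        rec.body["status"] = "approved"          # the change the log will show
        self._log(user, "approve", record_id, "ok", before, fingerprint(rec.body))
        return rec


def demo():
    """Constructed scenario: three staff, two invoices, three denied attempts."""
    store = RecordStore({"alice": "bookkeeper", "bob": "finance_manager", "carol": "auditor"})
    store.create("alice", "inv-1", "internal", {"supplier": "Acme", "amount": 1250.0})
    store.approve("bob", "inv-1")                 # a different person approves: allowed
    store.create("bob", "inv-2", "confidential", {"supplier": "Widgets", "amount": 9800.0})
    denied = []
    for attempt in (
        lambda: store.approve("bob", "inv-2"),    # bob recorded inv-2 himself
        lambda: store.read("alice", "inv-2"),     # confidential exceeds bookkeeper clearance
        lambda: store.create("carol", "inv-3", "internal", {"amount": 1.0}),  # auditors only read
    ):
        try:
            attempt()
        except PermissionError as exc:
            denied.append(str(exc))
    store.read("carol", "inv-2")                  # auditor may read confidential records
    return store, denied


if __name__ == "__main__":
    store, denied = demo()
    for e in store.log:
        print(e["at"], e["user"], e["action"], e["record"], e["outcome"], "changed" if e["changed"] else "")
```

Running the file prints the seven log entries, including the three denials. The in-memory list stands in for the real audit log; in a production system that log must live where the users it records cannot modify or delete it, and the "before" and "after" fingerprints give a reviewer a quick way to see which accesses altered a record.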
Confidentiality in Managing and Handling Corporate Records
Confidential information acquired from business and professional relationships must not be disclosed to anyone without proper authorisation or unless required for professional or legal duty.
An accountant must not disclose information regarding the client or business even after the professional or business relationship has ended.
Corporate records may be produced for disclosure as required evidence for legal proceedings.
Annual General Meeting (AGM)
Public companies must hold an AGM at least once each calendar year and within five (5) months of the end of their financial year. An AGM is usually called by the directors and is held in addition to other meetings of the company. Other meetings include general meetings and directors’ meetings. Directors’ meetings can only be called by directors, and only directors attend. General meetings can be called by both directors and members. Proprietary companies are not required to hold AGMs and are able to pass resolutions without a meeting if all members entitled to vote on the resolution sign a document stating they are in favour of the resolution. Generally, twenty-one (21) days’ notice is required to be given for an AGM or meeting of members; however, companies incorporated in Australia and listed on the ASX are required to give twenty-eight (28) days’ notice.1
Financial Reports
At the AGM, the directors must present before the shareholders the financial report, the directors’ report and the auditors’ report. The financial report includes the financial statements for the year, the notes to the financial statements and the directors’ declaration about the statements and notes. The financial statements and notes for the financial year must give a true and fair view of the financial position and performance of the company and the financial position and performance of any consolidated company. The financial statements include:
- The balance sheet as of the end of the financial year
- The income statement for the financial year
- The statement of cash flows for the financial year
- The statement of changes in Equity/Statement of Income and Expense
- Consolidated financial statements, if required by Accounting Standards
The Focus of a Sound Corporate Governance System
The main focus for most definitions of corporate governance is on the role and function of the board of directors as the body responsible for the decisions and performance of the organisation. Corporate governance, however, also includes the following:
- Maintaining a sound system of internal control over accounting records and assets.
- The implementation of efficient operational systems and compliance with organisational policies and procedures.
- A system of audit verification to ensure the organisation is functioning efficiently and fraud and irregularities are detected and prevented. The internal audit is an independent function conducted within the organisation by an internal audit committee. The external audit function is conducted outside the organisation by independent experts.1
Organisational policies and procedures relating to corporate governance should consider the following key requirements:
- Managing conflicts - Directors must disclose material personal interests in matters that relate to the affairs of the company to the other directors. A director with such an interest is generally excluded from being present while the matter is considered and from voting on it. This prevents bias from affecting the organisation’s decision-making.
- Managing risk - Company directors are responsible for identifying and managing risks within the organisation, such as changes and trends in technology and the market.
- Annual general meetings - AGMs are a requirement under the Corporations Act. They give shareholders the opportunity to be informed of the current performance of the organisation and its strategic plans for the year ahead.
- Financial integrity - Directors and audit committees are responsible for ensuring the accuracy and integrity of the company’s financial information.
- Continuous disclosure - Listed companies have continuous disclosure obligations under the Corporations Act, including timely disclosure of price-sensitive information and compliance with the listing rules of the relevant market. The information involved may be confidential and may include personal information, which requires proper management and handling in line with the Australian Privacy Principles (APPs) and the Privacy Act.
- Executive remuneration - This refers to the salaries and incentives received by executive employees of a company. A remuneration report must be presented to shareholders at the AGM setting out the nature and amount of payments made to executives. Such decisions should be in line with the company’s financial performance and shareholders’ interests.
- Organisational culture - Directors take part in developing the organisational culture, including its corporate governance frameworks and practices.
- Changes affecting shareholders - Actions initiated by a public company that may have a direct financial impact on shareholders may require approval from the shareholders.
- Market integrity - Directors and company officers must maintain the integrity of the financial market. Directors may be held liable for breach of their legal obligations if they fail to oversee risk within the company.
The Main Participants
The participants in the corporate governance system include:
- Individual directors
- Board of directors
- Shareholders
- Auditors
- Other stakeholders, including creditors and employees.1
The Duties of Directors and the Board of Directors
Directors are appointed by shareholders to direct the company on their behalf and are responsible for the conduct and performance of the company. The directors’ duties include:
- Avoid conflicts of interest, e.g. making personal profits from the business.
- Act in good faith and in the best interests of the company at all times.
- Keep informed of the company’s activities.
- Attend board meetings regularly.
- Ensure proper financial and company records are kept.
- Regularly review financial statements.
- Complete annual requirements for the ASIC.
- Ensure the company is able to meet its debts.
The duties of good faith and loyalty arise under the general law and under Part 2D.1 of the Corporations Act, and legal action against a director for breach of his or her duties can be brought under that legislation. A director may be sued by the company, a liquidator, a shareholder, a creditor or ASIC. Remedies are available under the general law and under statute for a breach of directors’ duties. Civil penalties may be imposed on a director who contravenes ss 180-183 (care and diligence, good faith, use of position and use of information) or s 588G (insolvent trading); criminal penalties apply under s 184 where a breach of ss 181-183 is reckless or intentionally dishonest, and under s 588G(3) where insolvent trading is dishonest.
Principle 3 of the ASX Corporate Governance Council principles and recommendations states that companies should actively promote ethical and responsible decision-making.
Division 3 of Part 7.10 of the Corporations Act (ss 1042A-1043O) contains the provisions dealing with what is described as “insider trading”; the prohibition itself is in s 1043A. A person who possesses information that is not generally available, and that would be expected to have a material effect on the price of a company’s securities if it were generally available, must not trade in those securities, procure another person to trade in them, or communicate the information to someone likely to trade. Severe criminal and civil penalties may be imposed for contravention, and the offender may be liable to compensate the other party and to account for any profit made on the deal.
The committee comprising the directors of a company is known as the “board of directors” and is the body responsible for managing the business of the company. The duties of the board of directors involve formulating strategies, making policies, monitoring and supervising senior management and providing accountability. The board should provide a set of internal rules based on corporate governance policies. These rules should be set out in the company’s constitution.1
Principle 1 of the ASX Corporate Governance Council principles and recommendations states that companies should establish and disclose the respective roles and responsibilities of the board and management and that companies should have a board of an effective composition, size and commitment to adequately discharge its responsibilities and duties.
Shareholders
The most usual way for a person to become a member is through the issue of shares to them or the transfer of shares from an existing member. A company’s internal rules may place restrictions on who is eligible for membership. Under s 140(2) of the Corporations Act, a member is not bound by a modification of the constitution made after the date they became a member, unless they agree in writing, so far as the modification requires them to take up additional shares, increases their liability to contribute to share capital or otherwise pay money to the company, or imposes or increases restrictions on the transfer of the shares they already hold.
Shareholders delegate responsibility for overseeing the management of the company to the directors. Directors have a duty to act in good faith in the best interests of the company as a whole. A share entitles a shareholder to receive a portion of the company’s profits in the form of dividends; shareholders also have rights to company information and voting rights, and are able to make decisions in relation to the appointment and removal of directors and other matters reserved to members.
The Corporations Act provides a statutory remedy to members of a company who believe that the affairs of the company are being conducted in a manner that is oppressive or unfairly prejudicial to or unfairly discriminatory against one or more members of the company.
The court may make an order if the conduct of a company’s affairs, an act or omission or a resolution is either:
- Contrary to the interests of members as a whole;
- oppressive, unfairly prejudicial or discriminatory against a member.
Principle 6 of the ASX Corporate Governance Council’s principles and recommendations states that companies should respect the rights of shareholders and facilitate the effective exercise of those rights. Companies should also design a communications policy for promoting effective communication with shareholders and encouraging participation at general meetings.
If the court is of the opinion that the affairs of the company are being conducted contrary to the best interests of its members, it may, in certain cases, make an order as it thinks fit to rectify the situation.
Register of Members
A company must set up and maintain a register of its members, which contains the following information about each shareholder:
- The member’s name and address
- The date the member’s name was recorded on the register
- The date on which allotment of shares takes place
- The shares held by each member
- The class of shares
- The share number or share certificate numbers
- The amount unpaid on the shares (if any)
- In the case of a non-listed company, e.g. a company not listed on the ASX, any shares that a member does not hold beneficially
Section 176 of the Corporations Act provides that, in the absence of evidence to the contrary, a register is proof of the matters shown in it. Registers must be open for inspection by members, option holders and debenture holders without charge, and by other persons on payment of a fee.
Internal Auditors
An internal audit is conducted to ensure the organisation is performing effectively and to detect any instances of fraud, malpractice, errors or irregularities. The internal audit function is performed separately from other operating activities of the organisation. The internal audit function involves making systematic reviews and examinations of all operational activities of the organisation, performing an evaluation and making recommendations. A report is then prepared to assist management in making improvements to the operational activities of the organisation.
The Institute of Internal Auditors (IIA) has issued globally recognised International Standards for the Professional Practice of Internal Auditing (Standards). Principle 4 of the ASX Corporate Governance Council principles and recommendations states that the board should establish an audit committee.8
The key principles of internal audit are based on the Core Principles for the Professional Practice of Internal Auditing. Effective internal audit:
- Demonstrates integrity
- Demonstrates competence and due professional care
- Is objective and free from undue influence (independent)
- Aligns with the strategies, objectives, and risks of the organisation
- Is appropriately positioned and adequately resourced
- Demonstrates quality and continuous improvement
- Communicates effectively
- Provides risk-based assurance
- Is insightful, proactive, and future-focused
- Promotes organisational improvement11
External Auditors
CLERP 9 (the Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004) introduced reforms relating to audit, in particular auditor independence. The role of the external auditor is to give an independent opinion on the company’s financial statements and notes to the accounts. The auditor must be independent; independence in auditing means taking an unbiased view of the matters under audit, free from relationships or interests that could compromise judgement. It is important that investors and users of financial statements have confidence in the auditor’s independence. Investors and other users make investment and business decisions based on audited financial reports, and an unqualified audit report gives them assurance as to the credibility of the financial information.
The external auditor of a listed company is required to attend the annual general meeting and answer questions regarding the conduct of the audit. External auditors meet with the audit committee of the company to discuss relevant compliance matters, including the adequacy and effectiveness of the company’s internal controls over the accounting and financial reporting systems, and to review the interim and annual financial statements to ensure that disclosures are complete and that appropriate accounting principles have been applied.1
Principle 4 of the ASX Corporate Governance Council principles and recommendations states that companies should have a structure to independently verify and safeguard the integrity of their financial reporting.
Other Stakeholders
While the Board’s primary responsibility is to its shareholders, it has legal responsibilities and liability with respect to other stakeholders.
A company establishes a relationship with other stakeholders, including:
- Suppliers of goods and services
- Customers who purchase the company’s goods and services
- Employees who provide labour to the company
- Lenders who provide funds to the company
- Governments who provide laws, e.g. Corporations laws and tax law
A company, being a separate legal entity, must act through its directors, officers and other agents, who have the power to bind the company. People dealing with a company are entitled to make certain assumptions about the powers of the company and the authority of its officers.
Under s 129 of the Corporations Act, the following assumptions may be made:
- The constitution and replaceable rules have been complied with.
- The director/s or secretary of the company has been duly appointed and has authority to exercise the powers and perform duties relating to the company.
- A person who is held out to be an officer or agent of the company has been duly appointed and has the authority to exercise the powers and perform the duties customarily exercised or performed by that kind of officer or agent.
- The officers and agents of the company properly perform their duties to the company.
- Relevant documentation has been signed or sealed in accordance with proper procedures.
- An officer or agent of the company who has the authority to issue, sign or certify a document on its behalf has the authority to certify that the document is a true and correct copy.
These assumptions assist other stakeholders with the enforcement of contracts that might otherwise fail because the company or its agent did not comply with the company’s internal rules or acted in breach of its powers or duties. They cannot be relied on by a person who, at the time of the dealing, knew or suspected that the assumption was incorrect (s 128(4)).2
Communicating and sharing information
You will use a variety of communication methods when interacting with stakeholders. For example, you can use email, written, or oral communication. When choosing the communication form you want to use, always consider who your audience is and the importance of the materials.
Verbal Communication skills
Your written and verbal communication skills are vital when interacting with other stakeholders. Especially important is understanding how to use questioning effectively. You may have completed some workplace communication units or studied verbal communication skills at school. Here's a quick reminder of the importance of open and closed questions, active listening and paraphrasing.
Open Questions
Open questions demand further discussion and elaboration. They broaden the scope for a response. While open questions can take longer to answer, they provide the other person far more scope for self-expression, encouraging involvement in the conversation.
They usually begin with “what”, “where”, “why” or “how”. For example, "How was the traffic this morning?" or "What do you think about this solution?"
Closed Questions
Closed questions limit possible responses to one or two words (often simply 'no' or 'yes'). They limit the scope of responses. These questions allow the questioner to remain in control of the communication. Unfortunately, this is often not the desired outcome when encouraging verbal discussion; many people try to focus on using open questions to gather information and build rapport.
However, closed questions can be useful for focusing discussion and obtaining clear, concise answers when needed.
Examples of closed questions include: "Did you come by car today?" and "Did you see the football game yesterday?"
Active Listening
Active listening involves listening attentively to a speaker to understand their concerns, reflecting on what's being said, then responding to let them know you have heard them; this keeps both listener and speaker engaged in the conversation.
You can demonstrate your understanding by nodding, using verbal nods such as "Yes", "I see" or "I hear what you're saying", or by paraphrasing what has just been said.
Reflecting and Clarifying or Paraphrasing
- Reflection is feeding back your understanding of what another person has just said.
- Reflecting is a skill that can be applied in many communication contexts and is worth learning.
- Reflective questioning often involves paraphrasing, in your own words, the message communicated to you by the speaker. It involves capturing the essence of the facts and feelings expressed and then communicating your understanding to the speaker. It is a useful skill because:
- The speaker gets feedback about how their message has been received and can then clarify or expand if they wish.
- You can ensure you have understood the message properly.
- It shows respect for what the other person says.
- You show you are considering the other person's views.
Summarising
A summary is an overview of the key points or issues raised. Summarising also serves the same purpose as 'reflecting', allowing both parties to review and agree on the message and ensuring that the communication has been effective for everyone. When used effectively, summaries may also serve as a guide to the next steps forward.
Written communication skills
Written communication will be used to inform and consult with stakeholders. It is important to remember any written communication can be called upon in a court of law in case of a dispute. You should take great care with your written communications, ensuring they accurately and unambiguously capture the information required.
To be sure that you communicate clearly in writing, you need to adjust your message - how you say and what information to include, by recognising that readers will respond differently to different contexts, information, and communication styles.
Ensure you make adjustments when you write for different audiences to consider the audience and the purpose of the text you are composing.
Techniques for Sharing Information Effectively
| Technique | Why it matters |
| --- | --- |
| Use inclusive language | Avoid sexist or racist language (or language that may be interpreted that way), as it can cause the reader to interpret your message negatively. |
| Avoid jargon | Complicated language can make a message difficult to understand, so present your message as simply as you can. |
| Get feedback | Feedback is crucial. Asking questions such as 'Do you understand?', or asking the receiver to restate the key points, lets you check that your message has been received correctly. |
When communicating with a client, meetings and phone calls will always benefit from planning; make sure to:
| Step | What it involves |
| --- | --- |
| Set an agenda | An agenda establishes the desired outcome for your meeting. For example, determine whether you are meeting stakeholders to update them on progress, to discuss issues such as delays, or to conduct complex negotiations. This helps people know what to expect from the meeting and helps them prepare for the discussion. |
| Stay on topic | When conducting meetings about your team's progress, keep it short and simple. Relay the information that needs to be relayed and do not stray from your topic. Sticking to your topic helps ensure that the time is well spent and that you have said what was required. |
| Document the meeting | Keep a written summary of the discussion and the final solution that was agreed upon. This reminds others of what was discussed and of any changes made to deadlines and goals. |
Communicating Technical and product information
Simplifying technical and product information and industry jargon is a crucial part of the job when communicating with some clients.
Avoid technical jargon when possible. We use a great deal of industry-specific jargon every day, but most clients will not necessarily follow it, so be prepared to simplify your words and make them appropriate to your client's needs.
Visual elements can be easier for laypeople to understand; use graphs and diagrams in your client communications where they help.
Use email and your project management software to communicate with clients, as this gives you more control over the communication and a written record of it.
From the project's start, make it clear what your official communication channels and processes will be.
Use word processing, spreadsheet and email software to allow you to:
- Verify the validity of your answers.
- Take ample time to formulate & proofread your answers.
- Set the frequency of exchanges to manage expectations.
If you have significant verbal exchanges, recap the key points via email or in writing. Consider making a clear list of reminders and actionable items for both parties after each meeting or conversation, and send this list to your client every time.
Leverage familiar technologies & simple analogies to communicate technical concepts more familiarly.
Use empathy and patience to build a relationship with your client.
When discussing options and solutions, it's helpful to highlight what makes something a worthwhile investment. Offer choices to your client to involve them positively in the project, and to make the consequences of these choices clear, attach a business dimension to them:
- Solution A will give you more room to negotiate but will increase costs by 25%.
- Solution B offers less wriggle room but will cost 15% less.
- Which option works best for you?
Employing these ways of communicating complex information with clients will help make your professional relationships successful.
Using Digital Technologies for research and writing
Digital technologies are an integral part of our lives. We use them to access, extract and share information to achieve required outcomes. For accountants, this means they can use software such as Excel, MYOB and online services to help them with their calculations. Digital technologies can save time and improve accuracy. Additionally, you can use online resources to research specific topics or find case studies to help problem-solve. In short, digital technologies provide many benefits for accounting professionals.
Finance is all about making predictions. Whether you are budgeting for the future or trying to figure out what a stock will do, being able to make an educated prediction is an essential part of the process.
Your projections are best informed by sound research. Unfortunately, we often see what we want to see and ignore information that doesn't fit our preconceptions. Our cognitive abilities can also limit us. We can only process so much information at once, and we often rely on cognitive shortcuts (or heuristics) to make decisions. Unfortunately, these shortcuts can lead us astray if they are not based on accurate information. The following research steps will help you to make accurate predictions and create a budget that reflects your current and future financial status.
- Gather as much information as possible, including recent financial statements, past tax returns, credit reports, news reports, other business intelligence, and other related documentation.
- Analyse the data that you have collected. Look for trends and patterns in your income, expenses, and debts.
- Make predictions based on the data that you have analysed. Then, use your findings to estimate future income, expenses, and debt levels.
- Use your predictions to create realistic goals for the organisations you work with and make plans to achieve them.
Documenting Internal Controls
A flowchart or a checklist can be used to display the various internal control processes within an organisation. The advantages include:
- Provides clarity and a concise visual presentation
- Documents the process in a logical sequence
- Identifies major controls and operations
- Identifies weaknesses with respect to duties and segregation of duties
The internal control system should be documented in an Accounts Manual. Internal controls should be applied to the following functions:
- Cash accounts:
- Cash transactions are appropriately authorised
- Cash receipts are banked daily
- Credit card receipts are reconciled with invoices and receipts
- Cash transactions and bank accounts are properly recorded, classified and summarised in financial statements
- Cheques are pre-numbered and accounted for
- Adequate cash funds are available to meet operating expenses
- Cash surpluses are invested appropriately
- Petty cash imprest system is maintained appropriately
- Purchases and accounts payable:
- Purchase orders are placed with authorised suppliers
- Purchase orders are authorised and numbered sequentially
- Goods received are checked against a relevant purchase order before acceptance
- Purchases returns are recorded in the organisation’s accounting system
- Payments for credit and cash purchases are properly authorised and recorded
- Amounts owing to creditors are checked, recorded and classified in a timely manner, e.g. to take advantage of any discounts offered
- A tax invoice is obtained to verify GST
- Accounts payable subsidiary ledger is reconciled with account payable control account
- Balance day adjustments are recorded in the appropriate time period
- Sales and accounts receivable:
- Customers have a satisfactory credit rating
- Invoice is prepared in accordance with authorised sales order
- Goods are not despatched without authorised sales order
- Receipts from credit sales and sales returns are properly recorded and authorised
- Accounts receivable subsidiary accounts are reconciled with accounts receivable control account
- Overdue accounts are monitored
- Bad debts and other balance date adjustments are recorded in the appropriate time period
- Non-current assets:
- Asset registers are appropriately maintained
- Acquisitions of non-current assets are approved and authorised
- All non-current assets are accurately recorded in the accounting records
- Depreciation and other related expenses are calculated and charged appropriately
- The appropriate authority is obtained with respect to the disposal of non-current assets and procedures recorded
- Inventory:
- No excessive holding of inventory, e.g. wastage
- Inventory movements are approved and recorded
- Inventory is accurately recorded and valued in the financial statements
- Inventory items are periodically checked and reconciled with records
- Payroll:
- Employees are employed under properly authorised procedures, e.g. checking qualifications and references and recording details.
- Only legitimate employees receive payment for services.
- Accurate records are maintained of hours worked, or employees' working hours are monitored.
- Pay rates and payroll functions are authorised and accurate, e.g. calculation of gross pay, deductions, net pay, and distributing payments to direct bank accounts.
- Payroll figures are accurately recorded, and documentation is kept confidential and stored in a secure environment, e.g. payroll information, including PAYG tax, payroll tax, and superannuation, is accurately recorded in appropriate ledger accounts.
- PAYG, superannuation and payroll tax are distributed to appropriate agencies in a timely manner.
- Changes and records are authorised and updated in a timely manner, e.g. new employees and pay increases.
- Annual payment summaries are provided to employees in a timely manner.
Wherever possible, it is important there is a segregation of duties between personnel performing the above functions. A trial balance should be prepared monthly to balance ledger accounts and provide information for the preparation of financial statements. Approval and authorisation must be obtained for any loans or contracts entered into.
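Two of the controls listed above can be checked mechanically: that pre-numbered documents (cheques, purchase orders) are all accounted for, and that a subsidiary ledger agrees with its control account. The following is an added example in Python, not code from the source page; the document numbers, creditor balances and control-account balance are constructed sample data.

```python
"""Sequence-gap check for pre-numbered documents and subsidiary-ledger to
control-account reconciliation. Added example over constructed data; not
part of the source page."""
from collections import Counter
from decimal import Decimal


def sequence_gaps(numbers, first=None, last=None):
    """Return (missing, duplicated) for a run of pre-numbered documents.

    `numbers` are the document numbers actually recorded. The expected range
    defaults to min..max of what was recorded, so a gap at the very end of
    the range is only caught if `last` is supplied from the cheque-book stub.
    """
    counts = Counter(numbers)
    lo = min(counts) if first is None else first
    hi = max(counts) if last is None else last
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def reconcile_control_account(subsidiary, control_balance):
    """Compare the sum of subsidiary-ledger balances with the control account.

    Returns (difference, subsidiary_total). A non-zero difference means a
    posting reached one ledger but not the other; it must be investigated,
    never written off to balance the books.
    """
    total = sum(subsidiary.values(), Decimal("0"))
    return control_balance - total, total


# Constructed sample data ---------------------------------------------------
CHEQUES_RECORDED = [1001, 1002, 1003, 1005, 1006, 1006, 1007]  # 1004 missing, 1006 twice
CHEQUE_BOOK_LAST = 1008  # stub shows 1008 was also used but never recorded

AP_SUBSIDIARY = {  # creditor -> balance owing (assumed figures)
    "Acme Supplies": Decimal("1250.00"),
    "Bolt & Nut Co": Decimal("380.50"),
    "Crate Logistics": Decimal("2999.95"),
}
AP_CONTROL_BALANCE = Decimal("4730.45")  # general-ledger control account


if __name__ == "__main__":
    missing, dupes = sequence_gaps(CHEQUES_RECORDED, last=CHEQUE_BOOK_LAST)
    print("missing cheque numbers:", missing)       # [1004, 1008]
    print("duplicated cheque numbers:", dupes)      # [1006]
    diff, total = reconcile_control_account(AP_SUBSIDIARY, AP_CONTROL_BALANCE)
    print(f"subsidiary {total}, control {AP_CONTROL_BALANCE}, difference {diff}")  # 100.00
```

Note that the gap at 1008 is only detected because the last number from the physical cheque book is supplied; the recorded data alone cannot reveal that a cheque was used and never entered.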
Organisational policies and procedures relating to corporate governance
Organisational policies and procedures relating to corporate governance should consider the following key requirements:
Directors must be transparent about any personal interests related to the organisation and must notify the other directors of such interests. Directors with a personal interest in a matter are excluded from attending meetings and voting on that matter. This prevents bias from affecting the decision-making of the organisation.
Company directors are responsible for identifying and managing risks within the organisation, such as changes and trends in technology and the market.
An annual general meeting (AGM) is required under the Corporations Act. It provides an opportunity for shareholders to be informed of the current performance of the organisation and its strategic plans for the year ahead.
Directors and audit committees are responsible for ensuring the accuracy and integrity of the company’s financial information.
Listed companies have continuous disclosure obligations under the Corporations Act. It includes timely disclosure of price-sensitive information and compliance with the listing rules of the relevant market. Such information may include confidential information, which requires proper management and handling in line with the Australian Privacy Principles (APP) and the Privacy Act.
Executive remuneration refers to the salaries and incentives received by executive employees of a company. An executive remuneration report must be presented to shareholders at the AGM, setting out the nature and amount of payments made to executives. Such decisions should be in line with the company's financial performance and shareholders' interests.
Directors take part in developing the organisational culture, including its corporate governance frameworks and practices.
Certain actions initiated by a public company may have a direct financial impact on shareholders, and these may require shareholder approval.
Directors and company officers must maintain the integrity of the financial market. Directors may be held liable for breach of their legal obligations if they fail to oversee risk within the company.
Administrative and Accounting Controls in a Computer Information System (CIS)
The administrative controls in a CIS environment are designed to promote operational efficiency and comply with management policies. These objectives can be achieved by putting in place:
- An organisational chart to depict the personnel responsible for different areas within the CIS Department.
- A CIS procedure manual to detail the system and the controls within the system.
- A contingency plan in the event of breakdowns and failure of the system.
- Adequate personnel controls to ensure employees have the necessary skills and are properly screened before commencing employment.
Accounting controls in a CIS are designed to ensure that assets are safeguarded and transactions are authorised and promptly recorded. Accounting controls can be classified as general controls and application controls.
Figure: Controls in a CIS environment (Leeson, Di Sisto & Flanders, 2010, p.144)
The International Organisation for Standardisation (ISO) publishes standards that define minimum requirements for management systems. ISO 9001 sets out requirements for quality management systems, which can be applied to the operation of a CIS environment; the standard specific to information security management is ISO/IEC 27001.
Many of the controls applicable to a manual system are not appropriate within a CIS environment. The traditional segregation of incompatible duties between clerks is no longer available, as most CIS systems post journals and ledgers in a single step. Segregation is instead enforced through roles and access rights within the CIS department and among the relevant users.
CIS Application Controls
CIS application controls, as used here, relate to the authorisation, conversion, testing and implementation, and documentation of new and revised systems and applications. (In most audit frameworks these are classified as general controls over systems development and program change; the term "application controls" is otherwise reserved for the input, processing and output controls described later.) The requirements are as follows:
- Authorisation - the development and changes to new systems should only proceed after they have been properly authorised.
- Conversion - the systems conversion process involves converting master and transaction files from an old system to a newer system.
- Testing and implementation – should ensure all programs operate in accordance with design specifications and on an integrated basis. This includes pilot tests, e.g. processing transactions from the old system on the new system and comparing the results, and parallel runs, i.e. using the new system and the old system simultaneously.
- All procedures with respect to both the new and the old systems should be documented to facilitate understanding.
Computer Operation Controls
Computer operation controls are designed to control the operations of a CIS. Day-to-day operations can be controlled using an audit log. An audit log automatically records the user ID (never the password itself), date, time, equipment and programs used for each computer operation. The log must be protected so that the users it records cannot alter or delete it. It should be regularly reviewed by the CIS manager or data control group to ensure the computer has been used only by authorised personnel for authorised purposes, and it is important in detecting cases of fraud or misuse. The data control group is also required to monitor input from user departments, review error and exception reports and monitor the distribution of all output.
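The review described above amounts to comparing each logged operation against an authorisation matrix and an expected operating window. The following is an added example in Python, not code from the source page; the log format, the user/program roster and the business hours are assumptions, and the log lines are constructed.

```python
"""Audit-log review: flag operations by unknown users, programs a user is not
authorised to run, and activity outside business hours. Added example over
constructed log lines; not part of the source page."""
from datetime import datetime, time

# Assumed log format, one record per operation:
# user_id|date|time|equipment|program
SAMPLE_LOG = """\
jsmith|2023-05-02|09:14|TERM-04|payroll_run
jsmith|2023-05-02|09:40|TERM-04|payroll_print
mwong|2023-05-02|10:05|TERM-07|ap_post
tlee|2023-05-02|22:47|TERM-07|ap_post
mwong|2023-05-03|11:30|TERM-07|payroll_run
guest|2023-05-03|12:00|TERM-01|gl_query
"""

# Assumed authorisation matrix: the programs each user may run.
AUTHORISED = {
    "jsmith": {"payroll_run", "payroll_print"},
    "mwong": {"ap_post", "gl_query"},
    "tlee": {"ap_post"},
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed operating window


def parse_log(text):
    """Turn the raw log text into a list of records with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, date, clock, equipment, program = line.split("|")
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
        records.append({"user": user, "when": when,
                        "equipment": equipment, "program": program})
    return records


def review(records, authorised=AUTHORISED, hours=BUSINESS_HOURS):
    """Return the exception list a data control group would work through."""
    exceptions = []
    for r in records:
        allowed = authorised.get(r["user"])
        if allowed is None:
            exceptions.append((r, "unknown user"))
            continue
        if r["program"] not in allowed:
            exceptions.append((r, "program not authorised for user"))
        if not hours[0] <= r["when"].time() <= hours[1]:
            exceptions.append((r, "outside business hours"))
    return exceptions


def review_text(text):
    """Convenience wrapper: (user, program, reason) tuples for a log text."""
    return [(e[0]["user"], e[0]["program"], e[1]) for e in review(parse_log(text))]


if __name__ == "__main__":
    for user, program, reason in review_text(SAMPLE_LOG):
        print(f"{user:8} {program:14} {reason}")
```

Three of the six constructed records are flagged: a posting at 22:47, a user running payroll who is only authorised for accounts payable, and an account that is not in the roster at all. Each flagged line is a question for the data control group, not proof of fraud.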
Hardware and Software Controls
Hardware controls are controls that are built into the computer during its manufacture and are designed to detect equipment malfunctions. These controls include:
- Parity check – ensures data has been transmitted correctly to other areas within the computer.
- Dual arithmetic check – requires two (2) independent checks to be performed on the same operation, and the results are then compared.
- Echo check – the receiving device (e.g. a printer) sends the data it received back to the source unit, which compares it with what was transmitted.
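A parity check adds one bit per byte so that the number of 1 bits is always even (or always odd); any single flipped bit changes the count and is detected. The following is an added example in Python, not code from the source page, that also shows the limitation a practitioner should know: two flipped bits leave the parity unchanged and are not detected. The byte string "CASH" is constructed sample data.

```python
"""Even-parity encoding and checking, with a demonstration that a one-bit
error is caught but a two-bit error is not. Added example; not part of the
source page."""


def parity_bit(byte):
    """Even parity: 1 if the byte has an odd number of 1 bits, else 0,
    so that byte + parity bit together always contain an even number of 1s."""
    return bin(byte & 0xFF).count("1") & 1


def encode(data):
    """Attach a parity bit to every byte of `data` (bytes or list of ints)."""
    return [(b, parity_bit(b)) for b in data]


def check(frames):
    """Return the indexes of frames whose stored parity no longer matches."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def flip_bits(byte, positions):
    """Simulate transmission errors by flipping the given bit positions."""
    for pos in positions:
        byte ^= 1 << pos
    return byte & 0xFF


def demo():
    """Returns (detected_after_one_flip, detected_after_two_flips)."""
    frames = encode(b"CASH")  # constructed sample data

    single = list(frames)
    b, p = single[1]
    single[1] = (flip_bits(b, [3]), p)          # one bit flipped in byte 1

    double = list(frames)
    b, p = double[2]
    double[2] = (flip_bits(b, [0, 5]), p)       # two bits flipped in byte 2

    return check(single), check(double)


if __name__ == "__main__":
    one, two = demo()
    print("frames failing parity after one flip:", one)   # [1]
    print("frames failing parity after two flips:", two)  # [] (undetected)
```

Because parity only detects an odd number of flipped bits, it is suitable for catching the random single-bit faults it was designed for inside a machine, and not as a check against deliberate tampering, for which a keyed integrity check is required.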
System software programs control the functions performed by the computer, and controls include:
- Proper authorisation, approval, testing, implementation and documentation exist for all software programs
- Errors are detected within the application program
- Data files are protected from unauthorised use
- Access is restricted to authorised personnel
- Access to systems documentation is restricted
Data Entry and Program Controls
The process of entering source documents into machine-readable format is referred to as data entry. In large organisations, the data control group is responsible for ensuring data entry is authorised, complete and accurate. This can be achieved by requiring users to enter data in a properly authorised standard format. Protection against the use of unauthorised programs can be achieved by using passwords to restrict access. Passwords must be changed whenever they are suspected of being compromised; note that current guidance (e.g. NIST SP 800-63B) no longer recommends forced periodic changes, favouring long passphrases and multi-factor authentication instead. The audit log also provides a means of controlling program usage.
Backup and Recovery
The objective of maintaining backup files is to provide a means of recovering the majority of the data already entered and processed in the event that it is lost, destroyed or erased. Malware, including ransomware, represents a major threat to data integrity, so at least one backup copy should be kept offline or otherwise unreachable from the systems it protects, and restores should be tested periodically. Backup procedures should cover all data files, operating system programs and other application programs and documents. Backup and recovery controls include:
- Backup and recovery arrangements
- Archival policies
- Off-site maintenance of data and computer programs
- Protection against fire, theft, loss, accidental destruction
- Agreements with third parties to provide alternative processing facilities
The traditional method of backing up files is the grandfather-father-son technique. The master file used to create the son becomes the father, and the old master file becomes the grandfather. Sound backup controls require that the three (3) generations of master and transaction files are stored in two separate locations: one on the premises and one off the premises. Detection and protection devices should be put in place to ensure the computer centre is protected against fire, flood, theft or vandalism. Cloud storage, magnetic tapes, hard disks, USB flash drives, CDs or DVDs may be used to backup data. Remote backup services can be achieved by backing up via the internet to a remote location to protect against worst-case scenarios.
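The point of keeping three generations is that the current master file (the son) can always be regenerated from the previous master (the father) and the transaction file that was applied to it. The following is an added example in Python, not code from the source page, simulating the rotation with an on-site and an off-site copy and then rebuilding a lost son from the off-site father. The account balances and daily transactions are constructed sample data.

```python
"""Grandfather-father-son master-file rotation with on-site and off-site
copies, and recovery of the current master from the previous generation.
Added example over constructed data; not part of the source page."""
from copy import deepcopy


def apply_transactions(master, transactions):
    """Batch update: master is {account: balance}; transactions are (account, amount)."""
    new = dict(master)
    for acct, amount in transactions:
        new[acct] = new.get(acct, 0) + amount
    return new


class GFSBackup:
    """Keeps the three most recent master-file generations, each stored with
    the transaction file that produced it, in two locations."""

    def __init__(self, initial_master):
        # newest generation last: (master_file, transactions_that_produced_it)
        self.generations = [(dict(initial_master), [])]
        self.offsite = deepcopy(self.generations)

    def run(self, transactions):
        """One processing run: father + transactions -> son; rotate generations."""
        father, _ = self.generations[-1]
        son = apply_transactions(father, transactions)
        self.generations.append((son, list(transactions)))
        self.generations = self.generations[-3:]   # grandfather, father, son
        self.offsite = deepcopy(self.generations)  # second copy off the premises
        return son

    def recover_son(self, site="offsite"):
        """Rebuild the current master from the father and its transaction file."""
        gens = self.generations if site == "onsite" else self.offsite
        father, _ = gens[-2]
        _, txns = gens[-1]
        return apply_transactions(father, txns)


def demo():
    """Three daily runs, then loss of the on-site son. Returns
    (son_as_produced, son_recovered_offsite, generations_retained)."""
    backup = GFSBackup({"1000": 500, "2000": 200})          # constructed opening balances
    backup.run([("1000", 100), ("3000", 50)])                # day 1
    backup.run([("2000", -200)])                             # day 2
    son = backup.run([("1000", -50)])                        # day 3
    backup.generations[-1] = (None, backup.generations[-1][1])  # on-site son destroyed
    recovered = backup.recover_son("offsite")
    return son, recovered, len(backup.generations)


if __name__ == "__main__":
    son, recovered, kept = demo()
    print("son:      ", son)
    print("recovered:", recovered)
    print("generations retained:", kept)   # 3
```

The recovery works only because the transaction file is retained alongside each master generation; backing up master files without their transaction files leaves nothing to replay.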
Before data is entered into the system, it must be properly authorised. Input authorisation is achieved by using standard forms and signature authority.
Input data conversion controls can be implemented using online edit and validation routines, namely:
- Exception reports – a program examines the data on file and reports incorrect or out-of-date items, bringing problems to the attention of the data control group.
- Computer editing controls – validation routines that reject inaccurate data before it enters the system.
- Run-to-run totals – the control totals carried forward from the previous processing run (e.g. record count and opening balance) plus the control totals of the transactions in the current run must equal the control totals produced at the end of the current run. If the totals do not reconcile, the difference must be investigated.
- Before and after reports – summarise the contents of relevant master files before and after each processing run.
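The four controls above fit together in a single batch run: edit checks reject bad records, the rejections form the exception report, the batch header prepared by the data control group is compared with what the program received, and the opening totals are checked against the previous run's closing totals. The following is an added example in Python, not code from the source page; the chart of accounts, record layout, batch header and transactions are all constructed sample data.

```python
"""Input conversion controls for one batch run: edit checks, exception
report, batch-header comparison and run-to-run totals. Added example over
constructed data; not part of the source page."""
from decimal import Decimal, InvalidOperation
import re

VALID_ACCOUNTS = {"1000", "2000", "3000"}      # assumed chart of accounts
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}$")


def edit_checks(rec, valid_accounts=VALID_ACCOUNTS):
    """Computer editing controls: reasons this record must be rejected."""
    errors = []
    if rec.get("account") not in valid_accounts:
        errors.append("unknown account")
    try:
        if Decimal(rec.get("amount", "")) == 0:
            errors.append("zero amount")
    except InvalidOperation:
        errors.append("amount not numeric")
    if not DATE_RE.match(rec.get("date", "")):
        errors.append("date not YYYY-MM-DD")
    return errors


def batch_totals(records):
    """Record count and hash total of the amounts that parse as numbers."""
    count, total = len(records), Decimal("0")
    for r in records:
        try:
            total += Decimal(r["amount"])
        except (InvalidOperation, KeyError):
            pass
    return count, total


def process_run(prev_closing, opening, header, batch):
    """Validate a batch and carry control totals forward. Returns a report dict."""
    report = {}
    # Run-to-run: this run's opening totals must equal the previous closing.
    report["run_to_run_ok"] = opening == prev_closing
    # Batch control: what the program received must match the header the
    # data control group prepared from the source documents.
    count, total = batch_totals(batch)
    report["batch_header_ok"] = (count == header["count"]
                                 and total == header["hash_total"])
    accepted, exceptions = [], []
    for rec in batch:
        errs = edit_checks(rec)
        (exceptions.append((rec["ref"], errs)) if errs else accepted.append(rec))
    acc_count, acc_total = batch_totals(accepted)
    report["exceptions"] = exceptions
    report["closing"] = {"count": opening["count"] + acc_count,
                         "total": opening["total"] + acc_total}
    return report


# Constructed sample data ---------------------------------------------------
PREV_CLOSING = {"count": 120, "total": Decimal("15000.00")}
OPENING = {"count": 120, "total": Decimal("15000.00")}
HEADER = {"count": 4, "hash_total": Decimal("1350.00")}   # from source documents
BATCH = [
    {"ref": "T1", "account": "1000", "amount": "500.00", "date": "2023-05-02"},
    {"ref": "T2", "account": "9999", "amount": "250.00", "date": "2023-05-02"},
    {"ref": "T3", "account": "2000", "amount": "6OO.00", "date": "2023-05-02"},  # keyed O for 0
    {"ref": "T4", "account": "3000", "amount": "0", "date": "02/05/2023"},
]


if __name__ == "__main__":
    rep = process_run(PREV_CLOSING, OPENING, HEADER, BATCH)
    print("run-to-run ok:", rep["run_to_run_ok"])        # True
    print("batch header ok:", rep["batch_header_ok"])    # False: 750.00 vs 1350.00
    for ref, errs in rep["exceptions"]:
        print("EXCEPTION", ref, ", ".join(errs))
    print("closing totals:", rep["closing"])             # count 121, total 15500.00
```

Only T1 is accepted; the closing totals therefore move by one record and 500.00. The header mismatch is itself informative: the source documents total 1350.00 but the keyed data totals 750.00, so the data control group knows a keying error (T3) occurred before the exception report is even read.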
Virtually everything a business does is now online, and it involves a lot of data. The volume, speed and value of that data drive the distribution of goods and services, so repeated compromises of data integrity are a far-reaching threat to a business and can have a widespread effect on its supply chains.
As the world increasingly does business online, cyber security threats are a growing concern for businesses of all sizes. Data breaches can lead to the loss of customer information, payment data and intellectual property, while ransomware can cripple operations by encrypting important files and demanding a ransom for their release.
Businesses need to be proactive in managing these risks, with robust security systems and processes in place to protect their data and minimize the impact of any attacks. This includes maintaining regular backups of important files, as well as training staff on cyber security best practices. By taking these steps, businesses can help reduce the likelihood of becoming a victim of cybercrime.
Cyber security is a major strategic risk for businesses, not just a technology issue.
According to Zoe Thompson, director, cybersecurity and digital trust, PWC:
There’s a much more dynamic, busy threat environment, and the regulatory environment behind that is catching up quickly.
So, boards need to think about their reputational and compliance risk and be across laws such as the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) that came into effect on 2 April 2022.
The SLACIP Act amends the Security of Critical Infrastructure Act 2018 (SOCI Act). It outlines an enhanced cyber security framework for entities that operate systems of national significance and introduces a new obligation for responsible entities to create and maintain a critical infrastructure risk management program.
This means the company must be aware of the cyber risks it manages on a daily basis, confident communicating and reporting on them and able to attest to government about the way those risks are handled. Ensure there is an alignment across the enterprise including IT and other supporting systems and services about how cyber security is managed.
Protecting the perimeter 2022, Australian Securities Exchange
The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 requires the responsible entities for critical infrastructure assets to establish, maintain and comply with a risk management program.
Whilst you may not consider your organisation to be "critical infrastructure", we live in a constantly changing world in which supply chain threats affect business operations globally. International conflicts and outbreaks of diseases such as COVID-19 have disrupted global supply chains, so businesses in manufacturing, construction, medical supply and even the food industry could find themselves defined as critical infrastructure. The responsible federal minister has the power to declare assets critical if, in the minister's opinion, the business's activities would affect critical infrastructure when certain thresholds are met; the minister must consult with the responsible entity before making such a declaration.
For more information and factsheets on complying with the critical infrastructure protection act risk management programmes, see the link to the Australian Department of Home Affairs.
Cyber security considerations
Cyber security is a critical consideration for businesses when managing data on computerised systems. In order to protect financial data, organisations should implement internal control procedures for cyber security and the safe handling of payments and data, including the following:
- Restricting access to data to authorised users only
- Updating software and security patches regularly
- Employing firewalls and other security measures; and
- Educating employees about cyber security best practices.
Read this article from the Australian Securities and Investments Commission on cyber security strategy for small businesses:
Businesses must take steps to ensure that their computer systems are secure from cyber-attacks and that any data breaches are reported as soon as possible.
Organisations in Australia are required to comply with the Notifiable Data Breaches scheme, which requires them to notify individuals if their personal information has been compromised in a data breach. This scheme imposes severe penalties for organisations that fail to protect the privacy of individuals' personal information.
Notifiable data breaches scheme
A data breach happens when personal information is accessed or disclosed without authorisation or is lost.
If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and us [the OAIC] when a data breach involving personal information is likely to result in serious harm.
For more information, visit the website of the Office of the Australian Information Commissioner: https://www.oaic.gov.au/privacy/notifiable-data-breaches
For more information, hints and tips, visit the website of the Australian Cyber Security Centre: https://www.cyber.gov.au/acsc/view-all-content/publications/small-business-cyber-security-guide
Managing Cybersecurity risks
The board could ensure that cyber risk is part of the broader risk framework and that exposure is recognised, assessed for impacts based on clearly defined metrics such as response time, cost and legal or compliance implications, and planned to attract investment commensurate to a risk-based assessment. The board could consider whether periodic reviews (that are more frequent than for other risks forming part of the risk management framework) could be adopted.
Different businesses can be exposed to different cyber risks and different potential consequences, so triggers may vary, but could include automated detection of breaches to firewalls, attempts to access protected files and areas of data storage without sufficient clearance or passwords, and denial of service attacks, or other irregular activity. The board could reflect on risks specific to the business of the organisation.
Without an understanding of the nature of the risk and its consequences, it is difficult for a board to set an appropriate risk tolerance for the risk and to ensure that cyber risks are effectively addressed by the organisation's risk management framework.
Not all boards require general technology expertise; however, for many organisations, it is advisable to have one or more directors who have specific knowledge of technology and its associated risks or who have a background in cybersecurity.
The board could consider the use of external cyber experts to review and challenge the information presented by senior management.
The board could ensure that third-party partners and service providers also maintain similar mechanisms for identifying cyber risk, or seek to do business only with those who do.
Malicious cyber activity can be devastating to an organisation's business operations; therefore, the board could consider what triggers should lead to more detailed reporting of the risk to senior management and the board.
Identifying a cyber risk can pose particular challenges; some best-practice organisations use artificial intelligence-driven solutions to deal with this challenge.
The board could ensure that third-party partners and service providers also maintain similar mechanisms for monitoring cyber risk, or seek to do business only with those who do.
Despite significant advances in cybersecurity technology, lack of staff awareness of safe cyber practices, social engineering or careless behaviours remains a major source of cyber issues.
A collective effort against cyber threats will best serve an organisation; boards could ensure increased and sufficient investment in staff training, given that staff behaviour is a significant source of risk.
The board could ensure that the critical information assets of the organisation are suitably secure. The board could ensure transparency around the location of all critical assets, how they are protected and how protection is being assured.
The board could ensure that third-party partners and service providers also maintain similar control mechanisms, or seek to do business only with those who do.
Boards could put practices in place to communicate and report effectively, internally and externally, and manage breach situations.
Boards could ensure that scenario planning and testing have been done, so that response plans are valid and up to date.
Boards could ensure that third-party suppliers also have risk management and reporting plans in place for securing cyber assets.
Boards could put security and customer trust as central considerations in their organisation's use of technology to deliver services.
Learning Activity
Read the following article from the Australian Securities and Investments Commission:
Now examine your organisation through this lens and note down the answers to the questions posed.
Risk management framework
Question 1: Are cyber risks an integral part of the organisation’s risk management framework?
Question 2: How often is the cyber resilience program reviewed at the board level?
Identifying cyber risk
Question 3: What risk is posed by cyber threats to the organisation’s business?
Question 4: Does the board need further expertise to understand the risk?
Monitoring cyber risk
Question 5: How can cyber risk be monitored, and what escalation triggers should be adopted?
Controls
Question 6: What is the people strategy around cybersecurity?
Question 7: What is in place to protect critical information assets?
Response
Question 8: What needs to occur in the event of a breach?
Download a copy of the small business cyber security guide from the Australian Government's Australian cyber security centre, and read it, keeping a copy for your future reference.
https://www.cyber.gov.au/acsc/small-and-medium-businesses/acsc-small-business-guide