Audit committee toolkit: Internal control checklist

Author: William Cameron
CGMA TOOLS ®

Audit committee toolkit: Internal control checklist Guidelines for the audit committee

Two of the world’s most prestigious accounting bodies, AICPA and CIMA, have formed a joint venture to establish the Chartered Global Management Accountant ® (CGMA®) designation to elevate and build recognition of the profession of management accounting. This international designation recognises the most talented and committed management accountants with the discipline and skill to drive strong business performance. CGMA designation holders are either CPAs with qualifying management accounting experience or associate or fellow members of the Chartered Institute of Management Accountants.

CONTENTS

Introduction 2
Internal control overview 3
Internal control effectiveness 4
Roles and responsibilities 5
Internal Control Over Financial Reporting (ICFR) 7
Conclusion 8
Internal control — checklist of COSO essentials for the board 9

INTRODUCTION

The creation of an effective audit committee is an important way of enhancing organisational governance and oversight, and it can help reinforce development of the proper “tone at the top.” Good governance depends in large part on the audit committee’s effectiveness in executing both its prescribed and regulated responsibilities and its best practice duties. The board of directors is responsible for overseeing management’s development of an effective system of internal controls. Internal control frameworks are important tools for designing and implementing internal controls as well as assessing the effectiveness of the system. The frameworks provide management with a foundation on which to build internal control systems and provide the board with an added ability to oversee internal control. A widely used framework is the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Internal Control – Integrated Framework. The COSO Framework has become widely used by U.S. and foreign companies, both public and private, as well as not-for-profit and government organisations.

Originally issued in 1992, the COSO Framework was updated and re-published in 2013 to reflect consideration of the dramatic changes in business and operating environments since its original release. The framework provides an updated and comprehensive principles-based approach to understanding internal control. This CGMA tool was derived from Chapter 9 of the AICPA Audit Committee Toolkit for Private Companies, 2nd Edition, which was published in 2014. The tool is intended to provide boards, governing bodies and audit committees basic information about internal control. A checklist is provided to help audit committee members engage with management regarding the development and maintenance of internal control systems.

INTERNAL CONTROL OVERVIEW

The COSO Framework defines internal control as “a process, affected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”

The COSO Framework sets forth three categories of objectives:

1. Operations objectives pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.

2. Reporting objectives pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.

3. Compliance objectives pertain to adherence to laws and regulations to which the entity is subject.


AUDIT COMMITTEE TOOLKIT: INTERNAL CONTROL CHECKLIST

The COSO Framework states that internal control consists of five interrelated components as follows:

1. Control environment. The control environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the organisation. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

2. Risk assessment. Risk assessment involves a dynamic and iterative process for identifying and analysing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede the ability to achieve its objectives.

3. Control activities. Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks related to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and throughout the technology environment.

4. Information and communication. Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communications occur both internally and externally, and provide the organisation with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.

5. Monitoring activities. Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to affect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.

The five components of internal control, along with 17 corresponding principles representing the fundamental concepts associated with the components, are linked together, forming an integrated system that can react dynamically to changing conditions. The internal control system is intertwined with the organisation’s operating activities, and is most effective when controls are built into the organisation’s infrastructure, becoming part of the very essence of the organisation.

This tool is intended to provide guidance to audit committees on achieving effective internal control over financial reporting. The concepts are not complex, but sometimes the application of internal control can be a challenge in an organisation, depending on its size and the corporate culture. The audit committee plays an important role in establishing an appropriate control environment or the tone at the top of the organisation.

While the objective of reliable financial reporting may be paramount for the audit committee of any organisation, an effective internal control system also encompasses compliance, operational, and non-financial reporting objectives. An integrated process that includes all five components of the internal control framework and its 17 principles working together is the primary means of having reasonable assurance that these important goals are being met. Simply stated, a strong system of internal control, both in its design and operation, is good business.


INTERNAL CONTROL EFFECTIVENESS

Internal control can be judged as effective if the board of directors and management have reasonable assurance of the following:

1. Operations — The organisation achieves effective and efficient operations when external events are considered unlikely to have a significant impact on the achievement of objectives, or when the organisation can reasonably predict the nature and timing of external events and mitigate their impact to an acceptable level. The organisation understands the extent to which operations are managed effectively and efficiently when external events may have a significant impact on the achievement of objectives and that impact cannot be mitigated to an acceptable level.

2. Reporting — The organisation prepares reports in conformity with applicable laws, rules, regulations, and standards established by legislators, regulators and standard setters, or with the entity’s specified objectives and related policies.

3. Compliance — The organisation complies with applicable laws, rules, and regulations.

What internal control cannot do

As important as an internal control structure is to an organisation, an effective system is not a guarantee that the organisation will be successful. An effective internal control structure will keep the right people informed about the organisation’s progress (or lack of progress) in achieving its objectives, but it cannot turn a poor manager into a good one. Internal control cannot ensure success, or even survival. Internal control is not an absolute assurance to management and the board that the organisation has achieved its objectives. It can only provide reasonable assurance, due to limitations inherent in all internal control systems. For example, breakdowns in the internal control structure can occur due to simple error or mistake, as well as faulty judgments that could be made at any level of management. In addition, controls can be circumvented by collusion or by management override. Otherwise effective internal controls cannot be relied upon to prevent, detect, or deter fraudulent financial reporting perpetrated by senior management. The audit committee must evaluate whether there are oversight mechanisms in place and functioning that will prevent, deter, or detect management override of internal controls.


ROLES AND RESPONSIBILITIES

Everyone in the organisation has some role to play in the organisation’s internal control system.

Board of directors and audit committee

The board of directors and the audit committee are responsible for overseeing the system of internal control, and play a key role in setting expectations about integrity and ethical values, transparency, and accountability for the performance of internal control responsibilities. Board members should be objective, capable and inquisitive, with a willingness to commit the time necessary to fulfill their governance responsibilities. This is particularly important when the organisation is controlled by an executive or management team with tight reins over the organisation and the people within the organisation. The board should recognise that its scope of oversight of the internal control system applies to all three major areas of control: operations, reporting, and compliance. The audit committee plays a critical oversight role in the reliability of the financial statements, the system of internal control over financial reporting and the processes in place to design, implement, and monitor the company’s broader system of internal control. Audit committee members should understand how management is carrying out its internal and external reporting responsibilities and verify that timely corrective actions are taken, as necessary.


Senior management

Senior executives lead key operating units and business enabling functions and are a key influence on the design and implementation of internal controls that address related objectives.

CEO — The CEO has ultimate responsibility and ownership of the internal control system, with accountability to the board of directors. The individual in this role sets the tone at the top that affects the integrity and ethics and other factors that create the positive control environment needed for the internal control system to thrive. The CEO maintains visibility and control over the risks facing the entity, and reviews deficiencies that affect the system of internal control. The day-to-day design and operation of the control system is delegated to other senior managers in the company, under the leadership of the CEO.

CFO — Much of the internal control structure flows through the accounting and finance area of the organisation under the leadership of the CFO. In particular, controls over financial reporting fall within the domain of the chief financial officer. The audit committee should use interactions with the CFO as one of several important factors in the basis for their comfort level on the completeness, accuracy, validity and maintenance of the system of internal control over financial reporting.

Controller — Much of the basics of the control system come under the domain of this position. It is key that the controller understands the need for the internal control system, is committed to the system and communicates the importance of the system to all people in the accounting organisation. Further, the controller must demonstrate respect for the system through his or her actions.

Business enabling functions

Certain functions exist to support the organisation through specialised skills such as finance, risk management, information technology and human resources. These functions also monitor trends, provide guidance, and keep the organisation informed of relevant requirements as important internal controls. Coordination and sharing of issues among these functions help the organisation achieve its objectives.

External parties

Third parties frequently play key roles in a company’s activities through outsourcing or other support. The company retains full responsibility for the internal control system, including activities performed by third parties on its behalf. Therefore, the audit committee should ensure that management has processes to evaluate the activities performed by others to assess the effectiveness of the third party’s system of internal control.

Internal audit

A main role for the internal audit team is to evaluate the effectiveness of the internal control system and contribute to its ongoing effectiveness. With the internal audit team reporting directly to the audit committee of the board of directors and the most senior levels of management, it is often this function that plays a significant role in monitoring the effectiveness of the internal control system.


External Audit — The external auditor is engaged to audit the reliability of financial reporting and, in certain reporting jurisdictions, the effectiveness of internal control over financial reporting. In carrying out these responsibilities, the external auditor will communicate deficiencies in internal control to management to be acted upon and, depending on significance, to the audit committee.

All other employees

The internal control system is only as effective as the employees throughout the organisation who must comply with it. Employees throughout the organisation should understand their roles in internal control, the importance of supporting the system through their own actions, and the need to encourage respect for the system by their colleagues throughout the organisation.

INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR)

The purpose of this toolkit is not to explain the various compliance requirements that exist between different jurisdictions. It is paramount that audit committees become familiar with ICFR concepts, as matters related to internal control over financial reporting will be included in external auditor communications to the audit committee as part of expressing or disclaiming an opinion on financial statements. The audit committee needs to be advised and updated regularly on the external auditor’s consideration of internal control as part of the financial statement audit, and should have a clear understanding of the expected outcome. In the event the auditor identifies internal control deficiencies, management should already have a plan in place to correct the weakness(es), and the audit committee should already be engaged in review and approval of that plan.


CONCLUSION

This briefing is intended to provide an overview of what is meant by internal control, key terms, concepts and responsibilities of the audit committee, especially as they relate to internal control over financial reporting. The concepts are not complex, but sometimes the application of internal control can be a challenge in an organisation, depending on its size and the corporate culture. The audit committee plays an important role in establishing an appropriate control environment or the tone at the top of the organisation.

While the objective of reliable financial reporting may be paramount for the audit committee of a private company, an effective internal control system also encompasses compliance, operational, and non-financial reporting objectives. An integrated process that includes all five components of the internal control framework and its 17 principles working together is the primary means of having reasonable assurance that these important goals are being met. Simply stated, a strong system of internal control, both in its design and operation, is good business.

See AU §325, Communicating Internal Control Related Matters Identified in an Audit, PCAOB AS No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements and International Standards on Auditing 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management.


INTERNAL CONTROL — CHECKLIST OF COSO ESSENTIALS FOR THE BOARD

Purpose of this tool — This tool provides an understanding of key board-level responsibilities within each of the five interrelated components of a company’s internal control system, as described in the COSO Internal Control — Integrated Framework (2013). The audit committee’s role within this system focuses on internal controls over financial reporting and the processes in place to design, implement, and monitor the company’s broader system of internal control. It is also responsible for aiding the board in its oversight of internal controls, risk management and the overall governance process. This can be achieved through the committee’s interaction with senior management, independent auditors, internal auditors, and other key members of the financial management team.

Instructions for using this tool — Within each component is a series of questions that the audit committee should evaluate to assure itself that board-level controls are in place and functioning. These questions should be discussed in an open forum with the individuals who have a basis for responding to the questions. The audit committee should ask for detailed answers and examples from the management team, which should include key members of the financial management team, internal auditors, and independent auditors. This board-level tool should be used in conjunction with the COSO Internal Control — Integrated Framework (2013) to determine if all components and related principles of a company’s internal control system are present, functioning, and operating together in an integrated manner. Evaluation of the internal control structure is not a one-time event, but rather a continuous process for the audit committee. The audit committee should always have its eyes and ears open to the ever-changing risks that the business faces, especially the risks to reliable financial reporting, and should continually probe the responsible parties regarding the operation of the system and potential weaknesses in internal control. These questions are written in such a manner that a “No” response indicates a weakness that must be addressed.


COSO Framework checklist. Each question is answered YES, NO or NOT SURE.

CONTROL ENVIRONMENT — Demonstrates Commitment to Integrity and Ethical Values

1. Do comprehensive standards of conduct exist addressing acceptable business practice, conflicts of interest, and expected standards of ethical and moral behaviour for the company? Is the board accountable for the definition and application of the standards?

2. Is the audit committee furnished routinely with the results of employee surveys regarding corporate behavior and similar information from external parties such as customers and vendors? See also chapter 10, “Fraud and the Responsibilities of the Audit Committee: An Overview,” in the toolkit (AICPA Audit Committee Toolkit: Private Companies, 2nd edition, 2014).

3. Are the standards of conduct communicated and reinforced regularly to all levels of the organisation, outsourced service providers, and business partners? Are management’s efforts to communicate the standards both sufficient and effective in creating awareness and motivating compliance? See also chapter 10, “Fraud and the Responsibilities of the Audit Committee: An Overview,” in the toolkit (AICPA Audit Committee Toolkit: Private Companies, 2nd edition, 2014).

4. Do the board and management demonstrate through actions and behaviors their commitment to the standards of conduct? Is there consistency at all levels of the organisation?

CONTROL ENVIRONMENT — Exercises Oversight Responsibility

5. Does the board of directors define, maintain and evaluate periodically the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions?

6. Does the board set the expectations for the performance, integrity, and ethical values of the chief executive officer (or equivalent role)?

7. Does the board assume oversight responsibility for management’s design, implementation, and conduct of internal control?


CONTROL ENVIRONMENT — Establishes Structure, Authority, and Responsibility

8. Has the board established appropriate oversight structures and processes (i.e. board and committees) for the entity?

9. Does the board retain authority over significant decisions and review management’s assignments and limitations of authorities and responsibilities?

CONTROL ENVIRONMENT — Demonstrates Commitment to Competence

10. Do board committees contain members who have the requisite level of skills and expertise commensurate with the committee’s responsibilities?

11. Are board oversight effectiveness reviews commissioned periodically and/or as required for regulatory purposes, with opportunities for improvement identified and addressed?

12. Is the board effective in exercising its fiduciary responsibilities (as applicable under the relevant jurisdiction’s legislation) and due care in oversight (for example, preparing for and attending meetings, reviewing the entity’s financial statements and other disclosures)?

13. Does the board evaluate the performance, integrity and ethical values of the chief executive officer (or equivalent role) and act as necessary to address shortcomings?

14. Do succession plans, contingency plans, or both exist for the CEO and other key roles in order to assign responsibilities important to internal control?

CONTROL ENVIRONMENT — Enforces Accountability

15. Does the board challenge senior management by asking probing questions about the entity’s plans and performance, and require follow-up and corrective actions, as necessary?

16. Does the board act to address competence, internal control, and standards of conduct shortcomings among the CEO, the organisation, and its outsourced service providers?

17. Does the board align executive compensation, incentives, and rewards appropriately, including consideration of related pressures, with the fulfillment of internal control responsibilities in the achievement of objectives?


RISK ASSESSMENT

1. Does the board consider significant risks to the achievement of objectives from external sources, such as creditor demands, economic conditions, regulation, labour relations and sustainability? Does the organisation identify related issues and trends?

2. Does the organisation consider significant risks to the achievement of objectives from internal sources, such as business continuity, retention of and succession planning for key employees, financing and the availability of funding for key programmes, competitive compensation and benefits, and information systems security and backup systems? Does the organisation identify related issues and trends?

3. Does management have a process in place to assess risk proactively as significant changes, such as entering a new market, disruptive innovations, economic/geopolitical shifts, fraud, and management override of internal controls, occur?

4. Does the board apply an appropriate level of scepticism and challenge management’s assessment of risks?

CONTROL ACTIVITIES

1. Does the board assume the responsibility to oversee senior management effectively in its performance of control activities?

2. Does the board have necessary assurance from management, internal and external auditors, and others (as appropriate) that control activities are designed effectively and operating to address all significant risks to the preparation of reliable financial statements?

3. Does the board make specific inquiries of management regarding the selection, development and deployment of control activities in significant risk areas and remediation as necessary? Does the company design control activities proactively to address emerging significant risk areas?


INFORMATION AND COMMUNICATION

1. Do the board and management have an effective level of communications in place to enable fulfillment of their roles with respect to the entity’s objectives and to enable consistency in direction and tone at the top?

2. Does the board receive the necessary operational and financial information relating to the entity’s achievement of objectives on a timely basis and in a format that facilitates its use? Does the board review and discuss this information?

3. Does the board apply critical judgment effectively to scrutinize information provided and present alternative views?

4. Does the board review disclosures to external stakeholders for completeness, relevance, and accuracy?

5. Does the board receive communications regarding relevant information from third party assessments?

6. Do open communication channels exist to allow relevant information to flow to the board from customers, consumers, suppliers, external auditors, regulators, financial analysts and others?

7. Is there an effective process established and publicised periodically to officers, employees, and others to allow open communication of suspected instances of wrongdoing by the company or employees of the company? See also the tool entitled “Whistleblower Common Practices Checklist” in chapter 11, “Whistleblower Policy: Complaint Reporting Procedures and Tracking Report,” in the toolkit (AICPA Audit Committee Toolkit: Private Companies, 2nd edition, 2014).


MONITORING ACTIVITIES

1. Does the board understand the nature and scope of ongoing monitoring procedures and/or separate evaluations to enable an effective evaluation of whether the components of internal control continue to function over time?

2. Does the board inquire with management, internal and external auditors, and others (as appropriate) to understand the presence and nature of any management overrides of controls?

3. Does the board receive regular communications from management regarding its evaluation of internal control and the status of remediation of deficiencies?

4. Does the board engage with management, internal and external auditors, and others (as appropriate) to evaluate the adaptability of the company’s strategies and internal control framework to evolving business, infrastructure, regulations, and other factors?


About the tool

The above checklist was taken directly from The AICPA Audit Committee Toolkit: Private Companies, 2nd edition, 2014. This full publication is available online and in print from cpa.com. This is one in a series of four audit committee toolkits (Public Company, Private Company, Not-for-Profit Organisations and Government Organisations).

Acknowledgements

We would like to thank all of those who contributed their time, knowledge, insight and experience in order to provide this tool.

© 2015 American Institute of CPAs. All rights reserved. This material may be shared and reproduced for non-commercial purposes in online format only, subject to provision of proper attribution to the copyright owner listed above. For information about obtaining permission to use this material in any other manner, please email [email protected]. All other rights are hereby expressly reserved. The information provided in this publication is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. Although the information provided is believed to be correct at the date of publication, be advised that this is a developing area. The AICPA or CIMA cannot accept responsibility for the consequences of its use for other purposes or other contexts.


The information and any opinions expressed in this material do not represent official pronouncements of or on behalf of the AICPA, CIMA, the CGMA designation or the Association of International Certified Professional Accountants. This material is offered with the understanding that it does not constitute legal, accounting, or other professional services or advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The information contained herein is provided to assist the reader in developing a general understanding of the topics discussed, but no attempt has been made to cover the subjects or issues exhaustively. While every attempt to verify the timeliness and accuracy of the information herein as of the date of issuance has been made, no guarantee is or can be given regarding the applicability of the information found within to any given set of facts and circumstances.

American Institute of CPAs
1211 Avenue of the Americas
New York, NY 10036-8775
T. +1 212 596 6200
F. +1 212 596 6213

Chartered Institute of Management Accountants
26 Chapter Street
London SW1P 4NP
United Kingdom
T. +44 (0)20 7663 5441
F. +44 (0)20 7663 5442

CIMA REGIONAL OFFICES:

Africa
4th Floor, 54 Melrose Boulevard, Melrose Arch, Melrose North, Johannesburg, South Africa
T: +27 (0)11 788 8723
F: +27 (0)11 788 8724
[email protected]

Europe
26 Chapter Street, London SW1P 4NP, United Kingdom
T: +44 (0)20 8849 2251
F: +44 (0)20 8849 2250
[email protected]

Middle East, South Asia and North Africa
356 Elvitigala Mawatha, Colombo 5, Sri Lanka
T: +94 (0)11 250 3880
F: +94 (0)11 250 3881
[email protected]

North Asia
Unit 1508A, 15th floor, AZIA Center, 1233 Lujiazui Ring Road, Pudong, Shanghai, 200120, China
T: +86 (0)21 6160 1558
F: +86 (0)21 6160 1568
[email protected]

South East Asia and Australasia
Level 1, Lot 1.05, KPMG Tower, 8 First Avenue, Bandar Utama, 47800 Petaling Jaya, Selangor Darul Ehsan, Malaysia
T: +60 (0) 3 77 230 230/232
F: +60 (0) 3 77 230 231
[email protected]

CIMA also has offices in the following locations: Australia, Bangladesh, Botswana, China, Ghana, Hong Kong SAR, India, Ireland, Malaysia, Nigeria, Pakistan, Poland, Russia, Singapore, South Africa, Sri Lanka, UAE, UK, Zambia and Zimbabwe.

cgma.org © The Chartered Institute of Management Accountants 2015 17047-347

March 2015

CGMA, CHARTERED GLOBAL MANAGEMENT ACCOUNTANT, and the CGMA logo are trademarks of the Association of International Certified Professional Accountants. ASSOCIATION OF INTERNATIONAL CERTIFIED PROFESSIONAL ACCOUNTANTS and the ASSOCIATION OF INTERNATIONAL CERTIFIED PROFESSIONAL ACCOUNTANTS logo are trademarks of the American Institute of Certified Public Accountants. These trademarks are registered in the United States and in other countries.
