Internal control is defined as a process, carried out by the staff of an entity, designed to achieve specific objectives.
Introduction.
The History of Public Accounting, its Evolution and Follow-up, provide a number of events that in the end became important steps to achieve and define what is now recognized as "Audit". From the exposition of the most remote antecedents, in the world and in Cuba, to the current and current institutions and laws that govern the profession, relevant facts are addressed that signified, from the conceptual point of view, a change in the way in which the audit exercise was being carried out.
It is the goal of top executives to find ways to better control the companies they run. Internal controls are implemented in order to detect, within the desired period, any deviation from the profitability objectives established by the company.
These controls enable management to cope with the rapidly changing economic and competitive environment, as well as changing customer demands and priorities, and adapt its structure to ensure future growth.
The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. It is most effective when controls are incorporated into the infrastructure of the society and are part of the essence of the company.
Internal controls promote efficiency, reduce the risk of loss of asset value, and help ensure the reliability of financial statements and compliance with applicable laws and regulations.
Internal control is defined as a process, carried out by the staff of an entity, designed to achieve specific objectives.
The concept given in the COSO Report on internal control explains that: “internal control is defined as a process, carried out by the staff of an entity, designed to achieve specific objectives.
The definition is broad and covers all aspects of control of a company, but at the same time it allows focusing on specific objectives.
The Ministry of Finance and Prices (MFP) defined through Resolution 297/03 on September 23, 2003 the Management System, for Internal Control, mandatory for all economic entities based in Cuba, where internal control was defined, "As a process integrated to the operations carried out by the management and the rest of the personnel of an entity to provide reasonable security for the achievement of the following objectives":
• Reliability of the information.
• Efficiency and effectiveness of operations.
• Compliance with laws, regulations and established policies.
• Control of resources of all kinds, available to the entity.
Consequently, internal controls should not be isolated acts or mechanisms, or executive orders, but a series of actions, changes or functions that, taken together, lead to a certain end or result.
This alone extends the concept of internal control beyond the traditional notion of financial controls, to convert internal control into an integrated system of materials, equipment, procedures, and people.
Internal control is a matter of people since no organization can know all the current and potential risks to which it is exposed at any time and develop controls to face each and every one of them. That is why the people who make up the organization must be aware of the need to assess risks and apply controls, and must be in a position to respond appropriately to it.
Internal controls are not restrictive elements but they make processes possible, allowing and promoting the achievement of objectives because they refer to the risks to be overcome in order to achieve them.
It is not just about the objectives related to financial reporting and regulatory compliance, but also about the company's management operations.
In this way, seeing the controls gives value to the tasks of evaluating and improving internal controls and becomes everyone's responsibility.
The new approach provides elements that should be the domain of all workers in business organizations and are framed within the five components of internal control, which are analyzed when viewed from an integrated framework, are identified, are related to each other and are inherent to the company management style. They appear in Resolution No. 297-2003 of the MFP as aspects to be developed within the Internal Control System (SCI).
• Control environment.
• Risks evaluation.
• Control Activities.
• Information and communication.
• Supervision or Monitoring.
An analysis of the importance of the five components, from the point of view of the organizational objectives and the interrelation that exists between both evidences that, the definition, establishment and application of the organizational objectives is the primary requirement to be able to introduce in the organization a SCI.
Organizational objectives indicate the direction, and must be stated in writing defining the results to be achieved in a given period.
The objectives are WHAT: What results do you want and need to achieve? The objectives provide information on how the system should work, facilitate the structure and organization, and are capable of evaluating progress since a clearly established, measurable objective with a specific date becomes a performance standard that allows individuals assess their progress. Therefore, objectives are an essential part of control.
Therefore it is a reality that a company must be directed by objective, which means that both the managers and the subordinates of an organization together, identify their common goals, define the main areas of responsibility of each person in terms of the results that he These measures are expected and used as guidelines for the management of the unit and to evaluate the contribution of each of its members.
If the organizational objectives indicate the direction, the result to be achieved, the five components of internal control constitute ways to achieve the objectives of the organization, the planned results and its proper functioning, coinciding with the essential objectives of everything. change process that is focused on business performance and results.
Control environment:
It sets the tone for the operation of a company and influences the awareness of its employees regarding control. It is the basis of all the other components of internal control, providing discipline and structure.
Control environment factors include the integrity, ethical values, and capabilities of company employees, management philosophy and management style, how management assigns authority and responsibilities, and professionally organizes and develops its employees and the attention and guidance it provides to the board of directors.
The Control Environment fosters the structure in which the objectives must be met and the preparation of the man who will make them meet.
Risk assessment:
Organizations face various external and internal risks that have to be evaluated. A precondition to risk assessment is the identification of objectives at different levels, linked to each other and internally consistent. Risk assessment consists of identifying and analyzing the risks relevant to achieving the objectives, and serves as the basis for determining how risks are to be managed.
The entity must know and address the risks it faces, establishing mechanisms to identify, analyze and treat the corresponding risks in the different areas.
Although it is necessary to assume prudent risks to grow, management must identify and analyze risks, quantify them, and foresee the probability of their occurrence and the possible consequences.
Risk assessment should be a continuous process, a basic activity of the organization, and its assessment processes should be future-oriented, allowing management to anticipate new risks and take appropriate measures to minimize and / or eliminate the their impact on achieving the expected results. Risk assessment is preventive in nature and should become a natural part of the company's planning process.
Control activities:
Control activities are the policies and procedures that help to ensure that the instructions of the company management are carried out.
They help to ensure that the necessary measures are taken to control the risks related to the achievement of the company's objectives.
Control activities exist throughout the organization and occur throughout the organization, at all levels and in all functions, and include such things as; approvals, authorizations, verifications, reconciliations, analysis of operational efficiency, security of assets, and segregation of duties.
In some settings, control activities are classified into; preventive controls, detection controls, corrective controls, manual or user controls, computer or information technology controls, and management controls. Regardless of the classification adopted, control activities must be appropriate for the risks.
Information and communication:
Relevant information must be identified, collected and communicated in a manner and time frame that allows each worker to fulfill his or her responsibilities. Computer systems produce reports that contain operational, financial, and compliance information that enables the business to be run and controlled appropriately.
These systems not only handle internally generated data, but also information on internal events, activities and conditions relevant to management decision-making as well as to the presentation of information to third parties.
There must be effective communication in a broader sense, flowing in all directions through all areas of the organization, from top to bottom and vice versa.
The message from senior management to all staff must be clear; control responsibilities have to be taken seriously. Workers need to understand what the role is in the internal control system and how individual activities are related to the work of others. On the other hand, they must have the means to communicate significant information to higher levels. Likewise, there must be effective communication with third parties, such as customers, suppliers, control agencies and others.
At present, the management of a company is not conceived without information systems. Information technology has become so commonplace that it is taken for granted. In many organizations, managers complain that the voluminous reports they receive require them to review too much data to extract relevant information.
In such cases there may be communication but the information is presented in such a way that the individual cannot use it or does not use it really and effectively.
All staff, especially those with important operational or financial functions, should receive and understand the message from senior management that control obligations must be taken seriously.
In this same way, the role in the internal control system must be known, as well as the way in which their individual activities are related to the work of others.
If the control system, specific tasks and obligations in the system are not known, problems are likely to arise. Employees must also know how their activities relate to the work of others. There must be effective communication throughout the entire organization.
The free flow of ideas and the exchange of information are vital. Upstream communication is often the most difficult, especially in large organizations. However, its importance is evident.
Fostering a suitable environment to promote open and effective communication is beyond the scope of the policy and procedure manuals. It depends on the atmosphere that reigns in the organization and on the tone given by senior management.
Supervision or monitoring:
Internal control systems require supervision, that is, a process that checks that the proper functioning of the system is maintained over time.
This is accomplished through ongoing monitoring activities, periodic evaluations, or a combination of both. Continued supervision occurs in the course of operations. It includes both normal management and supervisory activities and other activities carried out by staff in the performance of their duties.
The scope and frequency of periodic evaluations will depend essentially on a risk assessment and on the effectiveness of ongoing monitoring processes. The deficiencies detected in the internal control must be notified at higher levels, while the senior management and the board of directors must be informed of the significant aspects observed.
“The entire process must be supervised, making the pertinent modifications when deemed necessary. In this way, the system can react quickly and change according to the circumstances ”.
Internal controls need to be continuously monitored to ensure that the process works as intended. This is important because, as internal and external factors change, controls that were once suitable and effective may cease to be adequate and to give management the reasonable security that they offered before.
The scope and frequency of supervisory activities depend on the risks to be controlled and the degree of trust that management inspires in the control process.
Supervision of internal controls can be done through ongoing activities embedded in business processes and through separate evaluations by management, the internal audit function, or independent individuals.
Ongoing oversight activities designed to test the effectiveness of internal controls include periodic management and oversight activities, comparisons, reconciliations, and other routine actions.
In general and after the analysis of each of the components, it can be synthesized that these, linked together:
• They generate synergy and form an integrated system that responds in a dynamic way to the changing circumstances of the environment.
• They are influenced and influence the management methods and styles applicable in companies and have a direct impact on the management system, having as a premise that man is the most important asset of any organization and needs to have a more active participation in the process of management and feel an integral part of the Internal Control System that is applied.
• They are intertwined with the entity's operating activities, contributing to their efficiency and effectiveness.
• They allow you to maintain control over all activities.
• Its effective operation provides a reasonable degree of assurance that one or more of the stated goal categories will be met. Therefore, these components are also criteria for determining whether internal control is effective.
• They make a difference with the traditional internal control approach aimed at the financial area.
• They contribute to the fulfillment of organizational objectives in a general sense.
II. Report of the Diagnosis made to the Internal Control System of the Faculty of Economic Sciences.
Component Diagnosis: Control Environment
Positive aspects:
• There are norms or rules applicable in the Faculty to have an ethical culture. For this purpose, the following documents are available: Regulations and Internal Code of Ethics for the Network, the Collective Labor Agreement, the Regulations for State and Government Tables, the Regulations of the Board of Directors, Labor Discipline Standards, etc..
• In the event that a leader or worker has failed to comply with the established provisions, the corresponding measures are applied.
• The Mission, Vision and Shared Values of the Faculty are defined and the SWOT Matrix of the Faculty was prepared. There is also a document that establishes the Corporate Purpose of the UCLV and therefore, of the Faculty.
• The Profesiograms are made and filed with the description of the jobs of each worker, related activities, the required knowledge and competencies of the Administrative and Services personnel, according to the model established for this purpose by the DHR and the plans of Teachers' work is duly updated.
• Minutes of the Boards of Directors and Trade Union Assemblies are issued, and compliance with the agreements made in most cases is controlled by those responsible.
• It is evidenced in the Minutes of the Boards of Directors, that as part of the management methods and styles, those responsible for the ARCs report their management to the Dean periodically.
• There are some communication channels for the workers to present their suggestions on improvements or possible changes that provide the fulfillment of the tasks and goals, such as union assemblies, mail, Department meetings and meetings of guide teachers and coordinators.
• The organizational chart that defines the organizational structure of the area is prepared, the Process Map with the key processes of the Faculty and its sub-processes and, in some way, who are in charge of its correct operation.
• There is control and workers are known about the tasks, missions they carry out and their location, in each case for wartime and exceptional situations.
• The Training and Development Plan for the Tables is drawn up, although for the 2006/2007 academic year. All the Tables within their training plan have included “Achieving mastery of the Internal Control processes in correspondence with Resolution 297/03 of the MFP, through participation in Seminars on the subject.
• The Faculty Control Committee is constituted.
Existing weaknesses:
• The knowledge and conscious acceptance of the written rules (Codes of conduct) and Ethics established are insufficient. This is fundamentally due to the fact that these behavioral guidelines are not in writing, so that everyone can access them, in addition to the fact that their dissemination to the expected levels of ethical behavior has not been systematized and these are not They are included in the evaluation carried out on the workers.
• The Internal Regulations and Code of Ethics for the Network are outdated.
• The Profesiograms of the Vice Deans are not updated as they do not correspond to the functions they currently occupy. The Profesiogram of the Vice Dean of Universalization is not elaborated.
• The legal documentation that regulates the main activities (Resolutions, Circulars, Instructions, etc.) is scattered, almost all in digital format on the Intranet or in some folder, and not everyone knows or knows how to access them.
• There is no total knowledge on the part of managers and workers regarding the responsibility they have in the Faculty's Internal Control System.
• Minutes are not issued for other forms of meetings used in the organization (offices, weekly work meetings, among others), which prevents adequate control by those responsible for compliance with the agreements made and their follow-up.
• In the Minutes of the Boards of Directors there was no evidence of the quarterly evaluation of the economic-financial situation, of the quarterly analysis of Internal Control, nor of the approval of the objectives and work strategies of this course. A review was made of the Minutes of the Boards of Directors from February / 07 to March / 09, which ranges from Minutes No. 1 to 19 and of the Notepad of the Board of Directors and Work Meetings from February / 07 to November / 08. Only in three minutes was any topic related to the Internal Control System and the Prevention Plan addressed.
• There is no evidence in the Minutes of the Board of Directors of the analysis of compliance with the measures of the Prevention Plan in each of the areas, only of its approval on 04/21/08. The Prevention Plan is not made by area.
• There is no evidence in the Minutes of the Board of Directors of the analysis of the results of inspections, audits or any other type of review of the Faculty and of the adoption of measures to correct the deficiencies detected.
• The Strategic Planning with the key results areas and Work Objectives for the 2008/2009 academic year shown is that approved at the university level and not that of the faculty and its departments.
• The duties and responsibilities of the positions, hierarchical and functional relationships are not formalized in an Organization Manual or organic regulation of the Faculty.
• Each manager and worker does not have a written definition of his duties, rights and material responsibility for the resources he guards.
• The Implementation Schedule of the Internal Control System has not been drawn up.
• An Internal Control Actions File has not been prepared. (which includes audits, inspections, accreditations, etc.). The Advancement and Training Plan for the Tables is not updated and has not been prepared for the rest of the workers.
• A basic program is not established so that new employees are methodically familiar with the customs and procedures of the Faculty.
• No personnel rotation and promotion policies are applied that allow an organizational mobility that means the recognition and promotion of the most capable and innovative.
• The Control Committee was recently restructured and its structure, objectives and functions have not been defined (neither are these issues defined at the university level).
Component Diagnosis: Risk Assessment
Positive aspects:
Various actions have been carried out at the Faculty to define and assess risks both generally and by area, specifically in the Departments of Economics and Accounting. There are several separate documents that demonstrate this: Risks in the activity, Risks identified by ARC, Determination of the intensity of the risks, Causes of risks.
Existing weaknesses:
Notwithstanding the foregoing, risk assessment has yet to become a natural part of the planning process. In addition, the aforementioned documents have some shortcomings that we will detail below, being very numerous, some of which must be integrated.
• The documents are not dated. In investigations carried out it was possible to determine that they date from 2006 and / or 2007, and therefore they do not have updates.
• The documents do not identify: Risk-Cause-Estimate and Objectives-Risk-Cause-Control Objectives. These elements appear individually, in the case that they were defined.
• The risks of the Faculty in internal and external origin and its own activity related to the domains or key points of the organization and objectives pursued by ARC are not identified.
• The Faculty Risk Map has not been prepared.
• The value of the loss that could result from the risk occurring is not identified in a document, only the frequency and severity were evaluated.
• The procedures to keep the Risk Assessment process updated are not established, so that they do not lose validity or include new risks.
• The control objectives have not been specified based on the defined internal, external and activity risks.
• It has not been possible to interrelate the Internal Control System with the Prevention Plan, since the SCI has not been focused as an instrument of management and prevention of corruption, indiscipline and illegalities.
Component Diagnosis: Control Activities
Positive aspects:
The Faculty, in general, carries out control activities in its fundamental processes, such as: Analysis carried out by the management of the ARC, monitoring and review by those responsible for the various functions or activities, physical controls of its assets, security devices to restrict access to assets, segregation of duties, etc.
Existing weaknesses:
Notwithstanding the aforementioned and based on the concept that "control activities are procedures that help ensure that management's policies are carried out, and must be related to the risks that management has determined and assumes", there are insufficiencies in this component, such as:
• Coordinations between the areas that promote integration, consistency and collective responsibility are not documented.
• The Internal Control structure and significant events are not clearly documented and available for verification, since the Manuals containing the procedures related to Internal and Organizational Control have not been prepared for each of the processes and sub-processes that they have. place in the organization and certain risks.
Component Diagnosis: Information and Communication.
Positive aspects:
The Faculty, in general, is characterized by complying in time with all the information requested at different levels, both internally and externally.
For this, it has defined different communication channels:
• Those established to facilitate communication between management and workers are:
- Union assemblies. Mail, through personalized user lists. Meeting that takes place every Monday. Department meetings. Meetings of guide teachers and coordinators.
• In as much the channels to receive the information of the superior organisms and to maintain a certain level of update are:
- The offices with the deans. Management councils. Electronic mail. Rectorate's locker. Through the information of the vice deans.
Existing weaknesses:
• An Information System is not prepared in the faculty in which it is reflected, detailed for each of the different levels (dean, vice-deans, department heads, professors) and according to responsibilities (guide professors, coordinators, J 'of discipline etc.) the information to receive, to issue, its destination, frequency, which facilitates its management. Hence the need for information and communication in aspects such as:
- The objectives for preparing the Individual Work Plan, which do not arrive in a timely manner. Normative documents for the preparation of semester reports, for the self-evaluation of the subjects, etc. The research lines of the faculty. Documents that support the methodological work. Magazines or sites where there are possibilities of publication. Ministerial resolutions. Socioeconomic situation of the territory. Disciplinary regulations for workers and students. The roles and responsibilities of the discipline managers, career managers, coordinators and guide teachers.
• The Faculty management has not created effective mechanisms and spaces that allow it to know the suggestions of the workers on how to improve a certain process. Only in some cases this aspect is taken into account, such is the case of the meetings of guide teachers and coordinators for the professional training process. Although the nature of these meetings is rather informative, the teachers provide suggestions to improve some processes, such as comprehensiveness, but no agreements are made in this regard to respond or to follow up on them.
Component Diagnosis: Supervision and Monitoring
Positive aspects:
• The existence of a Control Committee that supervises and controls the progress of the Internal Control System.
• The support and commitment of the Faculty Management and its Board of Directors, with the implementation of the Internal Control System.
Existing weaknesses:
• An Action Plan (Self-Control Plan) has not been prepared to evaluate the tasks related to both the continuous Activities and the SCI specific evaluations in all the areas and main activities of the organization and the effectiveness of the measures.
• The manner and periodicity in which each area must report on the situation of Internal Control, compliance with objectives or other issues has not been established.
Prevention plan:
Positive aspects:
• There is Resolution 13/06 of the MAC and the university indications issued in this regard.
• University indications are analyzed in the Boards of Directors.
• There is a history of having worked with the information on control actions carried out before the entity, since the main problems, areas of greater complexity, etc. have been identified.
• The Prevention Plan against indisciplines, illegalities and acts of corruption is prepared.
Existing weaknesses:
• The prepared Prevention Plan to confront indisciplines, illegalities and manifestations of corruption lacks the date on which it was prepared.
• In the conformation of the Prevention Plan some insufficiencies were found such as:
- In item No.1 "Misuse of authorized access to Email and Internet", appears as responsible Administrator. In point No.3 the same risk appears 2 times (lack of involvement of the sentries with the objective to cover the guard) In addition, there are defined risks that are causes of risks that should have been defined as: Loss of Material Resources, Deviation towards unauthorized ends of material resources. In point No. 4, several incorrectly defined risks appear: Correspondence between expenditures and what is approved in the Plan, Correspondence between expenses and what is planned in the projects, compliance with the legislation in time and level of minor payments. In all cases, NO should precede. They appear as responsible and executing Economy;which is incorrect since there is no direct action on that area and therefore the compliance of the action cannot be guaranteed. There are many defined risks that are actually the cause of certain risks. In the Prevention Plan, compliance dates are not specified as established in Resolution 13/06 of the MAC. The structure established in the aforementioned Resolution is not complied with and it does not have an elaboration date.
The structure should be as follows: No., vulnerable points, possible manifestations (risks appear), measures to be taken (actions to be taken appear), person responsible, executor, date of compliance.
Those responsible and executors of the actions to be carried out must be reviewed. Example: Vice Dean which one ?; the Dean is in charge of activities that are the direct responsibility of the Teaching Vice Dean; to the extent Carry out audits, the person in charge is the Secretary and the executor is the Vice Dean, which one?
• The Prevention Plan is drawn up at the Faculty level, but has not been established by each area or department of the Faculty.
III. Conclusions.
• The internal control approach may be seen as a bit rigorous, but due to its topicality, it can be beneficially assimilated by the entities.
• Its five components are elements that contribute to the system, integrate with each other and are implemented in an interrelated way, influenced by the management style. They are used to determine if the system is effective.
• The components make a difference with the traditional internal control approach aimed at the financial area. These components are framed in the management system. They make it possible to foresee risks and take the appropriate measures to minimize or eliminate their impact on the fulfillment of organizational objectives.
