Control, identify basic influencing factors such as environment, complexity, nature, scope of business activities to select and develop appropriate control activities. Businesses can choose control activities that combine both manual control and automatic control through technology systems, control for prevention purposes, control for detection purposes and corrective control.
Preventive controls are controls that prevent risks from occurring, usually before a transaction or job is performed.
Detection control is a type of control that detects a risk when it has occurred, usually during the process of a transaction or after the transaction has been completed.
Corrective control is a control activity after detecting fraud and errors of the enterprise by strengthening other control procedures to replace the preventive control procedures and detection control procedures that have been bypassed [22].
Maybe you are interested!
-
Factors affecting the effectiveness of internal control system in social insurance collection at Binh Duong Provincial Social Insurance - 19 -
The effectiveness of internal control system - Empirical study at ceramic manufacturing enterprises in Binh Duong province - 19 -
Internal control factors affecting the effectiveness of business operations at commercial banks in Vinh Long province - 4 -
Factors affecting the effectiveness of internal control system in social insurance collection at Binh Duong Provincial Social Insurance - 18 -
Factors affecting the effectiveness of internal control system at Thu Dau Mot University - 17
Principle 11: Select and use technology in control activities
Information technology is an effective tool to help businesses obtain data and reports to serve the analysis and make accurate and timely decisions of managers and leaders. Synchronized application of information technology in business processes helps businesses promptly identify fraud in each activity to have timely prevention, avoid loss of assets, and affect the reputation of the business.
Control associated with IT applications is often divided into 3 processing stages: Input data control, Processing control and Output control. Input data control of the system is the data of the business, of the activities that are often reflected on the original documents or entered,
recorded on the system. Processing control ensures that business data is processed accurately and completely, and that no data is lost or changed during processing. Output control ensures that output data is circulated to users in a timely and correct manner. Output data can be in the form of printed copies, files, or information published on the internet [23].
Principle 12: Control policies and procedures
Any organization operates control activities through policies and procedures to ensure that its objectives are achieved. Policies can be expressed in writing, expressed in communications between managers and members of the organization, or implicit in the actions and decisions of managers. Procedures include actions taken to implement policies. Control activities are established and operated on the basis of policies and procedures to respond to risks to the implementation of the organization's objectives. Policies and procedures that form the basis for control activities must establish clear responsibilities and accountability for management positions at all levels in the organization. Policies and procedures need to be carefully established to ensure that those responsible for implementing policies and procedures are highly responsible, consistent and effective. Periodically, enterprises need to re-evaluate policies, procedures and related control activities to ensure the continued effectiveness and suitability of control activities, and timely adaptation to changes in objectives and risks within the organization [23].
1.3.4. Information and communication
Information and communication : necessary information must be identified, collected and exchanged within the organization in appropriate forms and times, so that it helps all members of the organization perform their tasks.
Information and communication generate reports, providing information necessary for the management and control of the organization. Effective information exchange requires that it takes place in many directions: from top to bottom, from bottom to top, and between levels [81].
Information systems provide relevant information for managers to perform financial, business and compliance functions. Communication is the exchange and transmission of necessary information to stakeholders both inside and outside the enterprise. It is considered an attribute of information systems. Every information system itself has a communication function, because only then can the collected and processed information reach the objects in need [57].
Information and communication have an inseparable relationship, so these two concepts are presented together as an element of internal control. Information and communication must ensure coverage of all departments and individuals in each enterprise as well as external entities directly related to the enterprise [57].
Principle 13: Information Collection, Processing and Provision
The organization builds an information system to be able to collect and process data from internal and external information sources, providing useful and appropriate information to meet different information needs. The organization's information system supports the decision-making process of managers and the operation of other factors in internal control through the collection, processing and provision of quality information to those responsible for the relevant information. The operation of the information system must ensure the creation of quality information, satisfying the following requirements:
- Easy to access;
- Exactly;
- Current;
- Protected;
- Archived;
- Full;
- Timely;
- Easy to check; [23]
Principle 14: Internal Communication
Information exchanged within the unit is communicated in many different directions, which can be communicated horizontally between departments, individuals or vertically between superiors and subordinates. Managers need to be provided with information from their subordinates to grasp the unit's operating situation. In addition, they also need to respond to their subordinates' opinions so that these people can implement according to the manager's policies. Internal communication must be linked to the responsibility of each individual so that information is communicated promptly, accurately and completely. Lack of understanding in communicating and grasping internal information can lead to incorrect information or lack of information affecting the unit's goal achievement.
Information exchange carried out within the unit includes:
- Discuss policies and procedures to support members in performing their internal control responsibilities.
- Discuss business goals.
- Discuss the roles and responsibilities of the management board and internal control enforcement staff.
- Discuss the unit's expectations on important issues related to internal control.
Methods of internal information exchange include: Meetings; Face-to-face meetings; Bulletin boards; Emails; Online training; Presentations; Posting on websites... [29]
Principle 15: External Communication
Information from external entities such as suppliers, government agencies, banks, and customers also needs to be collected, processed, and reported to appropriate levels so that managers can have appropriate action plans. Outsiders can provide important and objective information to businesses. For example, independent auditors can understand and evaluate business operations and the effectiveness of internal controls, thereby providing advice to the unit's managers.
State management agencies such as tax authorities, social insurance, state audit... when conducting compliance checks of units will help units detect weaknesses in compliance with state regulations, thereby helping businesses overcome consequences and prevent future violations.
In addition to collecting information from outside, the unit is also responsible for providing information to shareholders, authorities, and relevant parties that is appropriate to their needs, thereby helping them understand the situation and grasp the necessary information. The information provided to different agencies and units must ensure consistency, appropriateness, and legal value [57].
1.3.5. Monitoring
Monitoring : is an activity established to ensure that the internal control process continues to operate effectively. Monitoring helps the internal control maintain its effectiveness over different periods, so it always plays an important role in internal control. Monitoring includes regular and periodic evaluation by managers.
management to review whether their operations are as designed and what adjustments are needed to suit each stage. [29]
Principle 16: Implement regular or periodic monitoring
The main objective of monitoring is to ensure that internal control is always operating effectively, so it is necessary to monitor all activities of the unit and sometimes also apply to external partners related to the unit's activities. Normally, internal control will be designed to monitor itself regularly at a certain level. If regular monitoring is more effective, periodic monitoring will be reduced. Organizing periodic monitoring is mainly subjective of the manager based on personal judgment based on risk, level of change, capacity and experience of the person performing regular monitoring.
Regular monitoring is carried out during daily activities and is repetitive in nature. In other words, regular monitoring is carried out during daily activities and is therefore more effective than periodic monitoring. In addition, periodic monitoring is carried out after an incident occurs, so problems that arise are often detected more quickly than in regular monitoring. Units with effective regular monitoring activities do not even need to carry out regular monitoring activities or may only need to carry out periodic monitoring activities once every few years. On the contrary, units with high frequency of periodic monitoring should focus on promoting regular monitoring activities [57].
Principle 17: Assess and communicate internal control deficiencies to relevant parties
Deficiencies are actual or potential shortcomings that the supervisor discovers and requires adjustments to internal control to achieve the set objectives. Internal control deficiencies can be detected from many different sources.
different: from regular monitoring, periodic monitoring and from external sources (such as customers, independent auditors and other partners).
Internal control deficiencies need to be assessed for their impact on the entity's objectives and reported to the entity's managers. In addition, the extent of the consequences caused by the deficiencies must be considered [57].
1.4. Effectiveness of internal control
There are many different views on the effectiveness of internal control. According to the COSO Report and most studies, internal control is considered effective at a given point in time if the Board of Directors and managers ensure the achievement of three basic objectives: operational efficiency, compliance and reliability of reporting. Inheriting the content of the COSO Report, in the studies of Amudo and Inanga (2009), Dougles (2011), Gamage & Kevin Low Lock and Philip Ayagre (2014), the authors also agree that the effectiveness of internal control is the assessment of the results of the implementation of the objectives: operations, reporting and compliance. Nowadays, businesses operating in a market economy always face many risks from inside and outside, so internal control can only ensure reasonable but not absolute in ensuring the objectives. The establishment of an internal control framework and a risk management framework complement each other in the operation of each enterprise. In the scope of the thesis, in addition to inheriting the three objectives of COSO 2013, the author adds the risk management objective in assessing the effectiveness of internal control.
- Ensuring operational efficiency: Internal control is designed to ensure the effective use of all resources of the enterprise. This is reflected in the labor productivity of the staff, assets are used for the right purpose and capacity, and during the operation, risks are limited and prevented to ensure the economic efficiency of the enterprise.
- Ensuring the reliability of reports: According to COSO 2013, effective internal control contributes to ensuring that financial and non-financial information is truthful and reasonable to serve the decision-making of not only people in the enterprise but also investors, customers, creditors... Besides ensuring the reliability of financial reports, the effectiveness of internal control in COSO 2013 also aims at the reliability of corporate governance reports. This helps managers to plan, operate and control the enterprise effectively.
- Ensuring compliance with laws and regulations: In the business environment, compliance is reflected in two aspects: Compliance with current laws; Compliance with company charters, internal processes, regulations, culture, standards, and core values of the business. Internal control to ensure compliance goals plays an important role in the existence and development of the business. [81]
- Ensuring risk management objectives: In September 2017, COSO released an update to the Enterprise risk management framework - 2004 (ERM 2004): “Enterprise risk management is a process, controlled by an enterprise's board of directors, management and other individuals, used in setting strategy and applied throughout the enterprise. Enterprise risk management is designed to identify potential events that may affect the enterprise to provide reasonable assurance about the achievement of the enterprise's objectives”. In short, risk management is a process of approaching risk scientifically and systematically to identify, control, prevent and minimize losses, losses, adverse effects of risks and at the same time find ways to turn risks into opportunities.
In the relationship between the constituent elements of internal control and the objectives, to achieve a certain objective, all five elements need to be established and operated fully, in accordance with each objective. An internal control ensures