APPROACH AND SCOPE

AURCO has adopted the internationally accepted COSO approach as its basis for auditing. The COSO framework expects internal auditors to become business advisors and business partners, instead of playing the traditional role of "policemen".

The basic principles of COSO should be explained as it is also aimed at enhancing management's role and attitude towards risk and control.

In September 1992 a report: "Internal Control - Integrated Framework" was issued in the United States of America by the Committee of Sponsoring Organisations (COSO) for the Treadway Commission.

The objective of this report was to provide a definitive framework against which business and other entities should assess their control systems and determine how to improve them. This report was one of the main reference sources used in the United Kingdom by the Cadbury Committee to issue their seminal report. The King Committee was established in South Africa following the UK publication and was supportive of the Cadbury recommendation on internal controls.

The principles of internal control as described in the COSO integrated framework aligns itself closely to our own internal audit principles. The framework has a structured approach and addresses each of the objectives of internal control in a logical and systematic manner. In light of the extensive study undertaken and the sound principles of the COSO report we believe that it is to the benefit of our client, and critical to future success, to incorporate these principles into our audit approach.

to top >>

COMPONENTS OF INTERNAL CONTROL

Control components are intended to extend beyond the detailed control procedures and combine into a cohesive whole to enable the board to maintain control. The components also provide the framework for structuring a control evaluation. The following broad interrelated components of control are identified:

The control environment has a pervasive influence over the way business activities and processes are conducted. It begins with the board, and sets the tone within the organisation, influencing the ethical and organisational behaviour and attitude of all personnel. The control environment forms the foundation for all other components of internal control providing the business with discipline and structure.

Risk assessment is the identification and analysis of risks relevant to the achievement of business objectives, forming a basis for determining how the risks should be managed. A risk assessment follows identification of business objectives and provides a rational way to set control priorities and design cost-effective controls. Risk assessment lies at the heart of an assessment of the adequacy of business controls.

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achieve the entity's business objectives. Control activities are part of the business process and enable management to control the day-to-day activities of the entity. Control activities would typically include approvals, authorisations, verifications, reconciliations, reviews and segregation of duties. Control activities may be detective or preventative. Preventative controls are designed to ensure that business processes operate effectively first time. Detective controls are control activities designed to identify any process failures so that corrective action can be taken timeously.

to top >>

Identification of pertinent information and its timely communication is essential to any control system and enables individuals to carry out their responsibilities. The board and senior management need to receive relevant, reliable and timely operational, financial and compliance-related information, consistent with the objectives of the business, to enable them to run and control the business.

Effective communication must also occur in a broader sense, flowing down, across and up the organisation. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring procedures are designed to assess the quality of the control system's performance and ensure that it continues to operate effectively in controlling the operations of the business. Monitoring is achieved through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations and would typically include regular management and supervisory activities, and other actions personnel take in performing their duties. Internal Audit plays a central role in the monitoring required to enable the board to report positively on internal control.

to top >>