Question

To see internal controls in action, look around you. When you go to the store, see what types of internal controls you can identify. At your place of work see if you can identify internal controls that might be in place. After checking out some different places, come up with two internal controls you have observed. It can be at your place of business or when you are a customer (and they don't have to be from the same place). Describe each of the internal controls and identify which assets these internal controls are safeguarding. Second, find an example of a poor internal control or an example of a situation where an internal control should be implemented. Describe the situation and tell how you would either improve the internal control or implement an internal control if one is lacking.

Answer 1

INTERNAL CONTROLS IN A RETAIL STORE
Strong internal controls are an important component in helping Retail Store Businesses reduce possible fraud usually caused by employee theft and customer shoplifting. Smaller businesses are especially susceptible to have higher shrinkage than larger companies. Shrinkage cannot be totally eliminated, but can be substantially reduced by implementing the following:

STORE DESIGN AND SECURITY

Design the Store layout so that customers must pass the register area to exit the store
Ensure adequate lighting in all areas of the store
Eliminate blind spots in corners by putting in mirrors or cameras
Limit the number of items each customer can take to the Dressing Room
Put alarms in back door/ unused exits, which go off if the exit door is opened
Close or block off unused checkout aisles
Install security equipment such as CCTV cameras. If it is a big store then, covering the entire space with cameras may not be feasible. Install dummy cameras to act as deterrence.
Put Anti-theft tags on small, expensive items or keep them in locked cabinets
Keep store areas neat and clean so that it’s easier to observe customers and manage security
Place signs in store which state that shoplifters will be prosecuted to the full extent of the law
Greet every customer that comes into the store. This serves a dual purpose: First it helps in customer service and second deters shoplifters as they do not want to be noticed.
Provide personal customer service to as many customers as possible
Have a Shoplifting Policy and Procedures in place to provide guidance to employees on the following:

How to identify suspicious customers or shoplifters?
What procedure to follow if a shoplifting event occurs?

Train new hires on all policies and provide annual training to existing employees
Have a tips hot line for employees to report potential shrinkage

SALE TERMINALS

Sales terminals should show the customer, each item’s cost during the ringing process to prevent incorrect charges
Require an authorization by a second person before a sale can be voided by the cashier
Ensure blind counting by someone other than the cashier on a periodic basis
Provide each customer a receipt for every purchase. Have a policy which states that a customer will receive say $5 if the cashier fails to provide the receipt. Put visible signs at the sale terminals so that the customers are informed of this policy.
Require receipts for refunds for cash

OWNER/ STORE MANAGER

Visit the retail store(s) unannounced.
Have the store mystery shopped. The mystery shopper can provide feedback on customer service as well as compliance with policies and procedures by employees
Perform periodic self-assessment audits
Monitor the cash receipts, sales, customer returns, and promotional reductions on a daily basis. Any unusual variances should be investigated and explained.
Perform regular inventories of high theft items.
Perform surprise cash counts.
Track employee purchases for any unusual activity.

CASH DEPOSITS

Maintain adequate segregation of duties in the cash deposit process. Different employees should perform the following;

Receive, count and deposit cash in Bank
Reconcile sales receipts and bank statement
Record payments in the General Ledger

Deposit cash from cash sales daily in bank
Perform pre-employment background checks on all employees who handle cash

Additional controls should be in place to cover other areas of the business such as Payroll, Accounts Payable, Accounts Receivable and Financial Reporting.

INTERNAL CONTROL OOF UNICREDIT

The Internal Control System (ICS) consists of a set of rules, procedures and organizational structures which aim to:

• ensure that corporate strategy is implemented
• achieve effective and efficient corporate processes
• safeguard the value of corporate assets
• ensure the reliability and integrity of accounting and management data
• ensure that operations comply with all existing rules and regulations.

Role of governing bodies

The Chairman and Deputy Chairman: are ex officio members of the Internal Control and Risk Committee (ICRC). Subject to an opinion of the ICRC, the Chairman shall propose the appointment and replacement of the Head of the Internal Audit function to the Board of Directors.

The Board of Directors of UniCredit: draws up group internal control guidelines and policy in accordance with the Italian regulators' directives and applicable law. The Board of Directors, having consulted the Board of Statutory Auditors, approves risk management policy. The Internal Audit Department reports to the Board.

The CEO: identifies the main corporate risks, presents them to the Board of Directors, and carries out the Board's instructions by having the ICS designed, managed and monitored.
The CEO has the duty of ensuring effective risk management by drawing up adequate policies and procedures and making sure that they are complied with within the bank.
In respect of third-level controls performed by the audit function that reports directly to the Board of Directors, the CEO examines the audit guidelines, proposes additions to the annual audit plan, and gives a non-binding opinion on proposed organisational and staff changes within the Internal Audit Department.

The Board of Statutory Auditors: The Chairman of the Board of Statutory Auditors is an ex officio member of the Internal Control and Risk Committee and may delegate another Statutory Auditor to attend meetings of the Committee. Statutory Auditors may at any time undertake inspections or verification, jointly or singly.

The Internal Controls and Risk Committee: comprises non-executive directors (a majority being independent directors). It assists the Board of Directors in drawing up the rules for the ICS and at least once a year assesses its adequacy, ensuring that the main corporate risks are correctly identified, measured, managed and monitored.
The ICRC may, through its Chairman, access all corporate information and functions as necessary for the proper performance of its duties, and avail itself of corporate and group departments and where necessary external advisors.
The ICRC assists the Board in determining the group's risk appetite, evaluates the annual audit plan drawn up by the Head of the Audit Department, examines the accounts quarterly and assists the Board in drawing up risk management policy. The ICRC reports at least half-yearly to the Board on its activity and on the adequacy of the ICS.

Role of the corporate functions

UniCredit monitors, measures and controls market, credit, operational, reputational and compliance risk as follows:

• First-level or line controls are designed to ensure that transactions are carried out correctly. Controls are performed by the production unit, incorporated in procedures or carried out by a back office.
• Second-level or risk management controls are the duty of a unit which is distinct from the production unit. The departments responsible for these controls are the following.

The Compliance Function looks after the correct application of/and compliance with the regulatory framework, its consistent interpretation at group level, as well as the identification, evaluation, prevention and monitoring of the overall compliance risks of the group or respective Legal Entities.

The Group Risk Management (GRM) controls and steers Group risks by the definition of policies and methods aimed at measuring and controlling those risks, and optimizing the cost of risk through the definition of guidelines, policies and credit non-binding opinions on significant credit exposures, in compliance with internal and external rules and regulations.

• Third-level controls are performed by internal audit, which assesses and regularly checks the completeness, functionality and adequacy of the ICS. Internal audit is independent of both production and second-level control units. In some cases an entity may outsource internal auditing to UniCredit Audit.

UniCredit Group has an Internal Audit Department. The "Person in Charge of Internal Control System" prescribed by the Italian Corporate Governance Code is the Head of Internal Audit

Examples of Poor Internal Controls

Lack of proper authorization
Inadequate documentation
No separation of duties for authorization, custody, record keeping
No independent checks on performance
Lack of clear lines of authority
No written policies and procedures
Inadequate training program for employees

They can be improve in following ways-

1. Ensure Duties Are Segregated
Segregation of duties is a basic, key internal control and one of the most difficult to achieve. At the most basic level, it means that no single individual should have control over two or more phases of a transaction or operation. It is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. Segregation of duties provides two benefits: 1) make a deliberate fraud more difficult because it requires
collusion of two or more persons, and 2) make it much more likely that innocent errors will be found.
If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day
activities they have generally been assigned or allowed access to incompatible duties or responsibilities.
2. Develop Adequate Physical Control of Assets
Controls should be established to secure and safeguard vulnerable assets. Examples include security for and limited
access to assets such as cash, inventories, and equipment which might be vulnerable to risk of loss or unauthorized
use. Such assets should be periodically counted and compared to control records.
3. Identify Risks in Your Office
In order to properly manage risks, you must first identify them. Once risks have been identified, they should be
analyzed for their possible effect. Risk analysis generally includes estimating the risk’s significance, assessing the
likelihood of its occurrence, and deciding how to manage the risk and what actions should be taken. Risks can often be identified by asking yourself:
What could go wrong? How could we fail?
Where are we most vulnerable? What assets do we need to protect?
How could someone steal from the department? On what information do we most rely?
On what do we spend the most money? How do we collect our revenue?
How can someone bypass our internal controls? Do we have new technology?
Do we have new personnel? What is our past performance?
4. Correct Errors Promptly
Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. However, errors detected at any stage of a process should receive prompt corrective action and be
reported to the appropriate level of management.5. Develop Written Policies and Procedures
Although OSF, DCS, and other central service agencies have procedures manual for agencies to follow, an agency should develop its own comprehensive procedures manual for its internal business and financial processes. Written procedures serve various functions. They provide written notice to all employees of the agency’s expectations and
practices; provide direction in the correct way of processing transactions; serve as reference material; and provide a training tool for new employees. Written procedures also provide a source of continuity and a basis for uniformity.
Without clear, written and current procedures, an internal control structure is weaker because practices, controls,
guidelines and processes may not be applied consistently, correctly and uniformly throughout the agency.
6. Perform Reconciliations Regularly Reconciliations are often an underappreciated internal control. When performed correctly and routinely, they provide a powerful control to identify and correct errors on a timely basis. Agencies should reconcile all funds and accounts on at least a monthly basis and record any necessary adjustments in a timely manner. The reconciliation should be reviewed by a person outside of the reconciliation process and the reviewer should sign and date the reconciliation to signify that the review has been satisfactorily completed and any discrepancies resolved.
7. Review and Approve Processes/Transactions
When a significant process or transaction is performed within an agency, there should always be another level of
review and approval performed by an individual independent of the process. The reviewer should have the experience and knowledge to be able to identify errors and omissions. The approval should be documented to verify that a review has been done. Review and approval help to reduce uncorrected errors, irregularities and inaccurate or incomplete information in funds, accounts, and reports.
8. Maintain Adequate Supporting Documentation
Auditors and program monitors often assume that “if it isn't documented, it didn't happen.” Adequate supporting
documentation provides the hard evidence to properly verify that the appropriate processes and controls are being used.
9. Provide Adequate Training to Staff Employees should be properly trained and authorized to perform their duties. It is important to remember that training
should be considered an ongoing process and staff training needs should be periodically evaluated to consider changes in business processes, technology, new laws and regulations, etc.
10. Perform a Self-Evaluation of Your Internal Control
Performing a self-evaluation of your internal control can help identify possible deficiencies before problems arise and will lead to the implementation of more effective controls. This self-evaluation can often be done by performing a
“walk-through” which is simply the act of tracing a transaction through agency records and procedures. The walk-through will help provide an understanding of process and control design, particularly with respect to controls that may help prevent or detect fraud, a determination of whether controls have been designed effectively a