INTOSAI Guidelines on

Internal Controls

RTI, Jaipur
Internal Controls- Definition
“Internal control is an integral process i.e. a series of
actions that permeates all activities that is effected by
management & personnel & designed to address risks &
to provide reasonable assurance that in the pursuit of the
entity’s mission, the following general objectives are
being achieved:
Promoting orderly, economical, efficient & effective
operations, quality products/services consistent with the
organization's mission.
Safeguarding against loss, waste, abuse, mismanagement,
errors, fraud and irregularities.
Adhering to laws/regulations/management directives.
Appraising the relevance, reliability and integrity of
management, financial & operational data/ reports.”
 Internal Controls- Objectives
• Executing orderly, ethical, economical, efficient & effective
operations.
• Fulfilling accountability obligations.
• Complying with applicable laws and regulations.
• Safeguarding resources against loss, misuse and damage.

Internal control is a dynamic integral process.

• It continuously adapts to organisational changes.
• All personnel must be involved in addressing risks.
• It provides a reasonable assurance of the achievement of the
entity’s mission & its general objectives.
 An Integral Process

Internal control is a series of actions.

It permeate all activities & occur throughout its
operations on an ongoing basis.
They are pervasive and inherent in the way
management runs the organisation.
Most effective when built into the entity's
infrastructure and is its integral part.
Has important implications for cost
containment.
Effected by Management & Personnel

• Management responsible for establishing &

monitoring Internal Controls since it is a
management tool directly related to the
entity’s objectives.
• Clarity of roles, responsibilities and limits of
authority required.
• Being implemented by people, differences in
background/technical ability/needs and
priorities IC guidelines must recognize that
people do not always understand,
communicate or perform consistently.
In pursuit of the Entity’s Mission

• Organisations primarily concerned with the achievement

of its mission.
• Entities exist for a purpose e.g. the public sector is
generally concerned with the delivery of a service and a
beneficial outcome in the public interest.
 To Address Risks
Management responsible to identify and respond to risks.
Internal Controls assist address these risks & provide
reasonable assurance.
Reasonable assurance is a satisfactory level of confidence
under given considerations of costs, benefits, and risks.
Reasonable assurance requires judgment regarding risks
and its acceptable levels under varying circumstances.
Outside factors effect risk and must be assessed
quantitatively and qualitatively.
Limitations:
Faulty human judgment & decision making.
Collusion or by management overriding the internal control
system.
Cost implications. Cost must not exceed likely benefits.
Achievement of Objectives
ICs geared to the achievement of a separate but
interrelated series of general objectives &
implemented through specific sub-objectives,
functions, processes, and activities including:
Executing orderly, ethical, economical, efficient and
effective operations consistent with the organisation’s
mission.
Ethical behaviour, prevention/ detection of fraud/
corruption/managing public resources properly and
impartial treatment are citizen’s expectations of public
servants.
Public ethics is a prerequisite to underpin public trust
& a keystone to good governance.
Fulfilling Accountability Obligations
• Accountability- process whereby public organisations/
officials held responsible for their decisions and actions,
including their stewardship of public funds, fairness,
and all aspects of performance.
• Done by developing, maintaining and making available
reliable and relevant financial and non-financial
information and by fair disclosure of that information in
timely reports to internal as well as external
stakeholders.
• Non-financial information may relate to the economy,
efficiency and effectiveness of policies and operations
(performance information), and to internal control and
its effectiveness.
Complying with Laws and Regulations

• Organisations are required to follow many

laws and regulations.
• Public organisations mandates laws and
regulations for the collection and spending
of public money and the way of operating.
Examples include the Budget Act.
Limitations
IC cannot guarantee by itself the achievement of
the general objectives.
It can give only a ‘reasonable assurance not
absolute assurance.
It cannot change an inherently poor manager into
a good one.
An effective system of internal control reduces
the probability of not achieving the objectives.
Designing an internal control system faces
resource constraints hence the benefits of
controls must consequently be considered in
relation to their costs.
Management must continually review and update
controls, communicate changes to personnel, and
set an example by adhering to those controls.
Internal Controls- Classification

Preventive

Control Types

Detective
 Preventive Controls

Objective- to discourage or prevent undesirable transactions or

events taking place.
Plays a pro active role.
Being preventive, these controls, by their very nature are quality
oriented.

E.g. of preventive controls are:

Written policies and procedures.
Separation of duties.
Approvals, authorizations and verifications.
Documentation procedures.
 Detective Controls
These controls are ‘post event’ controls.
Their objective is to detect and provide evidence of
events or transactions that are not in line with the
Unit’s control objectives and procedures.
Detective control also enables the assessment of
whether the preventive controls are working or
otherwise.

E.g. include:
Reconciliations.
Performance reviews.
Physical verification of inventories.
Audits.
Reliance on Controls
Reasonable assurance depends on the results of audit testing of
the Unit’s control systems.
Internal auditors must assess the adequacy of internals controls
and suggesting appropriate recommendations.
They must identify the Unit’s significant controls & then decide
the appropriate audit testing procedures.
To this end:
Establish the audit objectives and identify the key areas/issues
to be examined.
Identify for testing the key controls in the areas above.
Conduct audit tests and assess the appropriateness, sufficiency
and reliability of the controls being tested.
Evaluate whether the controls are actually effective, its extent
or otherwise.
Document the steps taken and the testing procedures applied,
collect evidence, arrive at relevant audit opinion and proceed to
the reporting stage.
IC Elements

Control Environment

Risk Assessment

Control Activities
IC Elements
Information &
Communication

Monitoring
IC Elements- Control Environment

Organizational
Structure
Delegation of Duties
Management’s Control
Consciousness
Control
Ethical Behaviour &
Environment Integrity
Competence of Staff
Management’s
Philosophy & Operating
Style
Unit’s Operating
Environment
 Control Environment
Foundation for all other elements of internal control &
provides it with an appropriate structure and
discipline.
Control environment established by Unit’s
Management must encourage a positive and supportive
attitude toward internal control.
The nature and intensity of the control environment
will define the Unit Management’s commitment to its
internal controls & influence the control consciousness
of its people.
Heads of each functional sections, area or activity
must thereafter establish a local control environment
relevant for their activity.
The key factors that affect a Unit’s control
environment include:
 Organizational Structure & Delegation of
Duties
Organizational structure provides the overall
framework for its effective functioning.
It must ensure that the method of assigning authority
and responsibility are clearly defined.
Reporting relationships are well understood and it
encourages the achievement of the Unit’s objectives.
The strength & appropriateness of a Unit’s
organizational structure can be evaluated by asking the
following questions:
 Management’s Control Consciousness

The operational philosophy of the Unit’s top management

affects its control consciousness.
The top Management must realize that they are the
custodians of public property and are responsible for its
utilization for public benefit.
The above realisation enhances its control consciousness.
The higher this consciousness, the more effective its control
environment thus lowering its audit risk.
 Ethical Behaviour
Involves:
A commitment to competence and integrity.
The prescription of a Code of Ethics and the
inculcation and communication of moral and ethical
values to its officers.
Must aim at bringing about a ‘tone at the top’.
Unit’s top management’s operating style will
significant influence the control environment,
particularly when management is dominated by one or a
few individuals.
Ethical Behavior- Issues
Is the Management’s commitment to integrity & an
ethical code of practice & conduct effectively
communicated to all the officers concerned?
Does the Unit’s reward system give due consideration
to an officer’s contribution and is it seen as fair and
unbiased by all the Unit officers?
Does the Management decisions offer confidence that
due diligence has been applied especially while dealing
with high risk/ high value contracts?
Is the Management seen to be independent? How do
they respond to extraneous interventions or influences
in their business operations?
How responsive is the Unit Management to issues of
irregularities, departures from established procedures
or willful violations of official policies?
Risk Assessment
Risk an inherent companion of every business activity
since it has to utilize its ‘assets’ to achieve its goals.
The ‘assets’ utilized include financial assets, physical
assets, human assets and intangibles like goodwill,
reputation etc.
Utilization of ‘assets’ may lead to its depreciation, loss
or impairment,. Hence essential to consider the
consequences before subjecting their assets to
business exposures.
Every IC system must provide for an assessment of
its internal and external risks.
The process of identification and assessment of the
Unit’s risk depends upon its objectives.
Risk per se is value neutral and can be considered
positively as an ‘opportunity’.
Control Procedures or Activities

Are actions based on the Unit’s Rules and Regulations, Codes and
Manuals, Operating Procedures etc which enable enforcement of
Management’s directives.
Occur at all Unit levels/functions, facilitate standardized
procedures/ risk mitigating measures & enhance the Unit’s
accountability framework.
IC procedures must be flexible and suitable to its IC objectives
& hence will vary from Unit to Unit & even within the same Unit
depending upon the size/ complexity/activity/operational
requirements & Management’s risk perception.
Examples include authorization procedures, physical restrictions,
documentation etc.
Information and Communication
Reliable, relevant & timely information enables
appropriate & timely action to be taken. An efficient
system of information capturing and sharing enhances
accountability and better achievement of objectives.
Unit’s communications system must facilitate
information flow & record all relevant information in a
reliable, timely & accurate manner.
Unit Management must ensure that there are
adequate means of information and communication
sharing with its external stake holders.
Through effective communication, every officer must
be made aware of their roles and responsibilities
towards control functions and how each of their
activities relates to the overall control activities.
The following are some of the questions that enable
evaluation of the quality of the Unit’s information and
communication system:
 Information & Communication- Assessment

Do the Unit’s procedures and formats enable it to obtain

information from internal and external sources in a reliable,
useful and timely manner?
To what extent does the Unit’s information system provide
information regarding its risk perceptions?
Is the Unit’s performance reporting system relevant to and
adequate to report on its operational, financial and compliance
issues?
Does the Unit’s information system identify, record, process and
report information both internally and externally in a timely,
useful and effective manner?
 Information Technology Control Activities

Information technology controls consist of two broad

groupings:
(1) General Controls
 Are structures, policies and procedures that apply to all or
a large segment of an entity’s information systems and
help ensure their proper operation. They create the
environment in which application systems and controls
operate.
The major categories of general controls are:
(1) Entity-wide security program planning and management.
(2) Access controls.
(3) Controls on the development, maintenance and change of
the application software.
(4) System software controls.
(5) Segregation of duties.
(6) Service continuity.
 Application Controls
Includes the structure, policies and procedures that
apply to separate, individual application systems.
They are directly related to individual computerized
applications.
Generally designed to prevent, detect and correct
errors and irregularities as information flows through
information systems.
General and application controls are interrelated and
both are needed to help ensure complete and accurate
information processing.
Because information technology changes rapidly, the
associated controls must evolve constantly to remain
effective.
Information and Communication
Essential to realising all internal control objectives.
Information
Reliability depends on prompt recording and proper
classification of transactions and events.
Pertinent information should be identified, captured and
communicated in an appropriate form and timeframe.
Collate IS Reports containing operational, financial/non-
financial, and compliance-related information.
Report not only internally generated data, but also
information about external events, activities and conditions
necessary to enable decision-making and reporting.
Management’s ability to make appropriate decisions is
affected by the quality of information which implies that the
information should be appropriate, timely, current, accurate
and accessible.
Information Contd.
Information must be:
Appropriate (is the needed information there?) and timely (is
it there when required?).
Current (is it the latest available?) and accurate (is it
correct?).
Accessible (can it be obtained easily by the relevant
parties?).
Quality of information and reporting, all transactions and
significant events should be fully and clearly documented
(e.g. flow charts and narratives) & be readily available for
examination.
IC documentation should include identification of its
organisation's structure and policies and its operating
categories and related objectives and control procedures.
All IC process components must have written evidence of its
components, including its objectives & control activities.
The extent of the IC documentation will vary with the entity's
size, complexity and similar factors.
 Communication
• Effective communication must flow down, across and up the
organisation, through all components & entire structure.
• Ensure that control responsibilities are taken seriously.
• Employees must understand their role in the IC system &
how their individual activities relate to the work of others.
• Need for effective communication with external parties.
• Information must meet the expectations of groups and
individuals, enabling them to carry out their responsibilities
effectively.
Monitoring
Monitor IC systems to assess its performance over time.
Monitoring done through routine activities, separate evaluations
or a combination of both.
(1) Ongoing Monitoring
Built into the normal, recurring operating activities including
management supervisory activities and duties of other
personnel.
Covers each of the IC components & involve action against
irregular, unethical, uneconomical, inefficient & ineffective IC
systems.
(2) Separate Evaluations
Its scope & frequency depends risk assessment & the
effectiveness of ongoing monitoring procedures.
They ensure that IC procedures achieve the desired results
based on predefined methods and procedures.
Internal control deficiencies must be appropriately reported.
Monitoring should ensure that audit findings and
recommendations are adequately and promptly resolved.
Roles and Responsibilities
IC is everyone’s responsibility. But Managers are
directly responsible for all activities including
designing, implementing, supervising proper
functioning of, maintaining and documenting etc.
Responsibilities for IC will vary depending on their
function & the organisational characteristics.
Internal auditors play a significant role in IC though
they are not primarily responsible for designing,
implementing, maintaining and documenting Ics.
IC is a part of everyone’s duties & all staff must play a
role in effecting control & be responsible for reporting
operational, non-compliance or violations of policy
instances.
External parties may contribute to the organisation’s
objectives or may provide information useful to effect
Ics.