“Control is the employment of all the means devised in an enterprise to promote, direct, restrain, govern, and check upon its various activities for the purpose of seeing that enterprise objectives are met. These means of control include, but are not limited to, form of organization, policies, systems, procedures, instructions, standards, committees, chart of accounts, forecasts, budgets, schedules, reports, records, checklists, methods, devices, and internal auditing.”

“Control is any action taken by the management to enhance the likelihood that established objectives and goals will be achieved. Control may be preventive, detective, or directive. The concept of a system of control is the integrated collection of control components and activities that are used by an organization to achieve its objectives and goals.”

Control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations

1. Internal Control is a Process
- It is a means to an end, not an end in itself. The concept of a system of control is the integrated collection of control components and activities that are used by an organization to achieve its objectives and goals.

• Control Process
a. Setting Standards
- Specific goals or objectives with which performance is compared. Standards are commonly classified in terms of Quantity, Quality, Time, and Cost.
b. Measuring Performance
- Every product, output or action can be measured in some way. The difficulty is in selecting appropriate measures for the performance activity being monitored. The measurement must be carefully chosen because it is a message to the controlled activity’s personnel and directs their behaviour.
• Control Points
- The selection of points at which performance will be measured is critical. It is not possible to oversee or measure the performance of every aspect of an organization’s activities because of various factors such as:
• The cost would be prohibitive
• The information system generating such data would overload the manager’s capacity for review
• Too much control is demoralizing
• Measuring the wrong performance is unproductive
• Developing surrogate quantitative measures for many qualitative issues may focus attention on the wrong issues
• The choices of control points and standards will affect behaviour. Standards and control points must be selected so they are congruent with organizational goals
c. Evaluating and Correcting
- Care must be taken to compare like items. Thus, any alteration in the production process may make previously used or organization-wide standards inapplicable to the case at hand.

2. Internal Control is effected by people
- Control is not merely policy manuals and forms, but people at every level of an organization. Meaning, internal control is effected by the board of directors, management and other personnel.

• Board of Directors and senior management
- One of the tasks of a board of directors is to establish and maintain the organization’s governance processes and obtain assurances concerning the effectiveness of the risk management and control processes.
• Organization’s Managers
- Among the responsibilities of the organization’s managers is the assessment of the control processes in their respective areas.
• Internal and external Auditors
- Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes in select activities and functions of the organization.

3. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
• Internal control, no matter how well designed and operated, can provide only reasonable assurance that control objectives are met, due to its inherent limitations. Responsibility for internal control resides with (is “owned by”) the chief executive, but all people in the organization share this responsibility.
• Parties with significant roles are the financial and accounting officers, other managers, the internal auditors (who nevertheless do not have primary responsibility for establishing or maintaining internal control), the board and the audit committee, and external parties (e.g., the external auditors).
• Reasonable assurance can apply to judgements surrounding the effectiveness of internal controls, the mitigation of risks, achievement of objectives, or other engagement-related conclusions.
a) Human Judgment – Controls may fail because of simple errors or mistakes.
b) Manual or automated controls can be circumvented by collusion – Collusion can result in internal control deficiencies.
c) Management may inappropriately override internal control – Management override means overruling prescribed policies or procedures, whether for a legitimate purpose or for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity’s performance or compliance. Illegitimate purposes include attempts to:
• Increase reported revenue to cover an unanticipated decrease in market share
• Enhance reported earnings to meet unrealistic budgets
• Boost the market value of the entity prior to a public offering or sale of shares
• Meet sales or earnings projections to bolster bonus payouts tied to performance
• Appear to cover violations of debt covenants or agreements
• Hide lack of compliance with legal requirements.
d) Custom, culture, the corporate governance systems, and an effective control environment are not absolute deterrents to fraud.
e) Cost should not exceed the benefits of control.

• The COSO framework sets forth three categories of objectives, which allow organizations to focus on separate aspects of internal control:
a) Operations objectives
b) Reporting objectives
c) Compliance objectives

• Were significant deficiencies or weaknesses discovered from the audit work performed and other assessment information gathered?
• If so, were corrections or improvements made after the discoveries?
• Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk?

• Control is the process of assuring that plans achieve the desired objectives and goals.
1. Performance is measured against standards.
2. Performance is regulated or corrected (if necessary) in light of that measurement (thus, timeliness of feedback is important).

1. Financial and operational information is reliable and possesses integrity.
2. Operations are performed efficiently and achieve effective results.
3. Assets are safeguarded.
4. Actions and decisions of the organization are in compliance with laws, regulations, and contracts.

1. Control Environment
2. Risk Assessment Process
3. Control Activities
4. Information and Communication
5. Monitoring

• It reflects the attitude and actions of the board and management regarding the significance of control within the organization.
• Elements of Control Environment
a. Integrity and ethical values.
b. Commitment to competence.
c. Board of directors or audit committee participation.
d. Management’s philosophy and operating style.
e. Organizational structure.
f. Assignment of authority and responsibility.
g. Human resource policies and practices.

• Based on a set of complementary operational, financial reporting, and compliance objectives linked across all levels of the organization.
• Key elements of Risk Management Process
a. Objective setting
b. Event identification
c. Risk assessment
d. Risk response

a. Changes in the operating environment.
b. New personnel.
c. New and revamped information systems.
d. Rapid growth.
e. New technology.
f. New business lines, products, or activities.
g. Corporate restructuring.
h. Expanded foreign operations.

• Policies and procedures helping to ensure that management directives are executed and actions are taken to address risks affecting achievement of objectives. Whether automated or manual, they have various objectives and are applied at all levels and in all functions of the organization. Control devices may be Quantitative or Qualitative.
• Policy
• Procedures
a. Performance reviews by top managers include reviews of actual performance versus budgets, forecasts, prior performance, and competitors’ results.
b. Performance reviews at the functional or activity level involve reviews of performance reports.
c. Analysis of performance indicators, that is, comparison of different sets of operating or financial data, may reveal unexpected results or trends that should be investigated.
d. Information processing requires checks of accuracy, completeness, and authorization of transactions.
e. Physical controls involve the security of assets and records and periodic counts and reconciliations.
f. Segregation of duties involves the separation of the functions of authorization, record keeping, and asset custody so as to minimize the opportunities for a person to be able to perpetrate and conceal errors or fraud in the normal course of his/her duties.

4. Information and communication
- Relevant internal and external information should be identified, captured and communicated in a timely manner and in appropriate forms.
a. An information system may be formal or informal. It uses internal and external information to generate reports on financial, operational and compliance
b. These reports facilitate the operation and control of the enterprise, decision-making and external communications.
c. An information system may perform a routine monitoring function or may be used for special tasks.
d. Information systems should be integrated not only with operations and the financial reporting process but also with the strategic objectives of the enterprise.
e. Information should be appropriate, timely, current, accurate and accessible.

5. Monitoring
- Monitoring is a process that assesses the quality of the system’s performance over time. It consists of ongoing activities built into normal operations to ensure that they continue to be performed effectively.
- Separate evaluations and periodic evaluations.
1. Internal Control – Integrated Framework, issued by COSO
2. Guidance on Control, issued by CoCo of The Canadian Institute of Chartered Accountants
3. Internal Control: Guidance for Directors on the Combined Code (Turnbull), issued by The Institute of Chartered Accountants in England and Wales

1. The internal audit activity is part of management’s concern for the total control process. Internal auditors:
• Assist in providing organizational control
• Monitor organizational changes
2. Internal auditors must be familiar with organizational arrangements.
3. Internal auditors must relate organizational arrangements to operational deficiencies. They should:
• Understand the basic concepts in appraising the soundness of organizational arrangements
• Probe for factors leading to significant operational deficiencies in the internal control system, also known as reportable conditions
• Consider the extent to which existing organizational arrangements are the cause of operational deficiencies

• Were significant deficiencies/weaknesses discovered from the audit work performed and other assessment information gathered? If so, were corrections or improvements made after the discoveries?
• Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk?
• The auditor should make management aware, as soon as practicable and at an appropriate level of responsibility, of material weaknesses in the design or operation of the accounting and internal control systems which have come to the auditor’s attention.

• As to function
1. Preventive
- Preventive controls are intended to deter undesirable events from occurring. They are intended to function during an activity or transaction.
Example preventive controls:
• The requirement that purchases be made from suppliers on an approved vendor list
• Limits built into a payroll system, a certification of recipient eligibility
• Providing/reinforcing training of employees on how to do the job correctly
• Creating physical deterrents such as locks, alarms, and building passes to deter theft
• Convening peer review committees or expert panels to review project proposals
• Segregation of duties and other control processes serve to prevent or detect a fraud being committed
2. Detective/Corrective
- To detect and correct undesirable events that have occurred.
Example detective/corrective controls:
• Reports which detail the information accessed by an employee from a department or agency’s systems
• Reconciliation of an inventory listing to the actual physical inventory
• Monitoring contribution recipients to ensure that funds have been used for the purposes intended
3. Directive
- To cause or encourage a desirable event to occur. Control action is directed toward eliminating the deviation in future cycles of the process under control.

• As to nature
1. Financial or Accounting controls - objectives of financial controls may include:
• Proper authorization
• Appropriate accounting
• Safeguarding of assets
• Compliance with laws, regulations, and contracts
2. Administrative controls – applicable to support activities like production

• Other types:
1. Feedback control
- Obtains information about completed activities. It provides information as to whether the desired state has been attained or maintained.
2. Concurrent control
- Adjusts ongoing processes. These real-time controls monitor activities in the present to prevent them from deviating too far from standards.
3. Feedforward control
- Anticipates and prevents problems. These controls require a long-term perspective.
1. Economical: Excessive controls are costly in time as well as money.
2. Meaningful: They must measure performance in important areas.
3. Appropriate: They must fairly reflect the events they are designed to measure.
4. Congruent: They must be consistent with the need for and ability to obtain precision in measurement.
5. Timely: Outdated information is inappropriate.
6. Simple: Control should be understandable to the people using it.
7. Operational: Control should be relevant to a planned result and not just interesting.

• Organizations use various approaches to executing and controlling financial transactions. Some are still very manual in nature. However, more and more transactions are being processed completely by technology through private links within and between companies, or over the internet.

1. Perpetual inventory records for large dollar items.
2. Prenumbered receiving reports prepared when inventory is received; receiving reports accounted for.
3. Adequate standard cost system to cost inventory items.
4. Physical controls against theft.
5. Written inventory requisitions used.
6. Proper authorization of purchases and use of prenumbered purchase orders.

1. Segregate:
• Timekeeping
• Payroll preparation
• Personnel
• Paycheck distribution
2. Time clocks used where possible.
3. Job time tickets reconciled to time clock cards.
4. Time clock cards approved by supervisors (overtime and regular hours).
5. Treasurer signs paychecks.
6. Unclaimed paychecks controlled by someone otherwise independent of the payroll function (locked up and eventually destroyed if not claimed).
7. Personnel department promptly sends termination notices to the payroll department.
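As an added example (not code from the original notes), the following Python turns the two segregation-of-duties rules in these notes, the general authorization / record keeping / asset custody separation and the four payroll functions that must be kept apart, into incompatible-pair rules and checks constructed user-to-role assignments against them, the way an access review would; every role name, function name and sample user is an assumption made up for the illustration.

```python
"""Segregation-of-duties (SoD) conflict check over constructed role assignments.

Added example for the segregation-of-duties controls described in the notes;
the role/function names and the sample roster below are constructed, not
taken from any real system.
"""
from collections import defaultdict
from itertools import combinations

# Functions that the notes say must be held by different people.
CUSTODY_CYCLE = ("authorization", "record_keeping", "asset_custody")
PAYROLL_FUNCTIONS = ("timekeeping", "payroll_preparation",
                     "personnel", "paycheck_distribution")

# Every pair inside a group is an incompatible pair (6 payroll pairs, 3 custody pairs).
CONFLICT_RULES = {
    frozenset(pair)
    for group in (CUSTODY_CYCLE, PAYROLL_FUNCTIONS)
    for pair in combinations(group, 2)
}

# Constructed role definitions: which control function each role grants.
ROLE_FUNCTIONS = {
    "purchasing_approver": {"authorization"},
    "ap_clerk": {"record_keeping"},
    "warehouse": {"asset_custody"},
    "timekeeper": {"timekeeping"},
    "payroll_clerk": {"payroll_preparation"},
    "hr_admin": {"personnel"},
    "treasurer": {"paycheck_distribution"},
}

# Constructed sample roster: (user, role) pairs as an IAM export would list them.
SAMPLE_ASSIGNMENTS = [
    ("alice", "purchasing_approver"),
    ("alice", "warehouse"),          # approves purchases AND has custody of goods
    ("bob", "ap_clerk"),
    ("carol", "timekeeper"),
    ("carol", "payroll_clerk"),      # records hours AND prepares the payroll
    ("dave", "hr_admin"),
    ("erin", "treasurer"),
    ("frank", "payroll_clerk"),
    ("frank", "warehouse"),          # two groups, no rule spans them: no conflict
]


def effective_functions(assignments, role_functions=ROLE_FUNCTIONS):
    """Expand roles into the set of control functions each user actually holds."""
    funcs = defaultdict(set)
    for user, role in assignments:
        funcs[user] |= role_functions.get(role, set())
    return dict(funcs)


def find_conflicts(assignments, role_functions=ROLE_FUNCTIONS, rules=CONFLICT_RULES):
    """Return a sorted list of (user, function_a, function_b) SoD conflicts.

    A conflict is any user whose effective functions contain an incompatible pair.
    """
    findings = []
    for user, funcs in effective_functions(assignments, role_functions).items():
        for a, b in combinations(sorted(funcs), 2):
            if frozenset((a, b)) in rules:
                findings.append((user, a, b))
    return sorted(findings)


def is_independent_of(user, group_functions, assignments, role_functions=ROLE_FUNCTIONS):
    """True when the user holds none of the given functions.

    This is the test for item 6 above: the custodian of unclaimed paychecks must
    be independent of every payroll function, not merely of one of them.
    """
    held = effective_functions(assignments, role_functions).get(user, set())
    return not (held & set(group_functions))


if __name__ == "__main__":
    for user, a, b in find_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for candidate in ("bob", "dave"):
        ok = is_independent_of(candidate, PAYROLL_FUNCTIONS, SAMPLE_ASSIGNMENTS)
        print(f"{candidate} may hold unclaimed paychecks: {ok}")
```

Removing one of a conflicting user's roles and re-running `find_conflicts` is the usual way to confirm a remediation before the next review cycle.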
1. Major asset acquisitions are properly approved by the firm’s board of directors and properly controlled through capital budgeting techniques.
2. Detailed records are available for property assets and accumulated depreciation.
3. Written policies exist for capitalization vs. expensing decisions.
4. Depreciation properly calculated.
5. Retirements approved by appropriate level of management.
6. Physical controls over assets prevent theft.
7. Periodic physical inspection of plant and equipment by individuals who are otherwise independent of property, plant, and equipment (e.g., internal auditors).

• The revised Code of Corporate Governance (CCG) provides that the Board is primarily accountable to the shareholders and should provide them with a balanced and comprehensible assessment of the corporation’s performance, position, and prospects on a quarterly basis, including interim and other reports that could adversely affect its business, as well as reports to regulators that are required by law.
• The rules shall be embodied in a manual that can be used as reference by the members of the Board and Management.
• The manual should be submitted to the Commission for its evaluation to determine its compliance, taking into consideration the nature, size, and scope of the business of the corporation.
• The Code shall apply to registered corporations and to branches or subsidiaries of foreign corporations operating in the Philippines that:
a. Sell equity and/or debt securities to the public that are required to be registered with the SEC, OR
b. Have assets in excess of Fifty Million Pesos and at least two hundred (200) stockholders who own at least one hundred (100) shares each of equity securities, OR
c. Whose equity securities are listed on an Exchange, OR
d. Are grantees of secondary licenses from the Commission.

• Combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
• The process conducted by the board of directors to authorize, direct, and oversee management toward the achievement of the organization’s objectives.
• Governance is the system by which organizations are directed and controlled. It includes the rules and procedures for making decisions on corporate affairs to ensure success while maintaining the right balance with the stakeholders’ interests.
• Corporate Governance involves a set of relationships between a company’s management, its board, its shareholders, and other stakeholders. Corporate Governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.

1. Governance begins with the board of directors and its committees.
2. The board must understand and focus on the needs of key stakeholders.
3. Day-to-day governance is executed by the management of the organization.
4. Internal and External Auditors provide management and the board with assurances regarding the effectiveness of governance activities.

• The Audit Committee should provide oversight of financial reporting, risk management, internal control, compliance, ethics, management, internal auditors, and the external audit.
• The internal audit activity must assess the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs and activities, and whether the information technology governance of the organization supports the organization’s strategies and objectives.
• Promoting appropriate ethics and values within the organization
• Ensuring effective organizational performance management and accountability
• Communicating risk and control information to appropriate areas of the organization
• Coordinating the activities and communicating information among the board, external and internal auditors, and management.
1. Ensuring that financial statements are understandable, transparent, and reliable.
2. Ensuring the risk management process is comprehensive and ongoing, rather than partial and periodic.
3. Helping achieve an organization-wide commitment to strong and effective internal controls, emanating from the tone at the top.
4. Reviewing corporate policies relating to compliance with laws and regulations, ethics, conflict of interest, and the investigation of misconduct and fraud.
5. Reviewing current and pending corporate-governance-related litigation or regulatory proceedings to which the organization is a party.
6. Continually communicating with senior management regarding status, progress, and new developments, as well as problematic areas.
7. Ensuring the internal auditors’ access to the audit committee, encouraging communication beyond scheduled committee meetings.
8. Reviewing internal audit plans, reports, and significant findings.
9. Establishing a direct reporting relationship with the external auditors.

1. Ensure a properly organized and functioning board that has the correct number of members, an appropriate board committee structure, established meeting protocols, sound, independent judgement about affairs of the organization, and periodically reaffirmed membership.
2. Ensure board members possess appropriate qualifications and experience, with a clear understanding of their role in the governance activities, a sound knowledge of the organization’s operations, and an independent/objective mindset.
3. Ensure that the board has sufficient authority, funding, and resources to conduct independent inquiries.
4. Maintain an understanding by executive management and the board of the organization’s operating structure, including structures that impede transparency.
5. Articulate an organizational strategy against which the success of the overall enterprise and the contributions of individuals are measured.
6. Create an organizational structure that supports the enterprise in achieving its strategy.
7. Establish a governing policy for the operation of key activities of the organization.
8. Set and enforce clear lines of responsibility and accountability throughout the organization.
9. Ensure effective interaction among the board, management, external and internal auditors and any other assurance providers.
10. Secure appropriate oversight by management, including establishment and maintenance of a strong set of internal controls.

• ERM helps align the risk appetite of the organization with its strategy, enhances risk response decisions, reduces operational surprises and losses, identifies and manages cross-enterprise risks, provides integrated responses to multiple risks, helps the organization seize opportunities and improves the deployment of capital.
• RISK is the possibility that an event will occur and adversely affect the achievement of an objective.
• Consequently, among the many outcomes of organizations’ inability to effectively manage risks are bankruptcies, frauds, restatement of earnings, plummeting stock values and loss of customers, careers, business partners and overall credibility.
• Key points that must be understood to have a better understanding and appreciation of ERM:
1. Risk begins with strategy formulation and objective setting.
2. Risk does not represent a single point estimate (for example, the most likely outcome).
3. Risks may relate to preventing bad things from happening or failing to ensure good things happen.

• Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
1. An ongoing entity-wide process to identify, evaluate, analyze, respond to, monitor and communicate on risks
2. Is effected by people at all levels
3. Occurs in strategy setting
4. Applies to every unit
5. Provides reasonable, but not absolute, assurance due to the following limitations:
• Judgment
• Breakdowns
• Management override
• Cost over benefits
6. Enables continuous improvement in decision making
7. Helps achieve objectives

• While the board of directors provides monitoring, guidance and direction, it is the Chief Executive Officer (CEO) of the organization who has the ultimate ownership of the organization’s ERM.
• Organizational risk management framework, which should contain the following elements:
• Clear, coherent risk strategy, policies and standards
• Forums for risk and authority to manage it are clearly defined and assigned to key staff
• Effective two-way communication within the organization to ensure that policies are widely understood and that the actual situation found in the business is reported, so that it can be seen how effective these policies are
• Suitable organizational risk programs and procedures
• Arrangements for monitoring and reviewing management of risk, including continuous learning from experience

- Under IIA Standard 2120, the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes as part of its assurance activities. Thus, internal auditors should:
• Provide advice and challenge or support management’s decisions on risk, as opposed to making risk management decisions
• Address risk consistent with the engagement’s objectives
• Be alert to the existence of other significant risks during consulting engagements.

• Core internal audit roles:
1. Giving assurance on the risk management processes
2. Giving assurance that risks are correctly evaluated
3. Evaluating risk management processes
4. Evaluating the reporting of key risks
5. Reviewing the management of the key risks.
• Evaluating risk exposures relating to the organization’s governance, operations, and information systems regarding reliability and integrity of financial and operational information, effectiveness and efficiency of operations and programs, safeguarding of assets, and compliance with laws, regulations, policies, procedures, and contracts; and
• Evaluating the potential for the occurrence of fraud and how the organization manages fraud risk.

• Legitimate internal audit roles:
1. Facilitating identification and evaluation of risks
2. Coaching management in responding to risks
3. Coordinating ERM activities
4. Consolidated reporting on risks
5. Maintaining and developing the ERM framework
6. Championing establishment of ERM
7. Developing ERM strategy for board approval.

• Organizational objectives support and align with the organization’s mission
• Significant risks are identified and assessed
• Appropriate risk responses are selected that align risks with the organization’s risk appetite
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities

1. Setting the risk appetite
2. Imposing risk management processes.
3. Taking decisions on risk responses on management’s behalf
4. Accountability for risk management
• (Based on IIA position statement on ERM)

• Greater likelihood of achieving company objectives
• Consolidated reporting of different risks at board level
• Improved understanding of risk and implications
• Greater management focus on the issues that really matter
• Fewer surprises or crises
• More focus internally on doing the right thing in the right way
• Increased likelihood of change initiatives being achieved
• Capability to take on greater risk for greater reward
• More informed risk-taking and decision making

• Articulating and communicating the objectives of the organization
• Determining the risk appetite of the organization
• Establishing an appropriate internal environment, including a risk management framework
• Identifying potential threats to the achievement of objectives
• Assessing risks and the likelihood of the threat occurring
• Selecting and implementing responses to risks
• Undertaking control and other response activities
• Communicating information on risk management processes and the outcomes
• Providing assurance on the effectiveness with which risks are managed.

• In practice, internal audit’s role may well vary across organizations and as provided in the audit charter. Nonetheless, the internal audit activity must determine the most appropriate role for their organization and supply the required service. However, when determining the most appropriate role to play, internal auditors should comply with the professional requirements for independence and objectivity and should ensure that these are not breached.
• Acting as facilitators, enabling and guiding managers and staff through the risk management process, usually as part of a self-assessment exercise, by organizing and leading workshop-based discussions, without themselves necessarily becoming directly involved in the process.
• Operating as team members who are part of broader-based groups, often bringing together staff with first-hand knowledge of line management issues as well as those with specific technical expertise.
• Acting as risk and control analysts, providing managers with expert advice on the identification and assessment of business risk, and the design and construction of control and mitigation strategies.
• Making available to management tools and techniques used by internal audit to analyse risk and controls.
• Becoming a centre of expertise for managing risk.

• According to COSO, ERM consists of eight interrelated components, including:
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication, and
8. Monitoring

• The internal environment is the basis for all other components of ERM, providing discipline and structure. It encompasses the tone of the organization and sets the basis for how risk is viewed and addressed by an organization’s people, including risk management philosophy and risk appetite, and integrity and ethical values. The board of directors is a critical part of the internal environment. The board provides oversight over management’s implementation of ERM, helping to make sure that it is effective.
• ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the organization’s mission, which sets forth in broad terms what the organization aspires to achieve.
a. Operations objectives
b. Reporting objectives
c. Compliance objectives
• Potential internal and external events affecting achievement of an organization's objectives must be identified, distinguishing between risks and opportunities.
a. Event inventories
b. Internal analysis
c. Escalation or threshold triggers
d. Facilitated workshops or interviews
e. Process flow analysis
f. Leading event indicators
g. Loss event data methodologies
• Management should assess both inherent risk and residual risk for an event.
• Inherent risk
• Residual risk
• Risks are assessed in terms of their likelihood of occurring and their impact.
• Management selects risk responses that are consistent with the risk appetite of the organization, including:
a. Avoidance
b. Reduction
c. Sharing
d. Acceptance
• Policies and procedures should be established and implemented to help ensure the risk responses are effectively carried out.
• Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities.
• Information is needed at all levels of the organization to identify, assess and respond to risks.

a. Risk relates to the future, which is uncertain;
b. ERM provides information about risks of achieving objectives, but it cannot provide even reasonable assurance that objectives will be achieved; and
c. ERM cannot provide absolute assurance with respect to any of the objectives categories. Specific limitations include the following:
• The effectiveness of ERM is subject to the limitations of the ability of humans to make judgements about risk and impact.
• Well-designed ERM can break down.
• Collusion among two or more individuals can result in ERM failures.
• ERM systems can never be perfect due to cost-benefit constraints.
• ERM is subject to management override.