
Internal Control

LEARNING OBJECTIVES
• Understand what is meant by internal control in a variety of frameworks.
• Identify the objectives, components, and principles of an effective internal control framework.
• Know the roles and responsibilities each group in an organization has regarding internal control.
• Identify the different types of controls and the appropriate application for each of them.
• Obtain an awareness of the process for evaluating the system of internal controls.
FRAMEWORKS

• A body of guiding principles that form a template against which organizations
can evaluate a multitude of business practices. These principles are
comprised of various concepts, values, assumptions, and practices intended
to provide a benchmark against which an organization can assess or
evaluate a particular structure, process, or environment, or a group of
practices or procedures. Specific to the practice of internal auditing, various
frameworks are used to assess the design adequacy and operating
effectiveness of controls.
DEFINITION OF INTERNAL CONTROL

A process, effected by an entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and
compliance.
• Geared to the achievement of objectives in one or more separate
but overlapping categories: operations, reporting, and compliance.
• A process consisting of ongoing tasks and activities: a means to an
end, not an end in itself.
• Effected by people: not merely about policy and procedure
manuals, systems, and forms, but about people and the actions
they take at every level of an organization to effect internal
control.
• Able to provide reasonable assurance, but not absolute assurance,
to an entity’s senior management and board of directors.
• Adaptable to the entity structure: flexible in application for the
entire entity or board of directors, management, and for a
particular subsidiary, division, operating unit, or business process.
THE OBJECTIVES, COMPONENTS, AND
PRINCIPLES OF INTERNAL CONTROL
Internal Control Process
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring Activities
Control Environment
• The control environment is the
control consciousness of an
organization;
• It is the atmosphere in which people
conduct their activities and carry out their
control responsibilities.
• An effective control environment is an
environment where competent
people:
– understand their responsibilities,
– the limits to their authority, and
– are knowledgeable, mindful, and
committed to doing what is right and doing
it the right way.
• The control environment is greatly
influenced by the extent to which
individuals recognize that they will be
held accountable.
Components of control environment
1. Integrity and Ethical Values
2. Commitment to competence
3. Management’s Philosophy and Operating Style
4. Organisational structure
5. Assignment of Authority and Responsibility
6. Oversight groups
Integrity and Ethical Values

• Formal codes of conduct & policies
communicating appropriate ethical
and moral behavioral standards and
addressing acceptable operational
practices and conflicts of interest.
• Management appropriately addresses
intervention or overriding internal
control.
Commitment to competence
• Management has identified and defined
the tasks required to accomplish particular
jobs and fill the various positions.
• Formal job descriptions & training
needs analysis.
Management’s Philosophy and Operating Style
• Has an appropriate attitude toward risk-taking.
• Endorses the use of performance-based management.
• There has not been excessive personnel
turnover in key functions, such as
operations and program management,
accounting, or internal audit.
Organizational structure
• The agency’s organizational structure is
appropriate for its size and the nature
of its operations.
• Balancing the degree of
centralization versus
decentralization.
• Key areas of authority and responsibility
are defined & communicated
throughout the organization.

Human Resource Policies and Practices
• Policies and procedures are in place for
hiring, orienting, training, evaluating,
counseling, promoting, compensating,
disciplining, and terminating
employees.
Oversight Groups

• Within the organisation, there are mechanisms in
place to monitor and review operations and
programs.
• The agency has an audit committee or senior
management council consisting of high-level line
and staff executives that review the internal
audit work and coordinate closely with the
external auditors.
• The internal audit operation reports to the entity’s
head.
• Internal audit reviews that unit’s activities and
systems and provides information, analyses,
appraisals, recommendations, and counsel to
management.
Risk Assessment
The central theme of internal control is
(1) to identify risks to the achievement of an
organization's objectives and
(2) to do what is necessary to manage those
risks.
Thus, setting
goals and objectives is a precondition
to internal controls.
Setting organizational objectives
• Operational objectives: achievement of the basic
mission(s) of a department and the effectiveness
and efficiency of its operations, including
performance standards and safeguarding
resources against loss.
• Financial reporting objectives: preparation
of reliable financial reports, including the
prevention of fraudulent public financial
reporting.
• Compliance objectives: adherence to applicable
laws and regulations.
• Risk assessment is the identification and analysis
of risks associated with the achievement of
operations, financial reporting, and compliance
goals and objectives.
• This, in turn, forms a basis for determining how
those risks should be managed.
Identify Risks after Determining Goals
• A risk is anything that could jeopardize the
achievement of an objective.
– What could go wrong?
– How could we fail?
– What must go right for us to succeed?
– Where are we vulnerable?
– What assets do we need to protect?
– Do we have liquid assets or assets with alternative
uses?
– How could someone steal from the department?
– How could someone disrupt our operations?
– How do we know whether we are achieving
our objectives?
– On what information do we most rely?
– On what do we spend the most money?
– How do we bill and collect our revenue?
– What decisions require the most judgment?
– What activities are most complex?
– What activities are regulated?
– What is our greatest legal exposure?
The costs of risks
• When evaluating the potential impact of risk,
both quantitative and qualitative
costs need to be addressed.
• Quantitative costs: cost of property, equipment,
or inventory, cash dollar loss, damage and repair
costs, cost of defending a lawsuit, etc.
• Qualitative costs: Loss of public trust,
violation of laws, default on a project, bad
publicity.
Risk analysis
• Management has established a formal process to
analyze risks, and that process may include informal
analysis based on day-to-day management
activities.
• Criteria have been established for determining low,
medium, and high risks.
• Appropriate levels of management and
employees are involved in the risk analysis.
• The risks identified and analyzed are relevant to the
corresponding activity objective.
Managing Risk During Change
• Management must give special attention to risks
presented by changes:
– the hiring of new personnel to occupy key
positions
– introduction of new or changed information
systems
– rapid growth and expansion or rapid
downsizing.
– the production or provision of new outputs or
services.
– establishment of operations in a new
geographical area.
Control Activities

Control activities are actions,
supported by policies and
procedures that, when carried out
properly and in a timely manner,
manage or reduce risks.
Preventive Controls

• Preventive controls attempt to deter
or prevent undesirable events from
occurring.
• They are proactive controls that help to
prevent a loss.
• Examples: separation of duties, proper
authorization, adequate
documentation, and physical control
over assets.
Detective Controls

• Detective controls attempt to
detect undesirable acts.
• They provide evidence that a loss has
occurred but do not prevent a loss
from occurring.
• Examples: reviews, analyses,
variance analyses, reconciliations,
physical inventories, and audits.
Information systems (Technology) Controls
(1) General Controls and
(2) Application Controls.
General Controls
• General controls apply to entire information
systems and to all the applications that reside on
the systems.
Examples:
• Access Security, Data & Program Security,
Physical Security
• Software Development & Program
Change Controls
• Data Center Operations
• Disaster Recovery.
Application Controls
• Input Controls (Data Entry): complete and
accurate recording of authorized transactions
– Authorization
– Validation
– Error Notification and Correction
• Processing Controls: complete and
accurate processing of authorized
transactions.
• Output Controls: complete and accurate audit
trail of the results of processing.
Information & Communications
• For an organisation to run and control its
operations, it must have relevant,
reliable information, both financial and
non-financial, relating to external as
well as internal events.
• That information should be recorded and
communicated to management and
others within the agency who need it
and in a form and within a time frame
that enables them to carry out their
internal control and operational
Monitoring

Assessing the quality of performance over time and
ensuring that the findings of audits and other reviews
are promptly resolved.
Ongoing monitoring
• Management’s strategy provides
for routine feedback and
monitoring of performance and
control objectives.
• Operating reports are integrated or
reconciled with financial and budgetary
reporting system data and used to manage
operations on an ongoing basis.
