Lesson 4 - INTERNAL CONTROL PROCESS


Internal Control Process

a. Discuss the Control Process
b. Discuss and illustrate Primary and Secondary Controls according to COSO
c. Discuss and illustrate Time-Based Classification Controls according to COSO
d. Discuss and illustrate Manual and Automated Controls according to COSO
What are INTERNAL CONTROLS? Why are they IMPORTANT?
Basis of Objectives Categories
Certain objectives are derived from the regulatory
environment or industry in which the business operates.
Example:
1. Some entities submit information to environmental
agencies.
2. Publicly traded companies file information with
securities regulators.
3. Universities report grant expenditures to government
agencies.
• These types of objectives are established largely by law
or regulation, and fall into the category of compliance,
external reporting, or in these examples, both.
Basis of Objectives Categories
• Conversely, operations objectives and internal reporting are
based more on preferences, judgments, and management
style. They vary widely among entities simply because
informed and competent people may select different
objectives.
Example:
• for product development, one organization might choose to
be an early adopter, another might be a quick follower, and
yet another a late adopter. These choices will affect the
structure, skills, staffing, and controls of the research and
development function. Consequently, no one formulation of
objectives can be optimal for all entities.
Overlap of Objectives Categories
• An objective in one category may overlap or
support an objective in another.
Example:
“Closing the financial reporting period within five workdays”
1. Operation
• primarily an operations objective to support
management in reviewing business performance.
2. Compliance
• It also supports timely reporting and timely filings with
regulatory agencies.
Overlap of Objectives Categories
Example:
Controls to prevent theft of assets:
1. Operation
• such as maintaining a fence around inventory, or having
a gatekeeper to verify proper authorization of requests
for movement of goods
2. Reporting
• physical security controls, along with controls over the
perpetual inventory records
COSO Components and Principles
Control Environment:
• The control environment is the foundation for all
other components of internal control.
• The board and senior management establish the
tone from the top regarding the importance of
internal control and expected standards of conduct.
The control environment provides discipline,
process, and structure.
Control Environment:
1. The organization demonstrates a commitment to integrity and
ethical values.
2. The board of directors demonstrates independence of
management and exercises oversight for the development and
performance of internal control.
3. Management establishes, with board oversight, structures,
reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract,
develop, and retain competent individuals in alignment with
objectives.
5. The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.
Risk Assessment
• Risk assessment involves a dynamic and iterative
process for identifying and analyzing risks to
achieving the entity’s objectives, forming a basis for
determining how risks should be managed.
Management considers possible changes in the
external environment and within its own business
model that may impede its ability to achieve its
objectives.
Risk Assessment
6. The organization specifies objectives with sufficient
clarity to enable the identification and assessment of
risks relating to objectives.
7. The organization identifies risks to the achievement
of its objectives across the entity and analyzes risks
as a basis for determining how the risks should be
managed.
8. The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes
that could significantly impact the system of internal
control.
Control Activities
• Control activities are the actions established by
policies and procedures to help ensure that
management’s directives to mitigate risks to the
achievement of objectives are carried out. Control
activities are performed at all levels of the entity
and at various stages within business processes,
and over the technology environment.
Control Activities
10. The organization selects and develops control
activities that contribute to the mitigation of
risks to the achievement of objectives to
acceptable levels.
11. The organization selects and develops general
control activities over technology to support the
achievement of objectives.
12. The organization deploys control activities as
manifested in policies that establish what is
expected and in relevant procedures to effect the
policies.
Information and Communication
• Information is necessary for the entity to carry out
internal control responsibilities in support of
achievement of its objectives. Communication
occurs both internally and externally and provides
the organization with the information needed to
carry out day to day internal control activities.
Communication enables all personnel to
understand internal control responsibilities and
their importance to the achievement of objectives.
Information and Communication
13. The organization obtains or generates and uses
relevant, quality information to support the
functioning of other components of internal
control.
14. The organization internally communicates
information, including objectives and
responsibilities for internal control, necessary to
support the functioning of other components of
internal control.
15. The organization communicates with external
parties regarding matters affecting the
functioning of other components of internal
control.
Monitoring Activities
• Ongoing evaluations, separate evaluations, or some
combination of the two are used to ascertain
whether each of the five components of internal
control, including controls to effect the principles
within each component, are present and
functioning. Findings are evaluated and
deficiencies are communicated in a timely
manner, with serious matters reported to senior
management and to the board.
Monitoring Activities
16. The organization selects, develops, and performs
ongoing and/or separate evaluations to ascertain
whether the components of internal control are
present and functioning.
17. The organization evaluates and communicates
internal control deficiencies in a timely manner
to those parties responsible for taking corrective
action, including senior management and the
board of directors, as appropriate.
Limitation of internal control
• The quality and suitability of objectives established as a
precondition to internal control.
• The realities that human judgment in decision making can be
faulty.
• Knowing that decisions on responding to risk and establishing
controls must consider the relative costs and benefits.
• Breakdowns that can occur because of human failures such as
simple errors or mistakes.
• Controls that can be circumvented by collusion of two or more
people.
• The ability of management to override internal control decisions.
• Internal control is a process, effected by an entity’s
board of directors, management, and other personnel,
designed to provide reasonable assurance regarding
the achievement of objectives in the following
categories:
ORC
• Effectiveness and efficiency of operations.
• Reliability of reporting.
• Compliance with applicable laws and
regulations.
• Safeguarding of assets
An integral process
• A series of actions throughout the operations on an ongoing basis
• Built in rather than built on; embedded with the management processes of planning, organizing, budgeting, staffing, implementing, and monitoring
• Not stand-alone or separate specialized systems within an organization
• Interwoven into and made an integral part of each system that management uses to regulate and guide its operations
Which also means:
• Internal control is a process. A process consisting of ongoing tasks and activities. It is a
means to an end, not an end in itself.
• Internal control is effected by people.
- not merely policy manuals and forms,
but people functioning at every level of the organization.
• Internal control is geared to the achievement of
objectives in several overlapping categories.
• Internal control only provides reasonable assurance
regarding achievement of operational, financial reporting and compliance
objectives.
CONTROL
• Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Processes
• The policies, procedures and activities that are part of a control framework (e.g., COSO-ICIF 2013) designed and operated to ensure that risks are contained within the level that an organization is willing to accept.
❑ Proper procedures for authorization
❑ Adequate separation of duties (CARE)
❑ Adequate documents and records
❑ Physical control over assets and records
❑ Independent checks on performance
❑ Accountability
❑ Flow of financial information
1. Establishing standards for the operation to be
controlled
2. Measuring performance against the standards
3. Examining and analyzing deviations
4. Taking corrective action, and
5. Reappraising the standards based on experience
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and
regulations
• Safeguarding of assets
• Adherence to managerial policies
Economical, Efficient, and Effective
Operations
Economical
- able to perform functions/tasks using the least amount of resources within a specified
timeframe

Efficient
- “doing things right” given the available resources and within a specified timeframe
- Delivering a given quantity and quality of outputs with minimum inputs or
maximizing outputs with a given quantity and quality of inputs
- Prioritization and leveraging of resources

Effective
- “doing the right things”, able to deliver major final outputs and outcomes and able to contribute to the attainment of goals and objectives
- directing, executing and implementing
Reliability of financial reporting
❑ These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.

❑ Must be (characteristics):
✓ Neutral – free from any bias
✓ Fairly presented – true and fair view
✓ Prudent – a high degree of caution is exercised wherever an assumption is required
✓ Complete – includes all financial information, transactions, and events plus non-financial information
✓ Accurate – supported by verifiable evidence/documents
Four categories of reporting objectives
Compliance with applicable laws and
regulations
❑ Adherence to laws, regulations, guidelines and specifications relevant to its
organization and operations.

❑ Examples:
✓ SEC issuances
✓ BIR regulations
✓ Sarbanes-Oxley Act (Securities Regulation Code Rule 68, Corporate governance)
✓ BSP Manual of Regulations for Banks
✓ Consumer protection
✓ Data privacy
✓ BASEL III Frameworks
✓ Labor Codes
✓ Contracts/Agreements
Sarbanes-Oxley Act of 2002
• The Sarbanes-Oxley Act of 2002 is a
federal law that established sweeping auditing and
financial regulations for public companies.
Lawmakers created the legislation to help protect
shareholders, employees and the public from
accounting errors and fraudulent financial
practices.
Safeguarding of assets
❑ Prevention or timely detection of unauthorized acquisition, use or disposition of the
company’s assets.

❑ Protecting the firm’s assets against loss due to theft/fraud, accidental destruction and
errors.

❑ Examples:
✓ Segregation of duties (i.e., recording, authorization and custody of assets shall be
handled by separate employees)
✓ Dual signature on checks
✓ Physical locks on inventory warehouse
✓ Employee background checks
Adherence to managerial policies
❑ Managerial policies
✓ defines the scope or spheres within which decisions can be taken by the
subordinates in an organization.
✓ guidelines to govern its actions; directs the performance of an outcome
✓ deals with acquisition, use, control and disposition of resources

❑ Examples:
✓ Human resource policies
✓ Operations policies
✓ Accounting policies
✓ Accountability policies
✓ Reporting policies
Internal control measures: Cash to Stockholders’ equity
Internal Control measures- Cash
1. Cash receipts should be deposited intact – that is, in the same amount and form as they are
received.
2. All disbursements should be authorized and made by check except those involving small
amounts which should be paid from petty cash fund.
3. Both receipts and disbursements should be properly accounted for in the records.
4. There should be separation of personnel duties for
   a. receiving cash
   b. recording receipts
   c. depositing cash collections
   d. reconciling the bank account
   e. authorizing disbursements
   f. disbursing cash
5. Bank reconciliation statement should be prepared monthly.
6. Provide physical protection for cash.
7. Minimize cash on hand in the office.
8. Cash actually present in the office – petty cash, change fund and undeposited receipts can be
periodically counted and compared with the company records.
9. Adopt imprest fund system for petty cash.
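An added example, not part of the lesson: a small Python segregation-of-duties check that encodes two rules the lesson states, the recording/authorization/custody split under "Safeguarding of assets" and the separation of the six cash duties in item 4 above, and that reports whether a compensatory control (supervisory review, which the lesson names for when segregation is not feasible) is on record for each conflict. The duty names, their function classification and the employee assignment are constructed sample data.

```python
"""Segregation-of-duties (SoD) check over a duty assignment.

Added example, not from the lesson. Rules encoded:
  1. recording, authorization and custody of an asset are handled by
     separate employees (lesson: "Safeguarding of assets" examples), and
  2. the six cash duties (receive, record receipts, deposit, reconcile bank
     account, authorize disbursement, disburse) are held by different people
     (lesson: "Internal Control measures - Cash", item 4).
A compensatory control (supervisory review) is reported where present; per
the lesson it reduces risk but does not by itself bring it to an acceptable
level, so such findings are labelled "compensated", not closed.
All duty names, classifications and employee data below are constructed.
"""
from itertools import combinations

# Duty -> the control function it exercises over the asset (C/A/R split).
# The classification of each duty is this example's own assumption.
DUTY_FUNCTION = {
    # cash duties from the lesson's cash control measures, item 4
    "receive_cash": "custody",
    "record_receipts": "recording",
    "deposit_collections": "custody",
    "reconcile_bank_account": "recording",
    "authorize_disbursement": "authorization",
    "disburse_cash": "custody",
    # receivables duties from the lesson's receivables control measures
    "record_sales": "recording",
    "approve_credit_memos": "authorization",
}

# The six cash duties that the lesson requires to be held by different people,
# even when two of them fall under the same C/A/R function (e.g. two custody duties).
CASH_DUTIES = frozenset({
    "receive_cash", "record_receipts", "deposit_collections",
    "reconcile_bank_account", "authorize_disbursement", "disburse_cash",
})


def conflict_reason(duty_a, duty_b):
    """Return why two duties held by one person conflict, or None if they may coexist."""
    fa, fb = DUTY_FUNCTION.get(duty_a), DUTY_FUNCTION.get(duty_b)
    if fa is None or fb is None:
        return None                      # duty outside the scope of this check
    if fa != fb:                         # rule 1: incompatible C/A/R functions
        return f"incompatible functions: {fa} + {fb}"
    if duty_a in CASH_DUTIES and duty_b in CASH_DUTIES:
        return "two cash duties the lesson requires to be separated"   # rule 2
    return None


def find_conflicts(assignments, compensating=None):
    """Evaluate {employee: set(duties)} and return a sorted list of findings.

    Each finding records the employee, the conflicting duty pair, the reason and
    a status: "open", or "compensated" when the employee is under supervisory
    review (the compensating set).
    """
    compensating = compensating or set()
    findings = []
    for employee in sorted(assignments):
        for a, b in combinations(sorted(assignments[employee]), 2):
            reason = conflict_reason(a, b)
            if reason:
                findings.append({
                    "employee": employee, "duties": (a, b), "reason": reason,
                    "status": "compensated" if employee in compensating else "open",
                })
    return findings


def summarize(findings):
    """Count findings by status so a reviewer sees the residual exposure."""
    counts = {"open": 0, "compensated": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


# Constructed sample: a small finance team's duty assignment.
SAMPLE_ASSIGNMENTS = {
    "alice": {"receive_cash", "deposit_collections"},       # cashier receives and deposits
    "bob": {"record_receipts", "record_sales"},              # bookkeeper, recording only
    "carol": {"authorize_disbursement", "disburse_cash"},    # authorizes and pays out
    "dave": {"reconcile_bank_account"},                      # independent reconciler
    "erin": {"approve_credit_memos", "receive_cash"},        # approves returns and handles cash
}
SAMPLE_COMPENSATING = {"alice"}   # small office: a supervisor reviews alice's daily deposits

if __name__ == "__main__":
    results = find_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING)
    for f in results:
        print(f"{f['status']:<12} {f['employee']:<6} {f['duties'][0]} + {f['duties'][1]}: {f['reason']}")
    print(summarize(results))
```

Bob's two recording duties are not flagged, while Alice's two custody duties are, which is the difference between the general C/A/R rule and the lesson's stricter cash rule.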
Internal Control Measures -
Receivables
1. Proper internal control over receivables should observe the following:
   a. Sales must be separated from the accounting for them.
   b. Accounting for sales must be separated from the receipt of cash arising from the receivables.
   c. Returns, allowances, discounts, and uncollectible charge-offs must be properly approved and separated from the cash receipts function.
   d. Periodically, receivables should be aged in order to determine the actions and efficiency of the credit department.
2. Notes receivable custodian should not have access to cash or to the
accounting record.
3. A responsible official who does not have access to the notes should
approve note renewals as well as charge-offs of defaulted notes in
writing.
4. Proper procedures should be adopted for the follow-up of defaulted
notes.
Internal Control Measures -
Inventories
1. Authority and responsibility for controlling the inventories should be centralized in management and vested in one person.
2. There should be careful selection of inventory personnel and intensive training of such
personnel in policies, objectives and system of inventory control.
3. Adequate physical facilities for handling and storage of inventory should be provided.
4. Adequate system of procedures, forms and reports related to the management of inventories
should be developed and implemented.
5. Quantitative controls through perpetual inventory records; book quantities verified with
physical counts at least once a year and differences being investigated, promptly adjusted and
reported to higher authority should be implemented.
6. Deliveries of materials, finished stock and merchandise should be made only upon specific
authorizations emanating at authorized levels.
7. Slow-moving, obsolete and damaged stock should be identified and reported following
periodic reviews of physical and book records by qualified employees. Valuation on the basis
of approved cost-mark-down methods should be reviewed.
8. Safeguards against the action of the elements and against inaccuracies in recording receipts and issues should be adopted. Example – Maintaining adequate insurance coverage.
Internal Control Measures -
Investment
1. Purchases and sales of investments should be properly
authorized (normally by the board of directors or
investment committee of the board of directors).
2. Access to securities should not be vested in one person
only.
3. Custodianship of investment securities and the
accounting for them should be segregated.
4. Securities must be physically controlled in order to
prevent unauthorized usage and they must be registered
in the name of the entity.
5. Income received from investments should be reconciled
periodically with amounts that should be received.
Internal Control Measures - PPE
1. Additions and dispositions of fixed assets should be
properly authorized and approved by the board of
directors or executive committee or person to whom
authority has been delegated.
2. A clearly defined and sound policy for differentiation of
capital and revenue expenditures should be established.
3. Cost of constructed fixed assets should be controlled through work orders.
4. Fixed assets controlling account should be supported by
detailed plant records.
5. Physical inspection of fixed assets should be conducted
and investigated.
Internal Control Measures -
Intangibles
1. Acquisitions, dispositions and write offs of intangible
assets should be properly authorized.
2. Adequacy and consistency of accounting policies
governing intangible assets should be reviewed
periodically.
3. General ledger account should be supported by
adequate detailed records and they should be
periodically reconciled.
4. Schedules of intangibles showing their cost and basis
of amortization should be prepared periodically and
reviewed by a responsible official.
Internal Control Measures -
Current Liabilities
• Accounts payable
• A proper system of requisitioning, purchase order placement and approval,
receiving, invoice approval, and approval for payment should be well-defined and
established.
• Subsidiary accounts payable records or unpaid vouchers should be reconciled with
controlling account at frequent intervals.
• Check mathematical accuracy of suppliers’ invoices prior to recording.
• Adjustments to accounts payable should be properly approved.
• Debit balances in accounts payable should be reviewed and resolved.
• Notes payable
• Borrowings on notes payable should be properly authorized. (Specify the institutions
from which money may be borrowed and designate the officers authorized to sign
notes)
• Unissued notes should be properly safeguarded.
• Adequate and well organized records for notes specifying the details should be
maintained.
• Subsidiary notes payable records should be reconciled with controlling account at
frequent intervals.
• Paid notes should be properly cancelled and preserved.
Internal Control Measures – Long
Term Liabilities
1. Long-term obligation should be properly authorized by the board of
directors or by a required majority of the shareholders.
2. There should be proper control over issued and unissued obligations as
in bonds, by an independent bond trustee or transfer agent.
3. Redeemed bonds should be cancelled, properly mutilated and retained for audit in order to prevent unauthorized reissuance.
4. Bond ledger should be used in which details of bonds issued, cancelled
and outstanding are shown. A subsidiary bondholders’ ledger should
also be maintained by the issuing corporation or the bond trustee for
bonds registered, as to principal and interest.
5. Proper control should be exercised over the payment of interest on
long-term liabilities. Payment may be done by an independently
engaged interest-paying agent.
Internal Control Measures –
Equity
1. Internal control measures regarding the issuance of share certificates
and proper accounting for transfers and registration of shares should
be established. One of these measures is the appointment of a share
and transfer agent or an independent registrar.
2. Share certificates should be serially prenumbered by the printer and
that the authority for signing and issuing the certificates be
designated by the board of directors.
3. As individual certificates are issued, corresponding records of the
certificates should be prepared containing the name and address of
the shareholders and the number of shares issued to each.
4. Cancelled certificates should be mutilated and any necessary
documentary stamps should be attached to the cancelled certificates.
5. Entries for the share issuances and transfers should be made by a
person who does not have authority to sign and issue certificates.
Question No. 1
Controls should be designed to provide reasonable assurance that

A. Management’s plans have not been circumvented by worker collusion.
B. Organizational objectives will be achieved economically and efficiently.
C. The internal audit activity’s guidance and oversight of management’s performance is accomplished economically and efficiently.
D. Management’s planning, organizing, and directing processes are properly evaluated.
Question No. 2
Which of the following are most directly designed to ensure that risks are contained?

A. Risk management processes
B. Internal audit activities
C. Control processes
D. Governance processes
Question No. 3
The actions taken to manage risk and increase the
likelihood that established objectives and goals will be
achieved are best described as

A. Quality assurance
B. Compliance
C. Control
D. Supervision
General Classification of Controls

Financial Controls
• Procedures, policies and means by which an organization monitors and controls the direction, allocation, and usage of its financial resources.
• Ex: Periodic review of credit policy, disbursement policies, reconciliation of subsidiary ledger to controlling account, financial statement analysis, budget

Operations Controls
• Controls that are used in the management of processes of directing and controlling and are based on comparison of results with standards.
• Designed to ensure that day-to-day actions are consistent with established plans and objectives.
• Ex: manual of operations, job descriptions, flow of information, security matrix, level of approving authorities, performance evaluation
Classification of Controls
As to Importance

Primary (key and significant) Controls
• Control that is essential for a business process; typically takes place during the process it applies to.
• Minimum set of controls that can provide reasonable assurance that the risk is mitigated, provided that the controls are designed properly, operating as intended and are demonstrable
• Controls for risks rated as “high”

Secondary Controls
• Control that takes place after the process it applies to (i.e., reporting or ongoing monitoring)
• Any other controls not defined as key or significant. These are supplemental controls frequently used to improve timeliness of detection of issues or backlog controls used as an emergency “catch-all”
• Controls for risks rated as “moderate” or “low”
Classification of Controls
Primary Controls

Preventive Controls
- designed to limit the possibility of an undesirable outcome
- attempt to stop a risk from occurring
- Ex: use of passwords, segregation of duties

Detective Controls
- designed to identify occasions of undesirable outcomes having been realized
- attempt to determine if a risk has occurred
- Ex: reconciliation, inventory count, cash count

Directive Controls
- designed to ensure that a particular outcome is achieved
- attempt to avoid risk by providing specific ways to do things
- Ex: policies, procedures, trainings

Corrective Controls
- designed to limit the scope for loss and reduce any undesirable outcomes which have been realized
- may also provide a route of recourse to achieve some recovery against loss or damage
- Ex: data back-ups can be used to restore lost data in case of a fire or other disaster
Classification of Controls
Secondary Controls

Compensatory (mitigative) Controls
- May reduce risk when the primary controls are ineffective
- However, they do not, by themselves, reduce the risk to an acceptable level
- Ex: supervisory review when segregation of duties is not feasible

Complementary Controls
- Work with other controls to reduce risk to an acceptable level
- Ex: segregation of accounting and custody of cash receipts is complemented by obtaining deposit slips validated by the bank
Classification of Controls
Time-based Controls

Feedforward Controls
- Anticipate and prevent problems
- Require a long-term perspective
- Ex: policies and procedures

Feedback Controls
- Report information about completed activities
- Permit the improvement in future performance by learning from past mistakes
- Ex: inspection of completed goods

Concurrent Controls
- Adjust ongoing processes; real-time controls monitor activities in the present and prevent them from deviating too far from standards
- Ex: close supervision of production-line workers
Classification of Controls
As to “Who Performs”

Manual Controls
- Performed by individuals outside of a system
- Applicable when judgment and discretion are required
- Ex: bank reconciliation, matching of cash received against open AR balance

Automated (Application) Controls
- Performed automatically by the system
- Ensure the completeness and accuracy of transaction processing, authorization and validity
- Configuration setting in a system that prevents or detects problems
- Ex: two-factor authentication on user log-in, automatic lock-out of a user after three attempts with an incorrect password

IT-Dependent Manual Controls
- Performed by individuals outside of a system but requires some level of system involvement
- Ex: System Administrator’s review of users’ log report (generated by the system)

IT General Controls
- Refers to the overall information-processing environment
- Ex: policy management, logical access, change management, physical security
Question No. 1
Controls that are designed to provide management with
assurance of the realization of specified minimum gross
margins on sales are

A. Preventive controls
B. Detective controls
C. Output controls
D. Directive controls
Question No. 2
The requirement that purchases be made from suppliers
on an approved vendor list is an example of a

A. Preventive control
B. Detective control
C. Corrective control
D. Monitoring control
Question No. 3
Managerial control can be divided into feedforward,
concurrent, and feedback controls. Which of the
following is an example of a feedback control?

A. Variance analysis
B. Quality control training
C. Budgeting
D. Forecasting inventory needs
Question No. 4
The use of financial statement analysis, quality control
procedures, and employee performance evaluations are
all examples of

A. Feedback controls
B. Preliminary controls
C. Concurrent controls
D. Feedforward controls
All employees play some role in effecting control!!!
• Determine the need for controls

• Design suitable controls

• Implement these controls

• Check that these controls are being applied correctly

• Maintain and update the controls

Source: The IA Handbook, third edition by KHS Pickett


• Evaluation of the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems.
• Assessing those areas that are most at risk in terms of key control objectives.
• Defining and undertaking a program for reviewing high profile systems that attract the most risk.
• Reviewing each of these systems by examining and evaluating their associated ICS to determine the extent to which the five key control objectives are being met.
• Advising management whether or not controls are operating adequately and effectively so as to promote the achievement of the system’s/control objectives.
• Recommending any necessary improvements to strengthen controls where appropriate, while making clear the risks involved for failing to effect these recommended changes.
• Following up audit work so as to discover whether management has actioned agreed audit recommendations.
Source: IIA-P
❑ Addresses root cause
❑ Considers cost
❑ Simple
❑ Leaves tracks
❑ Embedded
❑ Combination of “soft” and “hard” controls
❑ Covers adequately the Internal Control components and objectives
• It can HELP
✓ achieve performance & profitability targets
✓ prevent loss of resources
✓ ensure reliable financial reporting
✓ ensure compliance with laws
✓ prevent errors and irregularities or, if they occur, help ensure timely detection
✓ an entity get to where it wants to go
• It encourages adherence to prescribed policies and procedures
• It can protect employees
✓ by clearly outlining tasks and responsibilities,
✓ by providing checks and balances, and
✓ from being accused of misappropriations, errors or irregularities.
(Sources: Internal Controls, Office of the Internal Auditor, Washington State University; http://internalaudit.wsu.edu/internalcontrols.html; IIA-P)
• Internal control processes which do not reflect changed operating conditions, specific agency activities or potential new risks
• Collusion by staff for personal gain or other motives
• Controls failing to capture or flag unusual transactions
• Controls and processes being viewed as a hindrance in the delivery of agency services, so are overridden
• System omissions, human factors, resource constraints or lack of system flexibility
“Internal controls, no matter how well designed and operated, can
provide only reasonable assurance to management regarding
achievements of an entity’s objectives.”