OPERATIONAL AUDITING

Internal
Control
Processes
PRESENTED BY:
Bon Angeli Palomique, CPA
SIX PARADIGMS
INTERNAL CONTROL

COSO ON INTERNAL CONTROL (US)

TURNBULL ON INTERNAL CONTROL (UK)

COCO ON INTERNAL CONTROL (CANADA)

SYSTEMS/CYBERNETICS MODEL OF INTERNAL CONTROL

CONTROL BY DIVISION WITH SUPERVISION

CONTROL BY CATEGORY
Committee of Sponsoring Organizations (COSO)

CONTROL ENVIRONMENT

RISK ASSESSMENT

CONTROL ACTIVITIES

INFORMATION AND COMMUNICATION

MONITORING
5 essential components of internal control

CONTROL ENVIRONMENT

Internal environment
Foundation component
Tone at the top in terms of example set by top management
Includes the values, ethics, culture and commitment of the
organization and its members
Attitude and actions of the board and management regarding the
significance of control within the organization.
5 essential components of internal control

RISK ASSESSMENT

Risk can be inherent feature of operations

Identification of all risks
Ongoing process sensitive to the implications of changed market
conditions, operational workloads, macroeconomic parameters, etc.
Identified risks should be prioritized and control objectives
established in every case.
5 essential components of internal control

CONTROL ACTIVITIES

Procedures the organization operates

Need to be accurately defined and effectively communicated
Preferable to establish written procedures which removes possibility
of misinterpretation
Defined in the form of procedures, user manuals, job descriptions, etc.
Essential that some form of trail of control activities is maintained as
evidence of appropriate application of the procedure.
5 essential components of internal control

INFORMATION AND COMMUNICATION

Information should be reliable in terms of accuracy and

completeness
Inaccurate or outdated data will affect management's ability to
make the appropriate decisions and control the business.
Data should be authorized and secured
Establish management information system (MIS)
5 essential components of internal control

MONITORING

Information systems should provide the principal means of

monitoring the effectiveness of internal control systems.
Board should have the final responsibility for the operations of the
organization.
Evidence of review of system of internal control should be available
such as internal audit reports, summaries of significant control issues
or minutes of board meetings.
PARADIGM 2: TURNBULL ON INTERNAL CONTROL
MAIN PRINCIPLE:
Board should maintain a sound system of internal control to
safeguard shareholders' investment and the company's assets.

CODE PROVISION:

At least annually, conduct a review of the effectiveness of the

group's internal controls and should report to shareholders.
Review should cover all material controls, including financial,
operational and compliance controls and risk management
systems.
PARADIGM 2: TURNBULL ON INTERNAL CONTROL
TURNBALL DEFINES INTERNAL CONTROL:
Encompasses the policies, processes, tasks, behaviours and other
aspects of a company, taken together:

Facilitate its effective and efficient operation by enabling it

to respond appropriately to significant business, operational,
financial, compliance and other risks to achieving the
company's objectives.
Help ensure the quality of internal and external reporting.
Help ensure compliance with applicable laws and
regulations, and also with internal policies with respect to
the conduct of business.
PARADIGM 3: COCO ON INTERNAL CONTROL
CRITERIA OF CONTROL BOARD (COCO)

Less mechanical and more behavioral that the COSO internal control framework
and has advantages in application within the organizations that are more
participative and less hierarchical.

4 internal control components:

A person performs a task, guided by an understanding of its purpose and

supported by capability. The person will need a sense of commitment to perform
the task well over time. The person will monitor his or her performance and the
external environment to learn about how to do the task better and about changes
to be made.
PARADIGM 3: COCO ON INTERNAL CONTROL
CRITERIA OF CONTROL BOARD (COCO)
4 internal control components:

PURPOSE - what to do
COMMITMENT - wanting to do it
CAPABILITY - tools to do it
MONITORING AND LEARNING - are we going to do it?

A person performs a task, guided by an understanding of its purpose and supported by

capability. The person will need a sense of commitment to perform the task well over time.
The person will monitor his or her performance and the external environment to learn about
how to do the task better and about changes to be made.
PARADIGM 4: A Systems/Cybernetics
Model of Internal Control
MAIN ELEMENTS OF A SYSTEM
1. INPUT
2. PROCESS
3. OUTPUT

SYSTEMS CONTROL CONCEPTS

1. CONTROL OBJECT
2. DETECTOR
3. REFERECE POINT
4. COMPARATOR
5. ACTIVATOR
6. FEEDBACK
7. FEEDFORWARD
 PARADIGM 4: A Systems/Cybernetics
Model of Internal Control
SYSTEMS CONTROL CONCEPTS

1. CONTROL OBJECT - Variable of the system's behavior which is to be

monitored or controlled.
2. DETECTOR - Part of the systems which measures or monitors the control
object.
3. REFERECE POINT - Standard against which the actual performance of the
control object is compared.
4. COMPARATOR - Makes the comparison and assesses whether or not it is
significant.
5. ACTIVATOR - Takes the decision which is intended to restore actual
performance to what is desired.
Effective control may be achieved by means of an appropriate combination of various
opportunities to “divide” together with supervision.

Division of Duties

Division of Fundamentally Incompatible Responsibilities

Division of Operations

Division of Staff

Division of Data

Division of Data Entry and Accounts Postings

Division of Authority

Division of Time
Preventive
Designed to limit the possibility of an undesirable outcome being realized.

Pre-emptive
Yes/No controls that require approval before processing can proceed

Directive
Designed to ensure that a particular outcome is achieved.

Performance
Designed to orientate and motivate the organization’s people to focus on
the achievement of targets

Detective
‘‘Post-action’’ or ‘‘post-event’’ controls, taking place after the other system’s
processes have been completed

Corrective
Designed to correct undesirable outcomes which have occurred and have
been detected.

Investigative
To try to understand how the undesirable outcome occurred, to ensure that
it does not happen next time, and to provide a route of recourse.
 DETERMINING WHETHER INTERNAL CONTROL IS EFFECTIVE
The CoCo programme of the Canadian Institute of Chartered Accountants has stated that
control is effective to the extent that it provides reasonable assurance that an organisation will
achieve its objectives reliably; or, control is effective to the extent that the remaining
(uncontrolled) risks of the organisation failing to meet its objectives are acceptable.

2 questions:
Have any outcomes occurred which indicate that
internal control has been ineffective?

Is the internal control process robust enough to

give reasonable assurance of the achievement of
management’s objectives?

A sound approach to addressing the second question is to review the robustness of

COSO’s five essential components of internal control (control environment,
information and communication, risk assessment, control activities, monitoring) so
as to be able to conclude that internal control can be expected to be effective.
Thank
you!