Module 5 Internal Control 2

About internal control

Uploaded by

genevaalcober

5 Internal Control

CONTENTS
1.1. Internal Control Overview
1.2. Internal Control affecting Assets, Liabilities, Equity

OUTCOMES
LO2. Measure the effectiveness of internal controls in an organization and
develop risk management plans.

OBJECTIVES
1. Explain what is internal control;
2. Identify and explain the elements of internal control;
3. Describe the importance of COSO to financial reporting.

During the past discussions and lessons, we have pointed out how inevitable
risk is to every organization. Risk is the probability that an event or
action will adversely affect the organization. The primary categories of risk
are errors, omissions, delay and fraud. In order to achieve goals and
objectives, management needs to effectively balance risks and controls.
Therefore, control procedures need to be developed so that they decrease
risk to a level where management can accept the exposure to that risk. By
performing this balancing act “reasonable assurance” can be attained.

1 BALINA ‖ For Internal Use only


ABSTRACTION

Internal Control
According to Cabrera & Cabrera (2019), internal control is the process
designed and effected by those charged with governance, management and
other personnel to provide reasonable assurance about the achievement of
the entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations and compliance with applicable
laws and regulations. Internal control is a process designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Several key points should be made about this definition:


1. People at every level of an organization affect internal control.
Internal control is, to some degree, everyone's responsibility.

2. Effective internal control helps an organization achieve its
operations, financial reporting, and compliance objectives.
Effective internal control is a built-in part of the management process
(i.e., plan, organize, direct, and control). Internal control keeps an
organization on course toward its objectives and the achievement of
its mission, and minimizes surprises along the way. Internal control
promotes effectiveness and efficiency of operations, reduces the risk of
asset loss, and helps to ensure compliance with laws and regulations.
Internal control also ensures the reliability of financial reporting (i.e.,
all transactions are recorded and that all recorded transactions are
real, properly valued, recorded on a timely basis, properly classified,
and correctly summarized and posted).

3. Internal control can provide only reasonable assurance - not
absolute assurance - regarding the achievement of an
organization's objectives. Effective internal control helps an
organization achieve its objectives; it does not ensure success. There
are several reasons why internal control cannot provide absolute
assurance that objectives will be achieved: cost/benefit realities,
collusion among employees, and external events beyond an
organization's control.

In layman’s terms, internal control is “what we do to ensure that the
things we want to happen will happen and the things that we don’t want to
happen won’t happen.” As more formally defined in the COSO Framework,
Internal Control is a process effected by the board of directors, management,
and other personnel designed to provide reasonable assurance regarding
the achievement of business objectives.
Firstly, it is a process. It is not an isolated procedure. Rather, it
comprises an interrelated set of policies, procedures and activities that
work together for the achievement of business objectives. Secondly, it is
something that must be put into effect by people from all levels within the
company. Internal control is not a mere checklist of dos and don’ts. Even a
lengthy internal control procedures manual will not be enough if it is not
implemented. Last but not least, internal control is not an end in itself;
rather, it is a means toward achieving the objectives of the company.
Therefore, without internal control, there would be no assurance that the
objectives of the company will be achieved.

Internal Control System


Internal control system means all the policies and procedures adopted
by the management of an entity to assist in achieving management’s
objective of ensuring, as far as practicable, the orderly and efficient conduct of
its business, including adherence to management policies, the safeguarding
of assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of
reliable financial information.

Elements of Internal Control

A. Control Environment
The control environment describes a set of standards,
processes, and structures that provide the basis for carrying out internal
control across the organization. According to the Institute of Internal
Auditors (IIA), a control environment is the foundation on which an
effective system of internal control is built and operated in an
organization that strives to:
1. Achieve its strategic objectives,
2. Provide reliable financial reporting to internal and external
stakeholders,
3. Operate its business efficiently and effectively,
4. Comply with all applicable laws and regulations, and
5. Safeguard its assets.

The control environment is the control consciousness of an
organization; it is the atmosphere in which people conduct their
activities and carry out their control responsibilities. An effective control
environment is an environment where competent people understand
their responsibilities, the limits to their authority, and are
knowledgeable, mindful, and committed to doing what is right and doing
it the right way. They are committed to following an organization's
policies and procedures and its ethical and behavioral standards. The
control environment encompasses technical competence and ethical
commitment; it is an intangible factor that is essential to effective
internal control.
A governing board and management enhance an organization's
control environment when they establish and effectively communicate
written policies and procedures, a code of ethics, and standards of
conduct. Moreover, a governing board and management enhance the
control environment when they behave in an ethical manner, creating a
positive "tone at the top," and when they require that same standard of
conduct from everyone in the organization.
Several factors comprise the control environment, including:
1. Communication and enforcement of Integrity and Ethical values.
2. Commitment to Competence
3. Participation by those charged with governance.
4. Management’s Philosophy and Operating style
5. Organizational Structure
6. Assignment of authority and responsibility
7. Human resources policies and procedures

B. Entity’s Risk Assessment Process


Risk assessment is the identification, analysis, and management of
risks pertaining to the preparation of financial statements. For example,
risk assessment may focus on how the entity considers the possibility of
transactions not being recorded or identifies and assesses significant
estimates recorded in the financial statements.
Risk assessment is an iterative process for identifying and assessing
those risks that may prevent the achievement of enterprise objectives.
First, management sets the company’s operational and financial reporting
and compliance objectives. Then, risks that could prevent the
achievement of these objectives will be identified. This sub-process is
known as risk identification.
The identified risks are subsequently assessed in terms of likelihood
and impact. Likelihood pertains to the probability of the occurrence of
a negative event. Impact pertains to the significance, consequence, or
magnitude of the identified risk to the company. This sub-process is called
risk analysis or risk assessment. The assessment of risks in terms of
likelihood and impact results in the determination of whether such risks are
significant or not. Significant risks are typically those that have high risk
scores for likelihood and impact.
The last step in this component is risk response. Risk responses
include accept, mitigate, share, transfer and avoid. Risk acceptance is not
an appropriate response for significant risks. Significant risks should be
mitigated by way of deploying control activities. Some risks can be
transferred through insurance. An example of totally avoiding risk is when
a company chooses to exit a market or drop one of its product lines due
to market saturation.

C. Information and Communication


Information is obtained or generated by management from both
internal and external sources in order to support internal control
components. Communication based on internal and external sources is
used to disseminate important information throughout and outside of
the organization, as needed to respond to and support meeting
requirements and expectations. The internal communication of
information throughout an organization also allows senior management
to demonstrate to employees that control activities should be taken
seriously.
An information system consists of infrastructure (physical and
hardware components), software, people, procedures, and data.
Infrastructure and software will be absent, or have less significance, in
systems that are exclusively or primarily manual.
The information system relevant to financial reporting
objectives, which includes the accounting system, consists of the
procedures and records designed and established to:
1. Initiate, record, process, and report entity transactions and to
maintain accountability for the related assets, liabilities, and
equity;
2. Resolve incorrect processing of transactions;
3. Process and account for system overrides or bypasses to
controls;
4. Transfer information from transaction processing systems to
the general ledger;
5. Capture information relevant to financial reporting for events
and conditions other than transactions, such as the
depreciation and amortization of assets and changes in the
recoverability of accounts receivable; and
6. Ensure information required to be disclosed by the applicable
financial reporting framework is accumulated, recorded,
processed, summarized and appropriately reported in the
financial statements.

D. Control Activities
Control activities are actions (generally described in policies,
procedures, and standards) that help management mitigate risks in order
to ensure the achievement of objectives. Control activities may be
preventive or detective in nature and may be performed at all levels of
the organization.
Control activities are the policies and procedures that help ensure
that management directives are carried out, that necessary actions are
taken to address risks that threaten the achievement of the entity’s
objectives. The major categories of control procedures are:
1. Performance Review – management uses accounting and operating
data to assess performance, and it then takes corrective action. Such
reviews include:
a. Comparing actual performance with budgets, forecasts, prior
period performance, or competitors’ data or tracking initiatives
to measure the extent to which targets are being met;
b. Investigating performance indicators based on operating or
financial data;
c. Reviewing functional or activity performance.

2. Information Processing Controls – are policies and procedures
designed to require authorization of transactions and to ensure the
accuracy and completeness of transaction processing.

3. Physical Controls – Activities that assure the physical security of
assets and records.
a. The physical security of assets, including adequate safeguards
such as secured facilities over access to assets and records.
b. The authorization for access to computer programs and data
files.
c. The periodic counting and comparison with amounts shown on
control records.

4. Segregation of duties – separation of the functions of transaction
authorization, record-keeping, and custody.

E. Monitoring Activities
Monitoring activities are periodic or ongoing evaluations to
verify that each of the five components of internal control, including the
controls that affect the principles within each component, are present
and functioning.
Monitoring is also the assessment of internal control performance
over time; it is accomplished by ongoing monitoring activities and by
separate evaluations of internal control such as self-assessments, peer
reviews, and internal audits. The purpose of monitoring is to determine
whether internal control is adequately designed, properly executed, and
effective. Internal control is adequately designed and properly executed
if all five internal control components (Control Environment, Risk
Assessment, Control Activities, Information and Communication, and
Monitoring) are present and functioning as designed. Internal control is
effective if management and interested stakeholders have reasonable
assurance that:
1. They understand the extent to which operations objectives are
being achieved.
2. Published financial statements are being prepared reliably.
3. Applicable laws and regulations are being complied with.

Monitoring, the final component of internal control, is the process
that an entity uses to assess the quality of internal control over time.
Monitoring involves assessing the design and operation of controls on a
timely basis and taking corrective action as necessary. Management
monitors controls to consider whether they are operating as intended and
to modify them as appropriate for changes in conditions. In many entities,
internal auditors evaluate the design and operation of internal control and
communicate information about strengths and weaknesses and
recommendations for improving internal control.

COSO Requirements for Integrated Components


The following are two basic requirements under the COSO Internal
Control – Integrated Framework before one can conclude that the
company’s internal control system is effective.

1. Each of the five components must be present and functioning. In this
respect, present means that the five (5) components exist in the design
and implementation of the system of internal control to achieve
business objectives. Functioning means that the components continue
to exist and are being implemented over time.

2. The five components must “operate together” in an integrated manner.
The components of internal control are not to be treated in isolation;
rather, they need to be operated in an integrated manner.

Different Categories of Control

1. Entity-level Controls – are controls that are applied broadly at the
company level and essentially affect the entire corporate culture as
well as the functioning of transaction-level controls. Broadly speaking,
entity-level controls include those policies and procedures that are
embedded in the four components of internal control.

2. Transaction-level Controls – are internal control procedures
deployed and implemented for every major transaction and account
of the company. They are more specific compared to entity-level
controls and applicable to specific business processes or transactions
such as revenue and collection, expenditures and disbursements,
production process, payroll, and the like.

3. Hard and Soft Controls – specific control activities may be classified
into:
a. Hard controls – are controls that have tangible or physical
characteristics.
b. Soft Controls – are controls that do not have tangible
characteristics.

Internal Controls as to Lines of Defense

1. Preventive Controls – these are the first line of defense against risk
events. These are controls that are intended to avert the happening of
the negative events.

2. Detective Controls – when risks are able to penetrate the preventive
controls, the company should implement detective controls. These are
those controls intended to identify and uncover fraud, error, or
noncompliance that may have already occurred within the company.
As such, detective controls serve as the second line of defense.

3. Corrective Controls – are designed to correct errors or irregularities
that have been detected.

Fraud and Error


Fraud is an intentional act involving the use of deception that results in
a material misstatement of the financial statements. There are generally
three requirements for fraud to occur - motivation, opportunity and personal
characteristics. Motivation is usually situational pressures in the form of a
need for money, personal satisfaction, or to alleviate a fear of failure.
Opportunity is access to a situation where fraud can be perpetrated, such as
weaknesses in internal controls, necessities of an operating environment,
management styles and corporate culture. Personal characteristics include a
willingness to commit fraud. Personal integrity and moral standards need to
be “flexible” enough to justify the fraud, perhaps out of a need to feed their
children or pay for a family illness. It is difficult to have an effect on an
individual’s motivation for fraud. Personal characteristics can sometimes be
changed through training and awareness programs. Opportunity is the
easiest and most effective requirement to address to reduce the probability
of fraud. By developing effective systems of internal control, you can remove
opportunities to commit fraud.
Two types of misstatements are relevant to auditor’s consideration of
fraud:

A. Misstatements arising from misappropriation of assets
• Asset misappropriation occurs when a perpetrator steals or misuses
an organization’s assets. It can be accomplished in various ways
including embezzling cash receipts, stealing assets, or causing the
company to pay for goods or services that were not received. Asset
misappropriation commonly occurs when employees:
a. Gain access to cash and manipulate accounts to cover up cash
thefts.
b. Manipulate cash disbursements through fake companies.
c. Steal inventory or other assets and manipulate the financial
records to cover up the fraud.

B. Misstatements arising from fraudulent financial reporting.
• The intentional manipulation of reported financial results to misstate
the economic condition of the organization is called fraudulent
financial reporting. The perpetrator of such a fraud generally seeks
gain through the rise in stock price and the commensurate increase in
personal wealth. Sometimes the perpetrator does not seek direct
personal gain, but instead uses the fraudulent financial reporting to
“help” the organization avoid bankruptcy or to avoid some other
negative financial outcome. Three common ways in which fraudulent
financial reporting can take place include:
a. Manipulation, falsification, or alteration of accounting records or
supporting documents.
b. Misrepresentation or omission of events, transactions, or other
significant information.
c. Intentional misapplication of accounting principles.

The Fraud Triangle

The three elements of the fraud triangle are:

1. Pressures to commit fraud – Fraud-related risk assessment considers
incentives and pressures to commit fraud. Incentives relating to asset
misappropriation include:
a. Personal factors such as severe financial considerations
b. Pressure from family, friends, or the culture to live a more lavish
lifestyle than one’s personal earnings allow for
c. Addictions to gambling or drugs.

The incentives include the following for fraudulent financial reporting:
a. Management compensation schemes
b. Other financial pressures for either improved earnings or an
improved balance sheet
c. Debt covenants
d. Pending retirement or stock option expirations
e. Personal wealth tied to either financial results or survival of the
company
f. Greed

2. Opportunities to Commit Fraud – There are perceived opportunities to
commit fraud when there are neither internal controls nor an audit process in
the company. Some of the opportunities to commit fraud that the top
management should consider include the following:
a. Significant related-party transactions
b. A company’s industry position, such as the ability to dictate
terms and conditions to suppliers or customers that might allow
individuals to structure fraudulent transactions
c. Management’s inconsistency involving subjective judgments
regarding assets or accounting estimates
d. Simple transactions that are made complex through an unusual
recording process
e. Complex or difficult to understand transactions, such as
financial derivatives or special-purpose entities
f. Ineffective monitoring of management by the board, either
because the board of directors is not independent or effective,
or because there is a domineering manager
g. Complex or unstable organizational structure
h. Weak or nonexistent internal controls.

3. Rationalizing the Fraud – for asset misappropriation, personal
rationalization often revolves around mistreatment by the company or a
sense of entitlement by the individual perpetrating the fraud. If
employees in the company believe that stealing is not bad as long as
it is done to feed one’s family, then they are rationalizing that fraud is
sometimes committed for noble purposes.

Risk factors contributory to Misappropriation of Assets


Misappropriation of assets involves the theft of an entity’s assets and
is often perpetrated by employees in relatively small and immaterial
amounts. However, it can also involve management who are usually more
able to disguise or conceal misappropriations in ways that are difficult to
detect. It is often accompanied by false or misleading records or documents
in order to conceal the fact that the assets are missing or have been pledged
without proper authorization.
Misappropriation of assets can be accomplished in a variety of ways
including:
a. Embezzling receipts
b. Stealing physical assets or intellectual property
c. Causing an entity to pay for goods and services not received
d. Using an entity’s assets for personal use

1. Incentives/Pressures
a. Personal financial obligations may create pressure on
management or employees with access to cash or other assets
susceptible to theft to misappropriate those assets.
b. Adverse relationships between the entity and employees with
access to cash or other assets susceptible to theft may motivate
those employees to misappropriate those assets.

2. Opportunities
a. Certain characteristics or circumstances may increase the
susceptibility of assets to misappropriation.
b. Inadequate internal control over assets may increase the
susceptibility of misappropriation of those assets.

3. Attitudes / Rationalizations
a. Disregard for the need for monitoring or reducing risks related
to misappropriation of assets.
b. Disregard for internal control over misappropriation of assets by
overriding existing controls or by failing to correct known
internal control deficiencies.
c. Behavior indicating displeasure or dissatisfaction with the entity
or its treatment of the employee.
d. Changes in behavior or lifestyle that may indicate assets have
been misappropriated.
e. Tolerance of petty theft.

Risk factors contributory to Fraudulent Financial Reporting


Fraudulent financial reporting may be accomplished by the following:
a. Manipulation, falsification, or alteration of accounting records or
supporting documentation from which the financial statements are
prepared.
b. Misrepresentation in, or intentional omission from, the financial
statements of events, transactions or other significant information.
c. Intentional misapplication of accounting principles relating to amounts,
classification, manner of presentation, or disclosure.

Fraud, whether fraudulent financial reporting or misappropriation of
assets, involves incentive or pressure to commit fraud, a perceived
opportunity to do so and some rationalization of the act.

1. Incentive/Pressure
• Incentive or pressure to commit fraudulent financial reporting may
exist when management is under pressure, from sources outside
or inside the entity, to achieve an expected earnings target or
financial outcome – particularly since the consequences to
management for failing to meet financial goals can be significant.

2. Opportunities
• A perceived opportunity to commit fraud may exist when an
individual believes internal control can be overridden, for example,
because the individual is in a position of trust or has knowledge of
specific weaknesses in internal control.
• Fraudulent financial reporting often involves management override
of controls that otherwise may appear to be operating effectively.
Fraud can be committed by management overriding controls using
such techniques as:
a. Recording fictitious journal entries, particularly close to the
end of an accounting period, to manipulate operating results
or achieve other objectives.
b. Inappropriately adjusting assumptions and changing
judgements used to estimate account balances.
c. Omitting, advancing or delaying recognition in the financial
statements of events and transactions that have occurred
during the reporting period.
d. Concealing, or not disclosing facts that could affect the
amounts recorded in the financial statements.
e. Engaging in complex transactions that are structured to
misrepresent the financial position or financial performance
of the entity.
f. Altering records and terms related to significant and unusual
transactions.

3. Rationalizations
• Individuals may be able to rationalize committing a fraudulent act.
Some individuals possess an attitude, character or set of ethical
values that allow them knowingly and intentionally to commit a
dishonest act. However, even otherwise honest individuals can
commit fraud in an environment that imposes sufficient pressure
on them.

Responsibility for the Prevention and Detection of Fraud


The primary responsibility for the prevention and detection of
fraud rests with both those charged with governance of the entity and
management. It is important that management, with the oversight of
those charged with governance, place a strong emphasis on fraud
prevention, which may reduce opportunities for fraud to take place, and
fraud deterrence, which could persuade individuals not to commit fraud
because of the likelihood of detection and punishment. This involves a
commitment to creating a culture of honesty and ethical behavior which can
be reinforced by an active oversight by those charged with governance. In
exercising oversight responsibility, those charged with governance consider
the potential for override of controls or other inappropriate influence over the
financial reporting process, such as efforts by management to manage
earnings in order to influence the perceptions of analysts as to the entity’s
performance and profitability.
