
Module 6 Internal Control

MANAGEMENT SCIENCE

Uploaded by

nuguitjoanne16

Module 6

Internal Controls

LEARNING OUTCOMES

At the end of this module, you should be able to:

1. Understand what internal control is and its purpose
2. Understand the elements of internal control, including the different types of
controls
3. Understand the limitations of internal control

DEFINITION OF INTERNAL CONTROL

Internal control is the process designed, implemented and maintained by those
charged with governance, management and other personnel to provide reasonable
assurance about the achievement of an entity’s objectives with regard to:

a. Reporting
• This pertains to internal and external financial and nonfinancial
reporting and may encompass reliability, timeliness,
transparency.

b. Operations
• This pertains to effectiveness and efficiency of the entity’s
operations, including operational and financial performance
goals, and safeguarding assets against loss.

c. Compliance
• This pertains to adherence to laws and regulations to which the
entity is subject.

This definition reflects certain fundamental concepts of internal controls:

a. It is geared towards achievement of organizational objectives – financial
reporting, operations and compliance. It is established in order to help
management and those charged with governance achieve those objectives.

b. It is a process of ongoing tasks and activities. It is not an end in itself but a
means to an end. It is not the objective itself but a means to achieve the
entity’s objectives.

c. It is effected by people. It is not merely manuals, written procedures, forms
and systems but is about people and their actions at every level of the
organization.

d. It is able to provide reasonable assurance – a high level of assurance but not
an absolute assurance because it has inherent limitations. (Refer to the
discussion of inherent limitations of internal control later in this module.)

e. It is adaptable to the entity structure. It is applicable to the entire entity or to
a specific subsidiary, division, operating unit or business process.

Assessment Task 01
When considering internal control, an auditor should be aware of the concept of reasonable assurance,
which recognizes that:
A. Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B. Adequate safeguards over access to assets and records should permit an entity to maintain
proper accountability.
C. Establishing and maintaining internal control is an important responsibility of management.
D. The cost of an entity’s internal control should not exceed the benefits expected to be derived.

COMPONENTS OF INTERNAL CONTROL

COSO identifies five (5) components of internal control.


• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring

Some authors liken the components of internal control to the manner in which a
family keeps the household safe from intruders. First, the head of the family must
have concern about keeping the house safe. That concern will likely trickle down to
the other family members as well. That is your control environment – oversight of
the head of the family and the culture created within the household of proactively
keeping the home safe.

Second is risk assessment. The family, particularly its head, will assess where the
intruder may be able to enter and the likelihood that an intrusion could occur. Would
it be through the backdoor? Or through the balcony in the second floor, perhaps?

Next, after having assessed where the intruder may be able to enter and the
likelihood of occurrence, the family devises ways to prevent it or detect it, if it ever
happens. The family may decide to secure its backdoor through the use of double
locks. Depending on the family’s cost-benefit analysis, they may decide to
purchase CCTV systems near possible entrances and exits. That is the control
activities component.

Next, after having installed such devices or systems, the head of the family should
inform the rest of the household members about them so that they may be used
effectively. Communication among household members is also important because
there may be risks assessed by one that are not known by the others, especially the
head of the family. That is the fourth control component – information and
communication.

Lastly, the household should not rest easy that there are locks or CCTV in place.
They should continuously check whether these devices (controls) are operating
effectively. That is the fifth component, monitoring.

Assessment Task 02
Which of the following is not a component of an entity’s internal control?
A. Control risk.
B. Control activities.
C. Monitoring.
D. Control environment.

These components are discussed in detail below:

A. Control Environment

• Culture of honesty and ethical behavior created by management and
those charged with governance

• The “tone at the top” set by management and those charged with
governance

• The foundation for all other components of internal controls

The COSO Internal Control – Integrated Framework Executive Summary
describes control environment as follows:

• It is the set of standards, processes and structures that provide the
basis for carrying out internal control across the organization. The
board of directors and senior management establish the tone at the top
regarding the importance of internal control including expected
standards of conduct. Management reinforces expectations at the
various levels of the organization. It comprises the integrity and ethical
values of the organization; the parameters enabling the board of
directors to carry out its governance oversight responsibilities; the
organizational structure and assignment of authority and responsibility;
the process for attracting, developing, and retaining competent
individuals; and the rigor around performance measures, incentives,
and rewards to drive accountability for performance. The resulting
control environment has a pervasive impact on the overall system of
internal control.

Elements of the control environment

a. Communication and enforcement of integrity and ethical values

o Setting a good example is necessary but is not enough. Top
management should verbally communicate the entity’s values
and behavioral standards to employees.

b. Commitment to competence

o Competence is the knowledge and skills necessary to
accomplish tasks that define the individual’s job. Management
needs to specify the competence levels for particular jobs and
make sure those possessing the necessary training, experience,
and intelligence perform the job.

c. Participation by those charged with governance

o The guidance and oversight responsibilities of an active and
involved board of directors who possess an appropriate degree
of management, technical, and other expertise is critical to
effective internal control. The board must be prepared to
question and scrutinize management’s activities, present
alternative views and have the courage to act in the face of
obvious wrongdoing. This highlights the importance of
nonexecutive directors among the board.

d. Management’s philosophy and operating style

o Management’s philosophy and operating style is their attitude
about, and approach to, financial reporting, accounting issues,
and to taking and managing business risk. A personal example
set by top management and the board provides a clear signal to
employees about the company’s culture and about the
importance of control. The chief executive plays a key role in
determining whether subordinates decide to obey, bend, or
ignore company rules, and the kinds of business risks accepted.

o Management philosophy may create significant risk. A key
element of risk is dominance of management by a few
individuals.

e. Organizational structure

o This provides the framework within which business activities are
planned, executed, controlled, and monitored. There should be
clear lines of authority and responsibility.

f. Assignment of authority and responsibility

o How authority and responsibility are assigned throughout the
organization and the lines of reporting have an impact on controls.
For example, a company may require that two officers sign
checks above a certain threshold. Computer users are only
allowed to access certain parts of the accounting system.
Responsibility and delegation of authority should be clearly
assigned. How responsibility is distributed is usually spelled out
in formal company policy manuals.

g. Human resource policies and practices

o A company should take care in hiring, orientation, training,
evaluation, counseling, promoting, compensating, and remedial
actions. Recruiting practices that include formal, in-depth
employment interviews and evidence of integrity and ethical
behavior result in hiring high-quality employees. This is
important because trustworthy and competent employees
compensate for weaknesses in other controls. Honest, efficient
people are able to perform at a high level even when there are
few other controls in place.

o Training improves employee technical skills and communicates
their prospective roles in the enterprise. Rotation of personnel
and promotions driven by periodic performance appraisals
demonstrate the entity’s commitment to its people. Competitive
compensation programs that include bonus incentives serve to
motivate and reinforce outstanding performance. Disciplinary
actions send a message that violations of expected behavior will
not be tolerated.

Assessment Task 03
The overall attitude and awareness of an entity’s board of directors concerning the importance of
internal control usually is reflected in its:
A. Computer-based controls.
B. System of segregation of duties.
C. Control environment.
D. Safeguards over access to assets.

Assessment Task 04
The philosophy and operating style of management would most likely have a significant influence on an
entity’s control environment when
A. The duties of all management are specifically designated.
B. The audit committee is active in overseeing the financial reporting process.
C. Management is dominated by one individual.
D. The internal auditors report directly to management.

B. Entity’s Risk Assessment Process

The following is taken from the discussion of the COSO Internal Control –
Integrated Framework Executive Summary about risk assessment:

• Every entity faces a variety of risks from external and internal sources.
Risk is defined as the possibility that an event will occur and adversely
affect the achievement of objectives. Risk assessment involves a
dynamic and iterative process for identifying and assessing risks to the
achievement of objectives. Risks to the achievement of these
objectives from across the entity are considered relative to the
established risk tolerances. Thus, risk assessment forms the basis for
determining how risks will be managed.

• A precondition for risk assessment is the establishment of objectives,
linked at different levels of the entity. Management specifies objectives
within categories relating to operations, reporting and compliance with
sufficient clarity to be able to identify and analyze risks to those
objectives. Management also considers the suitability of objectives for
the entity. Risk assessment also requires management to consider the
impact of possible changes in the external environment and within its
own business model that may render internal control ineffective.

C. Information System (including the related business processes relevant to
financial reporting) and Communication

The following is taken from the discussion of the COSO Internal Control –
Integrated Framework Executive Summary about information system and
communication:

• Information is necessary for the entity to carry out internal control
responsibilities to support the achievement of objectives. Management
obtains or generates and uses relevant and quality information from
both internal and external sources to support the functioning of other
components of internal control.

• Communication is the continual and iterative process of providing,
sharing, and obtaining necessary information.

o Internal communication is the means by which information is
disseminated throughout the organization, flowing up, down and
across the entity. It enables personnel to receive a clear
message from senior management that control responsibilities
must be taken seriously.

o External communication is twofold: it enables inbound
communication of relevant external information, and it provides
information to external parties in response to requirements and
expectations.

D. Control Activities

These are the policies and procedures that help ensure that management’s
directives are carried out.

The following is taken from the discussion of the COSO Internal Control –
Integrated Framework Executive Summary about control activities:

• These are actions established through policies and procedures that
help ensure that management’s directives to mitigate risks to the
achievement of objectives are carried out. Control activities are
performed at all levels of the entity, at various stages within business
processes, and over the technology environment. They may be
preventive or detective in nature and may encompass a range of
manual and automated activities such as authorizations and approvals,
verifications, reconciliations, and business performance reviews.
Segregation of duties is typically built into the selection and
development of control activities. Where segregation of duties is not
practical, management selects and develops alternative control
activities.

Categories of specific control activities:

a. Authorization

o The delegation and initiation of transactions and obligations on
the company’s behalf.

o For example, a purchase transaction is initiated by a request from
the user department and approved through a purchase order. A
payment is initiated when the accounts payable clerk has
determined that there is already on hand a purchase order,
receiving report and a supplier’s invoice. Ultimately, the
payment is approved when the check is signed by the
authorized check signatory.

o Management should restrict authorization of personnel to
access assets and records.

b. Performance reviews

o These are independent checks on performance by a third party
not directly involved in the activity (internal verification).

o For example:
• reviews of actual performance versus budgets
• surprise checks of procedures
    • Example: surprise check of time cards at the
      beginning of a shift to see whether everyone who
      clocked in is actually present.
• periodic comparisons of accounting records and physical
  assets
    • Example: bank reconciliation, cash counts,
      inventory counts
• review of functional or activity performance
    • Example: bank’s consumer loan manager’s review
      of reports by branch, region, and loan type for
      loan.

c. Information processing

Two types:

1. Application controls

o Controls that apply to applications that initiate, record, process,
and report transactions (such as MS Office, SAP, QuickBooks),
or specific financial reporting modules, such as general ledger,
payroll, purchasing and payment, and billing, rather than the
computer system in general.

o Examples: edit checks of input data, numerical sequence
checks, and manual follow-up of exception reports. In manual
systems, application controls may be referred to as adequate
document and record controls.

2. General controls

o Policies and procedures that relate to many applications and
support the effective functioning of application controls by
helping to ensure the continued proper operation of information
systems.

o Examples: controls over data center and network operations,
controls over system software acquisition, controls over access
to the computer software (password controls), change and
maintenance controls, access security, and application system
acquisition and development controls.

d. Physical controls

o Procedures to ensure the physical security of assets.

o Only individuals who are properly authorized should be allowed
access to the company’s assets. Direct physical access to
assets may be controlled through physical precautions.

o Examples: storerooms guard inventory against pilferage; locks,
fences and guards protect other assets such as equipment; and
fireproof safes and safety deposit vaults protect assets such as
currency and securities.

e. Segregation of duties

No employee should be able to perpetrate fraud and conceal it at the
same time. To prevent the perpetration and concealment of fraud by the
same personnel, segregation of duties should be in place.

The three functions that must be segregated are as follows:

1. Authorization
o is the delegation of initiation of transactions and obligations on
the company’s behalf

2. Custody
o physical control over assets or records

3. Recording
o the creation of documentary evidence of a transaction and its
entry into the accounting records.

A separation of these three functions is an essential element of control.
Let us use the example of wages. Authorization is required for hiring of
staff and is a function of the personnel department. The receipt of
paychecks and issuance of them to the employees is handled by work
supervisors. The accounting department handles the recording of the
time records and the payroll in the payroll journals.

Assessment Task 05
Proper segregation of functional responsibilities calls for separation of the functions of:
A. Authorization, execution, and payment.
B. Authorization, recording, and custody.
C. Custody, execution, and reporting.
D. Authorization, payment, and recording.

E. Monitoring of Controls

This is a process to assess the effectiveness of internal control performance
over time. It involves assessing the effectiveness of controls on a timely basis
and taking necessary remedial actions.

The following is taken from the discussion of the COSO Internal Control –
Integrated Framework Executive Summary about monitoring of controls:

1. Ongoing evaluations, separate evaluations, or some combination of
the two are used to ascertain whether each of the five components
of internal control, including controls to effect the principles within
each component, is present and functioning.

a. Ongoing evaluations, built into business processes at
different levels of the entity, provide timely information.

b. Separate evaluations, conducted periodically, will vary in
scope and frequency depending on assessment of risks,
effectiveness of ongoing evaluations, and other management
considerations.

2. Findings are evaluated against criteria established by regulators,
recognized standard-setting bodies or management and the board
of directors, and deficiencies are communicated to management
and the board of directors as appropriate.

Internal Control Components and Principles Summary

The internal control components and principles are summarized below:

Components and Principles

Control environment
1. The organization demonstrates a commitment to integrity and
ethical values.
2. The board of directors demonstrates independence from
management and exercises oversight for the development and
performance of internal control.
3. Management establishes, with board oversight, structures,
reporting lines, and appropriate authorities and responsibilities in
the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop,
and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.

Risk assessment
6. The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to
objectives.
7. The organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis for
determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks
to the achievement of objectives.
9. The organization identifies and assesses changes that could
significantly impact the system of internal control.

Control activities
10. The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of
objectives to acceptable levels.
11. The organization selects and develops general control activities
over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that
establish what is expected and in procedures that put policies into
action.

Information and communication
13. The organization obtains or generates and uses relevant, quality
information to support the functioning of other components of
internal control.
14. The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to
support the functioning of other components of internal control.
15. The organization communicates with external parties regarding
matters affecting the functioning of other components of internal
control.

Monitoring
16. The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of
internal control are present and functioning.
17. The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for
taking corrective action, including senior management and the
board of directors, as appropriate.

LIMITATIONS OF INTERNAL CONTROL

No matter how effective, internal control can provide the entity with only reasonable
assurance about achieving the entity’s financial reporting objectives because of the
following factors:
1. Human error
2. Human judgment in decision-making can be faulty
3. Controls can be circumvented by collusion of two or more people
4. Inappropriate management override of internal control
5. In designing and implementing controls, management may make judgments
on the nature and extent of the controls it chooses to implement and the
nature and extent of risks it chooses to assume. This includes
management’s cost-benefit considerations in selecting which controls
to implement.

CONSIDERATIONS FOR SMALLER ENTITIES

Smaller entities often have fewer employees which may limit the extent to which
segregation of duties is practicable. Oversight by the owner-manager may
compensate for the generally more limited opportunities for segregation of duties. On
the other hand, the owner-manager may be more able to override controls because
the system of internal control of smaller entities is less structured.

***

ANSWERS TO ASSESSMENT TASKS


1. D
2. A
3. C
4. C
5. B

REFERENCES

Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control –
Integrated Framework, Executive Summary, 2013

Auditing and Assurance Standards Council (AASC), PSA 315, Identifying and Assessing the Risks of
Material Misstatement Through Understanding the Entity and Its Environment

Hayes, Rick et al., Principles of Auditing – An Introduction to International Standards on Auditing,
Second Edition
