Chapter 6
Internal control
Faculty of Economics and Business - Accounting Undergraduate Program
Learning Objective I :
Understand what is meant by Internal
Control
Internal Control: COSO Definition
Internal Control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance (revised in 2013)
Implications from definition:
Internal control is a process
Internal control is affected by people
Internal control can be expected to provide reasonable assurance, not
absolute assurance
Internal control is geared to achievement of objectives
Globally recognized Internal Control
Frameworks
COSO, CoCo, Turnbull : Comparison
Definition of Internal Control
COSO: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance (revised in 2013)
CoCo: Those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization's objectives.
Turnbull: Encompasses the policies, processes, tasks, behavior, and other aspects of a company that offer reasonable assurance in facilitating its effective and efficient operation
COSO, CoCo, Turnbull : Comparison
Components of Internal Control
COSO: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring
CoCo: Purpose, Commitment, Capability, Monitoring and Learning
Turnbull: Control activities, information and communication, processes, monitoring, embeddedness in operations of the company, response to risk and changes, and reporting
Learning Objective II :
Understand Basic Principles of COSO Internal
Control over Financial Reporting
Internal Control Over Financial Reporting (ICFR)
The US Securities and Exchange Commission (SEC) requires the CEO and CFO of publicly traded companies to opine on the design adequacy and operating effectiveness of Internal Control over Financial Reporting (ICFR) as part of the annual filing of financial statements with the SEC.
The SEC requires evidence of compliance, ruling that management must base its evaluation or opinion of the effectiveness of the company's internal control over financial reporting
The SEC suggests adopting the COSO internal control framework for ICFR.
20 Basic Principles for Effective ICFR
COSO Framework: CONTROL ENVIRONMENT
1. Integrity and Ethical Values: Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.
2. Board of Directors: The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.
3. Management's Philosophy and Operating Style: Management's philosophy and operating style support achieving effective internal control over financial reporting.
4. Organizational Structure: The company's organizational structure supports effective internal control over financial reporting.
5. Financial Reporting Competencies: The company retains individuals competent in financial reporting and related oversight roles.
6. Authority and Responsibility: Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.
20 Basic Principles for Effective ICFR
COSO Framework: RISK ASSESSMENT
8. Financial Reporting Objectives: Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.
9. Financial Reporting Risks: The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.
10. Fraud Risk: The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.
20 Basic Principles for Effective ICFR
COSO Framework: CONTROL ACTIVITIES
11. Integration with Risk Assessment: Actions are taken to address risks to the achievement of financial reporting objectives.
12. Selection and Development of Control Activities: Control activities are selected and developed considering their cost and potential effectiveness in mitigating risks to the achievement of financial reporting objectives.
13. Policies and Procedures: Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.
14. Information Technology: Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.
20 Basic Principles for Effective ICFR
COSO Framework: INFORMATION AND COMMUNICATION
15. Financial Reporting Information: Pertinent information is identified, captured, used at all levels of the company, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.
16. Internal Control Information: Information needed to facilitate the functioning of other control components is identified, captured, used, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.
17. Internal Communication: Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.
18. External Communication: Matters affecting the achievement of financial reporting objectives are communicated with outside parties.
20 Basic Principles for Effective ICFR
COSO Framework: MONITORING
19. Ongoing and Separate Evaluations: Ongoing and/or separate evaluations enable management to determine whether the other components of internal control over financial reporting continue to function over time.
20. Reporting Deficiencies: Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.
Learning Objective III :
Identify the Components of COSO Internal
Control Framework
COSO Internal Control Components
COSO Internal Control Component:
Control Environment
The control environment sets the tone of an organization, influencing
the control consciousness of its people.
The foundation for all other components of internal control,
providing discipline and structure.
Control environment factors include:
the integrity, ethical values and competence of the entity's people
management's philosophy and operating style
the way management assigns authority and responsibility, and organizes and develops its people
the attention and direction provided by the board of directors.
COSO Internal Control Component:
Risk Assessment
Every entity faces a variety of risks from external and internal
sources that must be assessed.
A precondition to risk assessment is establishment of objectives,
linked at different levels and internally consistent.
Risk assessment is the identification and analysis of relevant
risks to achievement of the objectives, forming a basis for
determining how the risks should be managed.
Because economic, industry, regulatory and operating conditions
will continue to change, mechanisms are needed to identify and
deal with the special risks associated with change.
COSO Internal Control Component:
Control activities
Control activities are the policies and procedures that help ensure
management directives are carried out.
They help ensure that necessary actions are taken to address
risks to achievement of the entity's objectives.
Control activities occur throughout the organization, at all levels
and in all functions.
They include a range of activities as diverse as approvals,
authorizations, verifications, reconciliations, reviews of operating
performance, security of assets and segregation of duties.
COSO Internal Control Component:
Information and Communication
Pertinent information must be identified, captured and communicated in a form
and timeframe that enable people to carry out their responsibilities.
Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.
Effective communication also must occur in a broader sense, flowing down,
across and up the organization.
All personnel must receive a clear message from top management that control
responsibilities must be taken seriously.
They must understand their own role in the internal control system, as well as
how individual activities relate to the work of others.
They must have a means of communicating significant information upstream.
There also needs to be effective communication with external parties, such as
customers, suppliers, regulators and shareholders.
COSO Internal Control Component:
Monitoring
Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time.
This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.
The scope and frequency of separate evaluations will depend
primarily on an assessment of risks and the effectiveness of ongoing
monitoring procedures.
Internal control deficiencies should be reported upstream, with
serious matters reported to top management and the board.
Examples of Monitoring
Ongoing, Independent:
Regular management supervisory activities
Verification activities
Comparison activities
Reconciliation activities
Continuous management monitoring activities
Ongoing, Non-Independent:
Fraud prevention and detection activities
Continuous auditing techniques or activities
Independent surveillance activities
Separate Evaluation, Independent:
Internal audit function activities
Independent compliance function activities
Independent quality assurance activities
Separate Evaluation, Non-Independent:
Management control self-assessment
Management compliance activities
Management quality assurance activities
Learning Objective IV:
Know the roles and responsibilities each group in
organization has regarding internal control
Roles and Responsibilities in Internal Control
CEO: Tone at the top (how ethical or how much integrity an organization has)
BOD: Overseeing management and providing direction regarding internal control; ensuring management has established an effective system of internal controls
Internal Auditors: Verifying the effectiveness of internal controls in place; providing reasonable assurance that the system of internal controls is designed adequately and operating effectively
Other Personnel: Everyone in the organization has responsibility for internal control; all personnel should be responsible for communicating upward problems in operations, non-compliance with the
Inherent limitation of Internal Control
Human judgment in decision making can be faulty
Breakdowns can occur because of such human failures
as simple error or mistake
Controls can be circumvented by the collusion of two or
more people
Management has the ability to override the internal
control system
Controls must be considered in terms of their costs
compared to their benefits
Learning Objective V:
Understand Types of Risks
Inherent Risk, Controllable Risk and Residual Risk
Inherent risk: The gross risk that exists assuming there are no internal controls in place
Controllable risk: A portion of inherent risk that management can directly influence and reduce through day-to-day business activities
Residual risk: The portion of inherent risk that remains after mitigating all controllable risk
Balancing Risks and Controls
Consequences of Accepting Excessive Risk:
Potential loss of assets
Poor or ineffective business decision making
Potential noncompliance with laws and regulations
Potential for fraud to occur
Consequences of Implementing Excessive Internal Control:
Increased bureaucracy
Excess cost
Unnecessary complexity of controls
Increased cycle time
Non-value-added activities
Learning Objective VI:
Understand Types of Controls
Types of Controls
Based on their level: Entity level control; Process level control; Transaction level control
Based on their importance: Primary controls; Secondary controls
Based on their purpose: Preventive control; Detective control; Corrective control; Directive control
Levels of Controls
Entity level controls: Very broadly focused and often deal with the organizational environment; designed to directly mitigate risks that exist at the organization-wide level; divided into two categories, Governance Controls and Management Oversight Controls
Process level controls: More detailed in their focus than entity level controls; established by process owners to reduce the risk that threatens the achievement of process objectives
Transaction level controls: More detailed in their focus than process level controls; reduce risk in operational level activities
Entity Level Controls - Examples
Controls related to the control environment
Controls over management override
The company's risk assessment process
Controls to monitor results of operations
Policies that address significant business control and
risk management practices
Level Controls - Examples
Reconciliation of key accounts
Physical verifications of assets
Process employee supervision and performance
evaluations
Process level risk assessments
Monitoring of specific transactions
Process Level Controls - Examples
Authorizations
Documentation
Segregation of duties
IT application controls (Input, processing, output)
Controls Based on their Importance
Primary controls: Designed to reduce key risks associated with business objectives; failure to implement can result in the failure of the organization
Secondary controls: Mitigate risks that are not key to business objectives; partially reduce the level of risk when key controls do not operate effectively
Controls based on their Purpose
A preventive control is designed to deter unintended events from occurring in the first place. Ex: physical and logical access controls, such as locked doors and user IDs
A detective control is designed to discover undesirable events that have already occurred. Ex: security camera
A corrective control is one in which detected omissions and errors are corrected
A directive control gives explicit direction regarding what actions need to take place to cause or encourage a desirable event to occur
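As an added illustration that is not part of the lecture notes, the Python sketch below puts the four purpose-based control types from this slide, together with the authorization and segregation-of-duties controls listed among the process and transaction level examples, around a constructed payment ledger. The policy values, the user directory, the payments and the bank statement are all made up; the directive control is the written POLICY, the preventive control is enforced before posting, the detective control is a reconciliation against the bank, and the corrective control posts adjusting or reversing entries for the differences it can explain while escalating the ones it cannot.

```python
"""Preventive, detective, corrective and directive controls around a toy payment
ledger. Added example; every name, role and amount here is constructed."""
from dataclasses import dataclass, field
from decimal import Decimal

# Directive control: a written policy saying who may initiate a payment, who must
# approve it, and above what amount a second approver is required (constructed).
POLICY = {
    "initiator_role": "clerk",
    "approver_role": "manager",
    "dual_approval_above": Decimal("10000"),
}

# Constructed user directory: user -> role.
USERS = {"alice": "clerk", "bob": "manager", "carol": "manager"}


@dataclass
class Payment:
    pid: str
    amount: Decimal
    initiated_by: str
    approved_by: list = field(default_factory=list)


class ControlViolation(Exception):
    """Raised when a payment fails the preventive control."""


def preventive_check(p: Payment) -> None:
    """Preventive control: authorization plus segregation of duties, enforced before
    anything is posted, so a non-compliant payment never reaches the ledger."""
    if USERS.get(p.initiated_by) != POLICY["initiator_role"]:
        raise ControlViolation(f"{p.pid}: {p.initiated_by} is not a {POLICY['initiator_role']}")
    if p.initiated_by in p.approved_by:
        raise ControlViolation(f"{p.pid}: initiator may not approve their own payment")
    approvers = {u for u in p.approved_by if USERS.get(u) == POLICY["approver_role"]}
    required = 2 if p.amount > POLICY["dual_approval_above"] else 1
    if len(approvers) < required:
        raise ControlViolation(f"{p.pid}: needs {required} approval(s), has {len(approvers)}")


def post_payments(payments, ledger):
    """Post the payments that pass the preventive control; return the rejected ones."""
    rejected = []
    for p in payments:
        try:
            preventive_check(p)
            ledger.append((p.pid, p.amount))
        except ControlViolation as err:
            rejected.append((p.pid, str(err)))
    return rejected


def reconcile(ledger, bank_statement):
    """Detective control: compare what was posted with what the bank cleared.
    Returns {pid: (posted_amount, cleared_amount)} for every mismatch."""
    posted = dict(ledger)
    cleared = dict(bank_statement)
    return {pid: (posted.get(pid), cleared.get(pid))
            for pid in posted.keys() | cleared.keys()
            if posted.get(pid) != cleared.get(pid)}


def correct(ledger, diffs):
    """Corrective control: post an adjusting entry for amount differences on known
    payments and reverse entries the bank never cleared; anything the bank cleared
    that was never posted is escalated for investigation rather than silently fixed."""
    escalated = []
    for pid, (posted, cleared) in sorted(diffs.items()):
        if posted is None:
            escalated.append(pid)
        elif cleared is None:
            ledger.append((f"REV-{pid}", -posted))
        else:
            ledger.append((f"ADJ-{pid}", cleared - posted))
    return escalated


def balance(ledger):
    return sum(amt for _, amt in ledger)


def run_demo():
    """Run the full cycle on constructed data and return (rejected, diffs, escalated, balance)."""
    payments = [
        Payment("P1", Decimal("500"), "alice", ["bob"]),
        Payment("P2", Decimal("20000"), "alice", ["bob"]),          # needs two approvers
        Payment("P3", Decimal("300"), "alice", ["alice"]),          # self-approval
        Payment("P4", Decimal("15000"), "alice", ["bob", "carol"]),
        Payment("P5", Decimal("200"), "bob", ["carol"]),            # manager initiating
    ]
    # Constructed bank statement: P4 cleared for 100 more than posted, P9 is unknown.
    bank = [("P1", Decimal("500")), ("P4", Decimal("15100")), ("P9", Decimal("42"))]
    ledger = []
    rejected = post_payments(payments, ledger)
    diffs = reconcile(ledger, bank)
    escalated = correct(ledger, diffs)
    return rejected, diffs, escalated, balance(ledger)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The order matters: the preventive check runs before posting, the reconciliation runs over what was actually posted, and the corrective step only touches differences it can attribute to a known payment, so an unexplained bank item (P9 here) is escalated upstream as the monitoring slide describes rather than absorbed into the ledger.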