Chap 6 - Internal Control

CHAPTER 6
Internal Control
Internal Auditing: Assurance &Internal

AdvisoryAuditing:
Services,Assurance
4th Edition&©Advisory
2017 byServices,
the Internal
4th Edition
Audit Foundation.
© 2017 by the Internal Audit Foundation.
Chapter 6: Internal Control
LEARNING OBJECTIVES
◼ Understand what is meant by internal

control in a variety of frameworks.
◼ Identify the objectives, components, and
principles of an effective internal control
framework.
◼ Know the roles and responsibilities each
group in an organization has regarding
internal control.
◼ Identify the different types of controls and
the appropriate application for each of
them.
◼ Obtain an awareness of the process for
evaluating the system of internal controls.
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
STANDARDS RELEVANT TO
INTERNAL CONTROL
FRAMEWORKS
A framework is a body of guiding principles

that form a template against which
organizations can evaluate a multitude of
business practices.
 These principles are comprised of various
concepts, values, assumptions, and practices
intended to provide a benchmark against which
an organization can assess or evaluate a
particular structure, process, or environment, or
a group of practices or procedures.
 Specific to the practice of internal auditing,
various frameworks are used to assess the
design adequacy and operating effectiveness of
controls.
INTERNAL CONTROL FRAMEWORKS
 There are no substantive differences

among COSO, CoCo, and FRC Internal
Control Guidance. All of the frameworks
include definitions of internal control that
describe a process that provides reasonable
assurance for achieving the objectives of
an organization in three specific
categories: effectiveness and efficiency of
operations, reliability of reporting, and
compliance.
 The components of each internal control
framework are basically the same and can
be examined using the COSO titles for
each component. They are: Control
Environment, Risk Assessment, Control
Activities, Information and
Communication, and Monitoring.
U.S. SARBANES-OXLEY ACT

OF 2002 COMPLIANCE
Many organizations were able to

successfully apply the COSO frameworks
in their efforts to comply with Section
404 of Sarbanes-Oxley, despite
encountering significant unanticipated
costs. Smaller publicly held companies
(as defined in exhibit 6-4), on the other
hand, struggled to comply due to the
prohibitive costs as well as several other
challenges unique to smaller
organizations.
DEFINITION OF INTERNAL CONTROL
COSO broadly defines internal control as:

. . . a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and compliance. This definition emphasizes
that internal control is:
 Geared to the achievement of objectives in one or more separate but overlapping categories—
operations, reporting, and compliance.
 A process consisting of ongoing tasks and activities—a means to an end, not an end in itself.
 Effected by people—not merely about policy and procedure manuals, systems, and forms, but about
people and the actions they take at every level of an organization to effect internal control.
 Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management
and board of directors.
 Adaptable to the entity structure—flexible in application for the entire entity or for a particular
subsidiary, division, operating unit, or business process.*
*
Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 1.
THE OBJECTIVES, COMPONENTS,

AND PRINCIPLES OF INTERNAL CONTROL
COSO explains, “A direct relationship

exists between objectives, which are what
an entity strives to achieve, components
[and principles], which represent what is
required to achieve the objectives, and
entity structure (the operating units, legal
entities, and other structures). The
relationship can be depicted in the form of
a cube.”*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring
Organizations of the Treadway Commission, 2013), 5.
THE PRINCIPLES OF
INTERNAL CONTROL
In addition to the five

integrated components, COSO
also defines 17 supporting
principles representing the
fundamental concepts
associated with each
component of internal control.
CONTROL OBJECTIVES
The COSO framework sets forth three categories of objectives, which allow
organizations to focus on differing aspects of internal control:
 Operations Objectives - These pertain to effectiveness and efficiency
of the entity’s operations, including operational and financial
performance goals, and safeguarding assets against loss.
 Reporting Objectives - These pertain to internal and external financial
and non-financial reporting and may encompass reliability, timeliness,
transparency, or other terms as set forth by regulators, standard setters,
or the entity’s policies.
 Compliance Objectives - These pertain to adherence to laws and
regulations to which the entity is subject.*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 2.
INTERNAL CONTROL COMPONENTS
COSO indicates, “Supporting the organization in its efforts to achieve

objectives are five components of internal control:
 Control Environment
 Risk Assessment
 Control Activities
 Information and Communication
 Monitoring Activities

These components are relevant to an entire entity and to the entity level, its
subsidiaries, divisions, or any of its individual operating units, functions, or
other subsets of the entity.”*
MONITORING
INTERNAL CONTROL ROLES
AND RESPONSIBILITIES
Everyone in an organization has responsibility for internal control:

 Board of Directors
 Management
 Internal Auditors
 Other Personnel
There are legitimate reasons for different groups to be interested in different

objectives. Likewise, different groups, because of their different perspectives,
will perceive the benefits and related costs of internal control very differently,
which is valuable to the organization when assessing the adequate design and
effective operation of internal control.
INHERENT RISK, CONTROLLABLE RISK,
AND RESIDUAL RISK
Inherent risk is the gross risk that exists assuming there are no internal controls in place.
Acknowledgement of the existence of inherent risk and that certain events or conditions are simply
outside of management’s control (external risks) is critical to recognizing the inherent limitations of
internal control.
Identifying external and internal risks at an entity and activity (process and transaction) level is
fundamental to effective risk assessment. Once key risks have been identified, management can link
them to business objectives and the related business processes.

Once entity-level and activity-level risks have been identified, they must be assessed in terms of
impact and likelihood. Risk analysis processes vary depending on many factors specific to an
organization, but typically they include:
 Estimating the impact (or severity) of a risk.
 Assessing the likelihood (or frequency) of the risk occurring (probability).
 Considering how to manage the risk—that is, assessing what actions to take.
INHERENT RISK, CONTROLLABLE RISK,
AND RESIDUAL RISK (CONT’D)
 Controls: risk responses management takes to reduce the impact and/or likelihood of
threats to objective achievement.
 Risk appetite: the types and amount of risk, on a broad level, an organization is
willing to accept in pursuit of value*
 Acceptable variation in performance: the boundaries of acceptable outcomes related
to achieving a business objective (both the boundary of exceeding the target and the
boundary of trailing the target)**
 Controllable risk: that portion of inherent risk that management can directly influence
and reduce through day-to-day business activities.
 Residual risk: the portion of inherent risk that remains after mitigating all controllable
risks
*ERM exposure draft glossary, page 105

*ERM exposure draft glossary, page 19
LIMITATIONS OF INTERNAL CONTROL
While internal control provides reasonable assurance of achieving the entity’s objectives, limitations do
exist. Internal control cannot prevent bad judgments or decisions, or external events that can cause an
organization to fail to achieve its operational goals. In other words, even an effective system of internal
control can experience a failure. Limitations may result from the:
 Suitability of objectives established as a precondition to internal control.
 Reality that human judgment in decision-making can be faulty and subject to bias.
 Breakdowns that can occur because of human failures such as simple errors.
 Ability of management to override internal control.
 Ability of management, other personnel, and/or third parties to circumvent controls through
collusion.
 External events beyond the organization’s control.
While a well-designed system of internal controls can provide reasonable assurance to management
relative to achievement of the organization’s objectives, no system of internal controls can provide
absolute assurance for the reasons listed above.*
TYPES OF CONTROLS
There are many types of controls that are used by an organization to increase
the likelihood that objectives will be met:
 Entity-level, Process-level, and Transaction-level Controls
 Key Controls and Secondary Controls
 Compensating Controls
 Preventive and Detective Controls
 Information Systems (Technology) Controls
Specific controls can fit into several categories at the same time. For example,
a control can be an entity-level control at the same time that it is a key control.
That same control also can be a detective control.
EVALUATING THE SYSTEM OF

INTERNAL CONTROLS
 Management is responsible for putting in place adequately designed and effectively
operating entity-level and activity-level controls to mitigate risks associated with the
achievement of business objectives in each of the three COSO-defined categories:
operations, reporting, and compliance.
 Internal auditors play a significant role in the verification that management has met its
responsibility. Initially, management performs the primary assessment of internal
controls using a formalized process developed for that purpose. The internal audit
function then independently validates management’s results.
 A report is typically submitted to the audit committee by either senior management or

the CAE outlining the results of management’s assessment regarding the design
adequacy and operating effectiveness of the organization’s system of internal controls.

Chap 6 - Internal Control

Uploaded by

Copyright:

Available Formats

Chap 6 - Internal Control

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chap 6 - Internal Control

Uploaded by

Copyright:

Available Formats

CHAPTER 6

Internal Auditing: Assurance &Internal

◼ Understand what is meant by internal

A framework is a body of guiding principles

INTERNAL CONTROL FRAMEWORKS

 There are no substantive differences

U.S. SARBANES-OXLEY ACT

Many organizations were able to

DEFINITION OF INTERNAL CONTROL

COSO broadly defines internal control as:

THE OBJECTIVES, COMPONENTS,

COSO explains, “A direct relationship

In addition to the five

INTERNAL CONTROL COMPONENTS

COSO indicates, “Supporting the organization in its efforts to achieve

Everyone in an organization has responsibility for internal control:

There are legitimate reasons for different groups to be interested in different

*ERM exposure draft glossary, page 105

LIMITATIONS OF INTERNAL CONTROL

EVALUATING THE SYSTEM OF

 A report is typically submitted to the audit committee by either senior management or

You might also like