
Control Process

The document discusses internal controls, including their objectives, importance, definition, and classification. Internal controls are processes designed to provide reasonable assurance of achieving objectives related to operations, financial reporting, compliance and safeguarding of assets. The document also covers the key elements, objectives, and types of controls.

ACT1110

Governance, Business Ethics, Risk Management and Internal Control
CONTROL PROCESS
Learning Objectives
a) Know and explain the key objectives of Internal Control
b) Learn the classification of controls
c) Know the responsibilities for Internal Controls
d) Learn the characteristics, benefits and limitations of Internal Control
What are INTERNAL CONTROLS?
Why are they IMPORTANT?
Internal Control defined…
A process effected by an entity’s board of directors, management and
other personnel, designed to provide reasonable assurance regarding
the achievement of objectives in the following categories:

• Compliance with applicable laws and regulations.
• Adherence to managerial policies.
• Reliability of financial reporting.
• Effectiveness & efficiency of operations.
• Safeguarding of assets.
Internal Control defined/explained
An integral process
• A series of actions throughout the operations on an ongoing basis
• Built in rather than built on; embedded with the management processes of planning,
organizing, budgeting, staffing, implementing, and monitoring
• Not stand-alone or separate specialized systems within an organization
• Interwoven into and made an integral part of each system that management uses
to regulate and guide its operations
Internal Control explained…
Which also means:

• Internal control is a process. It is a means to an end, not an end itself.
• Internal control is effected by people - not merely policy manuals and forms,
but people functioning at every level of the organization.
• Internal control is geared to the achievement of
objectives in several overlapping categories.
• Internal control only provides reasonable assurance
regarding achievement of operational, financial reporting and compliance
objectives.
To make it simple…
CONTROL

• Any action taken by management, the board, and other parties to
manage risk and increase the likelihood that established
objectives and goals will be achieved. Management plans, organizes,
and directs the performance of sufficient actions to provide reasonable
assurance that objectives and goals will be achieved.

Control Processes

• The policies, procedures and activities that are part of a control framework (e.g.,
COSO ICIF) designed and operated to ensure that risks are contained within the level
that an organization is willing to accept.
Examples…
• Proper procedures for authorization, e.g. approval or sign-off of documents
• Adequate separation of duties, e.g. custody, authorization and reporting
• Adequate (enough or complete) documents and records
• Physical control over assets and records, e.g. locking of warehouse
• Independent checks on performance
• Accountability
• Flow of financial information, e.g. approval path


Elements of Control
• Establishing standards for the operation to be controlled
• Measuring performance against the standards
• Examining and analyzing deviations
• Taking corrective action, and
• Reappraising the standards based on experience
CONTROL OBJECTIVES
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Safeguarding of assets
• Adherence to managerial policies
Economical, Efficient, and Effective Operations
Economical
- able to perform functions/tasks using the least amount of resources within a specified
timeframe

Efficient
- “doing things right” given the available resources and within a specified timeframe
- Delivering a given quantity and quality of outputs with minimum inputs or maximizing
outputs with a given quantity and quality of inputs
- Prioritization and leveraging of resources

Effective
- “doing the right things”, able to deliver major final outputs and outcomes and able to
contribute to the attainment of goals and objectives
- directing, executing and implementing
Reliability of financial reporting
• These pertain to internal and external financial and non-financial reporting and may
encompass reliability, timeliness, transparency, or other terms as set forth by
regulators, recognized standard setters, or the entity’s policies.

• Must be (characteristics)
  - Neutral - free from any bias
  - Fairly presented - true and fair view
  - Prudent - a high degree of caution must be taken into account when an assumption is
required
  - Complete - include all financial information, transactions, and events plus
non-financial information
  - Accurate - supported by verifiable evidence/document
Compliance with applicable laws and regulations
• Adherence to laws, regulations, guidelines and specifications relevant to its
organization and operations.

• Examples:
  - SEC issuances
  - BIR regulations
  - Sarbanes-Oxley Act
  - BSP Manual of Regulations for Banks
  - Consumer protection
  - Data privacy
  - BASEL III Frameworks (international regulatory framework for banks)
  - Labor Codes
  - Contracts/Agreements
Safeguarding of assets
• Prevention or timely detection of unauthorized acquisition, use or disposition of the
company’s assets.

• Protecting the firm’s assets against loss due to theft/fraud, accidental destruction and
errors.

• Examples:
  - Segregation of duties (i.e., recording, authorization and custody of assets shall be
handled by separate employees)
  - Dual signature on checks (e.g. four eyes principle)
  - Physical locks on inventory warehouse
  - Employee background checks
Adherence to managerial policies
• Managerial policies
  - define the scope or spheres within which decisions can be taken by the subordinates
in an organization.
  - are guidelines to govern its actions; direct the performance of an outcome
  - deal with acquisition, use, control and disposition of resources

• Examples:
  - Human resource policies
  - Operations policies
  - Accounting policies
  - Accountability policies
  - Reporting policies
General Classification of Controls

Financial Controls
• Procedures, policies and means by which an organization monitors and controls the direction, allocation, and usage of its financial resources.
• Ex: Periodic review of credit policy, disbursement policies, reconciliation of subsidiary ledger to controlling account, financial statement analysis, budget

Operations Controls
• Controls that are used in the management of processes of directing and controlling and are based on comparison of results with standards.
• Designed to ensure that day-to-day actions are consistent with established plans and objectives.
• Ex: manual of operations, job descriptions, flow of information, security matrix, level of approving authorities, performance evaluation
Classification of Controls
As to Importance
Primary (key and significant) Controls
• Control that is essential for a business process; typically takes place during the process it applies to.
• Minimum set of controls that can provide reasonable assurance that the risk is mitigated, provided that the controls are designed properly, operating as intended and are demonstrable (clearly apparent or capable of being logically proved)
• Controls for risks rated as “high”

Secondary Controls
• Control that takes place after the process it applies to (i.e., reporting or ongoing monitoring)
• Any other controls not defined as key or significant. These are supplemental controls frequently used to improve the timeliness of detection of issues or backlog controls used as emergency “catch-all”
• Controls for risks rated as “moderate” or “low”
Classification of Controls
Primary Controls
Preventive Controls
- designed to limit the possibility of an undesirable outcome
- attempt to stop a risk from occurring
- Ex: use of passwords, segregation of duties, storing petty cash in locked safe

Detective Controls
- designed to identify occasions of undesirable outcomes having been realized
- attempt to determine if a risk has occurred
- Ex: reconciliation, inventory count, cash count, burglar alarm

Directive Controls
- designed to ensure that a particular outcome is achieved
- attempt to avoid risk by providing specific ways to do things
- Ex: policies, procedures, employee trainings, job descriptions

Corrective Controls
- designed to limit the scope for loss and reduce any undesirable outcomes which have been realized
- may also provide a route of recourse to achieve some recovery against loss or damage
- Ex: data back-ups can be used to restore lost data in case of a fire or other disaster
Classification of Controls
Secondary Controls
Compensatory (mitigative) Controls
- May reduce risk when the primary controls are ineffective
- However, they do not, by themselves, reduce the risk to an acceptable level
- Ex: supervisory review when segregation of duties is not feasible, as when a store clerk is the only employee present at closing. Accordingly, the clerk counts cash at the end of the day without supervision. The compensation control performed the next morning is for a supervisor to reconcile the count with the cash register data.

Complementary Controls
- Work with other controls to reduce risk to an acceptable level
- Ex: segregation of accounting and custody of cash receipts is complemented by obtaining deposit slips validated by the bank
Classification of Controls
Time-based Controls
Feedforward Controls
- Anticipate and prevent problems
- Require a long-term perspective
- Ex: organizational policies and procedures

Concurrent Controls
- Adjust ongoing processes; these real-time controls monitor activities in the present to prevent them from deviating too far from standards
- Ex: close supervision of production-line workers

Feedback Controls
- Report information about completed activities
- Permit the improvement in future performance by learning from past mistakes
- Ex: inspection of completed goods followed by performing variance analysis procedures helps identify deviations from what was expected. Thus, inspection and analysis of variance provide feedback on how well the completion of the goods meets expectations.
Classification of Controls
As to “Who Performs”
Manual Controls
- Performed by individuals outside of a system
- Applicable when judgment and discretion are required
- Ex: bank reconciliation, matching of cash received against open AR balance

Automated (Application) Controls
- Performed automatically by the system
- Ensure the completeness and accuracy of transaction processing, authorization and validity
- Configuration setting in a system that prevents or detects problems
- Ex: two-factor authentication on user log-in, automatic lock-out of a user after three attempts of incorrect password

IT-Dependent Manual Controls
- Performed by individuals outside of a system but requires some level of system involvement
- Ex: System Administrator’s review of users’ log report (generated by the system)

IT General Controls
- Refers to overall info-processing environment
- Ex: policy management, logical access (pw over infra, apps, and data), change management, physical security
All employees play some role in effecting control!!!
Management’s Responsibility on Internal Control System (ICS)

• Determine the need for controls

• Design suitable controls

• Implement these controls

• Check that these controls are being applied correctly

• Maintain and update the controls

Source: The IA Handbook, third edition by KHS Pickett


Internal Audit’s Role on ICS
• Evaluation of the adequacy and effectiveness of controls in responding to risks within the
organization’s governance, operations, and information systems.
• Assessing those areas that are most at risk in terms of key control objectives.

• Defining and undertaking a program (audit procedures) for reviewing high profile systems
that attract the most risk.
• Reviewing each of these systems by examining and evaluating their associated ICS to
determine the extent to which the five key control objectives are being met.
• Advising management whether or not controls are operating adequately and effectively so
as to promote the achievement of the system’s/control objectives.
• Recommending any necessary improvements to strengthen controls where appropriate,
while making clear the risks involved for failing to effect these recommended changes.
• Following up audit work so as to discover whether management has actioned agreed audit
recommendations
Source: IIA-P
Characteristics of an Effective Control
• Addresses root cause
• Considers cost
• Simple
• Leaves tracks (audit trail)
• Embedded
• Combination of “soft” and “hard” controls
• Covers adequately the Internal Control components and objectives
Characteristics of an Effective Control
• SOFT CONTROL – is a control measure that intervenes in or appeals to
employees’ individual performance (e.g. the communication of ethical values,
fostering of mutual trust - conviction, personality, ethical climate, morale,
integrity and competencies).

• HARD CONTROL – is a control measure that leads to a directly visible change in
direction or action. It can be clearly observed and is therefore easy to test
(e.g. compliance with specific policies and procedures - organizational
structure, assignment of authority and responsibility, and human resource
policies).
Benefits of Internal Control
• It can HELP
  - achieve performance & profitability targets
  - prevent loss of resources
  - ensure reliable financial reporting
  - ensure compliance with laws
  - prevent errors and irregularities and, if they occur, help ensure timely detection
  - an entity get to where it wants to go
• It encourages adherence to prescribed policies and procedures
• It can protect employees
  - by clearly outlining tasks and responsibilities,
  - by providing checks and balances, and
  - from being accused of misappropriations, errors or irregularities.
(Sources: Internal Controls, Office of the Internal Auditor, Washington State University;
http://internalaudit.wsu.edu/internalcontrols.html; IIA-P)
Limitations of Internal Control
• Internal control processes which do not reflect changed operating conditions,
specific agency activities or potential new risks
• Collusion by staff for personal gain or other motives
• Controls failing to capture or flag unusual transactions
• Controls and processes being viewed as a hindrance in the delivery of agency
services so are overridden
• System omissions, human factors, resource constraints or lack of system flexibility
Remember!

“Internal controls, no matter how well designed and operated, can
provide only reasonable assurance to management regarding
achievements of an entity’s objectives.”
Thank you
