CIA Part 1 - Internal Controls

The document outlines the definitions, classifications, and characteristics of internal controls, emphasizing their importance in managing risk and achieving organizational objectives. It details various types of controls, the control process, and the roles of different stakeholders in maintaining effective internal controls. Additionally, it discusses the limitations of internal controls and the components of internal control frameworks, including the COSO and CoCo models.

Uploaded by Elijah's Gurl

Types of Controls

Definition of Control
The IIA defines control in the Glossary:
“Any action taken by management, the
board, and other parties to manage risk
and increase the likelihood that established
objectives and goals will be achieved.
Management plans, organizes, and directs
the performance of sufficient actions to
provide reasonable assurance that
objectives and goals will be achieved.”
COSO Definition of Control
Internal controls are “designed to provide
reasonable assurance regarding the
achievement of objectives in the
following categories:
• Effectiveness and efficiency of
operations,
• Reliability of financial reporting, and
• Compliance with applicable laws and
regulations.”
Ways of Classifying Controls
1. The organizational level at which the
controls exist
2. Manual or automated
3. The type of control
1. Organization Level
Controls
A. Corporate-level (entity level) controls are
mostly manual, which include general policy
statements and values and overall monitoring
procedures.
B. Operational-level controls include both
manual and automated controls.
C. Transaction-level controls are mostly
automated, consisting of complying with
specific control procedures and making sure
financial information is accurate and
complete.
2. Manual vs. Automated
• Manual controls operate through human intervention.
• Automated controls operate through and within a company’s information technology system.
3. Types of Controls
1. Directive
2. Preventive
3. Detective
4. Corrective
5. Compensating
Classification Based on
Timing
Feedforward controls
Concurrent controls
Feedback controls
Planning vs. Controlling
Planning is the process of an organization
setting its goals and objectives.
Through controlling, a company monitors
its progress towards those goals and
objectives.
Without planning there is no way to
implement a control system because
there is no standard against which to
measure performance.
Characteristics of Effective
Controls
1. Economical
2. Meaningful
3. Appropriate
4. Congruent
5. Timely
6. Simple
7. Operational
Benefits of Strong Controls
Controls are a positive means for management to
achieve stated goals and objectives.
• More reliable information for the decision-making
process
• Better control over the assets of the company
• Reduced chance of fraud being committed
• Lower external audit costs
• Increased investor confidence
• A company with weak internal controls puts itself at
risk for employee theft, loss of control over
information, and other damaging inefficiencies
Limitations of Internal
Controls
Even the best internal control system has
limitations.
• Internal controls can provide only
reasonable assurance that objectives can
be achieved.
• Human error, faulty judgment, collusion, and
fraud can all limit the effectiveness of
controls.
• Excess or unreasonable controls can increase
bureaucracy and reduce productivity.
Who Benefits from Controls
• Investors
• External auditors
• Legislative and regulatory bodies
• Organizations with large numbers of employees
• Customers
Who is Responsible for
Controls
• The board of directors is responsible for
overseeing the internal control system
• The CEO is ultimately responsible for
the “tone at the top”
• Senior managers delegate responsibility
• Financial and accounting officers
• External parties such as independent
auditors
Elements of Control Process
The three main elements of the control process are:
1. Setting the objectives that are to be achieved
(e.g., bank reconciliation, purchase requisitions and purchase orders, fixed asset depreciation).
2. Measuring the performance against a standard (e.g., any purchase requisition above 100K must be approved by the next-level manager, any above 500K by the level above that, and so on).
3. Evaluating the results and then correcting or
regulating the performance as a result of what
was measured
Steps in Control Process
1. Set the standards (e.g., no sales below cost).
2. Select the times or points at which to collect information about
the activities.
3. Observe the process or collect the samples. Here: all sales in each quarter that were made below cost.
Q: Which kind of control is used here: preventive, detective or corrective? How does the control work, and what does the system compare? Could it be done manually, and if so, what is the formula for detecting a sale below cost?
4. Record the collected information. We observed 50 Sales
transaction below the cost.
5. Compare and measure the results against the expected or
standard. We need to highlight those sales and ask for the
reason/s.
Steps in Control Process
6. Evaluate the performance. Did this happen all the time, regularly, or rarely?
7. Report any significant deviations or problems to
the appropriate level of management.
8. Implement corrections to the system or processes.
To prevent any below cost sales.
9. Follow up to ascertain if the corrections
implemented are effective. We need to generate
the sales below cost report and to see any
transaction below the cost.
10. Review and revise the standards of performance as necessary.
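The ten steps above, carried through for the "sales below cost" standard as an added example (this code is not from the slides). The ledger, the quarters and the frequency cut-offs used to label a deviation as rare, regular or constant are all constructed assumptions; the detective formula itself is the slide's own: a sale fails the standard when its unit price is lower than its unit cost.

```python
"""Detective control for sales below cost, walked through the control-process steps.
Added example with constructed data and assumed thresholds."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sale:
    invoice: str
    quarter: str
    unit_price: float
    unit_cost: float
    quantity: int

    @property
    def loss(self) -> float:
        """Margin given away on this line; zero when the price covers the cost."""
        return max(0.0, (self.unit_cost - self.unit_price) * self.quantity)


# Constructed sales ledger (assumed data, not real transactions).
SALES = [
    Sale("INV-001", "2023-Q1", 10.0, 8.0, 5),
    Sale("INV-002", "2023-Q1", 7.5, 8.0, 10),   # below cost
    Sale("INV-003", "2023-Q1", 12.0, 9.0, 2),
    Sale("INV-004", "2023-Q1", 9.5, 8.0, 4),
    Sale("INV-005", "2023-Q1", 11.0, 8.0, 1),
    Sale("INV-006", "2023-Q2", 8.0, 8.0, 4),    # sold at cost: meets the standard
    Sale("INV-007", "2023-Q2", 9.0, 8.0, 3),
    Sale("INV-008", "2023-Q3", 5.0, 8.0, 20),   # below cost
    Sale("INV-009", "2023-Q3", 6.0, 8.0, 5),    # below cost
    Sale("INV-010", "2023-Q4", 9.0, 8.0, 3),
]


def is_below_cost(sale: Sale) -> bool:
    """Step 1 standard as a formula: the detective test is unit_price < unit_cost."""
    return sale.unit_price < sale.unit_cost


def sales_below_cost(sales):
    """Steps 3-4: observe every transaction and record each exception."""
    return [s for s in sales if is_below_cost(s)]


def exception_rate_by_quarter(sales):
    """Step 5: compare exceptions with the population at each collection point."""
    total = defaultdict(int)
    flagged = defaultdict(int)
    for s in sales:
        total[s.quarter] += 1
        if is_below_cost(s):
            flagged[s.quarter] += 1
    return {q: flagged[q] / total[q] for q in sorted(total)}


def evaluate_frequency(rate: float) -> str:
    """Step 6: label how often the deviation occurs.
    The cut-offs (10% and 50%) are assumed for illustration only."""
    if rate >= 0.50:
        return "all the time"
    if rate >= 0.10:
        return "regularly"
    if rate > 0:
        return "rarely"
    return "none"


def control_report(sales):
    """Step 7: the exception report sent to the appropriate level of management."""
    flagged = sales_below_cost(sales)
    return {
        "exceptions": [s.invoice for s in flagged],
        "total_loss": sum(s.loss for s in flagged),
        "by_quarter": {q: evaluate_frequency(r)
                       for q, r in exception_rate_by_quarter(sales).items()},
    }


def corrections_effective(sales) -> bool:
    """Step 9: re-run the report after the fix; effective means no exceptions remain."""
    return not sales_below_cost(sales)


if __name__ == "__main__":
    print(control_report(SALES))
```

Run as a script it prints the exception report; `corrections_effective` is the step-9 follow-up, re-run on the next period's ledger once the process change is in place. Because the test runs after the sale has happened, this is a detective control; the same predicate placed in the order-entry screen, rejecting the line before it is saved, would be the preventive form.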
Automated Control System
Application controls ensure that specific
applications will be processed in
accordance with management’s
specifications and in an accurate and
timely manner.
Application controls are broken down
into three main categories: input,
processing, and output controls.
1. Input Controls
A. Edit checks are the programs that check the validity and accuracy of input data.
 Validity checks compare the data entered in a given field with a table of valid
values for that field. For example, the vendor number on a request to cut a check
must match the table of current vendors, and the invoice number must match the
approved invoice table.
 Field/format checks are tests of the characters in a field to verify that they are
of an appropriate type for that field. For example, the system is programmed to
reject alphabetic characters entered in the field for Social Security number.

B. Key verification is the requirement of inputting information again and comparing the two inputs, like a password change where the new password and its confirmation must match.
C. A redundancy check is the process of sending additional sets of data to confirm the accuracy and validity of the original sent data, for example asking for the name of the city where you were born.
D. An echo check is the process of sending received data back to the sending
computer to compare it with previously sent information and making sure that all
information matches up.
E. Completeness checks of transmission of data determine whether all necessary
information has been sent.
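The input edit checks listed above (validity, field/format, key verification and completeness), implemented over a check-request record as an added example; this is not code from the slides. The vendor table, approved-invoice table, field names and sample records are constructed assumptions.

```python
"""Input edit checks for a check-request record (added example, constructed data)."""
import re

# Constructed reference tables used by the validity checks (assumed, not real).
CURRENT_VENDORS = {"V-1001": "Acme Supplies", "V-1002": "Globex Parts"}
APPROVED_INVOICES = {("V-1001", "INV-2024-017"), ("V-1002", "INV-2024-021")}

REQUIRED_FIELDS = ("vendor_number", "invoice_number", "amount", "payee_ssn")
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")   # digits only, as the slide describes
AMOUNT_RE = re.compile(r"\d+\.\d{2}")        # whole units, a dot, two decimals


def completeness_check(record):
    """Name every required field that is absent or empty."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def format_check(record):
    """Field/format checks: the characters must suit the field's type."""
    errors = []
    if not SSN_RE.fullmatch(record["payee_ssn"]):
        errors.append("payee_ssn: expected ###-##-#### with digits only")
    if not AMOUNT_RE.fullmatch(record["amount"]):
        errors.append("amount: expected a decimal amount with two places")
    return errors


def validity_check(record):
    """Validity checks: compare the field against the table of valid values."""
    errors = []
    vendor = record["vendor_number"]
    if vendor not in CURRENT_VENDORS:
        errors.append(f"vendor_number {vendor!r} not in current vendor table")
    elif (vendor, record["invoice_number"]) not in APPROVED_INVOICES:
        errors.append(f"invoice_number {record['invoice_number']!r} "
                      f"not in approved invoice table for {vendor}")
    return errors


def key_verification(entry: str, re_entry: str) -> bool:
    """Key verification: the value is keyed twice and both inputs must match."""
    return entry == re_entry


def edit_check(record):
    """Run the checks in order and return the list of rejection reasons.
    An empty list means the record is accepted for processing."""
    errors = [f"missing field: {f}" for f in completeness_check(record)]
    if errors:
        return errors   # stop here: later checks would index missing keys
    return format_check(record) + validity_check(record)


# Constructed sample records.
GOOD = {"vendor_number": "V-1001", "invoice_number": "INV-2024-017",
        "amount": "1250.00", "payee_ssn": "123-45-6789"}
UNKNOWN_VENDOR = dict(GOOD, vendor_number="V-9999")
UNAPPROVED_INVOICE = dict(GOOD, invoice_number="INV-2024-099")
BAD_FORMAT = dict(GOOD, payee_ssn="12A-45-6789", amount="1250")
INCOMPLETE = {k: v for k, v in GOOD.items() if k != "amount"}

if __name__ == "__main__":
    for name, rec in [("GOOD", GOOD), ("UNKNOWN_VENDOR", UNKNOWN_VENDOR),
                      ("UNAPPROVED_INVOICE", UNAPPROVED_INVOICE),
                      ("BAD_FORMAT", BAD_FORMAT), ("INCOMPLETE", INCOMPLETE)]:
        print(name, edit_check(rec) or "accepted")
```

The ordering matters: completeness runs first so that a missing field is reported as such rather than surfacing as a crash in a later check, and the validity check against the invoice table is keyed on the vendor as well as the invoice number, so an approved invoice of one vendor cannot be used to release a check to another.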
2. Processing Controls
A. Posting check, which compares the contents of the record
before and after updating.
B. Cross-footing, which compares the sum of the individual
components to the total figure. E.g., Sales Invoice.
C. Zero balance check, which is used when a total sum should be 0, e.g. the debit and credit sides of a journal entry.
D. Run-to-run control totals, which provide verification of the
data values during the different stages of processing. E.g.
Payroll processing.
E. Internal header and trailer labels, which ensure that the
correct files are processed.
F. Concurrency controls, which are the process of managing two or more programs trying to access the same information at the same time.
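The posting check, cross-footing, zero balance check and run-to-run control totals above, as an added example that is not code from the slides. The invoice lines, journal entry and four-stage payroll run are constructed; the run deliberately loses one record between the calculation and posting stages so the run-to-run comparison has something to catch.

```python
"""Processing controls over a payroll run and a sales invoice (added example)."""
from decimal import Decimal

D = Decimal   # money is held as Decimal so that totals compare exactly


def posting_check(before: Decimal, posted: Decimal, after: Decimal) -> bool:
    """Posting check: the record after updating must equal before plus the posting."""
    return before + posted == after


def cross_foot(line_amounts, stated_total: Decimal) -> bool:
    """Cross-footing: the individual components must add up to the printed total."""
    return sum(line_amounts, D("0")) == stated_total


def zero_balance(journal_entry) -> bool:
    """Zero balance check: debits minus credits of one entry must be 0."""
    debits = sum((amt for side, amt in journal_entry if side == "DR"), D("0"))
    credits = sum((amt for side, amt in journal_entry if side == "CR"), D("0"))
    return debits - credits == 0


def control_totals(records):
    """Record count and a hash total of the amounts, taken at a stage boundary."""
    return len(records), sum((r["gross"] for r in records), D("0"))


def run_to_run(stages):
    """Run-to-run control: totals must carry unchanged between consecutive stages.
    Returns the first stage whose totals differ from the stage before it,
    or None when the run reconciles end to end."""
    names = list(stages)
    for prev, cur in zip(names, names[1:]):
        if control_totals(stages[prev]) != control_totals(stages[cur]):
            return cur
    return None


# Constructed payroll records flowing through four processing stages.
INPUT = [
    {"emp": "E01", "gross": D("2500.00")},
    {"emp": "E02", "gross": D("3100.50")},
    {"emp": "E03", "gross": D("1875.25")},
]
STAGES = {
    "input": INPUT,
    "validated": list(INPUT),
    "calculated": list(INPUT),
    "posted": INPUT[:2],   # one record silently dropped before posting
}

# Constructed sales invoice lines and journal entries.
INVOICE_LINES = [D("120.00"), D("80.50"), D("19.50")]
JOURNAL_ENTRY = [("DR", D("220.00")), ("CR", D("200.00")), ("CR", D("20.00"))]
UNBALANCED_ENTRY = [("DR", D("220.00")), ("CR", D("200.00"))]

if __name__ == "__main__":
    print("invoice cross-foots:", cross_foot(INVOICE_LINES, D("220.00")))
    print("entry balances:", zero_balance(JOURNAL_ENTRY))
    print("first stage out of balance:", run_to_run(STAGES))
```

Counting records alongside the amount total is what makes the run-to-run check useful: two offsetting errors can leave the amount total intact, but a dropped or duplicated record changes the count.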
3. Output Controls
A. Output distribution controls ensure that
distribution is made in accordance with pre-
authorized automated or manual parameters.
B. Output retention controls ensure that
output retention is being followed in
accordance with organizational policies.
C. Forms control makes sure that there is
proper control over checks, bonds, and stock
certificates. Company Logo, approved
cheque/bond format.
D. Error logs are listings of processing errors.
Segregation of Duties
Under proper segregation of duties, different people
must perform each of the following functions:
1. Authorize the transaction.
2. Record the transaction, prepare source
documents, and maintain journals (i.e., keeping
track of how much of the asset the company
should have).
3. Keep physical custody of the related asset (i.e.,
protecting the assets that the company actually
has).
4. Periodically reconcile physical assets (point 3) to
recorded amounts (point 2).
Example: Within the inventory acquisition cycle,
different people should be responsible for:
1. Authorizing the purchase of inventory.
2. Recording the purchase of inventory in the
accounting records.
3. Receiving the inventory and maintaining the physical
custody of the units of inventory.
4. Reconciling the amount of inventory recorded (point
2) and the amount of inventory held in the
warehouse (point 3).
Controls in Accounting
Cycles
Revenue-receivable cycle
Purchases-payable cycle
Payroll cycle
Cash receipts cycle
Cash disbursements cycle
Internal Control Frameworks
Characteristics & Use
Internal Control Models
A series of control models have been developed:
• The COSO model
• The CoCo model
• The Turnbull report

The Sponsoring Organizations
The five sponsoring organizations are:
1. American Institute of Certified Public Accountants
(AICPA).
2. American Accounting Association (AAA).
3. Institute of Internal Auditors (IIA).
4. Institute of Management Accountants (IMA).
5. Financial Executives International (FEI).

Components of Internal Control
There are five components that make up
internal control:
1. The control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
1. The Control Environment
Considered the most important element of
internal controls because it is the basis on
which the other elements are built.
The control environment sets the tone for the entire organization.
Seven Factors of Environment
1. Integrity and ethical values within the company
2. Management’s commitment to competence
3. Human Resource policies and procedures
4. Assigning authority and responsibility
5. Management’s philosophy and operating style
6. Board of directors and audit committee
oversight
7. Organizational structure
The “Tone at the Top”
The control environment is set by management
by the actions, deeds and behaviors.
Management plays the most important role in
establishing the control environment.
Management’s commitment to competence is
another factor influencing the control
environment.
Setting the Tone at the Top
Controls are more likely to work if management believes
controls are important and communicates that support to all
employees.
• Transmit guidance both verbally and by example.
• Foster a “control consciousness” by setting formal and
clearly communicated policies and procedures that are
followed at all times, without exception.
• Making sure employees are in the right positions.
• Board of directors is responsible for setting corporate policy and for seeing that the company is operated in the best interest of shareholders.
2. Risk Assessment
Risk assessment is identifying, analyzing, and managing the risks that could keep the organization from achieving its objectives.
A pre-condition to assessing risk is the setting of objectives.
Categories of Objectives
Broad categories of objectives include:
• Operational – Relate to the achievement
of the company’s mission.
• Financial – Address the preparation of
external financial reports.
• Compliance – Adhering to all laws and
regulations.
Risk Assessment
Analyzing risks includes:
• Estimating the likelihood of the risk’s
occurrence,
• Deciding how to best manage the risk, and
• What actions can be taken to mitigate the
risk.

Location of Risks
• External Risks include changes in
technology, changes in federal legislation,
natural disasters, economic changes, or
being defrauded, or robbed.
• Internal Risks include employee
embezzlement accompanied by falsification
of records to conceal theft; lack of compliance
with governmental regulations; or other illegal
acts by employees, such as taking a bribe.
3. Control Activities
These are the policies that are developed to
address the risks. These risks may be fraudulent
reporting or theft or conflict of interest, or
something else.
Control activities should be designed to mitigate risk,
wherever risk exposure is determined to exist, for
the purpose of protecting the organization’s ability
to achieve its objectives.
Controls that are implemented must have a benefit
that is greater than the cost of that control.
Examples of Control Activities
• Top level review of actual performance
• Reviews by management at the functional or
activity level
• Controls to check accuracy, completeness, and
authorization
• Independent checks
• Various performance indicators
• Physical controls to safeguard assets
Examples of Control Activities
• Documents and record protection and
authorization
• Pre-numbered documents
• Performance evaluations
• Hiring controls to ensure that qualified
personnel are hired
• Control over system modifications
• Segregation of duties
Segregation of Duties
1. Identify a function that is indispensable,
but potentially subject to abuse.
2. Divide that function into separate steps,
each of which is necessary for the function
to work, or for the power that enables that
function to be abused.
3. Assign each step (or duty) to a different
person or organization.
Duties to be Segregated
The following duties need to be segregated
between different people:
1. The authorization of a transaction,
2. The recording (record keeping) of the
transaction,
3. Keeping physical custody of the asset, and
4. The periodic reconciliation of the records of
the asset (how much there should be) to the
actual amount of the asset (how much there is).
Examples of Segregation of Duties
One person has authority to adjust accounts receivable,
while a different person posts payments on customer
accounts
One person is responsible for preparing the bank deposit,
while a different person reconciles the checking account.
One person has custody of cash receipts, while a different
person has the authority to authorize account write-offs.
One person authorizes issuance of purchase orders, while a
different person is responsible for recording receipt of
inventory.
Limitations of Segregation of Duties
No system is perfect and no system can eliminate
all of the risks that a company faces.
Two reasons that risk cannot be completely eliminated are:
• Collusion
• Human judgment
4. Information & Communication
Relevant information needs to be obtained and
communicated to people to allow them to perform their
duties.
Reports must contain information that management
needs and must be available in a timely manner.
• Communication must be on-going, both within and
between the various levels and activities of the
organization.
• Reports must be available containing operational, financial, and compliance information needed for informed decisions.
4. Information & Communication
• Supervisors must communicate duties and
responsibilities, and employees must alert
management to potential problems.
• Information must be communicated both
internally and externally.
• The system must provide a way to communicate important information to the very top of the organization.
5. Monitoring
Monitoring is the process of reviewing the
controls over time to make sure that they
are still relevant and still functioning as
they were intended to function.
As technologies change and business
operations change, some of the controls
that had been relevant may no longer be
relevant.
Methods of Monitoring
Monitoring can be done in two ways:
1. Ongoing monitoring during normal
operations, and
2. Separate evaluations by management with
the assistance of the internal audit function,
or some other independent specialist.
If monitoring is done regularly, there is a lesser
need for separate evaluations.
Components of Internal Control
1. The control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

Alternative Control
Frameworks
The CoCo Model
The CoCo model was designed by the Criteria of
Control Board of the Canadian Institute of
Chartered Accountants.
According to CoCo, control comprises “those
elements of an organization (including its
resources, systems, processes, culture,
structure and tasks) that, taken together,
support people in the achievement of the
organization’s objectives.”
Components of CoCo Model
The model has four components:
1.Purpose
2.Commitment
3.Capability
4.Monitoring and Learning
1. Purpose
1. Objectives should be established and communicated.
2. Significant internal and external risks should be
identified and assessed.
3. Policies to support the achievement of the
organization’s objectives should be designed,
communicated and implemented.
4. Plans should be established and communicated to
assist in the achievement of objectives.
5. There should be measurable performance targets in
the objectives and plans.
2. Commitment
6. Ethical values should be established and
practiced at all levels in the organization.
7. Human resources policies should be
consistent with the firm’s ethical values.
8. Authority, responsibility and accountability
should be clearly defined and consistent
with the organization’s objectives.
9. An atmosphere of mutual trust should be supported through the flow of information and communication.
3. Capability
10. People should have the needed knowledge, skills and
tools to support the achievement of the organization’s
objectives.
11. Communication should support the values and
achievement of objectives.
12. Sufficient and relevant information should be identified
and communicated to the appropriate party in a timely
manner.
13. Decision-making in the company should be coordinated
between departments.
14. Control activities should be designed and implemented.
4. Monitoring and Learning
15. External and Internal environments should be monitored for
feedback on the achievement of objectives.
16. Performance should be monitored against targets and goals.
17. The assumptions used in the development of plans and
goals should be reviewed periodically.
18. Information and communication needs to be periodically
reviewed.
19. Follow-up procedures should be implemented to ensure that
the needed changes occur and are effective.
20. There should be periodic review of the effectiveness of the
control system.
CoCo and COSO Similarity
Both COSO and CoCo emphasize soft
controls.
These are controls that are not specific tasks that must be done; rather, they focus on ideas and expectations of the people in the company.
The Turnbull Report
Internal Control: Guidance for Directors on
the Combined Code (1999, updated 2005)
is more commonly referred to as the
Turnbull Report.
Informs directors of their obligations under
the UK Combined Code with regard to
keeping effective internal control in their
companies and maintaining appropriate
audits and checks to ensure the quality of
financial reporting.
Turnbull Definition of IC System
Turnbull report says that the system of internal control
should:
• Be embedded in the operations of the company and
form a part of its culture;
• Be capable of responding quickly to evolving
risks to the business arising from factors within the
company and to changes in the business environment;
and
• Include procedures for reporting immediately to
appropriate levels of management any
significant control failings or weaknesses that are
identified together with details of corrective action
being undertaken.
Key Tenets of Turnbull
1. Board’s responsibility for internal
controls
2. Management’s responsibility for
internal controls
3. Employee’s responsibility for internal
controls
4. Adopting a risk-based approach
5. Ongoing monitoring of risks and
controls
1. Board’s Responsibility
for Internal Controls
The board is ultimately responsible for an
organization’s internal controls.
The board should set appropriate policies
on controls and get regular assurance
that internal controls are functioning
effectively.
Additionally, the board should undertake an
annual assessment for the purpose of
making its public statement on internal
controls.
2. Management’s Responsibility for
Internal Controls
Management’s role is to implement
board policies on risk and control.
Management should identify and
evaluate the risks faced by the
company for consideration by the
board and design, operate and
monitor a suitable system of internal
control which implements the policies
adopted by the board.
3. Employee’s Responsibility for
Internal Controls
All employees have some responsibility for
internal control as part of their
accountability for achieving objectives.
Employees must have the necessary knowledge, skills, information, and authority to establish, operate, and monitor the system of internal control.
4. Adopting a Risk-Based Approach
The company needs to adopt a risk-
based approach to establishing a
sound system of control and
reviewing its effectiveness.
This should be incorporated within the company’s normal management and governance processes.
5. Ongoing Monitoring of Risks and
Controls
Risks and controls need to be continuously monitored and fine-tuned in order to respond to changes in the organization’s risk exposures.
A feedback process should be in place to ensure that appropriate change or action occurs in response to changes in risk and control assessments.
Summary of Models
Though there are different definitions
and terminology, all of them share a
similar concept of control.
Each model stresses controls only
provide reasonable assurance.
The effectiveness of a control system
depends heavily on the people in the
organization.
Examining the
Effectiveness and
Efficiency of Internal
Controls
Role of Internal Audit in
Controls
Standard 2130 lays out the IAA’s
priorities for assessing internal controls.
Standard 2130 – Control
The internal audit activity must assist the organization in maintaining
effective controls by evaluating their effectiveness and efficiency and by
promoting continuous improvement.
2130.A1 – The internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the organization’s
governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.
2130.C1 – Internal auditors must incorporate knowledge of controls
gained from consulting engagements into evaluation of the organization’s
control processes.
Preliminary Work
The IAA’s primary goal with respect to controls is
evaluating effectiveness and efficiency and “promoting
continuous improvements.”
• Meeting with the board and upper management to
get a sense of the “risk appetite, risk tolerance,
and risk culture.”
• Studying the controls currently in use.
• Reviewing any previous assessment of controls,
recommendations, and enacted remedies.
• Consulting the company’s legal counsel to
understand any relevant regulatory and statutory
requirements.
Evaluating Effectiveness
The system for evaluating control
effectiveness proceeds in this manner:
• Identify objectives and any associated risks.
• Determine the significance of any risks.
• Make note of the responses to these risks.
• Identify the “key controls.”
• Assess how well a given control is designed.
• Test the control to ascertain the
effectiveness of the design.
Evaluating Efficiency
An efficient control is cost-effective,
maximizes its resource allocation, and
provides discernable value for the company.
• The level of control must be “appropriate
for the risk it addresses.”
• The costs of the control must not exceed
the benefits it provides.
• No control should “create significant
business concerns.”
Continuous Improvement
The control-evaluation activity should be
an ongoing process.
• Regular training meetings for
employees,
• Frequent contact with management for
updates and input, and
• “Monitoring technical advancements”
that might enhance the controls
process.
Conformance and Documentation
Conformance is not a static quality.
Documentation should always be kept up-to-date.
Report to Sr. Management
and the Board
A formal report should be provided annually to
senior management and the board.
In addition to the auditor’s professional judgment
about the efficiency and effectiveness of the
control processes, the report should also:
• Emphasize the importance of internal controls to
the organization.
• Describe the nature and extent of the work the
internal auditor performed.
• Note the work of other assurance providers that
was used in formulating the conclusion.