
Understanding Internal Controls Framework

The document outlines the definition and importance of internal controls, emphasizing their role in ensuring operational efficiency, safeguarding assets, and compliance with regulations. It describes the COSO Integrated Framework, which consists of five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. Additionally, it highlights various financial, operational, and strategic risks that organizations face, along with the necessity of implementing effective internal controls to mitigate these risks.

INTERNAL CONTROLS

TABLE OF CONTENTS:
01 Internal Control Definition and Importance
02 Risks
03 COSO’S Internal Control Integrated Framework
04 Internal Control Examples
05 Internal Control Applications
06 Critical Thinking and Summary

01 Internal Control Definition and Importance

What is Internal Control?

Internal Control-Integrated Framework (2013)

❑ Internal Control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

According to COSO’s Definition:

✔ Internal Control is a process.
Internal controls are the mechanisms, rules, and procedures implemented by a company in relation to operation, reporting and compliance.

✔ Internal Control necessarily involves people throughout the organization.
Board of Directors, management and other personnel are involved in internal control design, implementation and evaluation. In addition, internal controls are subject to a cost/benefit constraint, similar to the constraint identified in the FASB Conceptual Framework of Accounting.

✔ Internal Controls are designed to provide reasonable assurance.
Internal controls are designed to provide reasonable assurance:
• That information is reliable, accurate and timely
• Of compliance with applicable laws, regulations, contracts, policies and procedures
• Of the reliability of financial reporting

Why are Internal Controls Important?

o Safeguarding Assets
o Ensuring Financial Statements Reliability
o Promoting Operational Efficiency
o Encouraging Compliance with Management Directives

Safeguarding Assets
Safeguarding of assets is defined as those policies and procedures
that "provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of the company's assets that could have
a material effect on the financial statements."

For example, a company performs periodic physical inventory counts timely in relation to its quarterly and annual financial reporting dates. Although the physical inventory count does not safeguard the inventory from theft or loss, it prevents a material misstatement to the financial statements if performed effectively and timely.

o Ensuring Financial Statements Reliability

The reliability principle aims to ensure that all transactions, events, and business activities presented in the financial statements are reliable. Information is considered reliable if it can be checked, verified, and reviewed with objective evidence.

For instance, a business or entity can use an accounting system that allows it to record expenses only if there is valid proof.

o Promoting Operational Efficiency

Operational efficiency is the ability of an organization to reduce waste in time, effort and materials as much as possible, while still producing a high-quality service or product. Financially, operational efficiency can be defined as the ratio between the input required to keep the organization going and the output it provides.

o Encouraging Compliance with Management Directives

This is the way an organization ensures employees comply with internal policies, procedures, rules, as well as performance and behavioral standards (by distributing a company procedures manual).

02 Risks

Brown’s Risk Taxonomy

Financial Risk
▪ Market Risk
▪ Credit Risk
▪ Liquidity Risk

Strategic Risk
▪ Legal and Regulatory Risk
▪ Business Strategy Risk

Operational Risk
▪ System Risk
▪ Human Error Risk

Hazard Risk
▪ Directors’ and Officers’ Liability Risk

Financial Risks:

a. Market Risk
Refers to changes in a company’s stock prices, investment values, and interest rates.

b. Credit Risk
Associated with customers’ unwillingness or inability to pay amounts owed to the organization.

c. Liquidity Risk
Involves the possibility that a company will not have sufficient cash and near-cash assets available to meet its short-term obligations.

Operational Risks:

a. Systems Risk
This relates directly to information technology (IT), which includes malware, data theft, and server crashes.

b. Human Error Risk
It recognizes the possibility that people in the organization will make mistakes.

Strategic Risks:

a. Legal and Regulatory Risk
This risk is concerned with the chance that the management and BOD might break laws in their decisions that result in financial, legal, or operational sanctions.

b. Business Strategy Risk
This comprises poor decision making related to a company’s basis for competing in its markets.

Hazard Risks:

Directors’ and Officers’ Liability Risk
In which directors and officers are accused of mismanagement by shareholders. Government agencies, employees or other stakeholders bear this risk in a very direct way.

03 COSO’S INTERNAL CONTROL INTEGRATED FRAMEWORK

Committee of Sponsoring Organizations of the Treadway Commission

The Committee of Sponsoring Organizations of the Treadway Commission is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence.

COSO COMPRISES FIVE PROFESSIONAL ACCOUNTING ORGANIZATIONS

❑ AMERICAN ACCOUNTING ASSOCIATION

❑ AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS

❑ FINANCIAL EXECUTIVES INSTITUTE

❑ INSTITUTE OF INTERNAL AUDITORS

❑ INSTITUTE OF MANAGEMENT ACCOUNTANTS


COMPONENTS

01 CONTROL ENVIRONMENT
Establishing the “tone at the top”

02 RISK ASSESSMENT
Clarifying an organization’s risk exposure

03 CONTROL ACTIVITIES
Developing specific controls to address the risk exposure

04 INFORMATION AND COMMUNICATION
Ensuring stakeholders know about the internal control plan

05 MONITORING
Keeping plan updated and relevant

Exhibit 1. The COSO Cube

CONTROL ENVIRONMENT

Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization.

Top management can start creating a good control environment by mentioning internal control in organizational communications, providing training and development opportunities, and maintaining open lines of communication regarding internal control effectiveness (or lack thereof).


Control Environment component has five (5) principles:

❑ The organization demonstrates a commitment to integrity and ethical values.
❑ The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
❑ Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
❑ The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
❑ The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

RISK ASSESSMENT

Risk assessment will assess how big the risks are, both individually and collectively, in order to focus management’s attention on the most important threats and opportunities, and to lay the groundwork for risk response. Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being overcontrolled or forgoing desirable opportunities.

For example, if a company’s goals include increasing the percentage of sales from new customers, it must consider things that could interfere with that goal, such as insufficient advertising.

CONTROL ACTIVITIES

Control activities are policies, processes and procedures that will address the risks in a cost-effective way and provide reasonable assurance that the goals will be achieved. Organizations can “address” risks in at least 3 ways: prevention, detection, and correction.

Ex: To address the risk of insufficient advertising, an organization might allocate more money to the advertising budget and/or conduct a survey to assess the effectiveness of current advertising methods.

The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

⬣ The management and board of the entity will establish control activities that would eliminate risks or reduce their occurrences to the barest minimum or at least an acceptable level. Matrices can be drawn up to indicate the risks that the organization is exposed to as well as the controls that can be put in place to limit them. Also, authorization limits can be set to reduce the entity’s exposure to the possibilities of one man’s fraudulent activities. Duties can be duly segregated to prevent one man seeing through all stages of a transaction. These can, at least, limit the occurrences of fraudulent practices even if they do not totally eradicate them.

The organization selects and develops general control activities over technology to support the achievement of objectives:

⬣ Since the advent of technology, a lot of business processes have become computerized and automated. However, even though technology works to a very high level of accuracy, its outputs are based on the inputs fed into it. As a result, there are risks of producing inaccurate outputs through errors and misstatement in the input. There is therefore just as much need to place controls around the electronic business process as there is over the manual/people operated processes. For that reason, duties can also be segregated amongst different personnel, so one person does not handle too many processes. One person could be made to input transactions while another person would have the duty of authorizing the transaction. This provides a level of risk mitigation and confidence in reports, but only as long as these personnel do not collude.

The organization deploys control activities through policies that establish what is expected and procedures that put policies into action:

⬣ The organization should select and develop control activities, including control activities over technology, that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. This principle however elaborates that even though the previous principles are important, their objectives would not be fulfilled unless they are properly documented and implemented as policies. These policies, after being developed, can be cascaded throughout the organization by leaders in various positions and parts of the entity. The policies, apart from being assessed on a regular basis, should also be reviewed when there is a specific need for such.

INFORMATION AND COMMUNICATION

• The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
• The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
• The organization communicates with external parties regarding matters affecting the functioning of internal control.

For example, a company might post some components of the internal control plan on its Web site; it might also require employees to participate in training sessions to familiarize them with the plan.

MONITORING ACTIVITIES

• The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
• The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Establishing a monitoring plan should, at minimum, involve a timeline (such as quarterly or annually), assignment of responsibility (such as with the internal audit department or a company-wide committee), and suggested activities (such as surveys or employee focus groups).

“EACH OF THE FIVE COMPONENTS AND RELEVANT PRINCIPLES MUST BE PRESENT AND FUNCTIONING.”

“The five components operate together in an integrated manner.”

THANK YOU!
