
Jean Carla J. Silva
BSMA-2103

CHAPTER 4 INTRODUCTION TO RISK MANAGEMENT: "WHAT CAN GO WRONG?"

RISK
➢ Described as "things that can go wrong".
➢ Should be identified before they even happen so that the company will be in a better position, and have more time, to prepare for them.
➢ Comes from the Italian word "risicare", which means to dare; a choice under uncertain conditions (rather than fate).
➢ Risks represent the barriers to successfully achieving the company's objectives as well as the opportunities that may help achieve those objectives.
➢ It does not represent a single point; rather, it represents a range of possible outcomes.
❖ According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), risk is the possibility that an event will occur and adversely affect the achievement of enterprise objectives.
❖ According to the International Organization for Standardization (ISO), risk is now defined as the "effect of uncertainty on objectives", which focuses on the effect of incomplete knowledge of events or circumstances on an organization's decision making.

INTERNAL EVENTS AND THEIR IMPACT (events that occur within the company)
1. INTERNAL FRAUD
● Financial loss
● Damage to the reputation of the company
2. MACHINE BREAKDOWN
● Disruption in the production process
● Failure to deliver finished goods to customers
3. ACCIDENT IN THE FACTORY
● Physical injuries, loss of lives
● Increase in medical costs
4. VIOLATIONS OF LAWS AND REGULATIONS
● Fines and penalties
● Potential criminal prosecution of erring corporate officers and employees

EXTERNAL EVENTS AND THEIR IMPACT (those that happen outside the company)
1. ECONOMIC RECESSION
● Decline in sales revenue and operating profit
● Possible closure of the business
2. ENTRY OF MORE COMPETITORS IN THE MARKET
● Loss of market share
● Decline in sales revenue
3. BANKRUPTCY OF A MAJOR CUSTOMER
● Failure to collect receivables
● Decline in cash balance
4. PANDEMIC (e.g. COVID-19, SARS) & NATURAL CALAMITIES (flood, earthquakes, volcanic eruption)
● Disruption in business operations
● Decline in revenue and profit
● Possibility of closure of the business

TYPES OF RISK

FINANCIAL RISK
➢ The likelihood that the company might incur a financial loss, or suffer a decline in profit, capital, investment or cash flows, on account of the occurrence of events or transactions.

FINANCIAL RISK CATEGORY:
1. CREDIT RISK
➔ The risk that a counter-party such as a customer or borrower might fail to pay its account on the due date.
➔ This risk is present in all activities where there is an expectation of returns or repayments.
2. LIQUIDITY RISK
➔ The risk that the business will not be able to meet its financial obligations as they fall due because of insufficient cash.
➔ This also includes the possibility that the business may not be able to convert non-cash assets such as investments into cash on short notice.
3. MARKET RISK
➔ The risk of volatility in the market brought about by factors of interest rate, foreign currency, and market prices.
a. INTEREST RATE RISK
● Potential decline in earnings and capital arising from changes in interest rates in the market
b. FOREIGN CURRENCY RISK
● Fluctuations in exchange rates could affect the profit of the business
c. PRICE RISK
● Changes in specific prices (stock price, price of other investments) could affect the profit or cash flow of the business
4. BUSINESS RISK
➔ The possibility that the business may not be able to generate sufficient revenue, or may face an increase in production and operating costs.
➔ Examples:
★ An increase in raw materials cost will result in a decline in the gross profit margin of the company.
★ If the company is unable to achieve its sales target, revenues will not be enough to cover operating costs and provide a reasonable profit margin to shareholders.

NON-FINANCIAL RISK
➢ It does not have an immediate direct financial impact on the business; however, its consequences may be serious and can later affect the financial well-being of the business.

NON-FINANCIAL RISK CATEGORY:
1. OPERATIONAL RISK
➔ The risk that business operations will be disrupted due to inadequate or failed systems, processes, people, breaches in internal controls or other unforeseen catastrophes.
2. LEGAL OR COMPLIANCE RISK
➔ The risk that the company might fail to comply with applicable laws and regulations such as tax laws, labor laws, corporation laws, anti-money laundering laws and environmental laws.
➔ This type of risk may result in fines and penalties as well as possible criminal prosecution of erring company officers and employees.
3. HEALTH AND SAFETY RISK
➔ The risk that unforeseen events could result in injuries, illnesses, or even loss of lives.
➔ This risk will increase the medical costs that will be incurred by the company.
4. ENVIRONMENTAL RISK
➔ The risk that the company may fail to control or minimize factory wastes, emissions, and other pollutants arising from its business activities.
5. STRATEGIC RISK
➔ The risk of selecting an inappropriate corporate strategy or failing to implement an appropriate one.
➔ This type of risk may result in failure to achieve long-term strategic goals, loss of market share and shrinkage in corporate value.
6. REPUTATION RISK
➔ The risk that the reputation or image of the company will be damaged due to reasons such as improper acts of corporate officers, poor financial performance and bad news about the company, among others.

RISKS RELATED TO PROFESSIONAL ACCOUNTANTS
1. FINANCIAL REPORTING RISKS
➔ The possibility that the financial statements of the company will be incorrect due to errors, lapses or failure to apply accounting standards such as the International Financial Reporting Standards.
2. FRAUD RISKS
➔ The risk arising from deceptive and intentional acts that result in loss of company assets, resources and reputation.
★ Examples of fraud include theft of cash and inventories, bogus deliveries, ghost employees and window dressing.

DEFINITION AND NATURE OF RISK MANAGEMENT

ENTERPRISE RISK MANAGEMENT
➢ It is a process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

RISK APPETITE
➢ The amount and type of risk that an organization is willing to pursue or retain.

RISK TOLERANCE
➢ The acceptable degree of variability, or deviation from the expected level of risk, that an organization is prepared to withstand in order to achieve its objectives.

RISK CAPACITY
➢ The maximum level of risk to which the organization should/can be exposed.

ERM ROLES AND RESPONSIBILITIES
1. BOARD OF DIRECTORS
➔ Conducts an oversight of the effectiveness of the company's risk management process.
➔ Risk oversight pertains to periodic review and monitoring of the process being used by management in addressing and controlling risks.
➔ It is common for large companies to have risk oversight committees within the board of directors.
2. MANAGEMENT
➔ Implements specific risk mitigation and control procedures in managing the various types of risks affecting the company.
➔ Also identifies and assesses risks prior to selecting the appropriate risk response.
3. INTERNAL AUDITORS
➔ Conduct examination of the risk management process for the purpose of determining its effectiveness over time.
➔ The results of their examination are communicated to either the board of directors or the risk oversight committee.
4. OTHER PERSONNEL
➔ Staff functions, such as accounting, human resources, compliance, or legal, also have important supporting roles in designing and executing effective ERM practices.
➔ These functions may design and implement programs that help manage certain key risks across the entire organization.

STEPS IN THE RISK MANAGEMENT PROCESS
1. SETTING OF BUSINESS OBJECTIVES
➢ The risk management process starts with the setting of business objectives. In this regard, the COSO Risk Management framework categorizes business objectives into:
a. STRATEGIC OBJECTIVES - high level goals aligned with and supporting the organization's mission and long term vision.
b. OPERATIONAL OBJECTIVES - goals that are related to the effective and efficient use of corporate resources.
c. REPORTING OBJECTIVES - goals that are related to the reliability and transparency of corporate reports such as financial and nonfinancial reports.
d. COMPLIANCE OBJECTIVES - goals that are related to compliance and conformity with applicable laws and regulatory requirements.
2. IDENTIFY THE RISK
➢ The company must practice holding workshops or technical sessions where key people (HEADS OF DEPARTMENTS AND/OR MANAGERS) produce a comprehensive listing of all risks affecting the company. This list is often called a RISK MATRIX.
➢ There are also "unknown" risks, which are the more dangerous kind of risk since they are yet to be identified even though they can occur anytime.
3. ASSESS THE RISK
➢ Dimensions of Risk:
★ The probability that something can go wrong
★ The negative consequence or impact if that event occurs
➢ The risks should be assessed in terms of likelihood of occurrence and impact.
➢ LIKELIHOOD pertains to the probability that the event will occur, while IMPACT refers to the significance or magnitude of the negative effect of the risk on the company.
★ Likelihood and Impact can be classified into:
● HIGH
● MODERATE
● LOW
➢ RISK ASSESSMENT - analyzing risk in terms of likelihood and impact.
4. RESPOND TO ASSESSED RISK
➢ Management will select the appropriate risk response depending on the result of the risk assessment, which can be "high", "moderate" or "low".
a. ACCEPT - tolerating or accepting the risk is permissible only if it has a minor effect on the business.
b. REDUCE - for risks that are likely to happen or those that are expected to have a significant impact on the business. These risks should be mitigated or reduced to tolerable levels.
c. SHARE - share or transfer the risks to some other entity such as an insurance company.
d. AVOID - avoiding the risk may be the right response when management thinks that merely reducing it is not enough.
5. IMPLEMENT THE RISK RESPONSE
➢ Implementing the risk response is done through deploying specific risk mitigating plans or management action plans to control the risks.
6. MONITOR THE RISK MANAGEMENT PROCESS
➢ The risk management process must be continuously monitored to determine if it remains effective and efficient over time.
➢ Management and corporate boards cannot make the erroneous assumption that an effective risk management process will simply remain effective.
➢ There must be a periodic evaluation of the risk management process.
➢ This is usually done through an internal audit process.
RISK MANAGEMENT FRAMEWORKS
1. ISO 31000 - RISK MANAGEMENT
➢ A series of risk management standards formulated by the International Organization for Standardization.
➢ It provides a set of principles and guidelines for the design, implementation and evaluation of the risk management process for companies across different industries.
2. COSO ENTERPRISE RISK MANAGEMENT
➢ The original framework was published in 2004. It was established in order to study the causes of fraudulent financial reporting during the latter part of the 1980s.
➢ It was tasked to make recommendations on how to prevent such improper accounting practices.

CHAPTER 5 ASSESSMENT OF RISKS & SELECTION OF RISK STRATEGIES

TOP DOWN VIEW OF RISK
❖ It uses a funnel metaphor to depict the top-down role ERM plays in helping organizations reduce their key risks to acceptable levels.

COSO ERM CUBE
➢ The 2004 COSO Enterprise Risk Management Framework can be illustrated through a diagram known as the COSO Cube.
➢ The top portion of the cube highlights the four objectives of risk management.
➢ The front section of the cube identifies the eight components of risk management. These are the elements that make up the risk management process.

ELEMENTS OF RISK MANAGEMENT PROCESS
1. INTERNAL ENVIRONMENT
➔ It reflects the company's risk management philosophy, risk appetite, board oversight, commitment to ethical values and competence of the human resource, and the assignment of authority and responsibility.
➔ The board and management must have an awareness and understanding of the risks confronting the company. If the board and top management do not believe that risk management is important, then people in the company would not even care about managing risks.
What elements should an internal control environment include?
● Risk Management Philosophy
● Risk Appetite
● Board of Directors
● Integrity and Ethical Values
● Commitment to Competence
● Organizational Structure
● Assignment of Authority and Responsibility
● Human Resource Standards
2. OBJECTIVE SETTING
➔ It is a precondition to event identification, risk assessment & risk response.
➔ Management sets strategic objectives which provide a context for operational, reporting and compliance objectives.
★ Strategic Objectives - Related Objectives - Selected Objectives - Risk Appetite - Risk Tolerances
3. EVENT IDENTIFICATION
➔ Management identifies potential events that may affect the company's ability to achieve its strategic, operational, reporting and compliance objectives.
➔ The events may also be categorized as potentially positive (OPPORTUNITIES) or potentially negative events (RISKS).
➔ Management applies various event identification techniques such as facilitated workshops, technical sessions and brainstorming, among others.
● Events
● Influencing Factors
● Event Identification Techniques
● Event Interdependencies
● Event Categories
● Distinguishing Risks and Opportunities
4. RISK ASSESSMENT
➔ Management considers different assessment techniques and uses various data sources to evaluate the likelihood and impact of the identified potential events.
★ INHERENT RISK is the susceptibility of the company to risk in the absence of any actions management might take to alter the risk's likelihood or impact.
★ RESIDUAL RISK is the risk that remains after applying management's response to the risk. Management must evaluate whether this residual risk is within the company's risk appetite.
● Inherent and Residual Risk
● Establishing Likelihood and Impact
● Data Sources
● Assessment Techniques
● Event Relationships
5. RISK RESPONSE
➔ Management considers alternative risk response options and their effect on risk likelihood and impact, with the goal of reducing residual risk to within desired risk tolerances.
★ Evaluating Possible Responses - Selected Responses - Portfolio View
6. CONTROL ACTIVITIES
➔ Management implements specific risk mitigation policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed.
➔ There are different types of control activities such as preventive, detective and corrective controls. Controls over information systems must also be implemented to ensure reliable information.
● Integration with Risk Response
● Types of Control Activities
● Policies & Procedures
● Controls over Information Systems
● Entity Specific
7. INFORMATION AND COMMUNICATION
➔ The company identifies, captures, and communicates pertinent information from internal and external sources to enable personnel to carry out their responsibilities.
➔ Examples of internal communication:
● Audit findings of internal auditors
● Risk Management Policies & Directives
➔ Examples of external communication:
● Letters/correspondence from government agencies such as BIR and SEC
8. MONITORING
➔ Ongoing activities and separate evaluations assess both the existence and effective functioning of the risk management components and the quality of their performance over time.
➔ Internal auditors perform separate evaluations of the effectiveness of the risk management process on a periodic basis. Significant deficiencies in the design and operating effectiveness of the risk management process must be communicated to the appropriate level of management and to the board of directors.

RISK MAPS
➢ It is a graphic or visual representation of the likelihood and impact of one or more risks.
➢ Risk ratings can be plotted on the map.
➢ To provide better visuals, color coding is often applied depending on risk levels, where significant risks are colored red. Moderate risks and minor risks are colored green and yellow, respectively.

COMBINED ASSESSMENTS AND RISK RESPONSE
1. LOW LIKELIHOOD / LOW IMPACT
➔ These are the risks on the bottom left corner of the risk map. Since the combined risk assessment is only "LOW", management can ordinarily accept these risks. Hence the risk response will be to ACCEPT the risk.
2. HIGH LIKELIHOOD / HIGH IMPACT
➔ These are the risks on the top right corner of the risk map.
➔ These risks cannot be accepted, for they are significant risks. Therefore, management gives top priority to these risks.
➔ Available responses for these risks are to:
★ MITIGATE, SHARE or AVOID
➔ Management should make sure that these risks are addressed through implementing RISK MITIGATION PLANS AND SPECIFIC CONTROL ACTIVITIES.
3. HIGH LIKELIHOOD / LOW IMPACT AND HIGH IMPACT / LOW LIKELIHOOD
➔ These are moderate risks. Management may not simply ignore these risks as they can still affect the company.
➔ Because they are not minor risks, management should exert efforts in REDUCING these moderate risks.

MONITORING AND TESTING RISK MANAGEMENT PROCESS
❖ Monitoring is usually done in two ways:
1. Ongoing Monitoring Activities such as routine management reviews of the processes.
2. Separate Evaluations being done by internal auditors.
❖ After evaluating the chosen risk mitigation strategies and monitoring of control activities applied to risks, there will be a determination of the residual risks.

CHAPTER 6 CONCEPT OF INTERNAL CONTROL

INTERNAL CONTROL
➢ Is a process, not an isolated procedure. It is comprised of interrelated sets of policies, procedures and activities that work together for the achievement of business objectives.
➢ It is something that must be put into effect by people from all levels within the company.
➢ It is not an end in itself; rather, it is a means toward achieving the objectives of the company.

COSO INTERNAL CONTROL FRAMEWORK
❖ COSO published the original internal control framework in 1992.
❖ It was revised in 2013 to reflect changes in the business, operating, regulatory and economic environment.
❖ AICPA - American Institute of Certified Public Accountants
❖ AAA - American Accounting Association
❖ IMA - Institute of Management Accountants
❖ IIA - Institute of Internal Auditors
❖ FEI - Financial Executives International

CATEGORIES OF INTERNAL CONTROL OBJECTIVES
1. EFFECTIVE AND EFFICIENT OPERATIONS
➔ Managers and employees have effectively carried out operations when revenue and operating cash flow targets are achieved.
➔ Efficient operations, on the other hand, are achieved when the company is able to minimize operating costs and avoid operational inefficiencies.
★ Theft prevention
★ Safeguarding of assets from destruction
2. RELIABILITY OF FINANCIAL AND NON-FINANCIAL REPORTING
➔ The company must implement Internal Controls over Financial Reporting (ICFR).
➔ An accounting staff reviews and reconciles cash, A/R, inventory and other accounts. If there are any discrepancies, they should be corrected on a timely basis.
➔ A person who conducts bank reconciliation should not have access to cash.
➔ Physical inventory counts must be performed periodically in order to determine shortages or possible inventory pilferage.
➔ The reliability objective of internal control is not confined to financial reports only but also extends to non-financial reports. Non-financial reports should also be reliable so as not to mislead users.
3. COMPLIANCE WITH APPLICABLE LAWS AND REGULATIONS
➔ To enhance adherence to laws and regulations, a compliance function must be established within the company.
➔ The compliance department is usually headed by a Chief Compliance Officer.
● Anti-Money Laundering
● Taxation
● Labor laws
● Environmental laws
● Corporation laws

COMPONENTS OF INTERNAL CONTROL
1. CONTROL ENVIRONMENT
➔ It is a set of standards, processes, and structures that provide the basis for carrying out internal control.
➔ Without an effective control environment, internal control will not function properly.
➔ The Control Environment is comprised of the following:
★ Integrity and Ethical Values;
★ Management's philosophy and operating style;
★ Organizational structure;
★ Commitment to competence;
★ HR Policies and Procedures;
★ Functioning of the BOD
➔ The control environment should ensure controls are in place in areas such as:
● Hiring practices
● Code of ethical conduct
● Whistleblower policies
● Employee training
● Succession planning
● Clear lines of responsibility and authority
● Competence and independence of the BOD and Board Committees
2. RISK ASSESSMENT
➔ It is an iterative process of identifying and assessing those risks that may prevent the achievement of enterprise objectives.
3. CONTROL ACTIVITIES
➔ These are the specific actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.
★ Automated
★ Manual
★ Preventive
★ Detective

EXAMPLES OF CONTROL ACTIVITIES
★ Performance Reviews
● comparison of actual performance against budgets and forecasts
★ Information Processing
● controls that check accuracy, completeness and authorization of transactions
★ Physical Controls
● activities that assure the physical security of assets and records
★ Segregation of Duties
● separation of the functions of transaction authorization, record-keeping and custody
4. INFORMATION & COMMUNICATION
➔ INFORMATION is necessary for the entity to carry out internal control responsibilities to support achievement of its objectives.
★ Management obtains, generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control.
★ For instance, the company's accounting information system plays an important role in making business decisions and ensuring that only actual transactions are recorded and fictitious ones are prevented from getting recorded in the books.
➔ COMMUNICATION is the continual, iterative process of providing, sharing and obtaining necessary information.
★ INTERNAL COMMUNICATION - information is disseminated throughout the organization, flowing up, down and across the entity.
★ EXTERNAL COMMUNICATION - it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.
5. MONITORING ACTIVITIES
➔ It is essential because internal control that is effective today may no longer be effective months or a year from now.

TYPES OF MONITORING ACTIVITIES
1. Ongoing Monitoring
● it provides timely information on the business processes at different levels of the entity
★ Ex: Routine review by the purchasing manager of the procurement procedures in the company
2. Separate Evaluations
● performed by INTERNAL AUDITORS
★ Ex: Findings of the Internal Auditor

COSO REQUIREMENTS FOR INTEGRATED COMPONENTS
1. Each of the five components must be present and functioning
➔ Present means the five components exist in the design and implementation of the system of internal control to achieve business objectives.
➔ Meanwhile, functioning means that the components continue to exist and are being implemented over time.
2. The five components must operate together in an integrated manner
➔ The components of internal control are not to be treated in isolation; rather, they need to be operated in an integrated manner.

LIMITATIONS OF INTERNAL CONTROL
1. Possibility of collusion
2. Management override
3. Human Factors
4. Cost-Benefit Consideration

CHAPTER 7 INTERNAL CONTROL IN ACTION

ENTITY-LEVEL CONTROLS
➢ Are controls that are applied broadly at the company level and essentially affect the entire corporate culture as well as the functioning of transaction-level controls.

SPECIFIC EXAMPLES OF ENTITY-LEVEL CONTROLS
● Corporate Charter
● Internal Audit Function
● Controls over management override
● Code of Conduct in the workplace
● Controls under the risk assessment component
● Monitoring process
● Code of corporate governance

TRANSACTION-LEVEL CONTROLS
➢ Are internal control procedures deployed and implemented for every major transaction and account of the company.
● Sales/accounts receivable/revenue recognition/cash collection
● Purchases/accounts payable/expenses/cash disbursements
● Inventory
● Segregation of accounts payable transaction processing from bank reconciliations

INTERNAL CONTROLS AS TO LINE OF DEFENSE

KINDS OF INTERNAL CONTROL
1. PREVENTIVE CONTROL
➔ This is the first line of defense against risk events, in which it is intended to avert the happening of the abovementioned negative events.
EXAMPLES:
★ Cash vaults and locks are implemented to prevent theft of cash.
★ Daily Time Records are utilized to keep accurate records of the number of hours rendered by employees.
★ Inventories are stored in a WAREHOUSE and are monitored by warehouse personnel. This is to prevent the occurrence of inventory theft.
➔ In spite of preventive controls, it is still possible that fraud or error may occur in the company.
2. DETECTIVE CONTROL
➔ This serves as the second line of defense and it is intended to identify and uncover fraud, error or non-compliance that may have already occurred within the company.
EXAMPLES:
★ Preparation of bank reconciliation statements for the purpose of detecting errors in the recording of bank transactions.
★ A surprise cash count of the cash custodian is also an example of a detective control.
➔ Fraud or error, once it is detected, must be corrected on a timely basis.
3. CORRECTIVE CONTROL
➔ When an error is detected through a bank reconciliation statement, it should be adjusted in the books of accounts in order to correct the cash balances.
EXAMPLES:
★ Sanctions on erring employees should be implemented in order to show that the company is serious against fraud.
★ If it is found out that fraud occurred because of a weakness or loophole in the cash disbursement approval process, then approval procedures should be upgraded or improved to prevent the recurrence of fraud.

AUTOMATED CONTROLS
➔ Computerized controls
➔ These are controls that are built into computer programs and systems, intended to ensure system integrity, reliability and security.
EXAMPLES:
★ User log-in and passwords
★ Input controls (validity check & limit check)

SPECIFIC CONTROL ACTIVITIES PER MAJOR ACCOUNTS

CASH
● Prenumbered use of official receipts
● Daily deposit of collections
● Bonding (through an insurance company) of cash
● Authorization for the opening of bank accounts
● Comparison of deposit slips with cash
● Separation of duties between cashier personnel
● Use of cash vaults and locks
● No signing of blanks
● Prenumbered use of vouchers and checks
● Approval of cash disbursements
● Limit authorization to sign checks
● Mutilation of void checks
● Control over signature machines and over interbank transfers
● Physical control of unused checks
● Surprise cash counts

INVESTMENTS
● Proper authorization of investment purchase transactions
● Use of safety deposit box for the safekeeping of investment documents
● Bonding (through an insurance company) of the investment custodian
● Investment custodian function separate from investment accounting
● Limit the access to the safety deposit box
● Dual control
● Investment securities in the name of the company
● Periodic internal audit
● Periodic appraisal of the investment
● Authorization for the disposal of the investments

INVENTORIES
● Periodic inventory counts
● Use of perpetual inventory records
● Periodic comparison of general ledger and perpetual inventory records
● Investigation of discrepancies in case of inventory shortage or overage
● Use of prenumbered receiving reports
● Separation of inventory custodian from inventory accounting/record-keeping function
● Adequacy of insurance on inventories
● Physical safeguards on inventory against fire and other catastrophes
● Physical safeguards against theft of inventories
● Authorization over inventory purchases
● Inspection procedures upon receipt of inventories
● Procedures in the dispatch of inventories
● Procedures on inventory returns
● Requiring inventory requisitions prior to purchase ordering
● Control over in-transit goods

FIXED ASSETS
● Use of detailed property records
● Periodic comparison of property records with physical assets
● Periodic counts of fixed assets
● Policy on capitalization of expenditures
● Physical safeguards over assets
● Use of proper identification numbers
● Adequacy of insurance over fixed assets
● Fixing of the accountability of fixed asset custodians
● Review of depreciation computations
● Control over fully-depreciated fixed assets
● Review of useful lives
● Control over disposal of fixed assets
● Control over scrap sales

PAYROLL
● Effective hiring procedures
● Maintenance of personnel data records (201 files)
● Use of time clock or biometric device
● Supervisor review of time cards
● Review of payroll calculations
● Procedures in distributing payroll checks
● Control over unclaimed wages
● Transmittal to the bank of the official roster of employees for ATM payroll arrangements
● Periodic head count of all company personnel
● Control over the rendering of overtime
● Access controls to prevent unauthorized use of the payroll system
● Timely removal of retired employees from the payroll system
● Periodic audit of payroll

ACCOUNTS PAYABLE AND PURCHASES
● Independence of A/P function from purchasing function
● Periodic reconciliation of A/P subsidiary records with the A/P control account
● Control over purchase returns
● Review of vendors' invoices
● Matching of purchase orders, receiving reports and vendor invoices
● Reconciliation of vendor statements with A/P detail
● Review of A/P debit balances
● Review of unmatched receiving reports
● Review of A/P postings
● Bidding procedures for significant purchases
● Investigation of discounts not taken
● Periodic comparison with budgets
● Checking for personal purchases
● Vendor accreditation procedures
● System access to create, edit or delete purchase orders is restricted to authorized personnel
● Comparison of purchase amounts to budgets

OVERVIEW OF FRAUD

FRAUD
➢ Is an intentional act by one or more individuals among management, those charged with governance, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage.

CATEGORIES OF FRAUD
1. Fraudulent Financial Reporting
➔ Also known as window dressing.
➔ It is a kind of fraud that results in manipulated financial statements and misleading accounting reports and records.
2. Misappropriation of assets
➔ Involves theft of company assets, funds or resources.
3. Corruption
➔ Involves irregularities that result in illegal kickbacks, under-the-table schemes, bribery and the like.
THE FRAUD TRIANGLE

CONTROL DEFICIENCIES

DEFICIENCY IN DESIGN
➢ A critical control is not properly designed and does not meet the control objective, or is simply ineffective.

DEFICIENCY IN OPERATIONS
➢ A critical control is designed properly but does not perform in the intended manner and is unable to address the identified risks.

INTERNAL AND EXTERNAL AUDITING

INTERNAL AUDIT
➢ An independent and objective assurance that provides service to the company in the areas of operations, reporting, compliance and finance. It is performed by internal auditors.

TYPES OF AUDITS PERFORMED BY INTERNAL AUDITOR
1. Operational Audit
➔ Examinations intended to ascertain whether management has conducted business operations effectively and efficiently.
2. Compliance Audit
➔ Examinations intended to determine whether the company or any of its departments is able to adhere to prevailing laws and regulations.
3. Financial Audit
➔ Examinations focused on determining whether the company's finance function as well as its financial reports are accurate or reliable.

EXTERNAL AUDIT
➢ It expresses an opinion on the truthfulness of the financial statements of the company.
➢ Their audits are focused on the fairness of corporate financial statements insofar as adherence to applicable accounting standards is concerned. It is performed by external auditors, who must be Certified Public Accountants (CPAs).
➢ Internal auditors need not be CPAs, but they need to possess competence in the field of internal auditing. Many internal auditors are Certified Internal Auditors (CIA).
○ CIA
■ is an advanced certification, although it is not a mandatory requirement for one to be an internal auditor.
