
TOPIC IV – INTERNAL CONTROL: A VITAL TOOL IN MANAGING RISK

Overview of Internal Control

Nature and Purpose of Internal Control

Companies establish goals and objectives and then assess the risks to achieving those objectives. In
response to the assessed risks, the company may design and implement internal control to obtain
reasonable assurance that the objectives will be achieved.

Control is defined as any action taken by management, the board and other parties to manage risk and
increase the likelihood that established policies and goals will be achieved. Management plans,
organizes, and directs the performance of sufficient actions to provide reasonable assurance that the
objectives and goals will be achieved. The term “controls” refers to any aspect of one or more of the
components of internal control.

Internal control is the process designed and effected by those charged with governance, management and
other personnel to provide reasonable assurance about the achievement of the entity’s objectives
with regard to the reliability of financial reporting, the efficiency of operations and compliance with
applicable laws and regulations. Internal control pertains to the actions that foster the best result for an
organization.

It follows that internal control is designed and implemented to address identified business risks that
threaten the achievement of any of these objectives.

Those objectives fall into three categories:

• Reliability of the entity’s financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations

Whether an entity achieves its objectives relating to financial reporting and compliance is determined by
activities within the entity’s control. However, achieving its objectives relating to operations will depend
not only on management’s decisions but also on competitors’ actions and other factors outside the
entity.

Internal Control System Defined

Internal control system means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management’s objectives of ensuring, as far as
applicable, the orderly and efficient conduct of its business, including adherence to management
policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial information.

Elements / Components of Internal Control

Internal control structures vary significantly from one company to the next.
Factors such as the size of the business, the nature of its operations, the geographical dispersion of its
activities, and the objectives of the organization affect the specific control features of an organization.
However, certain elements or features must be present to have a satisfactory system of control in
almost any large-scale organization. COSO is a joint initiative to combat corporate fraud.

The internal control system extends beyond those matters which relate directly to the functions of the
accounting system and consists of the following components, in accordance with the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) updated Internal Control – Integrated
Framework. The COSO Framework is a system used to establish internal controls that are integrated into
business processes. Collectively, these controls provide reasonable assurance that the organization is
operating ethically, transparently and in accordance with established industry standards.

Five components of the COSO framework

1. the control environment;
2. the entity’s risk assessment process;
3. the information system, including the related business processes relevant to financial reporting,
and communication;
4. control activities;
5. monitoring of controls.

A. Control Environment

The control environment means the overall attitude, awareness and actions of directors and
management regarding the internal control system and its importance in the entity: the attitude and
actions of the directors, management and employees that set the tone for control within the
organization. It covers:

➢ Exercise integrity and ethical values
➢ Make a commitment to competence
➢ Use the board of directors and audit committee
➢ Facilitate management philosophy and operating style
➢ Create organizational structure
➢ Issue assignment of authority and responsibility
➢ Utilize human resource policies and procedures

The control environment has an effect on the effectiveness of the specific control procedures. A strong
control environment, for example, one with tight budgetary controls and an effective internal audit
function, can significantly complement specific control procedures. Factors reflected in the control
environment include:

• The function of the board of directors and its committees;
• Management’s philosophy and operating style;
• The entity’s organizational structure and methods of assigning authority and responsibility;
• Management’s control system including the internal audit function, personnel policies and
procedures and segregation of duties.

In summary, the control environment is about exercising integrity and ethical values, making a
commitment to competence, using the board of directors and audit committee, facilitating management’s
philosophy and operating style, creating the organizational structure, issuing assignments of authority
and responsibility, and utilizing human resources policies and procedures.

The environment in which internal control operates has an impact on the effectiveness of the specific
control procedures.

Several factors comprise the control environment, including:

1) Communication and Enforcement of Integrity and Ethical Values

Integrity and ethical values are essential elements of the internal control environment. They affect the
design, administration, and monitoring of the other components of internal control. An entity’s ethical
and behavioral standards, and the manner in which it communicates and reinforces them, determine the
entity’s integrity and ethical behavior.

Integrity and ethical values include management’s actions to remove or reduce incentives and
temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also
include the communication of entity values and behavioral standards to personnel through policy
statements, a code of conduct, and management’s example of appropriate behavior.

2) Commitment to Competence

Competence is the knowledge and skills necessary to accomplish the tasks that define an employee’s job.
Commitment to competence means that management considers the competence levels required for a
particular job in determining the skills and knowledge required of each employee, and that it hires
employees competent to perform the task.

3) Participation by those Charged with Governance

An entity’s control consciousness is influenced significantly by those charged with governance.
Attributes of those charged with governance include their independence from management, their
experience and stature, the extent of their involvement in and scrutiny of activities, the appropriateness
of their actions, the information they receive, the degree to which difficult questions are raised and
pursued with management, and their interaction with internal and external auditors.

4) Management’s Philosophy and Operating Style

This refers to management’s attitude towards (a) business risk, (b) financial reporting, and (c) meeting
budget, profit and other established goals, all of which have an impact on the reliability of the financial
statements. Management’s approach to taking and monitoring business risks, its conservative or
aggressive selection from alternative accounting principles, its conscientiousness and conservatism in
developing accounting estimates, and its attitude toward information processing and the accounting
function and personnel are factors that affect the control environment.

5) Organizational Structure

The responsibilities and authorities of the various personnel within the organization should be
established in such a manner as to

(1) assist the entity in meeting its goals and objectives and

(2) ensure that transactions are processed, recorded, summarized and reported in an accurate and
timely manner.

Organizational structure provides the overall framework for planning, directing and controlling
operations.

6) Assignment of Authority and Responsibility

Personnel within an organization need to have a clear understanding of their responsibilities and of the
rules and regulations that govern their actions. Management may develop job descriptions and computer
system documentation. It may also establish policies regarding acceptable business practice, conflicts of
interest and a code of conduct.

7) Human Resources Policies and Procedures

Perhaps the most important element of an internal accounting control system is the people who
perform and execute the established policies and procedures. Personnel policies should be adopted by
the client to reasonably ensure that only capable and honest persons are hired and retained. Policies
with respect to employee selection, training and supervision should be adopted and implemented by
the client. (See also “Square Peg, Round Hole: Dealing with an Employee Who Does Not Fit In.”)

The selection of competent and honest personnel does not automatically assure that errors or
irregularities will not occur. However, adequate personnel policies, coupled with the design concepts
suggested earlier in this section, enhance the likelihood that the client’s policies and procedures will be
followed.

B. Entity’s Risk Assessment Process

➢ Create companywide objectives
➢ Incorporate process-level objectives
➢ Perform risk identification and analysis
➢ Manage change

Risk assessment is the “identification, analysis, and management of risks pertaining to the preparation
of financial statements”. For example, risk assessment may focus on how the entity considers the
possibility of transactions not being recorded, or how it identifies and assesses significant estimates
recorded in the financial statements.

An entity’s risk assessment process is its process for identifying and responding to business risks and the
results thereof. For financial reporting purposes, the entity’s risk assessment process includes how
management identifies risks relevant to the preparation of financial statements that are presented
fairly, in all material respects, in accordance with the entity’s applicable financial reporting framework,
estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to
manage them.

Risks relevant to financial reporting include external and internal events and circumstances that may
occur and adversely affect an entity’s ability to initiate, record, process and report financial data
consistent with the assertions of management in the financial statements.

Once risks are identified, management considers their significance, the likelihood of their occurrence
and how they should be managed.

Risks can arise or change due to circumstances such as the following:

• Changes in operating environment. Changes in the regulatory or operating environment can
result in changes in competitive pressures and significantly different risks.
• New personnel. New personnel may have a different focus on or understanding of internal
control.
• New or revamped information systems. Significant and rapid changes in information systems
can change the risk relating to internal control.
• New technology. Incorporating new technologies into production processes or information
systems may change the risk associated with internal control.
• New business models, products or activities. Entering into business areas or transactions with
which an entity has little experience may introduce new risks associated with internal control.
• Corporate restructurings. Restructurings may be accompanied by staff reductions and changes
in supervision and segregation of duties that may change the risk associated with internal control.
• Expanded foreign operations. The expansion or acquisition of foreign operations carries new
and often unique risks that may affect internal control, for example, additional or changed risks
from foreign currency transactions.
• New accounting pronouncements. Adoption of new accounting principles or changing
accounting principles may affect risks in preparing financial statements.

The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of size,
but the risk assessment process is likely to be less formal and less structured in small entities than larger
ones.

All entities should have established financial reporting objectives, but they may be recognized implicitly
rather than explicitly in small entities.

Management may be aware of risks related to these objectives without the use of a formal process but
through direct personal involvement with employees and outside parties.

Considerations specific to Smaller Entities

Many audits of small entities are carried out entirely by the engagement partner (who may be a sole
practitioner). In such situations, it is the engagement partner who, having personally conducted the
planning of the audit, would be responsible for considering the susceptibility of the entity’s financial
statements to material misstatement due to fraud and error.

C. Information and Communication

➢ Measure quality of information
➢ Measure effectiveness of communication

Information System, including the Business Processes, Relevant to Financial Reporting, and
Communication – An information system consists of infrastructure (physical and hardware components),
software, people, procedures, and data.

Infrastructure and software will be absent, or have less significance, in systems that are exclusively
or primarily manual; many information systems, however, make extensive use of IT.

The Information System, including Related Business Processes, Relevant to Financial Reporting – The
information system relevant to financial reporting objectives, which includes the accounting system,
consists of the procedures and records designed and established to:

• Initiate, record, process and report entity transactions (as well as events and conditions) and to
maintain accountability for the related assets, liabilities and equity;
• Resolve incorrect processing of transactions, for example, automated suspense files and
procedures followed to clear suspense items out on a timely basis;
• Process and account for system overrides or bypasses of controls;
• Transfer information from transaction processing systems to the general ledger;
• Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and amortization of assets and changes in the
recoverability of accounts receivables; and
• Ensure information required to be disclosed by the applicable financial reporting framework is
accumulated, recorded, processed, summarized and appropriately reported in the financial
statements.

Journal Entries

An entity’s information system typically includes the use of standard journal entries that are required
on a recurring basis to record transactions.

Examples might be journal entries to record sales, and cash disbursements in the general ledger, or to
record accounting estimates that are periodically made by management, such as change in the estimate
of uncollectible accounts receivable.

An entity’s financial reporting process also includes the use of non-standard journal entries to record
non-recurring, unusual transactions or adjustments.

Examples of such entries include those for a business combination or disposal, or for nonrecurring
estimates such as the impairment of an asset.

In a manual general ledger system, non-standard journal entries may be identified through inspection of
ledgers, journals, and supporting documentation.
When automated procedures are used to maintain the general ledger and prepare financial statements,
such entries may exist only in electronic form and may therefore be more easily identified through the
use of computer-assisted audit techniques.

Related Business Processes

An entity’s business processes are the activities designed to:

• Develop, purchase, produce, sell and distribute an entity’s products and services;
• Ensure compliance with laws and regulations; and
• Record information, including accounting and financial reporting information.

Business processes result in the transactions that are recorded, processed and reported by the
information system.

Obtaining an understanding of the entity’s business processes, which include how transactions are
originated, assists the auditor in obtaining an understanding of the entity’s information system relevant
to financial reporting in a manner that is appropriate to the entity’s circumstances.

Accordingly, an information system encompasses methods and records that:

• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording their proper monetary
value in the financial statements.
• Determine the time period in which transactions occurred to permit recording of transactions in
the proper accounting period.
• Present properly the transactions and related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities pertaining to
internal control over financial reporting.

It includes the extent to which personnel understand how their activities in the financial reporting
information system relate to the work of others, and the means of reporting exceptions to an
appropriate higher level within the entity.

Communication takes such forms as policy manuals, accounting and financial reporting manuals, and
memoranda.

Communication also can be made electronically, orally, and through the actions of management.

Application to Small Entities

Information systems and related business processes relevant to financial reporting in small entities are
likely to be less formal than in larger entities, but their role is just as significant.

Small entities with active management involvement may not need extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies.
Communication may be less formal and easier to achieve in a small entity than in a larger entity due to
the small entity’s size and fewer levels as well as management’s greater visibility and availability.

D. Control Activities

➢ Follow policies and procedures
➢ Improve security (application and network)
➢ Conduct application change management
➢ Plan business continuity / backups
➢ Perform outsourcing

Control activities are the policies and procedures that help ensure that management directives are
carried out, for example, that necessary actions are taken to address risks that threaten the
achievement of the entity’s objectives.

Control activities are policies and procedures that guide employees’ actions to address risk and achieve
management objectives.

Control activities, whether within IT or manual systems, have various objectives and are applied at
various organizational and functional levels.

The major categories of control procedures are:

a. Performance review
b. Information processing controls
  1) Proper authorization of transactions and activities
  2) Segregation of duties
  3) Adequate documents and records
  4) Safeguards over access to assets; and
  5) Independent checks on performance
c. Physical controls: limiting physical access to assets and records. Only authorized personnel
should have access to certain assets (particularly valuable or portable ones).

A. Performance Review

In performance review management uses accounting and operating data to assess performance, and it
then takes corrective action.

Such reviews include:

• comparing actual performance (or operating results) with budgets, forecasts, prior performance,
or competitors’ data, or tracking major initiatives such as cost-containment or cost-reduction
programs to measure the extent to which targets are being met;
• investigating performance indicators based on operating or financial data, such as quantity or
purchase price variances or the percentage of returns to total orders;
• reviewing functional or activity performance, such as relating the performance of a manager
responsible for a bank’s consumer loans to some standard, such as economic statistics or
targets.

Personnel at various levels in an organization may make performance reviews. Performance reviews
may be used by managers for the sole purpose of making operating decisions. For example, managers
may analyze performance data and base operating decisions on them because the data are consistent
with their expectations.

B. Information Processing Controls

Information processing controls are policies and procedures designed to require authorization of
transactions and to ensure the accuracy and completeness of transaction processing.

Control activities may be classified according to the scope of the system they affect.

General controls are control activities that prevent or detect errors or irregularities for the entire
accounting system.

General controls affect all transaction cycles and apply to information processing as a whole, including
hardware and systems software acquisition and maintenance, and backup and recovery procedures.

Application controls are controls that pertain to the processing of a specific type of transaction, such as
payroll, or sales and collections.

These controls help ensure that transactions occurred, are authorized, and are completely and
accurately recorded and processed. Examples of application controls include checking the arithmetical
accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as
input data and numerical sequence checks, and manual follow-up of exception reports.
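As an added example that is not part of the original notes, the following Python code applies the automated application controls just named to a constructed batch of sales invoices: input data checks, an arithmetical accuracy check and a numerical sequence check, with every failure gathered into an exception report for manual follow-up. The invoice fields, numbers and amounts are all assumed.

```python
"""Application controls over a batch of sales invoices.

Implements three automated checks the text lists: input data checks,
an arithmetical accuracy check, and a numerical sequence check, and
collects every failure into an exception report for manual follow-up.
All invoice data is constructed for the example.
"""
from datetime import date
from decimal import Decimal

# Constructed batch: INV-1003 is missing (gap), INV-1005 appears twice
# (duplicate), INV-1004 has a wrong total and one INV-1005 has a bad date.
SAMPLE_BATCH = [
    {"no": "INV-1001", "date": "2024-03-01", "customer": "C-17",
     "lines": [{"qty": 2, "price": "10.00", "amount": "20.00"}],
     "total": "20.00"},
    {"no": "INV-1002", "date": "2024-03-01", "customer": "C-22",
     "lines": [{"qty": 1, "price": "99.50", "amount": "99.50"},
               {"qty": 3, "price": "5.00", "amount": "15.00"}],
     "total": "114.50"},
    {"no": "INV-1004", "date": "2024-03-02", "customer": "C-17",
     "lines": [{"qty": 4, "price": "7.25", "amount": "29.00"}],
     "total": "30.00"},                        # total does not foot
    {"no": "INV-1005", "date": "2024-02-30", "customer": "C-09",
     "lines": [{"qty": 1, "price": "40.00", "amount": "40.00"}],
     "total": "40.00"},                        # invalid date
    {"no": "INV-1005", "date": "2024-03-02", "customer": "",
     "lines": [{"qty": 1, "price": "40.00", "amount": "40.00"}],
     "total": "40.00"},                        # duplicate no., no customer
]


def input_checks(inv):
    """Input data checks: required fields, a valid date, positive quantities."""
    errors = []
    if not inv.get("customer"):
        errors.append("missing customer")
    try:
        date.fromisoformat(inv["date"])
    except ValueError:
        errors.append(f"invalid date {inv['date']!r}")
    for i, line in enumerate(inv["lines"], 1):
        if line["qty"] <= 0:
            errors.append(f"line {i}: non-positive quantity")
    return errors


def arithmetic_checks(inv):
    """Arithmetical accuracy: qty x price == amount, and the lines foot to the total."""
    errors = []
    footed = Decimal("0")
    for i, line in enumerate(inv["lines"], 1):
        expected = Decimal(line["qty"]) * Decimal(line["price"])
        if expected != Decimal(line["amount"]):
            errors.append(f"line {i}: {line['qty']} x {line['price']} != {line['amount']}")
        footed += Decimal(line["amount"])
    if footed != Decimal(inv["total"]):
        errors.append(f"total {inv['total']} != sum of lines {footed}")
    return errors


def sequence_check(batch, prefix="INV-"):
    """Numerical sequence check: invoice numbers missing from, or repeated in, the batch."""
    seen, duplicates = set(), set()
    for inv in batch:
        number = int(inv["no"][len(prefix):])
        (duplicates if number in seen else seen).add(number)
    gaps = set(range(min(seen), max(seen) + 1)) - seen
    return {"gaps": [f"{prefix}{n}" for n in sorted(gaps)],
            "duplicates": [f"{prefix}{n}" for n in sorted(duplicates)]}


def exception_report(batch):
    """Run every control over the batch; return {invoice no: [exceptions]} for follow-up."""
    report = {}
    for inv in batch:
        for err in input_checks(inv) + arithmetic_checks(inv):
            report.setdefault(inv["no"], []).append(err)
    seq = sequence_check(batch)
    for no in seq["gaps"]:
        report.setdefault(no, []).append("sequence gap: number not in batch")
    for no in seq["duplicates"]:
        report.setdefault(no, []).append("duplicate invoice number")
    return report


if __name__ == "__main__":
    for no, errs in sorted(exception_report(SAMPLE_BATCH).items()):
        print(no, "->", "; ".join(errs))
```

Clean invoices produce no entry; the report lists only the invoices (and the missing number) that need a person to look at them, which is the "manual follow-up of exception reports" control.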

General IT controls are policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper operation of
information systems. Examples of such general IT controls are program change controls, controls that
restrict access to programs or data, controls over the implementation of new releases of packaged
software applications, and controls over system software that restrict access to or monitor the use of
system utilities that could change financial data or records without leaving an audit trail.

Control Objectives for Information and Related Technologies, more popularly known as COBIT, is a
framework that aims to help organizations that are looking to develop, implement, monitor, and
improve IT governance and information management.

Internal controls relating to the accounting system are concerned with achieving objectives such as:

• Transactions are executed in accordance with management’s general or specific authorization.
• All transactions and other events are promptly recorded in the correct amount, in the
appropriate accounts and in the proper accounting period so as to permit preparation of
financial statements in accordance with an identified financial reporting framework.
• Access to assets and records is permitted only in accordance with management’s authorization.
• Recorded assets are compared with the existing assets at reasonable intervals and appropriate
action is taken regarding any differences.

Control activities related to the processing of transactions may be grouped as follows: (1) proper
authorization, (2) design and use of adequate documents and records, and (3) independent checks on
performance.

1. Proper authorization of transactions and activities

Authorization for the execution of transaction flows from the stockholders to management and its
subordinates. Before a transaction is entered into with another party, certain conditions must usually be
met. As part of the evaluation of the potential transaction, documentation will be created.

The auditor uses this documentation to determine whether business transactions are properly
authorized. For example, the purchase of inventory may create a purchase order, a receiving report, and
a vendor invoice. By inspecting these documents and comparing them with company policy, the auditor
may be reasonably satisfied that a business transaction was authorized and executed in a manner
consistent with company policy.

2. Segregation of duties

An important element in designing an internal accounting control system that safeguards assets and
reasonably ensures the reliability of the accounting records is the concept of segregation of
responsibilities.

No one person should be assigned duties that would allow that person both to commit an error or
perpetrate fraud and to conceal the error or fraud. For example, the same person should not be
responsible for recording the cash received on account and for posting the receipts to the accounting
records.

3. Adequate documents and records

The use of adequate documents and records allows the company to obtain reasonable assurance that all
valid transactions have been recorded.

4. Access to assets

The resources of a client can be protected by the establishment of physical barriers and appropriate
policies. For example, inventories may be kept in a storeroom, or negotiable instruments may be placed
in a safe deposit box.

5. Independent checks on performance

The objective of a well-designed internal accounting control system is the adoption of procedures that
periodically compare the actual asset with its recorded balance. Regardless of the effectiveness of an
internal control system, some transactions may not be accurately recorded and some assets may be
misappropriated.

To accomplish this, the client makes periodic counts of assets and compares the counts to the balances
in the general ledger accounts. Examples are the count of inventory and the preparation of monthly bank
reconciliations.
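The segregation of duties (item 2) and independent checks on performance (item 5) described above, as an added example that is not from the original notes: a segregation-of-duties test over constructed role assignments, and a count-to-ledger comparison that lists the differences for follow-up. The duty names, accounts and balances are assumed for the example.

```python
"""Segregation of duties and independent checks.

Two of the control activities listed above, as checks a reviewer could
run: (1) a segregation-of-duties test over role assignments that flags
anyone holding both halves of an incompatible duty pair, and (2) an
independent check that compares periodic physical counts against the
general ledger and lists the differences for follow-up. All assignments,
counts and ledger balances are constructed for the example.
"""
from decimal import Decimal

# Duty pairs the text treats as incompatible: one person should not both
# have custody of an asset and record it, nor authorize and record.
INCOMPATIBLE = {
    frozenset({"cash_custody", "cash_recording"}),
    frozenset({"purchase_authorization", "purchase_recording"}),
    frozenset({"inventory_custody", "inventory_recording"}),
}

# Constructed assignments: Mr. A holds only custody and Mr. B only recording
# (properly segregated); Ms. C both authorizes and records purchases.
ASSIGNMENTS = {
    "Mr. A": {"cash_custody"},
    "Mr. B": {"cash_recording", "inventory_recording"},
    "Ms. C": {"purchase_authorization", "purchase_recording"},
}

# Constructed month-end counts and the corresponding ledger balances.
SAMPLE_COUNTS = {"Cash on hand": "1450.00", "Inventory - widgets": "980.00",
                 "Petty cash": "200.00"}
SAMPLE_LEDGER = {"Cash on hand": "1500.00", "Inventory - widgets": "980.00",
                 "Petty cash": "200.00", "Inventory - gadgets": "310.00"}


def sod_conflicts(assignments, incompatible=INCOMPATIBLE):
    """Return {person: [(duty, duty), ...]} for every person whose duties
    include both halves of an incompatible pair. The check passes for
    Mr. A and Mr. B separately; it cannot detect collusion between them,
    which is why the independent check below still matters."""
    conflicts = {}
    for person, duties in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in incompatible if pair <= duties)
        if hits:
            conflicts[person] = hits
    return conflicts


def independent_check(counts, ledger, tolerance=Decimal("0")):
    """Compare counted balances with ledger balances. Returns one tuple
    (account, counted, book, difference) per account whose difference
    exceeds the tolerance, or that appears in only one of the two sources
    (difference None, e.g. a ledger account that was never counted)."""
    exceptions = []
    for account in sorted(set(counts) | set(ledger)):
        if account not in counts or account not in ledger:
            exceptions.append((account, counts.get(account), ledger.get(account), None))
            continue
        counted, book = Decimal(counts[account]), Decimal(ledger[account])
        difference = counted - book
        if abs(difference) > tolerance:
            exceptions.append((account, str(counted), str(book), str(difference)))
    return exceptions


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ASSIGNMENTS))
    for row in independent_check(SAMPLE_COUNTS, SAMPLE_LEDGER):
        print("exception:", row)
```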

C. Physical Controls

Physical controls encompass:

• The physical security of assets, including adequate safeguards such as secured facilities over
access to assets and records.
• The authorization for access to computer programs and data files.
• The periodic counting and comparison with amounts shown on control records (for example,
comparing the results of cash, security and inventory counts with accounting records).

The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of
financial statement preparation, and therefore the audit, depends on circumstances such as when
assets are highly susceptible to misappropriation.

The concepts underlying control activities in small entities are likely to be similar to those in larger
entities, but the formality with which they operate varies. An appropriate segregation of duties often
appears to present difficulties in small entities.

E. Monitoring of Controls

➢ Perform ongoing monitoring
➢ Conduct separate evaluation
➢ Report deficiencies

Monitoring, the final component of internal control, is the process that an entity uses to assess the
quality of internal control over time. Monitoring involves assessing the design and operation of controls
on a timely basis and taking corrective action as necessary.

Management monitors controls to consider whether they are operating as intended and to modify them
as appropriate for changes in conditions.

In many entities, internal auditors evaluate the design and operation of internal control and
communicate information about strengths and weaknesses and recommendations for improving
internal control. Some monitoring activities include communications from external parties.
For example, customers implicitly corroborate sales data by paying their bills or raising questions. Also,
bank regulators, other regulators, and outside auditors may communicate about design or effectiveness
of internal control.

Application to Small Entities

Ongoing monitoring activities of small entities are more likely to be informal and are typically performed
as a part of the overall management of the entity’s operation. Management’s close involvement in
operations often will identify significant variances from expectations and inaccuracies in financial data
leading to corrective action to the control.

Classification of controls as to function (or approach)

1. Preventive controls are proactive controls that deter undesirable events from occurring.

Examples of preventive controls are as follows:

a. Storing petty cash in a locked safe and segregating duties.
b. Checking invoices from suppliers against goods received notes before paying the invoices.
c. Regular checking of delivery notes against invoices, to ensure that all deliveries have been
invoiced.
d. Pre-approval of actions and transactions (such as a Travel Authorization).
e. Access controls (such as passwords and GatorLink authentication). GatorLink is an individual’s
computer network identity at the University of Florida. Every applicant, student, faculty and staff
member is expected to have a GatorLink username and password.

2. Detective controls are reactive and detect undesirable events that have occurred. They provide
evidence after-the-fact that a loss or error has occurred, but do not prevent them from
occurring.

Examples are:

a. Bank reconciliation
b. Regular checks of physical inventory against book records of inventory (physical inventory
count)
c. Review organizational performance (such as a budget-to-actual comparison to look for any
unexpected differences)
d. Physical inventories (such as a cash or inventory count)

3. Corrective controls are reactive controls designed to allow manual or automated correction of errors
or irregularities discovered by detective controls, including resolution of duplicate payments in a cash
disbursement system, audit trails, and backup and recovery procedures.

4. Directive controls are proactive controls that cause or encourage a desirable event to occur.
Examples are:
a. Operational manuals
b. Guidelines
c. Training programs
d. Incentive plans

5. Mitigating controls reduce the potential impact should an event occur. Insurance is a prime
example.

6. Compensating controls. These controls compensate for the lack of an expected control. For
example, close supervisory review may compensate for a lack of segregation of duties where a small
staff size makes proper segregation impractical.

7. Redundant or backup controls duplicate a control objective, or are a secondary control that operates
only if a key control fails, for example, a spillover pool below a toxic substance holding tank.

Control your Controls

Internal controls can sometimes make it very difficult to work efficiently. For example, it took a month
to get 16 signatures authorizing the purchase of a computer.

Limitations of Internal Control

In spite of the positive effect of a good internal control system on company operations, finances,
and compliance, it can only provide reasonable assurance that business objectives will be achieved.
There is no such thing as perfect internal control, because internal control has inherent limitations. The
following are typical limitations of internal control:
1) Possibility of collusion
Even if there is segregation of incompatible duties, fraud or irregularity may still occur because
of collusion or connivance. For instance, Mr. A is the cash custodian of the company. As such, he
does not have the record-keeping duty of posting transactions in the accounting records.
This is done so that, in case Mr. A steals cash from the drawer, the cash records cannot be
manipulated and, therefore, will not tally with the actual cash in the drawer. The stolen cash
will be easily detected because the actual cash will be compared with the accounting records.
However, if Mr. A had access to the accounting records, he could manipulate the balance of cash
so that it tallies with the actual cash.
Mr. B makes the entries in the accounting records. As such, he does not have cash custodianship
duties. There is internal control in the area of cash because incompatible duties (recording and
custodianship) are segregated. However, if Mr. A and Mr. B connive to commit fraud, the
segregation of duties control will not function properly. To detect the fraud, there should be a
surprise audit of cash.

2) Management override
Management override happens when, even in the presence of internal control procedures,
people who are in positions of power intervene and somehow break those policies.
For example, ABC Co. has a policy that all purchase transactions must have a proper purchase
requisition and an approved purchase order. Therefore, no purchase transaction can be executed
without these documents. However, Mr. X was able to execute a purchase transaction without the
necessary purchase requisition and approved purchase order because he is the company’s
general manager.
This is an example of management override of internal controls.

3) Human factors
Even when it appears that the internal control or accounting system is properly functioning,
unreliable financial statements or incorrect records may still result from human error.
Clerical errors often occur in the input process, resulting in incorrect output. Human fatigue,
mistakes in judgement, incompetent personnel, and the like also contribute, and thus the
objectives of the internal control or accounting system may not be achieved.

4) Cost-benefit considerations
The cost of establishing and implementing internal control should not exceed the benefits that
could be derived by the company.

No one will recommend an internal control system that costs a million to a sari-sari store. It is not worth
the price even if the internal control is effective.

Such internal control may be appropriate in the case of medium-sized or large businesses.
