INTERNAL CONTROL

Course Objectives:
At the end of the seminar, participants are expected to be:

Knowledgeable on Able to identify, implement,

and recommend improvements
principles/concepts of
on internal controls in the
internal controls performance of their functions
Topic Outline:
Internal Control Concepts Components of Internal
Control
• Overview of Internal
Control • Control Environment
• Definition of Internal • Risk Assessment
Control • Control Activities
• Objectives of Internal • Information and
Control Communication
• Monitoring
Internal Control Policies
and Procedures
WORKSHOPS
• Elements
• Classification
 What are
INTERNAL CONTROLS?
Why are they
IMPORTANT?
 Internal Control

• Internal control is what we do to see that the

things we want to happen will happen
• And the things we don’t want to happen won’t
happen.

CICA Materials
Internal Control
Helps to achieve business goals…

VISION/
MISSION/
OBJECTIVES

Controls
Business
Risks
Roles/contributions
Primary Objectives
 Accurate Financial Information
 Compliance with Policies and Procedures
 Safeguarding Assets
 Efficient Use of Resources
 Accomplishment of Objectives and Goals
Internal Control defined

Process, effected by an organization’s people,

designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories:

 Effectiveness and efficiency of operations

 Reliability of financial reporting
 Compliance with applicable laws and regulations
 Three categories of objectives
Operations Objectives — effectiveness and efficiency of
the entity’s operations, including operational and financial
performance goals, and safeguarding assets against loss.

Reporting Objectives — internal and external financial and

non-financial reporting and may encompass reliability,
timeliness, transparency, or other terms as set forth by
regulators, recognized standard setters, or the entity’s
policies.

Compliance Objectives — adherence to laws and

regulations to which the entity is subject.

Source: COSO’s Internal Control Integrated framework

Who is Responsible for Internal
Control?
Responsibility for Internal Control

“Section 124. Installation. It shall be the direct

responsibility of the agency head to install,
implement and monitor a sound system of
internal control.” (PD 1445, “Government Auditing Code of
the Philippines”, as amended, 11 June 1978)
Responsibility for Internal Control

 Management is responsible for establishing and

maintaining the control environment.
 Every employee plays a role in either strengthening or
weakening the Institution’s internal control system.
 Auditors play a role in a system of internal controls by
performing evaluations and making recommendations
for improved controls.
All employees play some role
in effecting control
Objectives of NGICS
• An initiative taken by the national government to affirm
its commitment to the citizenry towards:
 Accountability
 Effective Operations
 Prudence in finances
 Quality service
• It unifies in one document existing
to serve as a
benchmark towards designing, installing, implementing,
and monitoring internal controls in the public service
Importance of NGICS

A strong and responsive internal control system

(ICS) is an essential component of an
organization’s internal and external processes.

It can significantly enhance the integrity of

operations and improve organizational
outcomes and results to achieve sectoral goals.
Benefits of NGICS
• Stronger accountability;
• Ethical, economical, efficient and effective
operations;
• Improved ability to address risks to achieve
general control objectives;
• Better systems of responding to the needs of
citizens; and
• Quality outputs and outcomes and effective
governance.
 Legal Bases for Internal Control
• Section 123 of Presidential Decree (PD) 1445 dated June 11,
1978, as amended
• Section 124 of PD 1445, as amended
• Section 2(1), Article IX-D (Commission on Audit) of the 1987
Constitution
• Section 1, Chapter 1, Subtitle B, Book V of the Administrative
Code of 1987
• Section 1 of Administrative Order No. 119 dated March 29,
1989
• Memorandum Order No. 277 dated January 19, 1990
Definition of Internal Control
Internal control refers to the
• plan of organization and
• all the coordinated methods and measures adopted within an
organization or agency

That aims to
• safeguard its assets,
• check the accuracy and reliability of its accounting data, and
• encourage adherence to prescribed managerial policies

(Section 123 of Presidential Decree No. 1445, as amended)

Definition of Internal Control
Internal Control comprises the
•plan of organization and
•all the methods and measures adopted within an agency

To ensure that
•resources are used consistent with laws, regulations and policies;
•resources are safeguarded against loss, wastage and misuse;
•financial and non-financial information are reliable, accurate and timely;
and
•operations are economical, efficient and effective
(Section 32, Title 2, Volume III of the GAAM)
Definition of Internal Control
• Internal Control is an integral process that is effected by an
entity’s management and personnel, and is designed to
address risks...”.
• It provides reasonable assurance that in pursuit of the
entity's mission, the following general objectives are
achieved:

 executing orderly, ethical, economical, efficient and effective operations;

 fulfilling accountability obligations;
 complying with applicable laws and regulations;
 safeguarding resources against loss, misuse and damage.

(International Organization of Supreme Audit Institutions)

Key Concepts
Internal Control is a process.
• It is a means to an end, not an end in itself
• Involves series of actions throughout the operations on an ongoing
basis
• Built in rather built on; embedded with the management processes
of planning, organizing, budgeting, staffing, implementing, and
monitoring
• Not stand alone or separate specialized systems within an agency
• Interwoven into and made an integral part of each system that
management uses to regulate and guide its operations
Elements of Internal Control

Plan of Organization:
• Organizational structure
• Staffing complement that enable an organization to
carry out its functions
• Distribution of powers, functions and responsibilities to
various units and personnel
Elements of Internal Control

Coordinated Methods and Measures

• Systems of authorization, policies, standards
• Accounting systems and procedures
• Reports used by the agency to control its operations and
resources
• Systems and work processes integral to the operations of
an agency and consistently applied by all units in the
public service
Internal Controls aim to

Ensure economical,
Check accuracy
efficient, and
Safeguard assets and reliability of
effective
accounting data
operations

Comply with laws Adhere to

and regulations managerial policies
Safeguard Assets

• Judicious use of government funds, facilities, including documents,

records, and human resource in the delivery of public services
 Proper documentation and recording are appropriate controls that
eliminate the vulnerability of assets to misuse, loss, destructions
and other hazards
 Proper procurement and use of PHILGEPS
 Policies and procedures designed to prevent or detect loss of
assets and records on a timey basis
Check Accuracy and Reliability of
Accounting Data
Essential to control and decision making is the generation of
correct and credible financial information which can be achieved
through government accounting that will

•Produce information concerning past operations and present

conditions
•Provide a basis for guidance for future operations
•Provide for control of the acts of public bodies and officers in the
receipt, disposition, and utilization of funds and property
•Report on the financial position and results of operations of
government agencies for the information of all persons concerned
Ensure Economical, Efficient, and
Effective Operations

Agency outputs and outcomes are measured in terms of how

these directly affect the quality of public service delivery through
economical, efficient, and effective operations
Ensure Economical, Efficient, and Effective
Operations
• Able to perform functions/tasks using the least amount resources
within a specified timeframe
• Agencies are enjoined to exercise prudence and restraint in the use of
Economical
their resources by focusing on their core functions and prioritizing their
programs, projects, and activities to those which would contribute best
to the attainment of agency objectives. Ex: Procurement Law

• “Doing things right” given the available resources and within a

specified timeframe
Efficient • Delivering a given quantity and quality of outputs with minimum
inputs or maximizing outputs with a given quantity and quality of
inputs
• Prioritization and leveraging of resources

• “Doing the right things”, able to deliver major final outputs and
Effective outcomes and able to contribute to the attainment of the agency’s
sectoral goals in particular, and of the societal goals in general
Comply with Laws, Rules, and
Regulations
• Government operations conform to the basic tenet that powers and
authorities of a government office/ agency are usually prescribed
in the law creating such office/agency
• Powers of administrative agencies depend largely, if not wholly, on the
provisions of the statute creating or empowering such agency
• Management and operational compliance are among the things
evaluated to assess conformity with laws and other regulatory
requirements
• In government, organizations, programs, activities, and functions are
usually created by law and are subject to specific rules and regulations
Adhere to Managerial Policies
• Managerial policies are directives and courses of action given
by the agency head or management committee towards
achieving defined objectives.
• They provide guidance to personnel in the proper execution of
the work of their unit and individual tasks that collectively
contribute to the attainment of organizational goals.
Adhere to Managerial Policies
Supervision and Control
(usually the relationship between a department and its bureaus)
The department has the authority to act directly
whenever a specific function is entrusted by law or
regulation to a subordinate which include

•Direct the performance of duty

•Restrain the commission of acts
•Review, approve, reverse or modify acts and decisions of
subordinate officials or units
•Determine priorities in the execution of plans and programs
•Prescribe standards, guidelines, plans and programs
Adhere to Managerial Policies
Administrative Supervision
(relationship of a department with regulatory agencies under it)
•Departments or its equivalent are authorized generally oversee the
operations of such agencies and ensure that they are managed
effectively, efficiently and economically without interference with
day-to-day activities and to review and pass upon the budget of
such agencies under its administrative supervision but it may not
increase or add to it

•The department can require the submission of reports and cause

the conduct of management audit, performance evaluation and
inspection to determine compliance with policies, standards and
guidelines; and take action as may be necessary for the proper
performance of official functions, including rectification of violations,
abuses and other forms of maladministration
Adhere to Managerial Policies
Attachment

This refers to the lateral relationship between a department or

its equivalent and the attached agency for purposes of policy
and program coordination.

Coordination

Representation in the governing board of the attached

agency or corporation, if it is permitted by the charter
Having the attached agency/corporation comply with a
system of periodic reporting which shall reflect the progress of
programs and projects
Provide general policies through its representative in the
board, which shall serve as the framework for the internal
policies of the attached agency
Sources of Controls

Laws Charter

Rules Internal Guidelines

Regulations Administrative Orders

Operations Manual Board Resolution

Manual of Procedures

Standard Operating Procedures

Internal Control Procedures
• Alignment of objectives, risks and controls to
the agency’s mandate/overall objectives
• Personnel
• Proper procedures for authorization
• Adequate separation of duties
• Adequate documents and records
• Physical control over assets and records
• Independent checks on performances
• Consistency of policy compliance
• Coordination in a decentralized environment
Internal Control Procedures
• Flow of financial information
• Linkages between technology, process and
organizational structure
• Completeness and relevancy of policies
• Issue escalation and resolution process
• Accountability
• Early warning systems
• Training and other HR mechanisms
• Tools and techniques for monitoring
IT Internal Controls
• General Controls (relate to the overall information-processing
environment)
 Physical security
 Hardware controls
 Segregation of IT duties
 Documentation
 Back-up procedures
• Application Controls (ensure the completeness and accuracy of
transaction processing, authorization, and validity)
 Input controls
 Processing controls
 Output controls
IT Application Controls

INPUT PROCESSING OUTPUT

Data are Data are Files and reports

authorized, properly generated by the
converted to application reflect
processed by transactions or events
an automated
the computer that actually occurred
form, and
and files are and accurately reflect
entered into the results of
the application
updated
processing, and reports
in an accurate, correctly are controlled and
complete, and distributed to the
timely manner authorized users.
 Characteristics of an
Effective Control
• Addresses root cause
• Considers cost
• Simple
• Leaves tracks
• Embedded
• Combination of “soft” and “hard” controls
• Covers adequately the Internal Control
components and objectives
Types of Controls
Preventive • designed to limit the possibility of an undesirable outcome
being realized
• attempt to stop a risk from occurring
Corrective • designed to limit the scope for loss and reduce any
undesirable outcomes which have been realized
• may also provide a route of recourse to achieve some
recovery against loss or damage

Directive • designed to ensure that a particular outcome is achieved

• attempt to avoid risks by providing specific ways to do things

• designed to identify occasions of undesirable outcomes

Detective
having been realized
• their effect is, by definition, “after the event” so they are only
appropriate when it is possible to accept that the loss or
damage has incurred
• attempt to determine if a risk has occurred
Benefits of IC
 Help prevent errors and irregularities
 If they occur, help ensure they are detected timely
 Encourage adherence to prescribed policies and
procedures
 Protect employees:
1) by clearly outlining tasks and responsibilities,
2) by providing checks and balances, and
3) from being accused of misappropriations, errors or
irregularities.
(Source: Internal Controls, Office of the Internal Auditor, Washington State University
http://internalaudit.wsu.edu/internalcontrols.html
Sub-sets of Internal Control System

Managem Financial/a
ent ccounting
controls controls

Administ
Budget
rative
controls
controls
Program
controls
Financial/Accounting Controls

• Methods and procedures used to produce

accurate records and safeguards assets.

They are designed to ensure that:

Specified individuals are held accountable for transactions
under their control;
Accounting records are accurately and reliably maintained;
There is adequate segregation of records keeping duties from
custodianship of the agency’s assets;
Transactions are properly authorized;
There is adequate segregation of incompatible duties and;
There are adequate checking and reconciling procedures.
Agency Books

Cash Receipts
Journal
JOURNALS Cash Disbursement
Journal
Check Disbursement
Journal

General Journal
Agency Books

Assets
General
Ledger
LEDGERS Liabilities
Subsidiary
Ledgers
Income

Expenses
Administrative Controls
Primarily established to create a sound environment within
which accounting controls may efficiently operate. They
encompass all those organizational plans, methods and
procedures that help entities achieve operational efficiency
and adherence to management policies.

They are designed to ensure that:

 Assets are safeguarded and access to those assets is
restricted;
 The agency operation is conducted in an orderly and
efficient manner that includes a detailed organizational
structure that highlights lines of responsibility, or centers of
responsibility;
 Staff and team responsibilities match their ability;
 Management has the necessary information to exercise
sound decisions; and
 Transactions and other decisions are properly authorized.
Program Controls

Put in place to ensure that the programs/projects of

the government/agency achieve their goals and
objectives.

They are designed to ensure the following:

•Responsiveness of the programs/projects to the
needs of the client/beneficiaries and stakeholders;
•Sustainability of the program/project; and
•Alternative courses of actions have been
considered in the implementation of the
program/project.
Budget Controls

Established to ensure that funds are properly allocated

and utilized solely for the purpose for which they have
been appropriated .

Specifically, the system of budgetary controls shall:

• Ensure that funds are used only for the intended
purpose; and
• Establish and maintain the accountability of public
officers;
• Ensure the disclosure of material errors in the
accounts and unauthorized transactions or loss of
assets.
Management Controls

Process effected by management and other personnel

designed to provide reasonable assurance regarding the
achievement of objectives, with the following objectives:

• To keep the organization on course toward achievement

of its mission, goals and objectives, while minimizing
surprises along the way;
• To enable management to cope with rapidly changing
economic and political environment, shifting service
demands and priorities and the inevitable organizational
restructuring that accompanies them; and
• To promote efficiency, reduce risk or resource loss,
increase reliability of management data, and ensure
compliance with laws and regulations.
Internal Control Framework
IC Components
Control Environment

 Sets the tone of the organization; foundation of the ICS

 provides discipline and climate; integrity, ethical values
and competence of the people
 provides structural and operational framework;
assignment of authority and responsibility
 influence the direction and
shape of an organization
 influence agency’s strategies and outcomes; reflects
the philosophy and operating style of the officers
Elements of Control Environment
1. Plan of organization

Organizational structure

Management and personnel

Accountability, norms of
conduct and ethical standards
Elements of Control Environment
2. Coordinated methods and measures
Control processes that are implemented and which form part
of the normal recurring operations of an agency.
Comprises the policies, rules and regulations that support and
become integral to the operations
Guide and communicate management actions at all levels and
ensure that operating activities are performed within the
standards prescribed in each systems

3. Human resource management system – process of

recruitment, retention, training, supervision and discipline
Elements of Control Environment
4. Financial management system – budgeting, accounting,
financial reporting

Linking of financial information with agency performance

Ex. Evaluation of the quantitative and qualitative measures of agency
performance, Organizational performance indicator framework –
useful tool in expenditure and budget accountability, Government
accounting
5. Quality Management System - should consider the business
environment, changes in that environment, or risks associated with
the environment; its varying needs, particular objectives, products
it provides, the processes it employs, size and organization
structure (Section 0.1,ISO 9000:2008 QMS)
Control Policies and Measures
 Delegation of authority and supervision
 Authority must be clear – transaction, purpose and limitation
 Supervision – monitoring and review of the staff work
 Approval

 Segregation of duties
 Incompatible duties are segregated
 processing, reviewing, recording, custody and
approval/authorization
 to reduce the risk of error or fraud
Control Policies and Measures
 Access over resources, assets and facilities
 accountable and responsible persons
 authorized
 documented use
 proper turnover
 proper recording/reporting

 Reconciliation of financial and non-financial data

 accounting records – GL vs. SL
 accounting records vs. inventory
 bank records vs. book
 reports vs. data source
Risk Assessment

Identification Analysis Evaluation

Existing and
Potential

For appropriate response to achieve

control objectives
Risk Assessment
Internal context can include, but is not limited to:
 Capabilities, understood in terms of resources and
knowledge (e.g., capital, time, people, processes, systems
and technologies);
 Information systems, information flows, and decision
making processes;
 Internal stakeholders;
 Policies, objectives, and the strategies that are in place;
 Standards and reference models adopted by an organization;
 Structures (e.g., governance roles and accountabilities).
Risk Assessment
External context can include, but is not limited to:
 Cultural, political, legal, regulatory, financial,
technological, economic, natural and competitive
environment, whether international, national, regional
or local;
 Key drivers and trends having impact on the objectives
of the organization; and
 Perceptions and values of external stakeholders.
 Terminology
Risk is defined as the possibility that an event will occur and
adversely affect the achievement of objectives.

Risk Tolerance is the acceptable level of variation in

performance relative to the achievement of objectives.

Inherent Risk is defined as the risk to the achievement of

objectives in the absence of any actions management might
take to alter either the risk likelihood or impact.

Residual Risk is defined as the risk to the achievement of

objectives that remains after management’s response has
been designed and implemented.

Risk Response is defined as the decision to accept , avoid,

reduce or share risk. Sources: COSO, financialexecutives.org
Risk Identification Risk Analysis Risk Evaluation

• significance of the
• Opportunities and • Systematic use of risk
threats to the information to • assessing the
achievement of the identify sources
control objectives likelihood of
and to estimate occurrence
• To generate a
the risk To come up with
comprehensive list
• Consider the prioritization for
of risks based on
factors that causes and appropriate risk
enhance, prevent, sources of risk response
degrade or delay (treatment):
the achievement of  Accept
the general control  Transfer
objectives
 Eliminate/prevent
Control Activities
 Actions established by the policies and procedures to help ensure that
management directives to mitigate risks to the achievement of
objectives are carried out.

 Performed at all levels of the entity, at various stages within

business processes, and over the technology environment.

 Activities done to implement policies and procedures designed to:

 address risks
 achieve the agency objectives.
 contain the uncertainty of an outcome already assessed
 treat risks
Control Activities, must be
 Appropriate - means that the control activity is in the right
place and is commensurate to the risk involved

 Cost effective - means the cost of implementation of the

control activity should not outweigh its benefits

 Comprehensive/reasonable - that the control activity directly

relates to the control objectives and the agency mission

 Should be doable and function consistent with the design or

plan
Information and Communication
 Go hand in hand and cut across all other internal control
components.
 Relevant information must be
 Identified , captured and communicated in a form & timeframe that
enables people to carry out their responsibilities
 Communicated throughout the agency, its network of organizations
and sectors
 Information systems produce reports containing operational,
financial and compliance –related information that make it possible
to run and control the business.
 Effective communication must occur in a broader sense, flowing
down, across and up the organization.
 All employees must understand their roles and responsibilities
including the effective communication of actions to external parties
Information and Communication
 Information

Management’s ability to make appropriate decisions is affected

by the quality of information, which implies that
information should be appropriate, timely, current,
accurate and accessible.
 Accurate and timely recording of transactions and events is
required as these will serve as valuable inputs to management
in decision-making and controlling operations.
 All public documents should be made accessible to, and
readily available for, inspection by the public, within
reasonable working hours.
Information and Communication
 Communication

 Effective communication should flow down, across, and up the

organization, throughout all components in the entire structure.
 Communication with external individuals and organizations
concerned
 Means of obtaining information from external parties
 What to communicate?
 Up-to-date performance, developments, risks and the functioning of
internal controls, as well as other relevant events and issues
Information and Communication
Documents and Criteria to be considered
 Department/Agency Citizen’s Charter
 Information systems – Government Information Systems
Plan/Philippine Government Online
 Review and compliance procedures in the filing of SALN
and Disclosure of Business Interests and Financial
Connections
 Report Card Survey on Anti-Red Tape Act
 Consultations and dialogues between officials and staff
 Consultations with various offices
 Mechanism of public consultations and hearings
 Consultation with internal and external stakeholders
Monitoring
 Monitoring activities assess whether each of the five
components of internal control and relevant principles is
present and functioning
 Monitoring of the internal control system is necessary to
help ensure that internal control systems remain attuned to
the changes in objectives, environment, resources and risks
are adequately and promptly resolved.
 Types of monitoring:
- ongoing during the course of operations
- evaluation for which the scope and frequency will depend
primarily on an assessment of risks and the effectiveness of
ongoing monitoring procedures.
Monitoring
I. On-Going Monitoring
 Built into the normal, recurring operating activities of an
entity
 ICS to be monitored by management and service units
 Cover each of the internal control components
 Performed continually and on a real-time basis
 Reacts dynamically to changing conditions
 Involve action against irregular, unethical, uneconomical,
inefficient and ineffective internal control systems.
Monitoring
II. Separate Evaluation
 Performed by IAS
 Evaluation of the effectiveness of the internal control
system based on predefined methods and procedures
 Ensure that internal control achieves the desired
results
 Internal control deficiencies are reported to the
Audit Committee and the Administrator
 Observations and recommendations are adequately
and promptly resolved.
Limitations of IC
 system omissions, human factors, resource constraints
or lack of system flexibility.

Examples of causes of breakdowns:

• a culture that does not reinforce the value of internal
controls
• staff carelessness, poor judgement or lack of knowledge
• staff taking short-cuts instead of following procedures
• staff failing to recognise or act on unusual transactions
Limitations of IC
 internal control processes which do not reflect changed
operating conditions, specific agency activities or potential
new risks

 collusion by staff for personal gain or other motives

 controls failing to capture or flag unusual transactions

 controls and processes being viewed as a hindrance in the

delivery of agency services so are overridden.
Actions to minimise internal control breakdowns
might include:

•management displaying a culture of responsiveness

to identified control weaknesses
•encouraging reporting of internal control weaknesses
•training in internal control processes as part of
staff induction, with regular follow-ups trainings
•easy access to user-friendly documented internal
procedures
Actions to minimise internal control
breakdowns might include:
 having a financial management practice manual
that reflects current practice of the agency
financial and other processes
 regular review of potential risks that may
significantly impact agency operations
 regular review and update of internal
operational, financial and other processes
(BAICS)
(Sources: Financial Accountability Handbook, October 2013
http://www.treasury.qld.gov.au/office/knowledge/docs/financial-accountability
handbook/2-4-limitations-internal-controls.pdf)
The Cost of Implementing a Specific
Control Should Not Exceed the
Expected Benefit of the Control.

 The potential loss of a computer printer may justify the

cost of a door lock but not an alarm system.
 Sometimes there is no out-of-pocket
cost to establish an adequate control.
A realignment of duty assignments
may be all that is necessary to
accomplish the objective.

 Cancelled receipts are approved by someone (supervisor

or manager) other than the person preparing receipts.
What Internal Control Can Do

• It can help achieve performance & profitability targets.

• It can help prevent loss of resources.
• It can help ensure reliable financial reporting.
• It can help ensure compliance with laws.
• It can help an entity get to where it wants to go and
avoid pitfalls and surprises along the way.
What Internal Control Cannot Do

• It cannot ensure success.

• It cannot ensure the reliability of financial reporting.
• It cannot ensure compliance with laws and regulations.

“Internal controls, no matter how well designed and

operated, can provide only reasonable
assurance to management regarding
achievements of an entity’s objectives.”
Workshop 1: ICS

• Select a process within your agency; identify the control

objectives and recommend improvements on ICS

Agency:

Process:

Control Objectives:

Recommended internal control procedures:

Workshop 2: Recommend controls under each
control components
Agency:
COMPONENTS CONTROLS
Control Environment
Risk Assessment
Control Activities
Information and
Communication
Monitoring