
Internal Control

By:
Kurniasari Mauludina Putriani (1706059095)
Marvella (1706058880)
Michelle Zevania (1706059164)
Anggita Agustina (1706972581)
Luvyta (1706972833)
Shelly Maryani (1706973060)
Vanessa Marsya K (1706973092)
Outline

Framework
1. Definition of Internal Control
2. Objectives, Components, and Principles
3. Effective Internal Control
4. Additional Considerations
5. Control Environment
6. Risk Assessment
7. Control Activities
8. Information and Communication
9. Monitoring Activities
10. Limitations of Internal Control

Appendices
A. Glossary
B. Roles and Responsibilities
C. Specific Considerations for Smaller Entities
D. Methodology for Revising the Framework
E. Public Comment Letters
F. Summary of Changes to Internal Control - Integrated Framework Issued in 1992
G. Comparison with COSO Enterprise Risk Management -
1. Definition of Internal Control
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
2. Objectives, Components, and Principles
An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity.

Components of Internal Control
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities
Relationship of Objectives, Components, and the Entity
A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures).
Objectives
“Such objectives may focus on the entity’s unique operations needs, or align with laws, rules, regulations, and standards imposed by legislators, regulators, and standard setters, or some combination of the two. Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning”
Principles of Internal Control
[Figure: the five components of internal control - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities]
Internal Control and the Management Process
◂ Having a board that comprises directors with sufficient independence from management and that carries out its oversight role is part of internal control
◂ Making strategic decisions impacting the entity’s objectives is not part of internal control
◂ Setting the overall level of acceptable risk and associated risk appetite is part of strategic planning and enterprise risk management, not part of internal control.
◂ Selecting and developing control activities designed to mitigate risks based on
Internal Control and Objective-Setting
As part of internal control, an organization specifies objectives by:
◂ Articulating and codifying specific, measurable or observable, attainable, relevant and time-based objectives.
◂ Assessing suitability of objectives and sub-objectives for internal control based on facts, circumstances, and established laws, rules, regulations, and standards
◂ Communicating objectives and sub-objectives throughout the entity and sub-units
Limitations of Internal Control
◂ Suitability of objectives established as a precondition to internal control
◂ Reality that human judgment in decision making can be faulty.
◂ Breakdowns that can occur because of human failures such as errors
◂ Ability of management to override internal control
◂ Ability of management, other personnel, and/or third parties to circumvent controls through collusion
3. Effective Internal Control
An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives.
Aspects considered:
- Present and Functioning
- Role of Components
- Role of Principles
- Deficiencies in Internal Control
4. Additional Considerations
Judgement
The Framework requires judgment in designing, implementing, and conducting internal control and assessing its effectiveness.

Point of focus
To that end, points of focus assist management in designing, implementing, and conducting internal control and in assessing whether the relevant principles are, in fact, present and functioning.
Organizational Boundaries
Many organizations choose to shift some business activities to outside service providers. This approach has become prevalent because of the benefits of obtaining access to low-cost human resources, reducing costs in the day-to-day management of certain functions, obtaining access to better processes and systems, and allowing management to focus more on the entity’s mission.

Controls to effect principles
Embedded within the internal control process are controls, which consist of policies and procedures. These policies reflect management or board statements of what should be done to effect control.
Technology
1. Enables an organization to process high volumes of transactions,
2. Transform data into information to support sound decision making,
3. Share information efficiently across the entity and with business partners,
4. Secure confidential information,
5. Allow an entity to share operational and performance data with the public.
Technology
Opportunities:
1. Develop new business markets and models
2. Generate efficiencies through automation
3. Enable entities to do things
Risk:
Increased complexity: identifying and managing the risks becomes more difficult.
Larger versus Smaller Entities
The approach an entity uses depends on the complexity of its organizational structures and operations.
Large entities
◂ More complex and less frequent communications
◂ Whistle-blower program: requires initial reporting to an identified internal staff function
Small entities
● Less complex and more frequent communications with the board
● Allow direct reporting to the audit committee chair
Larger versus Smaller Entities
Advantages
Large entities
● Bigger economies of scale
● Broader range of experienced in-house personnel
● Smaller relative cost
Small entities: effective internal control through
● Wider span of control
● Greater interpersonal relations
Benefits and Cost of Internal Control
Benefits
➔ Provides management and boards of directors
➔ As a basis for decision-making
➔ Provides feedback on the business functions
➔ Increase efficiency
➔ Reduce surprises
➔ Increase business relationships
Benefits and Cost of Internal Control
Costs
➔ Trade-offs between competency and compensation costs of labor
➔ Efforts from selecting to maintaining and updating the control activities needed
➔ Reliance on technology
➔ Establishing an information system
Other Considerations in Determining Benefits and Costs
Benefit side: more subjective evaluation, associated with achievement
Cost side: compounded by the interrelationship of controls with business operations
Documentation
Purpose:
1) Planning: Creates standards and expectations of performance and conduct
2) Organizing: Captures the design of internal control, provides clarity around roles and responsibilities and consistency in management
3) Leading: Assists in training new personnel, communicates the 5W of the execution, provides a means to retain organizational knowledge and mitigate the risk
4) Monitoring: Provides evidence of performance activities
Documentation
The level and nature of documentation can also vary by the size of the organization and the complexity of the control, through:
● In-depth policy and procedure manuals
● Flowcharts of processes
● Organizational charts
● Job descriptions
● Direct observation
5. Control Environment
Introduction
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
Principle 1: “The organization demonstrates a commitment to integrity and ethical values.”
Tone at the Top and throughout the Organization
The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
Tone at the Top and throughout the Organization
Demonstrated through:
● the operating style and
● personal conduct of management and the board of directors, attitudes toward risk, and positions
The tone affects:
❖ Awareness of risk
❖ Responses to risks
❖ Control activities
❖ Information and communication
❖ Feedback from monitoring activities
Establishes Standards of Conduct
The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
Establishes Standards of Conduct
Variables that can affect this:
➢ The nature of services outsourced
➢ Extent of alignment of the service provider
➢ Quality and frequency of the service provider’s reinforcement and oversight
➢ Magnitude and level of complexity of the entity’s supply chain and business model
Evaluates Adherence to Standards of Conduct
Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
Evaluates Adherence to Standards of Conduct
The process requires that management:
1. Define a set of indicators
2. Establish continual and periodic compliance procedures
3. Identify, analyze, and report business conduct issues and trends
4. Consider the strength of leadership demonstrated
5. Compile allegations centrally
6. Conduct and document investigations
7. Follow through on the implementation
8. Periodically analyze issues
Addresses Deviations in a Timely Manner
Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
Principle 2: “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.”
Establishes Oversight Responsibilities
The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
Establishes Oversight Responsibilities
The positions need to be specialized:
1. Nomination committees
2. Compensation committees
3. Audit committees
4. etc.
While the BOD retains oversight responsibility, the chief executive officer and senior management bear direct responsibility for developing and implementing the internal control system.
Applies Relevant Expertise
The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
Operates Independently
The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
Provides Oversight for the System of Internal Control
The board of directors retains oversight responsibility for management’s design, implementation, and conduct of internal control.
Principle 3: “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.”
Considers All Structures of the Entity
Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
Considers All Structures of the Entity
Variables to consider:
• Nature, size, and geographic distribution of the entity’s business
• Risks related to the entity’s objectives and business processes
• Nature of the assignment of authority and responsibility to top, operating unit, functional, and geographic management
• Definition of reporting lines and communication channels
• Financial, tax, regulatory, and other reporting requirements of relevant jurisdictions
Establishes Reporting Lines
Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
Establishes Reporting Lines
• The board of directors stays informed and challenges senior management
• Senior management is ultimately responsible for establishing directives, guidance, and control
• Management, which includes supervisors and decision-makers, executes senior management directives at the entity and its subunits.
• Personnel have direct responsibility over outsourced processes conducted by service providers.
Defines, Assigns, and Limits Authorities and Responsibilities
Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility.
Defines, Assigns, and Limits Authorities and Responsibilities
Authority is limited as necessary so that:
• Delegation occurs only to the extent required to achieve the entity’s objectives
• Decision making is based on sound practices for identifying and assessing risks
• Duties are segregated to reduce the risk of inappropriate conduct
• Technology is leveraged as appropriate
Principle 4: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.”
Main Focus
Establishes Policies and Practices
Policies and practices reflect expectations of competence necessary to support the achievement of objectives.
Main Focus
Evaluates Competence and Addresses Shortcomings
The board of directors and management evaluate competence across the organization and in outsourced service providers in relation to established policies and practices, and act, as necessary, to address shortcomings.
Main Focus
Attracts, Develops, and Retains Individuals
The organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
Main Focus
Plans and Prepares for Succession
Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.
Principle 5: “The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”
Main Focus
Enforces Accountability through Structures, Authorities, and Responsibilities
Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary.
Main Focus
Establishes Performance Measures, Incentives, and Rewards
Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of products, and considering the achievement of both short-term and long-term objectives.
Main Focus
Incentives, and Rewards for Ongoing Relevance
Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.
Main Focus
Considers Excessive Pressures
Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
Main Focus
Evaluates Performance and Rewards or Disciplines Individuals
Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as appropriate.
Accountability for Internal Control
Refers to the delegated ownership for the performance of internal control in the pursuit of objectives, considering the risks faced by the entity, and is demonstrated in each form of organizational structure used by the entity.
Performance Measures, Incentives, and Rewards
Performance is greatly influenced by the extent to which individuals are held accountable and how they are rewarded. Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, considering the achievement of both short-term and longer-term objectives.
Key Success Measures
Clear Objectives
● Consider all levels of personnel to support the achievement of the entity’s objectives.
● Consider the multiple dimensions of expected conduct and performance of the organization, outsourced service providers and business partners (e.g., per service-level agreements), define objectives and related incentives and pressures.
Defined Implications
● Communicate/reinforce the entity’s objectives and how each area and level of the organization is expected to support the achievement of objectives.
● Identify and discuss events that the market has rewarded in the past and those that the market has punished.
● Communicate consequences (positive and negative) of not achieving or fully/partially achieving specific entity objectives.
Key Success Measures
Meaningful Metrics
● Define metrics to transform disparate data into meaningful information on performance.
● Measure expected versus actual conduct and the impact of the deviations, both positive and negative.
● Assess the expected impact on the entity’s objectives.
Adjustment to Changes
● Adjust performance measures regularly based on a systematic and continual evaluation of the potential impacts of risks as they evolve.
Pressures
Management and the board of directors establish goals and targets toward the achievement of objectives that by their nature create pressures within the organization. Pressures can also result from cyclical variations of certain activities, which organizations have the ability to influence by rebalancing workloads or increasing resource levels, as appropriate.
Excessive pressures are most commonly associated with:
◂ Unrealistic performance targets, particularly for short-term results
◂ Conflicting objectives of different stakeholders
◂ Imbalance between rewards for short-term financial performance and those for long-term focused stakeholders, such as corporate sustainability goals
◂ Other business changes, such as changes in strategy, organizational design, and acquisition/divestiture activity, also create pressures
Performance Evaluation and Reward
◂ Evaluations are communicated and acted upon with rewards or sanctions as applicable to influence desired behavior
◂ Goal: retaining high performers and encouraging attrition of lower-end performers
6. Risk Assessment
Specifies Suitable Objectives
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
◂ A precondition to risk assessment: the establishment of objectives.

Operations Objectives
Points of focus:
• Reflects management’s choices
• Considers tolerances for risk
• Includes operations and financial performance goals.
• Forms a basis for committing of resources.
External Financial Reporting Objectives
- Complies with applicable accounting standards.
- Considers materiality.
- Reflects entity activities.

External Non-Financial Reporting Objectives
- Complies with externally established standards and frameworks.
- Considers the required level of precision.
- Reflects entity activities.
Internal Reporting Objectives
- Reflects management’s choices
- Considers the required level of precision.
- Reflects entity activities.

Compliance Objectives
- Reflects external laws and regulations
- Considers tolerance for risk
Identifies and Analyzes Risk
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Points of focus:
- Includes entity, subsidiary, division, operating unit, and functional levels.
- Analyzes internal and external factors.
- Involves appropriate levels of management.
- Estimates significance of risks identified.
- Determines how to respond to risks.
Includes entity, subsidiary, division, operating unit, and functional levels
Risk identification is an iterative process and is often integrated with the planning process.
Entity-level risk identification is typically conducted at a relatively high level and generally doesn’t include assessing transaction-level risk.
Analyzes Internal and External Factors
External factors may include:
- Economy
- Natural environment
- Regulatory
- Foreign operations
- Social
- Technological
Internal factors may include: infrastructure, management structure, personnel, access to assets, and technology.
Involves Appropriate Levels of Management
As with other processes within internal control, responsibility and accountability for risk identification and analysis processes reside with management at the overall entity and its subunits. The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management with expertise.
Estimates Significance of Risk
Organizations may assess significance using criteria such as:
- Likelihood of risk occurring and impact → likelihood represents the possibility that a given event will occur, while “impact” represents its effect.
- Velocity or speed to impact upon occurrence of the risk → refers to the pace with which the entity is expected to experience the impact of the risk.
- Persistence or duration of time of impact after occurrence of the risk.
Estimates Significance of Risk
A risk that doesn’t have a significant impact on the entity and that’s unlikely to occur generally doesn’t require a detailed risk response. A risk with a higher likelihood of occurrence and potentially a significant impact results in considerable attention.
Estimates of the significance of the risk are often determined by using data from past events, which provide a more objective basis than entirely subjective estimates.
Risk Response
Risk responses fall within the following categories:
- Acceptance: no action is taken to affect risk likelihood.
- Avoidance: exiting the activities giving rise to risk.
- Reduction: action that is taken to reduce risk likelihood or impact.
- Sharing: reducing risk impact by transferring a portion of the risk, for example by forming a joint venture.
Risk Response
In considering risk responses, management should consider:
- The potential effect on risk significance and which response options align with the entity’s risk tolerance.
- Requisite segregation of duties to enable the response to achieve the intended reduction in significance.
- Costs vs. benefits of potential responses.
Assesses Fraud Risk
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Points of focus:
- Considers various types of fraud.
- Assesses incentives and pressures.
- Assesses opportunities.
- Assesses attitudes and rationalizations.
Types of fraud
- Fraudulent reporting → when an entity’s reports are wilfully prepared with misstatements or omissions.
- Safeguarding of assets → protecting against the unauthorized and wilful acquisition, use, or disposal of assets.
- Corruption
Factors Impacting Fraud Risk
- Incentives and pressures → where there is fraud, there are typically incentives and pressures, opportunities to access those assets, and attitudes and rationalizations that serve to justify the action.
- Opportunity → created by weak control activities and monitoring, poor management oversight, and management override of control.
- Attitudes and rationalization.
Identifies and Analyzes Significant Change
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
Points of focus:
- Assesses changes in the external environment
- Assesses changes in the business model
- Assesses changes in leadership.
External Environment
- Changing external environment - a changing regulatory or economic environment can result in increased competitive pressures, changes in operating requirements, and significantly different risks.
- Changing physical environment - natural disasters directly impacting the entity, supply chain, and other business partners may result in elevated risks that an entity needs to consider to sustain its business.
Business Model
- Changing business model → when an entity enters new business lines, alters the delivery of its services through new outsourced relationships, or dramatically alters the composition of existing business lines.
- Significant acquisitions and divestitures → when an entity decides to acquire business operations.
- Foreign operations → the expansion or acquisition of foreign operations carries new and often unique risks.
- Rapid growth
- New technology
Leadership Changes
Significant personnel changes - a member of senior management new to an entity may not understand the entity’s culture, may reflect a different philosophy, or may focus solely on performance to the exclusion of control-related activities.
7. Control Activities
Introduction
Control activities serve as mechanisms for managing the achievement of an entity’s objectives and are very much a part of the processes by which an entity strives to achieve those objectives.
Selects and Develops Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Points of focus:
- Integrates with risk assessment.
- Considers entity-specific factors.
- Determines relevant business processes.
- Evaluates a mix of control activity types.
- Considers at what level activities are applied.
- Addresses segregation of duties.
Integrates with Risk Assessment
Control activities support all the components of internal control, but are particularly aligned with the risk assessment component.
Control activities are those actions that help ensure that responses to assessed risks, as well as other management directives, are carried out properly and in a timely manner.
Entity-Specific Factors
Each entity has its own set of objectives and implementation approaches, so there will be differences in objectives, risks, risk responses, and related control activities.
Business Process Control Activities
A business process will likely cover many objectives and sub-objectives, each with its own set of risks and risk responses. A common way to consolidate these business process risks into a more manageable form is to group them according to the information processing objectives of completeness, accuracy, and validity.
Types of Transaction Control Activities
- Authorizations and approvals
- Verifications
- Physical controls
- Controls over standing data
- Reconciliations
- Supervisory controls
Control activities can be preventive or detective, and organizations usually select a mix. When selecting and developing control activities, the organization considers the precision of the control activity.
Control Activities at Different Levels
Transaction controls and business performance reviews at different levels work together to provide a layered approach to addressing the organization’s risks and are integral to the mix of controls within the organization.
Most business performance reviews are detective in nature because they typically occur after transactions have already taken place and been processed.
Segregating Duties
Segregation of duties generally entails dividing the responsibility for recording, authorizing, and approving transactions, and handling the related asset.
However, sometimes segregation isn’t practical, cost effective, or feasible.
8. Information & Communication
Communication Beyond Normal Channels
The organization establishes separate communication channels for customers, suppliers, outsourced service providers, and other external parties, so that they are able to communicate directly with management and/or other personnel about concerns over how business is conducted between the parties. Such concerns usually arise from the complexity of the business relationship between an entity and an external party.
E.g.: customer service
Method of Communication
● Management considers which method to use, taking into account the audience, the nature of the communication, timeliness, and any legal or regulatory requirements.
● Methods that are often effective and used by management to reach a broad audience of external parties are:
○ Issuing press and news releases through investor/public relations channels
○ Using blogs, social media, electronic billboards, and e-mail.
9. Monitoring Activities
Monitoring Activities
➔ Activities to ascertain whether the five components of internal control are present and functioning effectively.
➔ Selected, developed, and performed in order to ascertain whether each component continues to be present and functioning or whether changes are needed.
➔ In ascertaining this, the organization can use ongoing evaluations, separate evaluations, or a combination of both.
Distinguishing Control Activities & Monitoring Activities
Control Activities:
- Respond to specific risks
- Detect and correct errors
Monitoring Activities:
- Assess whether controls within each component are operating as intended
- Ask why there were errors in the first place
Conducts Ongoing and/or Separate Evaluations
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Rate of Change
Management needs to look at how quickly and how predictably the entity changes, in order to determine whether ongoing, separate, or combination evaluations are needed.

Baseline Information
Management needs to understand the design and current state of the system of internal control, so that it can provide useful baseline information from which to establish ongoing, separate, or combination evaluations.
Ongoing Evaluations
● Monitor the presence and functioning of the five components of internal control in the ordinary course of business management.
● Usually performed by line operating or functional managers who are competent in the field that they are evaluating and are able to give thoughtful consideration to the implications of the information they receive.
Characteristics:
◂ Generally defined
◂ Routine operation
◂ Built in to business processes
◂ Performed on a real-time basis
Separate Evaluations
● Include observing, reviewing, and other examinations to ascertain whether controls to effect principles across the entity and its subunits are designed, implemented, and conducted.
● Vary in scope and frequency, depending on the significance of risks, risk responses, results of ongoing evaluations, and expected impact on control.
● Evaluation scope is determined by either: operations, reporting, or compliance (the 3 objective categories)
Characteristics:
◂ Conducted periodically by objective management personnel, internal audit, or external parties
◂ Scope and frequency are a matter of management judgment
Separate Evaluations
● Knowledgeable Personnel
● Separate Evaluation Approach and Objectivity
○ Internal Audit Evaluations
○ Other Objective Evaluations
○ Cross Operating Unit or Functional Evaluations
○ Benchmarking/Peer Evaluations
○ Self-Assessments
● Outsourced Service Providers
Evaluates and Communicates Deficiencies
Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Assess Results
Deficiencies can be known through:
◂ Monitoring activities
◂ Other components
◂ External parties

Communicating Internal Control Deficiencies
Report depends on:
◂ Criteria established by regulators, standard-setting bodies, management, and the BOD
Scope depends on:
◂ How the deficiency is evaluated against established criteria
10. Limitations of Internal Control

Limitations of Internal Control
● Preconditions of Internal Control
Areas that are part of management but not part of internal control
● Judgment
Human judgment is often inaccurate
● Breakdowns
There is always the possibility of breakdowns, no matter how well designed a system of internal control is
● Management Override
Setting aside established policies/procedures for an illegitimate purpose, with the intention of personal gain or of enhancing the entity's presentation of performance
● Collusion
Individuals acting collectively to commit fraud and conceal it can cause deficiencies in internal controls

Appendices

B. Roles and Responsibilities


1st Line: Manager and Other Personnel
2nd Line: Business Enabling Function
3rd Line: Internal Auditors

Responsible Parties
Board of Directors and its Committees
● Audit Committee
● Compensation Committee
● Nomination/Governance Committee
● Other Committees

Chief Executive Officer
Responsibilities for internal control include:
● Providing leadership and direction to senior management
● Maintaining control over the risks facing the entity
● Guiding the development and performance of control at the entity level, and delegating it to the various levels
● Communicating expectations
● Evaluating deficiencies in control

Chief Financial Officer
● Supports the CEO in front-line responsibilities
○ E.g.: internal control over financial reporting
● Provides valuable input and direction
● Is positioned to focus on evaluating and following up on management's actions
● Narrowing the CFO's role to only treasury and financial reporting can limit the entity's ability to succeed
● In some jurisdictions, is required by law to certify the effectiveness of internal control over financial reporting alongside the CEO

Other Members of Senior Management
● E.g.: Chief Administrative Officer, Chief Audit Executive/Chief Compliance Officer, Chief Information Officer, etc.
● Guide the development and implementation of internal control policies and procedures that address the objectives of their functional/operating unit
● Assign more specific internal control responsibilities to personnel within their unit

Business-Enabling Function
● Risk and Control Personnel
○ Provide specialized skill and guidance to front-line management and other personnel, and evaluate internal control
● Legal and Compliance Personnel
○ Make sure that legal, regulatory, and similar requirements are understood and communicated to those responsible for compliance

Other Personnel
● Control Environment: reading, understanding, and applying the standards
● Risk Assessment: identifying and evaluating risks to the achievement of objectives
● Control Activities: performing reconciliations, following up on exception reports, performing physical inspections, investigating reasons for cost variances, etc.
● Information and Communication: producing and sharing the information used by the internal control system
● Monitoring Activities: identifying and communicating violations to higher-level management
Internal Auditor
● Provides assurance and advisory support to management on internal control
● Evaluates the sufficiency and effectiveness of controls in responding to risks that can arise within the organization's oversight, operations, and information systems
○ E.g.: reliability and integrity of financial and operational information, effectiveness and efficiency of operations and programs, safeguarding of assets, etc.
● Can be required or optional, depending on the jurisdiction, the size of the entity, and the nature of the business

Other Parties Interacting with the Entity
1. Independent auditors
2. External reviewers
3. Legislators and regulators
4. Financial analysts, bond rating agencies, news media

Specific Considerations for Small Entities

Characteristics of smaller entities:
• Fewer lines of business and fewer products within lines
• Concentration of marketing focus by channel or geography
• Leadership by management with significant ownership interest or rights
• Fewer levels of management with wider spans of control
• Less complex transaction processing systems
• Fewer personnel, many having a wider range of duties
• Limited ability to maintain deep resources in line as well as support staff positions such as legal, HR, accounting, and internal auditing
Meeting Challenges in Attaining Cost-Effective Internal Control
• Obtaining sufficient resources to achieve adequate segregation of duties
• Balancing management's ability to dominate activities
• Recruiting individuals with requisite expertise to serve effectively on the board of directors and committees
• Recruiting and retaining personnel with sufficient experience and skill in operations, reporting, compliance, and other disciplines
• Taking critical management attention from running the business in order to provide sufficient focus on internal control
• Controlling information technology and maintaining appropriate general and application controls over computer information systems with limited technical resources
Segregation of Duties

• Review Reports of Detailed Transactions: managers review system reports of detailed transactions on a regular and timely basis
• Review Selected Transactions: managers select transactions for detailed review of supporting documents
• Take Periodic Asset Counts: managers periodically conduct counts of physical inventory, equipment, or other assets and compare them with the accounting records
• Check Reconciliations: managers from time to time review reconciliations of account balances such as cash, or perform them independently
Mitigating Management Override

• Maintain a corporate culture where integrity and ethical values are held in high esteem, embedded throughout the organization, and practiced on an everyday basis.
• Implement a whistle-blower program, where personnel feel comfortable reporting any improprieties, regardless of the level at which they may be committed.
• Position an effective internal audit function to detect instances of wrongdoing and breakdowns at the entity and sub-unit levels.
• Attract and retain qualified board members that take their responsibilities seriously to perform the critical role of preventing or detecting instances of management override.
Other Things To Consider

• Board of Directors
• Information Technology
• Monitoring Activities
Methodology of Revising the Framework
The Project Approach

1. Assess and Envision: through literature reviews, global surveys, and public forums
2. Build and Design: developed the update, including principles and points of focus
3. Preparation for Public Exposure: refined the update through reviews with the general public
4. Public Exposure: the Framework was issued for public exposure for a 104-day comment period
5. Finalization: finalize the Framework and related publications and provide them to the COSO Board for review and acceptance
Definition of Internal Control
● Reporting, operations and compliance objectives

Principles
The Framework carries forward the seventeen
principles. It retains the principles that focus on the use
of technology and the assessment of fraud risks,
recognizing their important role in achieving effective
internal control. Some principles were also enhanced or
clarified based on respondents’ comments.

Assessing Effectiveness
● Attributes
● Classification of Internal Control Deficiencies

Objective-setting
The Framework retains the five components and the concept that establishing objectives is a precondition to internal control. It clarifies the distinction between establishing objectives (outside the system of internal control) and specifying objectives (within the system of internal control). The Framework expands the discussion on the suitability of objectives and explains how management should respond when specified objectives are viewed as unsuitable.

Objectives
● Safeguarding of Assets
● Strategic Objectives

Technology
The Framework includes enhanced discussion on technology in the points of focus. The Framework does not include extensive discussion on specific current technology initiatives or the risks associated with them, because of the evolving nature of technology and concerns that the Framework may become dated. The Framework does not explicitly reference other technology-focused frameworks by name.

Summary of Changes to the Internal Control - Integrated Framework Issued in 1992

Broad-based changes:
• Applies a principles-based approach
• Expands the reporting category of objectives
• Clarifies the role of objective-setting in internal control
• Enhances governance concepts
• Considers globalization of markets and operations
• Considers different business models and organizational structures
• Considers demands and complexities in laws, rules, regulations, and standards
• Considers expectations for competencies and accountabilities
• Reflects the increased relevance of technology
• Enhances consideration of anti-fraud expectations
Key Changes to Internal Control Components

Control Environment
• Combining into five principles the discussions relating to integrity and ethical values, commitment to competence, board of directors or audit committee, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices
• Explaining linkages between the various components of internal control to demonstrate the foundational aspects of the control environment for a sound system of internal control
• Expanding the discussion of governance roles in an organization, recognizing differences in structures, requirements, and challenges across different jurisdictions, sectors, and types of entities
• Clarifying the expectations of integrity and ethical values to reflect lessons learned and developments in ethics and compliance
• Expanding the notion of risk oversight and strengthening the linkages between risk and performance to help allocate resources to support internal control in the achievement of the entity's objectives
• Emphasizing the need to consider internal control across the complexities in organizational structure resulting from different business models and the use of
• Aligning roles and responsibilities discussed in organizational structure with the information presented in Appendix B so that major roles are used consistently within the Framework

Risk Assessment
• Repositioning much of the discussion on objective-setting
• Focusing the risk assessment component on articulating objectives relating to operations, reporting, and compliance with sufficient clarity so that any risks to those objectives can be identified and assessed
• Broadening the financial reporting category of objectives to include other aspects of external reporting and to include internal reporting
• Reflecting the view that non-financial reporting is conducted in relation to an external requirement or standard
• Clarifying that risk assessment includes processes for risk identification, risk analysis, and risk response
• Expanding the discussion on risk severity beyond impact and likelihood to include such concepts as velocity and persistence
• Incorporating risk tolerances into the assessment of acceptable risk levels
• Expanding the discussion on management needing to understand significant changes in its internal and external factors and how those might impact the overall system of internal control
• Considering fraud risk relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption as part of the risk assessment process
Control Activities
• Broadening the discussion to reflect the evolution in technology since 1992
• Expanding the discussion of the relationship between automated control activities and general controls over technology to reinforce the linkages to business processes
• Expanding the discussion that control activities constitute a range of control techniques while providing a more detailed description of these types and techniques, and a way to categorize them
• Updating the discussion on general technology controls to focus on the more universal concepts of what needs to be controlled in this area rather than specifics applicable to the 1992 technology
• Clarifying that control activities are actions established by policies and procedures rather than being the policies and procedures themselves
Information and Communication

● Emphasizing the discussion of the importance of quality of information
● Expanding the discussion of the expectations for verifying to a source and for retention when information is used to support reporting objectives to external partners
● Expanding the discussion on the impact of regulatory requirements on reliability and protection of information
● Expanding the discussion of the volume and sources of information in light of increased complexity of business processes, greater interaction with external parties, and technology advances
● Reflecting the impact of technology and other communication mechanisms on the speed, means, and quality of the flow of information
● Adding content on the information and communication needs between the entity and third parties
Monitoring Activities:
● Refining the terminology, where the two main
categories of monitoring activities are now referred to
as “ongoing evaluations” and “separate evaluations”
● Adding the need for a baseline understanding in
establishing and evaluating ongoing and separate
evaluations
● Expanding discussion of the use of technology and
external service providers
Comparison with COSO Enterprise Risk Management - Integrated Framework

Comparison:
● A broader concept
● Categories of Objectives
● Risk Appetite and Risk Tolerances
● Portfolio View
● Components
● Summary:
○ Common to both Internal Control (IC) and Enterprise Risk Management (ERM): Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities
○ Included in IC and expanded upon in ERM: Control Environment, Risk Assessment, Information and Communication
○ Incremental to ERM and not part of IC: Control Environment, Risk Assessment
