INTERNAL

CONTROL
WHAT IS INTERNAL CONTROL???
• Internal Control is a process designed to provide reasonable
assurance regarding the achievement of company’s
objectives (Moeller, 2017).

• According to ACCA (2020), Internal control is a set of

activities perform by companies/businesses with intention to
protect the assets, minimizing errors, and ensure the
operations are conducted accordingly.
WHY DO WE NEED CONTROL???
• Reduce risk
• Avoid Financial failures
(Default, do we have enough cash to continue the business?)
• Avoid Accounting failures
(Misstatement, manipulation).
• Avoid Operational Failures
(Human Errors, Quality risk)
WHY INTERNAL CONTROL
IMPORTANT???
• Internal control play critical role in businesses, because they
establish safeguards (protection) to the assets, minimize the
opportunity of fraud happen, and detect errors in the daily
operations.
• According to Moeller (2017), Internal control aims to:
– reduces the risk of assets loss,
– ensure the reliability of financial statements
– assure that company comply with law and regulations.
INTERNAL CONTROL
INTERNAL CONTROL STANDARDS

•What is the standards that require

company to assess its internal
control???
INTERNAL CONTROL STANDARDS

• SARBANES AND OXLEY ACT 2002.

• After the case of Enron and Worldcom, Public reporting
companies must strengthen their internal control.
HOW INTERNAL CONTROL WORKS???
Some of internal control activities include:
• Board of directors monitor the entire organization and provide
governance (control) to management.
• Access to computer records is restricted, so that information only
available to people who need it to conduct specific task. (reduce the
risk of information theft).
• Assets are locked up when not in use (reduce the risk of stolen
assets).
• Authorized signature for documents.
• INTERNAL AUDITORS routinely test the internal
controls by examine the process and activities
perform in the company, including checking for
failures that can be corrected.
INTERNAL CONTROL FRAMEWORK
Framework serve as the foundation in Internal Control.
It explains how company establish its internal control.

COSO
FRAMEWORK
WHAT IS COSO FRAMEWORK???
• WHAT IS COSO STANDS FOR???
COSO FRAMEWORK

• COSO stands for Committee of Sponsoring Organizations.

• They work under Institute of Internal Auditors (IIA).
• They were given authority by government to develop a framework as
a guidance for company to establish and assess its internal control.
• Sarbanes and Oxley Act 2002 require company to use COSO
Framework to evaluate the internal controls.
COSO FRAMEWORK CUBE
COSO FRAMEWORK
TOP DIAGRAM
• COSO framework have three objectives, which are
1.Operations Control: Ensure effectiveness and efficiency
of operations.
2.Reporting Control : Ensure reliability of financial
reporting.
3.Compliance Control: Ensure businesses comply with
law and regulations.
COSO FRAMEWORK
COMPONENTS

RISK
CONTROL CONTROL
ASSESSMEN
ENVIRONMENT ACTIVITIES
T

INFORMATION & MONITORING

COMMUNICATION ACTIVITIES
 CONTROL ENVIRONMENT
• COSO indicates that the control environment is the set of standards, processes, and
structures that provide the basis for carrying out internal controls in the organization.
• IIA state control environment serve as the foundation for establishing internal
controls.
• Control Environment provide discipline and structure of organization
• Control environment principles include:
1. Demonstrating commitment to integrity and ethical values.
2. Maintaining the independence of board of directors.
3. Establish organizational structure to segregate duties
4. Setting responsibilities for employees.
5. Setting standards and Code of Conduct in the company.

These principles are utilized to maintain control in the organization

 RISK ASSESSMENT
• What is risk???
• A threat to achieve objectives.
• In companies, risk are define as possibility of event occur that will give
negative impact to the company.
• Risk can come from internal or external sources.

• Risk assessment involve in identifying the risk that company might face.
• Management specifies risk assessment objectives, which are to identify
risks relating to operations, reporting and compliance.
RISK ASSESSMENT
Management will identify the frequency of occurrence and the
level of risk that the business might face.
Examples type of risk that might occur:
OPERATION
S

1. Supply Chain Risk

2. Customer Satisfaction
3. Human Resources
4. Training Risk
5. Default Risk
RISK ASSESSMENT
Examples type of risk that might occur:

REPORTING

1.Manipulation Risk
2.Fraud
3.Errors
 RISK ASSESSMENT
Examples type of risk that might occur:

COMPLIANCE

1. Accounting Standards Risk

2. Taxation Risk
3. Failure to meet Responsibility of the
company.
4. Failures of employee to follow rules.
RISK RESPONSE STRATEGIES
• This is establish as a way for management to handle the risk
1. Avoidance: Walking away from the risk. This is a strategy where
management ignore the risk and don’t find solutions to reduce the risk.
For example, when customers complain, they ignore the critiques.
2. Reduction: Where management find solutions to reduce the risk. For
example, when company face with human resources risk, they find
more talented individuals to become their employees.
3. Acceptance: Where management accept the risk because it can’t be
avoided or solved by the company. For examples: Natural disasters,
Inflation.
CONTROL ACTIVITIES
• Control activities are the actions taken by management and
the board of directors to mitigate the risks and increase the
likelihood to achieve company’s objectives.
• This is where the management and board of directors work
together to reduce the risk faced by the company.
• Aside from reducing the risk, they also work together to
assure the employee work to achieve company’s goals.
CONTROL ACTIVITIES
• Types of Control Activities
1. VERIFICATION: to check the accuracy and validity of something.
Example: Management verify transactions whether it match with the
invoices or not.
2. RECONCILIATION: to check the completeness of transactions. For
example: Completing creating financial statements from the financial
activities performed.
3. AUTHORIZATION and APPROVAL: This is a process to assure
activities are perform based on company’s objectives (therefore need
approval before taking actions). This taken to reduce the risk of Fraud
and Errors.
4. PHYSICAL CONTROL: Inventories, cash and other assets are
securely locked and guarded.
INFORMATION & COMMUNICATION
• INFORMATION AND COMMUNICATION is how the management
deliver knowledge and issue regarding their objectives and internal
controls to internal and external parties.
• INFORMATION: provided by management to the employees on how
they are establishing internal control to achieve the objectives in
operations, reporting and compliance.
• COMMUNICATION: The process where management keep sharing
the information to the employees and external parties. For example:
Use Emails, Bulletin boards, Company’s Websites, etc.
MONITORING ACTIVITIES
• Monitoring activities are ongoing evaluation perform to
examine the work of individuals in the organization.
• Monitoring activities are taken to assure the implementation
and operation of the five components of Internal Control.
• This is the activity where the directors or management observe
whether the employee are performing the work effectively and
accordingly.
• Examples: Directors go to departments for monthly
inspections.
 COSO
FRAMEWORK
COMPONENT
COSO FRAMEWORK
THIRD DIMENSION

• The third dimension on the right represents the

organizational structure of the organization.
• It shows the people who supports and perform internal
control activities in the organization
• Third Dimensions shows the hierarchy level of an
organization from Entity level (Top Management)
descending to Divisions & Operating Unit (Middle
Management) and Function (Lower Management).
COSO FRAMEWORK CUBE
 INTERNAL CONTROL AND INTERNAL
AUDIT
• Internal auditor will test the internal control in the organization.
• Are the company conducting internal control effectively? Are the system
effective and efficient?
• Internal audit are performed at a specific time to assess the way internal
control work in the organization.
• Internal audit is the action of reviewing financial and operating activities
in the organization.
• While internal control is the system puts in place to achieve company’s
objectives.
INTERNAL AUDITOR TEST INTERNAL
CONTROL
There are 4 actions in which internal auditor test the internal control
1. Inquiry: Obtaining an explanation of an internal control from the
management. (Ask how the internal control works in each of department).
2. Observation : Observe whether internal control are performed effectively.
3. Inspection: Examine physical evidence of the internal control. (Ex:
checking signatures in the document, Checking assets).
4. Recommendation: Give recommendation to fix errors in Internal control.
TASK!!!

• IDENTIFY COSO
NEXT WEEK:
THE PROCESS OF INTERNAL AUDIT
• Document Review
• Observation
• Interview
• We will get further on Week 4 .