
Chapter 4 - Internal Control


CHAPTER –4

INTERNAL
Contents
• Meaning and objectives of internal controls
• Accounting and administrative controls
• Categories of internal control system
• The control process
• Importance of internal control
• Basic internal control structure activities/components
• Limitations of internal control
• Evaluating internal control

Meaning of Internal Control
❑ Any organization wishing to conduct its business in an organized and efficient manner and to produce reliable financial accounting information, both for its own and for others’ use, needs some controls to minimize the effects of the endemic human failings (with the best intentions or intentional falsification).
❑ When such controls are implemented within the organization’s systems they are described as internal controls.
❑ Internal controls are mechanisms designed to control all of an entity’s functions, not just its accounting function.
❑ An internal control system encompasses the policies, processes, tasks, behaviors and other aspects of a company that, taken together:
❖ Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives
❖ Help ensure the quality of internal and external reporting
❖ Help ensure compliance with applicable laws and regulations

Definition of Internal Control * COSO
❑ Internal control is ‘a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
❖ Effectiveness and efficiency of operations
❖ Reliability of financial reporting
❖ Compliance with applicable laws and regulations.’ (COSO)
* Committee of Sponsoring Organizations of the Treadway Commission

Definition of Internal Control cont…
➢ Internal control is an activity that we perform to see that the things we want to happen will happen …
➢ and the things we don’t want to happen won’t happen.

Internal Controls Are Common Sense
What do you worry about going wrong?
What steps have been taken to assure it doesn’t?
How do you know things are under control?
➢ Internal control is a process; it is a means to an end, not an end itself.
➢ Internal control is effected by people; it’s not merely policy manuals and forms but people at every level of an organization.
➢ Internal control can be expected to only provide reasonable assurance, not absolute assurance.

Objectives of Internal Control
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories. Objectives fall into four categories:
1. Operations – relating to effective and efficient use of the entity’s resources
2. Financial reporting – relating to preparation of reliable published financial statements
3. Compliance – relating to the entity’s compliance with applicable laws and regulations; and
4. Safeguarding of assets

Components of Internal Control
❑ ICs contain accounting and administrative controls.
❑ The internal accounting controls are designed, in particular, to ensure that transactions which give rise to the accounting data are:
1. properly recorded, that is, all relevant details of transactions are recorded at the time the transactions take place;
2. properly authorized, that is, all transactions are authorized by a person with the requisite authority;
3. valid, that is, transactions recorded in the accounting system represent genuine exchanges with legitimate parties;
4. complete, that is, all genuine transactions are input to the accounting system; none are omitted;
5. properly valued, that is, transactions are recorded in the correct amounts;
6. properly classified, that is, transactions are recorded in the correct accounts;
7. recorded in the correct accounting period.

Categories of Internal Control System
• Preventive controls: Prevent something bad from happening.
• Detective controls: Detect problems that passed through preventive control.
• Corrective controls: Aimed at correcting problems detected by detective control.

The Control Process
Management designs systems of internal control to accomplish all three objectives:
➢ Reliability of Financial Reporting,
➢ Efficiency and Effectiveness of Operations, and
➢ Compliance with Laws and Regulations.
❑ The auditor’s focus in both the audit of financial statements and the audit of internal controls is to operations and to compliance with laws and regulations objectives that could materially affect financial reporting.

Common Internal Controls in our personal life
➢ Lock up valuable belongings.
➢ Keep copies of your tax returns, registration slip, academic credentials, etc.
➢ Balance your checkbook.
➢ Keep your ATM/debit card PIN number separate from your card.
➢ Lock up your computer with a password.
➢ Compare your book and bank balance.

Why are Internal Controls Important?
➢ Compliance with applicable laws and regulations.
➢ Accomplishment of the entity’s mission.
➢ Relevant and reliable financial reporting.
➢ Effective and efficient operations.
➢ Safeguarding of assets.

Risks of Weak Internal Controls
Weak Internal Controls Increase Risk Through…
➢ Business Interruption: system breakdowns or catastrophes, excessive re-work to correct for errors.
➢ Erroneous Management Decisions: based on erroneous, inadequate or misleading information.
➢ Fraud, Embezzlement and Theft: by management, employees, customers, vendors, or the public-at-large.
➢ Statutory Sanctions: penalties arising from failure to comply with regulatory requirements, as well as overt violations.
➢ Excessive Costs/Deficient Revenues: expenses which could have been avoided, as well as loss of revenues to which the organization is entitled.
➢ Loss, Misuse or Destruction of Assets: unintentional loss of physical assets such as cash, inventory, and equipment.

Benefits of Strong Internal Controls
➢ Reducing and preventing errors in a cost-effective manner.
➢ Ensuring priority issues are identified and addressed.
➢ Protecting employees & resources.
➢ Providing appropriate checks and balances.
➢ Having more efficient audits, resulting in shorter timelines, less testing, and fewer demands on staff.
➢ Contributing to the effectiveness of the control system.

Effective Internal Controls
➢ Make sense within each organization’s unique operating environment.
➢ Benefit rather than encumber (hinder) management.
➢ Are not stand-alone practices; they are woven into day-to-day responsibilities.
➢ Are cost-effective.

Basic Internal Control Structure
The most widely accepted internal control framework in the United States describes internal control as consisting of five components that management designs and implements to provide reasonable assurance that its control objectives will be met.
Each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements.

Internal control components
The internal control components include the following:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication systems support
5. Monitoring

Internal Control Framework…
COSO’s Five Inter-Related Standards
[Figure: diagram of the standards; surviving labels: Monitoring; Assessment; Control Environment; Information &; Control Activities]

1. Control Environment
❖ Foundation for all other standards of internal control.
❖ Pervasive influence on all the decisions and activities of an organization.
❖ Effective organizations set a positive “tone at the top”.
❖ Factors include the integrity, ethical values and competence of employees, and management’s philosophy & operating style.
❖ The control environment serves as the umbrella for the other four components.

The Control Environment
The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
❑ To understand and assess the control environment, auditors should consider the most important control subcomponents, which are:
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors’ audit committee participation
4. The audit committee’s independence
5. Organizational structure
6. Human resource policies and practices

2. Risk Assessment
❑ Risks are internal & external events (economic conditions, staffing changes, new systems, regulatory changes, natural disasters, etc.) that threaten the accomplishment of objectives.
▪ Risk assessment is the process of identifying, evaluating, and deciding how to manage these events…
▪ What is the likelihood of the event occurring? What would be the impact if it were to occur? What can we do to prevent or reduce the risk?

3. Control Activities
❑ Tools (policies, procedures, processes) designed and implemented to help ensure that management directives are carried out.
❑ Help prevent or reduce the risks that can impede the accomplishment of objectives.
❑ Occur throughout the organization, at all levels, and in all functions.
❑ Include approvals, authorizations, verifications, reconciliations, security of assets, reviews of operating performance, and segregation of duties.

4. Communication & Information
❑ Pertinent information must be captured, identified and communicated on a timely basis.
❑ Effective information and communication systems enable the organization’s people to exchange the information needed to conduct, manage, and control its operations.

5. Monitoring
❑ Internal control systems must be monitored to assess their effectiveness… Are they operating as intended?
❑ Ongoing monitoring is necessary to react dynamically to changing conditions… Have controls become outdated, redundant, or obsolete?
❑ Monitoring occurs in the course of everyday operations; it includes regular management & supervisory activities and other actions personnel take in performing their duties.

Key Internal Control Activities/Components

1. Separation of Duties
➢ Divide responsibilities between different employees so one individual doesn’t control all aspects of a transaction.
➢ Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.

Adequate Separation of Duties
Custody of assets | Accounting
Authorization of transactions | The custody of related assets
Operational responsibility | Record-keeping responsibility
IT duties | User departments

2. Documentation
▪ Document & preserve evidence to substantiate:
➢ Critical decisions and significant events... typically involving the use, commitment, or transfer of resources.
➢ Transactions… enables a transaction to be traced from its inception to completion.
➢ Policies & Procedures… documents which set forth the fundamental principles and methods that employees rely on to do their jobs.

Adequate Documents and Records
➢ Pre-numbered consecutively
➢ Prepared at the time of transaction
➢ Simple enough to ensure understanding
➢ Designed for multiple use
➢ Constructed to encourage correct preparation

3. Authorization & Approvals
➢ Management documents and communicates which activities require approval, and by whom, based on the level of risk to the organization.
➢ Ensure that transactions are approved and executed only by employees acting within the scope of their authority granted by management.

Proper Authorization of Transactions and Activities
➢ General authorization
➢ Specific authorization

4. Security of Assets
➢ Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce the risk of loss or unauthorized use.
➢ Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization.
➢ Base the level of security on the vulnerability of items being secured, the likelihood of loss, and the potential impact should a loss occur.

Physical Control over Assets and Records
The most important type of protective measure for safeguarding assets and records is the use of physical precautions.

5. Reconciliation & Review
➢ Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance.
➢ Base level of review on materiality, risk, and overall importance to organization’s objectives.
➢ Ensure frequency is adequate enough to detect and act upon questionable activities in a timely manner.

Independent Checks on Performance
The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.

6. Information and Communication
The purpose of an accounting information and communication system is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.

Limitations of Internal Control
❑ Internal control, no matter how well designed, implemented and conducted, can provide only reasonable assurance to management and the board of directors of the achievement of an entity’s objectives.
▪ In considering limitations of internal control, two distinct concepts must be recognized.
❑ The first set of limitations acknowledges that certain events or conditions are simply beyond management’s control.
❑ The second acknowledges that no system of internal control will always do what it is designed to do.
❑ The best that can be expected in any system of internal control is that reasonable assurance be obtained.
❑ The effectiveness of internal control is limited by the realities of human frailty in the making of business decisions.
❑ Internal control may not result in the intended objectives due to:
➢ Human judgment;
➢ External events;
➢ Management override; and
➢ Collusion.

Human judgment:
❑ Some decisions based on human judgment may later, with the clarity of hindsight (perception after the fact), be found to produce less than desirable results, and may need to be changed.

External events:
❑ For objectives relating to the effectiveness and efficiency of an entity’s operations (achieving its mission, value propositions (e.g., productivity, quality, and customer service), profitability goals, and the like), internal control cannot provide reasonable assurance of the achievement when external events may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an acceptable level.

Management override:
❑ The term “management override” is used here to mean overruling prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity’s performance or compliance. Examples include:
❑ Increase reported revenue to cover an unanticipated decrease in market share,
❑ Enhance reported earnings to meet unrealistic budgets,
❑ Boost the market value of the entity prior to a public offering or sale,
❑ Meet sales or earnings projections to bolster bonus payouts tied to performance,
❑ Appear to cover violations of debt covenant agreements,
❑ Hide lack of compliance with legal requirements.

Collusion:
❑ Collusion can result in internal control deficiencies. Individuals acting collectively to perpetrate and conceal an action from detection often can alter financial or other management information so that it cannot be detected or prevented by the system of internal control.
❑ Collusion can occur, for example, between an employee who performs controls and a customer, supplier, or another employee.

Additionally,
➢ Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved.
➢ A limitation inherent in any system is the element of human error, misunderstandings, fatigue and stress.
➢ Employees are to be encouraged to take earned vacation time in order to improve operations by enabling employees to overcome or avoid stress and fatigue.

Evaluating Internal Control
❑ Evaluating and improving internal control are among the core competencies of many professional accountants.
❑ Professional accountants can play a leading role in ensuring that internal control forms an integral part of an organization’s governance system and risk management.
❑ IFAC provides the following key principles for evaluating and improving internal control.
❑ The organization should make internal control part of risk management and integrate both in its overall governance system.
❑ The organization should determine the various roles and responsibilities with respect to internal control, including the governing body, management at all levels, employees, and internal and external assurance providers, as well as coordinate the collaboration among participants.
❑ The governing body and management should foster an organizational culture that motivates members of the organization to act in line with risk management strategy and policies on internal control.
❑ The governing body and management should link achievement of the organization’s internal control objectives to individual performance objectives.
❑ The governing body, management, and other participants in the organization’s governance system should be sufficiently competent to fulfill the internal control responsibilities associated with their roles.

3. Control and Accounting Information Systems

Internal Controls
• Processes implemented to provide assurance that the following objectives are achieved:
– Safeguard assets
– Maintain sufficient records
– Provide accurate and reliable information
– Prepare financial reports according to established criteria
– Promote and improve operational efficiency
– Encourage adherence with management policies
– Comply with laws and regulations

Functions of Internal Controls
• Preventive controls
– Deter problems from occurring
• Detective controls
– Discover problems that are not prevented
• Corrective controls
– Identify and correct problems; correct and recover from the problems.

Control Frameworks
• COBIT (Control Objectives for Information and Related Technologies)
– Framework for IT control
• COSO
– Framework for enterprise internal controls (control-based approach)
• COSO-ERM
– Expands COSO framework taking a risk-based approach

COBIT Framework
• Current framework version is COBIT5
• Based on the following principles:
– Meeting stakeholder needs
– Covering the enterprise end-to-end
– Applying a single, integrated framework
– Enabling a holistic approach
– Separating governance from management
• COBIT5 Separates Governance from Management

Components of COSO Frameworks
COSO-ERM
– Internal environment
– Objective setting
– Event identification
– Risk assessment
– Risk response
– Control activities
– Information and communication
– Monitoring

Internal Environment
• Management’s philosophy, operating style, and risk appetite
• Commitment to integrity, ethical values, and competence
• Internal control oversight by Board of Directors
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards

Objective Setting
• Strategic objectives
– High-level goals
• Operational objectives
– Effectiveness and efficiency of operations
• Reporting objectives
– Improve decision making and monitor performance
• Compliance objectives
– Compliance with applicable laws and regulations

Event Identification
Identifying incidents both external and internal to the organization that could affect the achievement of the organization’s objectives.
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?

Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate of potential loss if event occurs
Types of risk
• Inherent
▫ Risk that exists before plans are made to control it
• Residual
▫ Risk that is left over after you control it

Risk Response
• Reduce
▫ Implement effective internal control
• Accept
▫ Do nothing, accept likelihood and impact of risk
• Share
▫ Buy insurance, outsource, or hedge
• Avoid
▫ Do not engage in the activity

Control Activities
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance

Segregation of Duties

Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline ➔ a direct telephone line set up for this purpose.
