2

Brief History of Internal Control

1949 it was defined by the American Institute of Accountants (now
the AICPA)
1958 - a distinction between accounting controls and administrative
controls have been released
Accounting controls relate to safeguarding assets and reliability of
financial records

Administrative controls relate to operational efficiency and
adherence to managerial policies
1972 a clarification of controls, accounting controls provide
reasonable assurance
3
The COSO* Definition of Internal Control
* Committee of Sponsoring Organizations of the Treadway Commission
Internal control is a process, effected by an entitys board of directors,
management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following
categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
4
Definition of Internal Control
* Committee of Sponsoring Organizations of the Treadway Commission
Internal control is a companys system, defined and implemented
under its responsibility which aim to ensure:

laws and regulations are complied with
directional guideline were approved by higher management
companys internal process are functioning properly
financial information is reliable;

and generally, contributes to the control over its activities, to the
efficiency of its operations and to the efficient utilization of its resources
5

The reliability and integrity of information.
Compliance with policies, plans, procedures, laws and
regulations.
The safeguarding of assets.
The economical and efficient use of resources.
The accomplishment of established objectives and goals
for operations or programs.
Protiviti KnowledgeLeader (www.knowledgeleader.com)
Objectives of Internal Control
Internal controls are established to further strengthen:
6
Promote orderly, economical, efficient and effective operations,
and produce quality services and outcomes consistent with the
agencys mission

Safeguard resources against loss due to waste, abuse, errors and
fraud

Promote adherence to laws, regulations, policies, procedures and
contracts

Develop and maintain reliable financial and management data
and accurately present that data in timely reports to decision
makers
Purposes & Principles of Internal Control:
7
Simple Definition
Internal control is what we do to see that the
things we want to happen will happen

And the things we dont want to happen
wont happen.
8
Internal Control Myths and Facts
MYTHS:

Internal control starts with a strong set
of policies and procedures.

Internal control: Thats why we have
internal auditors!


Internal control is a finance thing.


Internal controls are essentially
negative, like a list of thou-shalt-nots.

Internal controls take time away from
our core activities of making products,
selling, and serving customers.
FACTS:

Internal control starts with a strong
control environment.

While internal auditors play a key
role in the system of control,
management is the primary owner
of internal control.

Internal control is integral to every
aspect of the business process.

Internal control makes the right
things happen the first time.

Internal controls should be built
into, not onto business
processes. They are integral!
Source: Institute of Internal Auditors
9
Why are Internal Controls Important?
C ompliance with applicable laws and regulations.
A ccomplishment of the entitys mission.
R elevant and reliable financial reporting.
E ffective and efficient operations.
S afeguarding of assets.
C
A
R
E
S
10
Why Internal Controls?
Effective internal
controls result in
improved performance,
efficiency, and business
process reengineering.
Internal control protects
you by catching small
mistakes before they
become big problems.
Internal control protects
the organization by
removing opportunities
for innocent mistakes
or intentional fraud.
or else..
11
Internal Control Limitation
Internal control can provide reasonable, not absolute, assurance that
the objectives of an organization will be met.

Effective internal control provides only timely information or feedback
on progress towards the achievement of operational and strategic
objectives, but cannot guarantee their achievement.

Internal control involves human action, which introduces the
possibility of errors in processing or judgment.
Control definition reflects certain fundamental concepts:
Internal control is a process; it is a means to an end, not an end itself

Internal control is effected by people; its not merely policy manuals
and forms but people at every level of an organization

Internal control can be expected to only provide reasonable
assurance, not absolute assurance

Internal control is geared to the achievement of objectives in one or
more separate but overlapping categories
COSOS Internal Control Framework
Five Inter-Related Standards:
Risk
Assessment
Control
Activities
Monitoring
Information &
Communication
Control
Environment
14
Control Environment
Foundation for all other standards of internal control

Pervasive influence on all the decisions and activities
of an organization

Effective organizations set a positive tone at the
top

Factors include the integrity, ethical values and
competence of employees, and, managements
philosophy & operating style
COSOS Internal Control Framework
Risks are internal & external events that threaten
the accomplishment of objectives

Risk assessment is the process of identifying,
evaluating, and deciding how to manage these
events
COSOS Internal Control Framework
Risk Assessment
Tools - policies, procedures, processes -designed
and implemented to help ensure that management
directives are carried out

Help prevent or reduce the risks that can impede
the accomplishment of objectives

Occur throughout the organization, at all levels, and
in all functions

Includes approvals, authorizations, verifications,
reconciliations, security of assets, reviews of
operating performance, and segregation of duties
COSOS Internal Control Framework
Control Activities
Pertinent information must be captured, identified
and communicated on a timely basis

Effective information and communication
systems enable the organizations people to
exchange the information needed to conduct,
manage, and control its operations
COSOS Internal Control Framework
Communication and Information
18
Internal control systems must be monitored to
assess their effectiveness Are they operating
as intended?

Ongoing monitoring is necessary to react
dynamically to changing conditionsHave
controls become outdated, redundant, or
obsolete?

Monitoring occurs in the course of everyday
operations, it includes regular management &
supervisory activities and other actions personnel
take in performing their duties.
Monitoring
COSOS Internal Control Framework
Everyone is responsible for Internal Controls!!!
Roles and responsibilities in internal control
Management: The Chief Executive Officer (the top manager) of the
organization has overall responsibility for designing and implementing
effective internal control.
Board of Directors: Management is accountable to the board of
directors, which provides governance, guidance and oversight. Effective
board members are objective, capable and inquisitive.
Auditors: The internal auditors and external auditors of the organization
also measure the effectiveness of internal control through their efforts.
Key Internal Control Activities
Segregation of Duties

Documentation

Authorization and Approvals

Security of Assets

Reconciliations and review

Supervision/monitoring of operations

Physical Safeguards

Analysis of Results

IT security
Segregation of duties
- dividing responsibilities between different employees so one doesnt
control all aspect of transaction
- reduce the opportunity for an employee to commit and conceal errors
Key Internal Control Activities
Documentation
- document preserve evidence to substantiate critical decisions and
significant events, transactions that enabled to be traced from its
inceptions to completion and policies and procedures
Authorizations and Approval
- Management documents and communicates which activities require
approval, and by whom, based on the level of risk to the organization.
Ensure that transactions are approved and executed only by employees
acting within the scope of their authority granted by management
Security of assets
- Secure and restrict access to equipment, cash, inventory,
confidential information, etc. to reduce the risk of loss or unauthorized
use. Perform periodic physical inventories to verify existence,
quantities, location, condition, and utilization.
Base the level of security on the vulnerability of items being secured,
the likelihood of loss, and the potential impact should a loss occur
Key Internal Control Activities
Reconciliations and Review
- Examine transactions, information, and events to verify accuracy,
completeness, appropriateness, and compliance. Base level of review on
materiality, risk, and overall importance to organizations objectives.
Ensure frequency is adequate enough to detect and act upon
questionable activities in a timely manner.

Monitoring/supervision
- observation or review of ongoing operational activity
Key Internal Control Activities
Reconciliations and Review
- usage of passwords, access logs, etc. to ensure access restricted to
authorized personnel
Physical Safeguard
- usage of cameras, locks, physical barriers, etc. to protect property
Analysis of Results
- periodic and regular operational reviews, metrics, and other key
performance indicators (KPIs)
25
Need for Strengthening Internal Control
a. Adequate and strong internal controls in government have been
found to be more effective than detailed audit in ensuring the
integrity of operations of the agency and the entire range of
administrative, financial, operating and reporting systems.

b. Weak internal controls lead to waste and misuse of government
resources and non-accomplishment of objectives.
26
Types of Internal Control
Accounting Controls
Financial Controls
Administrative Controls
pertain to the plan of organization, the procedures and record that
ensures he accuracy and the reliability of financial records.
include the methods and procedures concerned with the
safeguarding of assets and are designed to ensure transactions are
executed, access to assets is permitted and recorded accountability
for assets is compared with existing assets at reasonable intervals
and appropriate action is taken
include, but are not limited to, plan of organization, the procedures
and records concerned with the management decision processes
authorizing the transactions. They include controls over
administrative offices such as personnel records and administrative
functions.
Control Techniques
Internal control techniques are to be designed for and operated in
all agency activities to accomplish the control objectives consistently,
efficiently and effectively. There are two groupings of controls are:
1. Basic controls
2. Disciplinary controls
ensure that transactions are recorded completely and accurately and
the errors in execution of recording are detected as soon as possible,
regardless of whether the error is the processing of an unauthorized
transaction, the failure to process and authorized one, or the failure to
process such a transaction accurately.
ensure that proper and continued functioning of the basic controls
and include supervision, segregation of duties and custodial
arrangement
Five frequently recurring common control techniques
Control Techniques
Control over completeness of processing

Maintenance of subsidiary records supporting a control account

Posting to inventory records

Supervisory review and approval

Checking of extensions and additions
Control Techniques
Internal Control Techniques Accounting Control Purpose
Physical Safeguard Controls:
Burglar Alarms
Deterrence or detection of
theft of assets
Plant Security Guards To deter or detect theft of
assets by outsiders and by
employees seeking
unauthorized access to
assets
Organizational Controls:
Bonding of employees
occupying position of trust
To deter fraud and theft
Control Techniques
Internal Control Techniques Accounting Control Purpose
Organizational Controls:
Definite written assignments
of responsibilities for the
performance of each duty
required to transact business
Deterrence of fraud, theft,
and errors; assurance that
duties will be carried out
by qualified personnel;
and assurance of smooth
continuity of operations in
the event of personnel
changes
Accounting Policies
Use of control accounts
Deterrence and detection of
fraud, theft and error
31
Internal Control Techniques Accounting Control Purpose
Accounting Policies
Strict adherence to generally
accepted accounting
principles
Avoidance of disclosure
errors and improper
financial reporting
Clerical Practices:
Vertical and horizontal
addition of accounting work
sheets
Assurance against clerical
error
Independent verification of
clerical operations performed
To deter and detect fraud
and error
Control Techniques
Weak Internal Controls
Increase Risk Through
Business Interruption
system breakdowns or catastrophes,
excessive re-work to correct for errors.
Erroneous Management Decisions
based on erroneous, inadequate or
misleading information.
Fraud, Embezzlement and Theft
by management, employees, customers,
vendors, or the public-at-large.
Statutory Sanctions
penalties arising from failure to comply
with regulatory requirements, as well as
overt violations.
Excessive Costs/Deficient Revenues
expenses which could have been avoided,
as well as loss of revenues to which the
organization is entitled, and
Loss, Misuse or Destruction of Assets
unintentional loss of physical assets such
as cash, inventory, and equipment.
Weak Internal Controls
Increase Risk Through
Effective Internal Controls

Make sense within each organizations unique
operating environment.

Benefit rather than encumber management.

Are not stand-alone practices; they are woven
into day-to-day responsibilities, and

Are cost-effective.