Internal Control
Any action taken by
management to
enhance the
likelihood that
objectives and goals
will be achieved.

Types of Control Activities

Entity-wide Control
A control that operates across an
entire entity and, as such, is not bound
by, or associated with, individual

Process-Level Control
A more detailed control activity that
reduces risk relative to a group or
variety of operational-level
activities or transactions within an

Process-Level Control
Transaction Level
Specifically focused on reducing risk related to
individual operational tasks or the processing of individual
transactions. They are designed to ensure that individual
transactions are accurately processed in a timely manner.
Transaction approval, transaction verification,
transaction re-calculation, transaction confirmation

Application Level
Implemented to ensure that systems operate as
System integrity and validation checks

Types of Control
Key Control Activity
Primary Control Activity
A control activity designed to
reduce risk associated with a
critical business objective.

Secondary Control
Designed to either
reduce risk associated
with business objectives
that are not critical to
the organization's
survival or success. It
serves as a backup to key

Compensating Control
It is not directly related to the risk it
mitigates, and is not enough to fully
mitigate the risk by itself. It is taken
together with other control activities
that are in place which contribute to
the overall effective mitigation of risk.

Compensating Control Activity
It is designed to supplement key
control activities that may be either
ineffective or do not fully mitigate a
risk or group of risks by themselves
to an acceptable level. It serves as
redundancy to multiple key control
activities at the same time.

Detective Control
A control activity designed
undesirable events
that have already
must occurred in a timely
basis to be

Preventive Control
A control activity designed to deter
unintended events from occurring in
the first place.

Directive Control
A control activity that gives explicit
direction regarding what actions
need to take place to cause or
encourage a desirable event to

Corrective Control
A control activity in which detected
omissions and errors are corrected.

General Information Technology Control Activity
Operates across all IT systems and
is in place to ensure the integrity,
reliability, and accuracy of the
application systems.


1. The act or art of
managing : the
conducting or
supervising of
something (as a
2. The collective body
of those who manage
or direct an

1. to exercise restraint or direction
2. to eliminate or prevent the
flourishing or spread of

1. the body of
procedures and
methods used in
any specific
2. method of
way of

Methods used by the
management who supervises to guide and
restrain the entity or the

Management controls are all the
policies and procedures conceived and
put in place by an entity's
management to ensure:
- the economical, efficient, and effective
achievement of the entity's objectives;
- adherence to external rules (laws, regulations, ...)
and to management policies;
- the safeguarding of assets and information;
- the prevention and detection of fraud and error;
- the quality of accounting records and the timely
production of reliable financial and
management information.

Types of management control
1. Financial reporting
2. Performance monitoring
3. Effective communications

Financial Reporting
It is essential that management
receive a timely, reliable flow of
information about its financial status
and that management initiate
prompt corrective action when the
accounting data indicate a significant
deviation from the budget.

Performance Monitoring
It is essential that
management track the
performance of the
organization against its
stated goals.

Effective Communications
Managers recognize that
subordinates and front-line workers
perform better if they have a clear
understanding of the mission and
goals of the organization and the
purpose being

1. Supervision
Is a good tool to
employees know
what they are
doing and
perform to the

2. Authorization
Helps ensure activities and
transactions fall in line with set

3. Segregation of duties
To guard against the risk of staff
collusion, error, and breach of

4. Procedures
Are needed to address the risk of
confusion, abuse, inefficiency, and
breach of regulations or obligations,
and they will be as comprehensive as
called for to manage these risks

5. Reconciliations
Ensuring nothing is missing or is
incorrectly recorded or stored


- Is a body of guiding principles
that form a template against which
organizations can evaluate a
multitude of business practices.
- Specific to the practice of internal
auditing, various frameworks are
used to assess the design and
operating effectiveness of internal

SOURCE: INTERNAL AUDITING: Assurance & Consulting Services

The International Standards for
the Professional Practice of
Internal Auditing (Standards)
provide the following guidance relative
to the use of frameworks:
In general, a framework provides a
structural blueprint of how a body of
knowledge and guidance fit together. As
a coherent system, it facilitates
consistent development, interpretation,
and application of concepts,
methodologies, and techniques useful to
a discipline or profession.

Internal control is broadly
defined as a process, effected by
an entity's board of directors,
management and other
personnel, designed to provide
reasonable assurance regarding
the achievement of objectives in
the following categories:
- Effectiveness and efficiency of
- Reliability of financial reporting.
- Compliance with applicable
laws and regulations.



Control Environment
The control environment sets the tone of an
organization, influencing the control consciousness
of its people. It is the foundation for all other
components of internal control, providing discipline
and structure. Control environment factors include
the integrity, ethical values and competence of the
entity's people; management's philosophy and
operating style; the way management assigns
authority and responsibility, and organizes and
develops its people; and the attention and
direction provided by the board of directors.

Risk Assessment
Every entity faces a variety of risks from
external and internal sources that must be
assessed. A precondition to risk assessment is
establishment of objectives, linked at different
levels and internally consistent. Risk
assessment is the identification and analysis of
relevant risks to achievement of the objectives,
forming a basis for determining how the risks
should be managed. Because economic,
industry, regulatory and operating conditions
will continue to change, mechanisms are
needed to identify and deal with the special
risks associated with change.

Control Activities
Control activities are the policies and
procedures that help ensure management
directives are carried out. They help ensure
that necessary actions are taken to address
risks to achievement of the entity's
objectives. Control activities occur throughout
the organization, at all levels and in all
functions. They include a range of activities
as diverse as approvals, authorizations,
verifications, reconciliations, reviews of
operating performance, security of assets and
segregation of duties.

Information and Communication

Pertinent information must be identified, captured and
communicated in a form and timeframe that enable people to
carry out their responsibilities. Information systems produce
reports, containing operational, financial and compliance-related
information, that make it possible to run and control the business.
They deal not only with internally generated data, but also
information about external events, activities and conditions
necessary to informed business decision-making and external
reporting. Effective communication also must occur in a broader
sense, flowing down, across and up the organization. All personnel
must receive a clear message from top management that control
responsibilities must be taken seriously. They must understand
their own role in the internal control system, as well as how
individual activities relate to the work of others. They must have a
means of communicating significant information upstream. There
also needs to be effective communication with external parties,
such as customers, suppliers, regulators and shareholders.

Monitoring
Internal control systems need to be monitored, a
process that assesses the quality of the system's
performance over time. This is accomplished
through ongoing monitoring activities, separate
evaluations or a combination of the two. Ongoing
monitoring occurs in the course of operations. It
includes regular management and supervisory
activities, and other actions personnel take in
performing their duties. The scope and frequency of
separate evaluations will depend primarily on an
assessment of risks and the effectiveness of ongoing
monitoring procedures. Internal control deficiencies
should be reported upstream, with serious matters
reported to top management and the board.


Different Frameworks: Same Goals
- Frameworks provide a systematic,
step-by-step method of evaluating
and addressing the adequacy of
control in multiple dimensions of a
- They provide a tool that helps
management and auditors evaluate the
adequacy of control in multiple
dimensions of the business.

Alternative control frameworks:

1. Criteria of Control Board Guidance on
Control Framework (CoCo)
2. Internal Control: Guidance for directors on
the Combined Code

Criteria of Control (CoCo) Framework
was first published by the Canadian
Institute of Chartered Accountants in 1995.
CoCo describes internal control as actions
that foster the best result for an


CoCo: Monitoring and Learning
- The environment should be monitored to obtain information that may signal a
need to re-evaluate the organization's objectives and controls.
- Performance should be monitored against the targets and indicators
identified in the organization's objectives and plans.
- Information needs and related information systems should be reassessed
as objectives change or as reporting deficiencies are identified.
- Follow-up procedures should be established and performed to ensure
appropriate change or action occurs.
- Management should periodically assess the effectiveness of control in its
organization and communicate the results to those to whom it is


Objectives of COSO and



Internal Control: Guidance for
directors on the Combined
Code (Turnbull)

The Turnbull Report was first published in
1999 and set out best practice on internal
control for UK listed companies.

In October 2005 the Financial Reporting
Council (FRC) issued an updated version of
the guidance with the title 'Internal
Control: Guidance for Directors on the
Combined Code'.

The Guidance is intended to:
- Reflect sound business practice whereby
internal control is embedded in the business
processes by which a company pursues its
- Remain relevant over time in the continually
evolving business environment; and
- Enable each company to apply it in a manner
which takes account of its particular

The guidance is based on the adoption by a
company's board of a risk-based approach
to establishing a sound system of internal
control and reviewing its effectiveness.
This should be incorporated by the
company within its normal management
and governance processes. It should not be
treated as a separate exercise undertaken
to meet regulatory requirements.

Brief History of Risk

Peter L. Bernstein provides an extensive
history of risk in his book Against the Gods: The
Remarkable Story of Risk, which
outlines the evolving acceptance and
understanding of risk over the centuries. [1]

3rd and 2nd century BC
Early Egyptian Civilization
Greek and Roman Civilizations (600 AD)
Renaissance Period (mid-17th century)
18th century

Definition of Risk
Risk is the possibility of an event occurring that
will have an impact on the achievement of
objectives. It is measured in terms of impact
and likelihood. (IIA's International Standards)
Possibility is a chance that something might exist,
happen, or be true: the state or fact of being possible;
something that might be done or might happen.
Impact is the effect on achievement of goals and
objectives when the risk happens.
Likelihood is the probability of an event or situation
taking place.

Origin of Risk
Risk came from the Italian word
risicare, which means to dare: a
choice under uncertain conditions
(rather than fate). (Internal
Auditing Assurance & Consulting

Mitigation Strategy
How are you going to manage a risk?

Manage the Risk

Risk Management
is a process for identifying, assessing,
and prioritizing risks of different kinds.
A variety of strategies is available,
depending on the type of risk and the
type of business.[5]

Enterprise-wide Risk Management (ERM)
is a structured, consistent and continuous process
across the whole organization for identifying,
assessing, deciding on responses to and reporting
on opportunities and threats that affect the
achievement of its objectives.[6]

Other Terminologies:
Risk Appetite
is the level of risk that an organization is willing to accept.

Risk Management Framework
is the totality of the structures, methodology, procedures
and definitions that an organization has chosen to use to
implement its risk management processes.
Risk Management Processes
are the processes to identify, assess, manage, and control
potential events or situations, to provide reasonable
assurance regarding the achievement of the organization's
Risk Maturity
is the extent to which a robust risk management approach
has been adopted and applied, as planned, by management
across the organization to identify, assess, decide on
responses to and report on opportunities and threats that

Operational Risk
An event, action or occurrence that impacts the effective and
efficient use of the institution's resources to achieve its major
activities through management processes and procedures.

Reporting Risk
An event, action or occurrence that impacts the reliability of the
institution's external and internal reporting.
Compliance Risk
An event, action or occurrence that impacts the institution's
compliance with applicable laws, rules and regulations.

Reputation Risk
An event, action or occurrence that impacts how the institution
is valued or perceived.
Strategic Risk
An event, action or occurrence that impacts the institution's
ability to achieve high-level goals aligned with and supporting
the mission.

Audit Risk
The risk that an auditor will not discover errors or
intentional miscalculations while reviewing a
company's or individual's financial statements.
Business Risk
The possibility that a company will have lower than
anticipated profits, or that it will experience a loss
rather than a profit.
Financial Risks
are part of the financial structure of your business,
business transactions, and the financial systems
Residual Risk
The remaining risk subsequent to risk management
activities and/or controls.

Risk Responses
are the means by which an organization elects to manage
individual risks. The main categories are to tolerate the risk; to
treat it by reducing its impact or likelihood; to transfer it to
another organization or to terminate the activity creating it.
Internal controls are one way of treating a risk.
Risk Assessment
Process by which risk is evaluated from two dimensions: 1)
probability/likelihood of the risk event taking place, and 2) impact
of the risk event on the institution.
is the written and signed representation from any manager that
the risk management strategies applicable to that manager have
been properly executed and documented.
Collaborative Assurance
is the partnership of management and internal audit to provide the
governance function with some level of assurance about all the


Internal Auditing: Assurance & Consulting
Services, by Kurt F. Reding, Paul J. Sobel, Urton L.
Anderson, Michael J. Head, Sri Ramamoorti, Mark
Salamasick; contributing writer: Cris Riddle



- The intentional use of deceit, a trick, or
dishonest means to deprive another of
money, property, or of a legal right.
(Principles and Contemporary Issues in Internal Auditing, Second Edition by Lee,
Haron, et al.)

- Consists of knowingly making material
misrepresentations of fact, with the intent
of inducing someone to believe the
falsehood and act on it and, thus, suffer a
loss or damage.
(Auditing & Assurance Services Fourth Edition by Louwers, Ramsay, et al.)

White-collar crime
The misdeeds of people who wear
ties to work and steal with a pencil or
a computer terminal.
It produces ink stains instead of blood.

Common Fraud Types:

False Accounting / Fraudulent
Financial Reporting
Asset Misappropriation
Computer Fraud
Intellectual Property Fraud
Theft or Infringement by Third
Money Laundering
Investment Scheme Fraud

False Accounting
- Main aim is to present the results and affairs
of the organization in a better light than what is
really the case.
Asset Misappropriation
- Any business asset may be stolen by
employees or third parties, or by employees and
third parties acting in collusion.
Computer Fraud
- A computer is used as the object, subject, or
tool of a fraud.

Intellectual Property Fraud

- Employee and management fraud can
include direct theft of intellectual property.
- Off-book frauds that occur in the form
of: Kickbacks or commission, Bid rigging,
or gifts or gratuities.
Money Laundering
- The mechanism by which the proceeds
of crime are distributed.

Investment Scheme Fraud

- Can be thought of as third-party
asset misappropriation.

Management Fraud
(Fraudulent Financial Reporting)

A deliberate fraud committed by

management that injures investors
and creditors through materially
misleading information.

Factors related to Management

Unfavorable economic conditions
within the industry
Insufficient working capital
Dependence on one or two major
clients or transactions
Reduced ability to acquire credit or

Generally consists of:
The fraud act itself
The conversion of
assets to the
fraudster's use
The cover-up

Employee Fraud Red Flags

Lose sleep
Drink too much
Take drugs
Become irritable easily
Can't relax
Get defensive, argumentative
Can't look people in the eye
Sweat excessively
Work alone
Work late, among others.

Characteristics of Fraudsters:

Educated beyond high school

Likely to be married
Probably not tattooed
Member of a church
Range in age from teens to over 60
Socially conforming
Employment tenure from 1 to 20 years
No arrest record
Usually act alone

Factors related to Employee

Rationalization or lack of integrity
High personal debts or financial losses
Inadequate income to support lifestyle
Perceived inequalities in the
Resentment of superiors
Frustrations with the job