Internal Controls: Noelito M. Sales, CPA, MBA, CTT
Internal controls are important for companies to achieve objectives and minimize risks. They promote efficiency, reduce asset loss, and ensure reliable financial reporting. An effective internal control system includes policies, processes, and behaviors that facilitate effective operations, ensure reporting quality, and ensure compliance. Management is responsible for designing and implementing suitable controls, while internal audit assesses control effectiveness and recommends improvements to strengthen controls. The control framework includes control environment, risk assessment, control activities, information/communication, and monitoring activities.
Internal Controls
Noelito M. Sales, CPA, MBA, CTT

Introduction
• Good governance is dependent on a management that understands the risks it faces and is able to keep control of the business.
• Internal control is the most important and fundamental concept that an internal auditor must understand.
• The control framework covers the risk management process, and the use of tailored control mechanisms is a fundamental aspect of business life.

Why Controls?
• Internal controls are put in place to keep the company on course toward profitability goals and achievement of its mission, and to minimize surprises along the way.
• Internal controls promote efficiency, reduce risk of asset loss, and help ensure the reliability of financial statements and compliance with laws and regulations.
• There are increasing calls for better internal control systems.
• Where there are risks to the achievement of objectives, controls have to be put in place to address these risks.
• If not, failure becomes likely.
• At the same time, controls cost money and they have to be worthwhile.
• A lot depends on the risk appetite and what is considered acceptable as opposed to unacceptable to the organization and its stakeholders.
• A company’s system of internal control has a key role in the management of risks that are significant to the fulfilment of its business objectives.
• A sound system of internal control contributes to safeguarding the shareholders’ investment and the company’s assets.
• Internal control facilitates the effectiveness and efficiency of operations, helps ensure the reliability of internal and external reporting and assists compliance with laws and regulations.
• Control is about achieving objectives, dealing with risk and keeping things in balance.

An internal control system encompasses the policies, processes, tasks, behaviors and other aspects of a company that, taken together:
• Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives.
• Help ensure the quality of internal and external reporting.
• Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.

Management’s Responsibilities
• The board of directors is responsible for the company’s system of internal control.
• It should set appropriate policies on internal control and seek regular assurance that will enable it to satisfy itself that the system is functioning effectively.
• The board must further ensure that the system of internal control is effective in managing risks in the manner which it has approved.

While the board sets overall direction, it is management who must implement good controls by considering the following:
• Determine the need for controls
– Managers must be able to isolate a situation where there is a need for specific internal controls and respond appropriately.
• Design suitable controls
– Once the need for controls has been defined, management must then establish suitable means to install them.
• Implement these controls
– Managers are then duty-bound to ensure that the control processes are carefully implemented.
• Check that they are being applied correctly
– Management and not internal audit is responsible for ensuring that control mechanisms are not being by-passed but are fully applied as they were originally intended.
• Maintain and update the controls
– Securing control is a continuous task that should be at the forefront of management concerns.

Internal Audit’s Role
• The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

The auditors’ role regarding systems of internal control is distinguished from management’s in that it covers:
• Assessing those areas that are most at risk in terms of the key control objectives that we have already mentioned.
• Defining and undertaking a program for reviewing these high profile systems that attract the most risk.
• Reviewing each of these systems by examining and evaluating their associated systems of internal control to determine the extent to which the key control objectives are being met.
• Advising management whether or not controls are operating adequately and effectively so as to promote the achievement of the system’s/control objectives.
• Recommending any necessary improvements to strengthen controls where appropriate, while making clear the risks involved for failing to effect these recommended changes.
• Following up audit work so as to discover whether management has actioned agreed audit recommendations.

Need for internal audit function:
• There should be an effective and comprehensive internal audit of the internal control system carried out by operationally independent, appropriately trained and competent staff.
• The internal audit function, as part of the monitoring of the system of internal controls, should report directly to the board of directors or its audit committee, and to senior management.
• The internal audit function is an important part of the ongoing monitoring of the system of internal controls because it provides an independent assessment of the adequacy of, and compliance with, the established policies and procedures.

Four key aspects of the scope of controls:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

Building the Control Model
One important feature of control relates to the need to contain activity within set limits or boundaries.

Making Controls Work
• Control may be seen as one of the single most important topics that the auditor needs to master.
• The main justification for the internal auditing function revolves around the need to review systems of internal control, with all other audit activities being to an extent subsidiary to this task.

There are a number of issues that underlie the concept of controls:
• Controls are all means devised to promote the achievement of agreed objectives.
• All controls have a corresponding cost and the idea is that the ensuing benefits should be worth the required outlay.
• Controls belong to those who operate them and should not be viewed in isolation.
• Internal control is all about people since controls work well only if they are geared to the user’s needs in terms of practicality and usefulness.
• Overcontrol is as bad as under-control.
• Controls fall out of date as risks change and systems adapt to the latest environmental forces.
• The organizational culture affects the type of control features that are in place.

Control Framework
• The wide view of controls means that internal controls cover all aspects of an organization and there is a clear need for a way of pulling together control concepts to form an integrated whole.
• The control framework needs to be in place to promote the right control environment.

Control Framework: Control Environment
• Sets the tone of an organization, influencing the control consciousness of its people.
• It is the foundation for all other components of internal control, providing discipline and structure.
• It includes factors such as the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

Control Framework: Risk Assessment
• Identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
• The risk assessment stage arises naturally from the control environment where people want to get their control right by focusing them on prioritized risks.

Control Framework: Control Activities
• Policies and procedures that help ensure management directives are carried out.
• They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives.
• Occur throughout the organization, at all levels and in all functions.
• Include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control Framework: Information and Communication
• Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
• Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.
• Effective communication also must occur in a broader sense, flowing down, across and up the organization.

Control Framework: Monitoring
• A process that assesses the quality of the internal control system’s performance over time.
• Accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
• Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
• Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.

Other Control Models
• Criteria of Control (CoCo)
• The International Organization of Supreme Audit Institutions
• Control Objectives for Information and Related Technology (CobiT)

Links to Risk Management
• CRSA where inherent risks are considered and assessed in a workshop setting to ensure any controls that need updating are firmly related to the risks that have been debated.
• Corporate governance arrangements involving the role and responsibilities of the main board and audit committee.

Control Mechanisms
• Are all those arrangements and procedures in place to ensure the business objectives may be met.
• They consist of individual mechanisms used by people and processes throughout the organization and they should exhibit certain defined attributes:
– They should be clearly defined and understood by all users.
– Mechanisms should be established to monitor the extent to which control is being applied in practice.
– Their use should be agreed by management and the staff who operate them.

Types of Controls
1. Directive
– To ensure that there is a clear direction and drive towards achieving the stated objectives.
– These are positive arrangements to motivate people and give them a clear sense of direction (and the ability) to make good progress.
2. Preventive
– To ensure that systems work in the first place.
– These may include employing competent staff, high moral standards, segregation of duties and generally establishing a good control environment.
– Physical and access controls such as locks, passwords and security personnel are all designed to stop people breaching the system.
3. Detective
– These controls are designed to pick up transaction errors that have not been prevented.
– They cover controls such as supervisory review, internal checks, variance reporting, spot checks and reconciliations.
4. Corrective
– The final category of controls ensures that where problems are identified they are properly dealt with.
– These include management action, correction and follow-up procedures.

Controls in Practice
Some traditional control mechanisms applied in practice are:
• Authorization
• Physical access restrictions
• Supervision
• Compliance checks
• Procedure Manuals
• Recruitment and staff development practices
• Segregation of duties
• Organization
• Sequential numbering of documents and controlled stationery
• Reconciliations
• Project and procurement management
• Financial systems controls
• IT security
• Performance management

Suitability of Controls
There are some danger signs that should be looked for that might lower the efficiency of the control environment:
• Ability of senior management to override accepted control
• Lack of staff and vacant posts
• Poor control culture
• Staff collusion
• Reliance on a single performance indicator
• Reliance on memory
• Retrospective transaction recording
• Uncontrolled delegation of tasks

Importance of Procedures
By going through the nine-stage model, there is a better chance of getting procedures correct, understood and accepted in the operation in question.
1. Development – this involves reviewing the underlying processes, simplifying them and working with users – then drafting an agreed document that reflects the required activities.
2. Induction – it is important to introduce the procedure to new starters and show existing staff a new or improved procedure.
3. The training manual – an outline manual can be provided or a more comprehensive package with exercises can be given to staff to work through.
4. Outline – A short-cut outline document with key tasks and processes summarized for use thereafter.
5. Training – Seek to develop the underlying skills and the appropriate attitudes as a parallel training initiative.
6. Appraisal – Link the way staff are using procedures in their performance appraisal framework.
7. Discipline – If all else fails, staff may need to be disciplined for breach of procedure.
8. The review process – Keeping the procedure relevant, vibrant and up to date.
9. Compliance – Ensure staff comply with procedure.

Integrating Controls: Performance
• The process of assessing risk must fit and be integrated with the performance management system.
• Dealing with risk properly is part of good management and should therefore be a task that is measured along with other obligations for managers and teams throughout the organization.

Integrating Controls: Communication
• The control model is improved by the addition of good communications in the organization.
• It is the main way of achieving assent from all the players in the operation and is a key consideration when devising control solutions.

Integrating Controls: Policy, competence and training
• Policy on Internal Control – sets standards, roles and key messages on what internal control means and what mechanisms are available to help promote good control and so turn aspirations into achievements.
• Competence – employees should have an understanding of internal controls and the ability to recognize and apply suitable techniques and mechanisms to address unacceptable risks.
• Training and development – required to ensure the set competencies are obtained and applied to the workplace.

The Fallacy of Perfection
1. Internal control can ensure an entity’s success
– Or it will ensure achievement of basic business objectives or will, at the least, ensure survival.
– Even effective internal control can only help an entity achieve these objectives.
– But internal control cannot change an inherently poor manager into a good one.
– And, shifts in government policy or programs, competitors’ actions or economic conditions can be beyond management’s control.
– Internal control cannot ensure success, or even survival.
2. Internal control can ensure the reliability of financial reporting and compliance with laws and regulations.
– An internal control system, no matter how well conceived and operated, can provide only reasonable – not absolute – assurance to management and the board regarding achievement of an entity’s objectives.
– Affected by limitations inherent in all internal control systems.
– Include the realities that judgments in decision-making can be faulty, and that breakdowns can occur because of simple error or mistake – controls can be circumvented by the collusion of two or more people, and management has the ability to override the system.
– Resource constraints, and the benefits of controls must be considered relative to their costs.

Internal Control Awareness Training

Audit of inherent risk
• The role of internal audit and external audit.

Audit of residual risk
• Internal audit – risks that remain after controls have been applied are fully understood and acceptable.

Statement of Internal Control
• Feed into the published statement on internal control.

Internal Control Awareness Training: Gap
• Breaks through the upper and lower control parameters.
• An extra capacity to allow for growth and the potential to reach outside the norm, challenge existing assumptions and search for new corporate inspiration.
• Important so that control frameworks don’t just contain activities, but also allow for some experimentation and innovation, that break the rules but still sit within the constitution.

Thank You!