
7/23/2012

Internal Control System: Vital Tool for Cooperative Governance
Cooperative Day
In Celebration of the Accountancy Week
PHILIPPINE INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS
July 20, 2012
Hotel Intercontinental Manila, Makati City

RUFO R. MENDOZA, PhD


Certified Public Accountant
Development and Governance Adviser
Research and Training Consultant

7/23/2012 Internal Control System 2


7/23/2012 Internal Audit Seminar for PICPA 4


• Bank of Credit and Commerce International
• Barings Bank
• Maxwell Communications

Corporate Governance has had a history of reacting to scandal and abuse rather than being PROACTIVE

Citibank exec goes missing; millions stolen

abs-cbnNEWS.com
(August 20, 2010)


• Inaccurate Financial Reports
• Missing Documents
• Lack of Written Procedures
• Customer Complaints


Causes of the Failure of Cooperatives in the Philippines
• Incompetent management
• Lack of proper understanding of the principles, practices, true aims, and purposes
• Improper use of credits
• Defective securities
• Political interference
• Lack of compensation of officers
• Inadequate character and moral responsibility
• Lack of adequate safeguard against unscrupulous officers
• Dominance of the individualistic attitude
• Inability to secure adequate capital
• Dependence on alien suppliers and distributors
• Ineffectiveness of the government and promotion of cooperative organizations
• Inadequate marketing facilities


Internal Control Frameworks

• COSO
• CoCo
• Cadbury Report
• COBIT
• ISO


1970’s
• 1977 - Foreign Corrupt Practices Act
• 1985 – National Commission on Fraudulent Financial Reporting – Treadway Commission

→ Committee of Sponsoring Organizations (COSO)


COSO (Committee of Sponsoring Organizations)

A voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance

• 1992: Issued the Internal Control-Integrated Framework
• 1994: Amended the framework to expand the scope to address additional controls pertaining to safeguarding of assets
• 2006: Issued the Internal Control over Financial Reporting- Guidance for Smaller Public Companies

Key Internal Control Concepts

• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It’s not merely policy, manuals, and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.


Internal Control
• A process effected by an entity’s board of
directors, management and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories:

– Effectiveness and efficiency of operations

– Reliability of operations

– Compliance with applicable laws and regulations



COSO Internal Control Framework
[Figure: cube with three dimensions labelled Three Objectives, Five Components, and Units or Activities of an Entity]


COCO
Criteria of Control
• actions that foster the best result for an
organization
• contribute to the achievement of the
organization’s objectives, focus on:
– effectiveness and efficiency of operations;
– reliability of internal and external reporting;
– compliance with applicable laws and regulations
and internal policies.


COCO
Criteria of Control
• Internal control comprises those elements of an organization, including
– resources
– systems
– processes
– culture
– structure
– tasks
that, taken together, support people in the achievement of the organization’s objectives


[Figure: four elements arranged around ACTION]

• Purpose: A sense of direction. What are we here for?
• Commitment: A sense of identity and values. Do we want to do a good job?
• Capability: A sense of competence. What action do we need to take?
• Monitoring and Learning: A sense of evolution. What Progress? What Next?

COSO
a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
• effectiveness and efficiency of operations;
• reliability of financial reporting; and
• compliance with applicable laws and regulations

CoCo
those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the objectives.
• effectiveness and efficiency of operations
• reliability of internal and external reporting; and
• compliance with applicable laws and regulations and internal policies

Cadbury Report
1992
Three Basic Recommendations
• CEO and Chairman of companies should be
separated
• Boards should have at least three non-
executive directors, two of whom should
have no financial or personal ties to
executives
• Each board should have an audit committee
composed of non-executive directors


COBIT
Control Objectives for Information and
Related Technology
1996

• Focuses primarily on efficiently and effectively monitoring information systems
• Emphasizes the role and impact of IT control as
it relates to business processes
• Can be used by management to develop clear
policy and good practice for control of IT


COBIT
Control Objectives for Information and
Related Technology
1996

Definition of Internal Control

The policies, procedures, practices, and organizational structures are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.


Internal Audit is part of the organization that helps achieve organizational goals.

[Diagram labels: ORGANIZATION, RISKS, INTERNAL CONTROLS, Internal Audit]

• Organizations have goals which they aim to achieve.
• The achievement of organizational goals is hindered by risks.
• What is an internal control? Internal control is a process which addresses the risk.
• What is a risk? A risk is a set of circumstances that hinder the achievement of goals or objectives.


[Diagram labels: CONTROLS, RISKS, INTERNAL AUDIT; promote GOVERNANCE]

• CONTROLS: Controls exist to manage risks
• INTERNAL AUDIT: Assists management on controls and risks


Reasonable Assurance

Internal control, no matter how well designed and operated, can provide only reasonable assurance regarding achievement of an entity’s objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems.

[Graphic label: 100%]


Changing View on
Internal Controls

[Figure labels: INTERNAL ACCOUNTING CONTROL; AGENCY/BUSINESS CONTROLS]


Who is responsible for the internal control?
Everyone in the Organization!!!

Board of Directors:
• Governance, guidance,
and oversight

Management:
• Owner

Other Employees:
• Information and
Communication

Internal Auditors:
• Monitoring and Evaluation


Roles and Responsibilities

1. Board of directors and audit committee
2. Management
3. Other entity personnel
4. Internal auditors
5. Independent auditors
6. Other external parties


How Much Do Internal Controls Cost?

The cost of implementing a specific control should not exceed the expected benefit of the control.

The potential loss of a computer printer may justify the cost of a door lock but not an alarm system.

Sometimes there is no out-of-pocket cost to establish an adequate control.

• Realignment of duty or assignments
• Voided receipts are approved by someone (manager) other than the one preparing the receipts


Five Components
of Internal Control

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring


COMPONENT 1: The Control Environment

• The control environment sets the tone of an organization, influencing the control consciousness of its people.

• It is the foundation for all other components of internal control, providing discipline and structure.

• It represents an organization’s first line of defense to mitigate the risks.


The Control Environment

• Integrity and ethical values
• Commitment to competence
• Management’s philosophy and operating style
• Board of directors or audit committee participation
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices

COMPONENT 2: RISK ASSESSMENT

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent.

Risk assessment is the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed.


Objective-Setting
• Operations
• Financial Reporting
• Compliance

Risk Identification and Analysis
• External
• Internal
• Likelihood or Frequency
• Impact

Managing Change
• Changed Operating Environment
• New Personnel
• New or Revamped Information System
• New Technology
• New Lines, Products, and Activities
• Corporate Restructuring
• Foreign Operations

Levels: Entity-Level; Functional or Business Unit Level; Activity Level


COMPONENT 3: CONTROL ACTIVITIES

Control activities are policies and procedures that help ensure that management directives are carried out.

They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives.

Control activities have various objectives and are applied at various organizational and functional levels.


CONTROL ACTIVITIES

a. Proper Authorization Procedures
b. Adequate Segregation of Duties
c. Information Processing Controls
d. Physical Controls
e. Adequate Documents and Records
f. Verification
g. Reconciliation
h. Independent Performance Reviews
i. Supervision


(1) Authorization of Transactions  (2) Custody of Assets  (3) Recording Transactions  (4) Review and Reconciliation

1. Separation of authorization to execute transactions from the custody of related assets

2. Separation of custody of assets from recording

3. Separation of recording from operational responsibility

4. Total separation of review and reconciliation


Four kinds of functional responsibilities that should be performed by different work units, or at a minimum, by different persons within the same unit:

1. Authorization to execute transactions: This duty belongs to persons with authority and responsibility to initiate and execute transactions.
– General authorization
– Specific authorization

2. Recording transactions: This duty refers to the accounting or recordkeeping function, which in most organizations, is accomplished by entering data into a computer system.


3. Custody of assets involved in the transactions: This duty refers to the actual physical possession or effective physical control/safekeeping of property.

4. Periodic reviews and reconciliation of existing assets to recorded amounts: This duty refers to making comparisons at regular intervals and taking appropriate action to resolve differences.


Adequate Separation
of Duties

• Custody of assets / Accounting
• Authorization of transactions / The custody of related assets
• Operational responsibility / Record-keeping responsibility
• IT Duties / User departments


Traditional Segregation of Duties


IT Functions Requiring Segregation


c. Information Processing Control

• General controls—those that apply to computer information systems as a whole and include controls related to matters such as data centre organization, hardware and systems software acquisition and maintenance, and back up and recovery procedures.

• Application controls—those that apply to processing of specific types of transactions such as invoicing, paying suppliers, and preparing payroll.


d. Physical Control Over Assets And Records

Physical precautions

Controls related to IT equipment, programs, and data files

• Physical controls
• Access controls
• Backup and recovery procedures

Document/Form Design

Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple uses
Constructed to encourage correct preparation


f. Independent Checks or Verification

These involve the verification of work performed by other people or departments, or the proper measurement of recorded amounts.

The need for independent checks arises because the operation of internal controls tends to change over time unless there is a mechanism for frequent review.


g. Periodic Reconciliations

Managers should provide for periodic comparison of recorded amounts with independent evidence of existence and valuation. The individuals to do this, however, should not also have responsibility for authorization of the related transactions, accounting or recordkeeping, or custodial responsibility for the assets.

Periodic comparisons may include reconciliation of bank statements, inventory counting, confirmation of accounts receivable and accounts payable. The more frequent the comparisons, the greater the opportunity to detect errors. For other records, the frequency of periodic comparisons must be balanced against the costs and benefits.


h. Performance Reviews

These involve managers’ participation in the supervision of operation. Frequent performance reviews give managers a great chance of detecting errors, and can include management review and analysis of:

– Reports that summarize the detail of account balances such as aged trial balance of accounts receivable or report of sales activity by division, product, or salesperson

– Actual performance compared with budgets, forecasts or previous period amounts.


i. Supervision

• The effectiveness of any system of internal control depends on continuous, qualified supervision of all staff. In fulfilling their responsibilities, managers and supervisors should:
– Assign tasks and establish written procedures for completing
assignments.
– Systematically review each staff member's work.
– Approve work at critical points to ensure quality and
accuracy.
– Provide guidance and training when necessary.
– Provide documentation of supervision and review (e.g.,
initialing examined work).
• Adequate and timely supervision is especially important in small
departments, where limited personnel make it difficult to
establish a complete segregation of duties.


TYPES OF INTERNAL
CONTROL ACTIVITIES

• PREVENTIVE CONTROLS: Designed to discourage errors or irregularities
• DETECTIVE CONTROLS: Designed to identify an error or irregularity after it has occurred
• CORRECTIVE CONTROLS: Designed to remedy the effects caused by adverse events


Examples of Preventive Controls

• Reading and understanding applicable areas of the entity’s Policy Manual

• A manager’s review of purchases for a proper business purpose prior to approval

• A computer application that requires password protection


Examples of Detective Controls

• An exception report from the electronic timekeeping system

• A comparison of transactions on monthly operating reports with departmental source documents

• A manager’s review of long distance telephone charges


Examples of Corrective Controls

• Changing recruitment policies to attract qualified personnel.

• Disciplining an employee for violating “No Smoking” safety regulations in hazardous areas.

• Revising a report you have written because you are dissatisfied with it.


COMPONENT 4: INFORMATION AND COMMUNICATION

• Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.

• Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.

• They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting.


INFORMATION AND COMMUNICATION

• Effective communication must occur in a broader sense, flowing down, across and up the organization.

• All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream.

• There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.


COMPONENT 5: MONITORING

Process of assessing the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking the necessary corrective actions. It is done to ensure that controls continue to operate effectively.

Management’s ongoing and periodic assessment of the quality of internal control performance … to determine whether controls are operating as intended and modified when needed.


Monitoring Component

Ongoing Monitoring
Management, supervisory, and other monitoring activities in the
ordinary course of operations that assess the quality of internal
controls

Separate Monitoring
Evaluation focusing directly on system effectiveness with a scope
and frequency dependent on the assessment of risks, and
ongoing monitoring

Reporting Deficiencies
Upstream reporting of internal control deficiencies, with certain
matters reported to top management and the board


Hard Controls (“Activities”)
• Reviews
• Inspections
• Policies
• Reconciliations
• Structure
• Limits of Authority
• User Aids and Password
• Physical Counts

Soft Controls (“People”)
• Openness
• Shared Values
• Clarity
• Commitment to Competence
• Honesty
• High Expectations
• Communications


LIMITATIONS OF INTERNAL CONTROL


1. Internal control must be attained at reasonable cost

2. Not foolproof

3. Susceptibility to human fallibility

4. Affected by organizational changes

5. Effectiveness depends on compliance or implementation


Factors that Reduce or Eliminate Effectiveness of Controls

• Errors in human judgments (since decisions must be made based on available information and on time, sometimes under pressures; personal carelessness; distraction or fatigue of personnel performing a control procedure)

• Breakdowns (due to misunderstanding of instructions or technology errors)


• Management override of certain policies and procedures

• Collusion among individuals to circumvent control procedures

• Excessive control is costly and counterproductive; but too little control presents undue risk


What happens if the Internal Control System is Weak?

• Wasteful and inefficient use of resources

• Poor management decisions

• Unintentional errors in recording/processing data

• Accidental loss or destruction of data

• Loss of assets or resources through carelessness or pilferage


Possible Hazards Arising from Weak Internal Control System

• Lack of compliance with laws, rules and regulations and other management policies

• Embezzlement (theft or misappropriation of agency resources accompanied by falsification of records or documents to conceal theft)

• Other illegal acts of members of organization


COSO Enterprise Risk Management Model/Framework
