Internal Control Fundamentals

Internal Control
Fundamentals using the
COSO Model
Rosalinda D. Evangelista PhD., CPA
Resource Person

COSO
(Committee of Sponsoring Organizations)
Sponsoring organizations
AICPA
AAA
FEI
IIA
IMA

COSO
(Committee of Sponsoring Organizations)
History several business failures in the
1980s prompted creation of the Treadway
Commission
formed in 1985 to examine causes of fraudulent
financial reporting.

Charged with creating a control model.

Result: Report titled Internal Control
Integrated Framework, published in 1992.

COSO
(Committee of Sponsoring Organizations)
COSO model was considered to be best
practices, but had no teeth.
Renewed interest today because of recent
accounting scandals and Sarbanes-Oxley
Act of 2002 (SOX).
COSO model is still considered by many
to be the best internal control guide
available.

Sarbanes-Oxley Act of 2002

(Corporate Governance & Accounting
Reform Legislation)

Applies to SEC companies

Reforms aimed at companies, auditors,
board members and lawyers
Section 404 provision requires
companies to adopt and evaluate
internal controls.

COSO Definition of Internal Control

Internal control is a processdesigned to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

Types of Controls
Internal controls may be:
Preventive - designed to keep errors or

irregularities from occurring.

Detective - designed to detect errors or

irregularities that have already occurred.

Corrective - designed to correct errors or

irregularities that have been detected.

Who is Responsible for Internal

Control?
The organizations leadership is ultimately
responsible.
Everyone in an organization plays some role in
effecting control. All personnel should be
responsible to communicate problems in
operations, deviations from established
standards, and violations of policy or law.

Who is Responsible for Internal

Control?
Auditors contribute to the effectiveness of
controls, but they are not responsible to
establish or maintain them.

Five Components of an Integrated

System of Internal Controls
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring

Control Environment (1) ethical tone

established by management; foundation for all other
components; tone at the top (soft controls)

Factors include:
Integrity & Ethical Values must be clearly
communicated, in writing and by example.
Commitment to Competence
Management Philosophy & Operating Style
Organizational Structure
Human Resource Policies & Procedures
practices related to hiring, training, evaluation,
promoting, compensating, etc.

How do you Evaluate Soft

Controls?
Subjective - the only valid measure of their
effectiveness may be employees
perceptions.
Most modern internal control evaluation
practices have a strong element of selfassessment, which requires a partnership
between auditors and their clients.

Risk Assessment (2) mechanism

to identify, analyze and manage risks faced
by the institution.

The risk is that we may not accomplish our

objectives.
Factors:

External Factors - economic changes, changing

needs & expectations of clients, legislation &

regulations, technological developments, natural
disasters.

Internal Factors - new personnel, new computer

systems/processes, low morale.

Risk Assessment continued

After risks have been identified, they
must be analyzed - assess the likelihood of
the risk occurring; estimate the impact of a
risk if it does occur; consider how to manage
the risk.
We cannot anticipate every potential

risk

Control Activities (3) - policies (what

should be done) and procedures (how it
should be done) designed to help ensure that
objectives are achieved. (Hard controls)
Types of control activities:
Transaction Approvals, Authorizations,
Verifications
Reconciliations
Performance reviews, benchmarking,
trend analysis

Control Activities continued

Physical controls - restrict access to equipment,
conduct inventories, secure/count cash, etc.

Segregation of Duties - different people should

be responsible for:

authorizing transactions
recording transactions (accounting)
handling the related assets (custody)
monitoring transactions (reconciling, verifying).

Information Systems general controls and

application controls.

Information System Control Activities

General controls:
Segregation of duties within IT environment
Backup and recovery policies & procedures
Program development & documentation
controls
Hardware / access controls (i.e. passwords)
Virus detection software
Firewalls

Information System Control Activities

Application controls:
Input controls (authorization, validation,
error notification i.e. field checks, limit
checks, sequence checks)
Processing controls batch totals, audit
trails
Output controls listing of master file
changes, error listings

Information & Communication (4)- the

ability to capture and exchange information in a
way that allows employees to carry out their
responsibilities.
To be effective, the information system must have
adequate resources and be able to provide data
that is:
Relevant to established objectives (operational,
financial, compliance-related)
Accurate and in sufficient detail
Understandable and in usable form
Provided to the right people in time to allow
appropriate action.

Effectiveness of Information &

Communication Systems
Effective communications flow:
Up & down the organization clear
messages from the top regarding
philosophy, objectives and policies, and a
means for personnel to communicate
upstream.
Across the organization individuals and
departments sharing information across
organizational lines.

Monitoring (5) assessing the quality of

performance over time and making any
necessary modifications.
Activities include:
Management review of financial reports for
propriety and trends.
Review and analysis of tips and complaints from
external sources.
Comparison of recorded data with physical assets.
Self assessments, internal audits, external reviews
Established means to report and correct
deficiencies

Limitations of Internal Controls

Judgement - decisions are made by

humans, often under pressure and time

constraints, based on information at hand.
Breakdowns - Employees may not
understand instructions or may simply make
mistakes. Errors may result from new
systems and processes.
Management Override - high level personnel
may be able to override prescribed policies
and procedures.

Limitations of Internal Controls

continued
Collusion - two or more individuals,
working together, may be able to
circumvent controls.
Cost vs. Benefit - The risk of failure and
the potential effects must be weighed
against the cost of establishing controls.

Balancing Risk and Controls

not having an effective balance may cause:

Excessive Risks
- Loss of Assets, Donors, Grants &
Contracts, State funding
- Poor Business Decisions
- Noncompliance with laws & regulations
- Increased Regulations
- Public Scandals

Balancing Risk and Controls

not having an effective balance may cause :

Excessive Controls
- Increased Bureaucracy
- Increased Complexity
- Increased Cycle Time
- Increase in Non-Value Added Activities
- Reduced Productivity

Integrated System of Internal

Controls
An effective system of internal controls requires:
All 5 components working together
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Everyone in the organization playing an active
role

Internal Controls are Everyones

Business!