
PART I - 2

UNDERSTANDING YOUR ORGANIZATION’S INTERNAL CONTROL SYSTEM (ICS)

INTERNAL CONTROL INTEGRATED FRAMEWORK (FRAMEWORK)
COSO 1992
INTERNAL CONTROL OBJECTIVES
• EFFECTIVENESS AND EFFICIENCY OF OPERATIONS.
• RELIABILITY OF OPERATIONAL AND FINANCIAL REPORTING.
• COMPLIANCE WITH LAWS, REGULATIONS, AND CONTRACTS.
• SAFEGUARDING OF ASSETS.
Internal Control Components

1. CONTROL ENVIRONMENT
2. RISK ASSESSMENT
3. CONTROL ACTIVITIES
4. INFORMATION AND COMMUNICATION
5. MONITORING
THE CONTROL ENVIRONMENT
The control environment sets the tone of an organization by influencing the control consciousness of its people. It reflects the attitude and actions of the board and management regarding the significance of control within the organization. It is the foundation for all other components of internal control, providing discipline and structure for the achievement of the primary objectives of the system of internal control.
THE CONTROL ENVIRONMENT FACTORS
• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors or Audit Committee
• The “tone at the top”: Management Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority, Responsibility, Accountability & People Development
• Human Resource Policies and Practices
RISK ASSESSMENT
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
WHAT IS RISK?
• Risk is the possibility of a potential threat occurring that will have an adverse impact on the achievement of objectives.
• Risk is measured in terms of consequences, likelihood and velocity* of risks.
*recently added by RM Experts

The IIA Standards Glossary

Hence, risk …
… is a chance or probability of a threat occurring.
… the threat can be loss or harm or missed opportunity.
… will negatively impact on the organization’s objectives and goals.
… is an inescapable part of any organization.
… may lead to higher rewards if managed in a timely and cost-effective manner.
RISK ASSESSMENT
It implies:

1. Risk identification
- related to the objectives of the organization
- comprehensive
- includes risks due to external and internal factors

2. Risk evaluation
- estimating the significance of the risk
- assessing the likelihood of the risk occurrence

3. Assessment of the risk appetite of the organization

4. Development of responses
- Four types of responses to risk must be considered: transfer, tolerance, treatment or termination. Of these, risk treatment is the most relevant because effective internal control is the major mechanism to treat risk.
- The appropriate controls involved can be either detective or preventive.
RISK ASSESSMENT
As governmental, economic, industry, regulatory and operating conditions are in constant change, risk assessment should be an ongoing iterative process.

It implies identifying and analyzing altered conditions and opportunities and risks (risk assessment cycle) and modifying internal control to address changing risk.
RISK ASSESSMENT
• CONSISTENCY OF PLANS, BUDGETS AND STRATEGY TO OVERALL OBJECTIVES
• IDENTIFICATION OF CRITICAL SUCCESS FACTORS
• MANAGING CHANGE
Elements of Risk

Element                                       Description/Example
An event                                      • From outside or inside the organization
Has a probability or likelihood of happening  • May not be happening, may have happened in the distant past and may recur, or might happen
Impact on strategic objectives and mission    • Loss or harm
                                              • Missed opportunity
Velocity                                      • The speed at which a risk may occur
UNDERSTANDING OF THE AGENCY’S BUSINESS-RISK FACTORS:

• QUALITY OF INTERNAL CONTROL SYSTEM
• SIZE OF THE ORGANIZATIONAL UNIT
• RECENT CHANGES IN OPERATION/ADMINISTRATIVE SYSTEM
• COMPLEXITY OF OPERATIONS
• BUDGET (GENERAL APPROPRIATIONS ACT)
• RECENT CHANGE IN KEY PERSONNEL
• TIME SINCE LAST AUDIT
• EXTENT OF COMPUTERIZED DATA PROCESSING
• EXTENT OF REGULATIONS
THE RISK ASSESSMENT PROCESS

1. Identify Agency Objectives
2. Critical Success Factors
3. Identify Key Operating Units
4. Identify Business Processes for Each Operating Unit
5. Identify Key Risks Affecting Each Operating Process
6. Measure the Risks and Summarize Results for Each Operating Unit
RISK ASSESSMENT

A PROPERLY CONCEIVED AND IMPLEMENTED RISK ASSESSMENT SHOULD:

• PROVIDE THE BASIS FOR DECIDING WHETHER, AND WHAT TYPE OF, RISK RESPONSES ARE NEEDED
• ENSURE THAT ADDITIONAL RESPONSES COUNTER ACTUAL RISK
• SAVE MONEY THAT MIGHT HAVE BEEN WASTED ON UNNECESSARY RISK RESPONSES
• DETERMINE WHETHER RESIDUAL RISK (THAT RISK WHICH REMAINS AFTER THE RESPONSES HAVE BEEN INTRODUCED) IS ACCEPTABLE
FACTS ON RISK AND RISK ASSESSMENT

A. MEASURING RISK IS NOT A PRECISE SCIENCE, NOR NEED IT BE.
B. RISK ASSESSMENT AIDS THE PROCESS OWNER AND THE AUDITOR IN PLANNING.
C. RISK IS A CONCEPT. THE BASIC DIMENSIONS ARE IMPACT AND LIKELIHOOD. IT IS A MEASURE OF UNCERTAINTY. IN A BALANCED SCALE, THERE ARE THREATS AND OPPORTUNITIES. BOTH WILL HAVE TO BE MANAGED.
D. THE ORIGINS OF RISK ASSESSMENT LIE IN STRATEGIC MANAGEMENT PLANNING.
E. THE STRATEGIC FRAMEWORK AND EXPECTATIONS OF MANAGEMENT ARE FOR INTERNAL AUDIT TO FOCUS ON THE RELATIONSHIP OF TIME, INTERNAL CONTROL AND RISK.
A TYPICAL RISK PROFILE IN THE PUBLIC SECTOR

• SOCIAL RISK
• ECONOMIC RISK
• TECHNOLOGY RISK
• OPERATIONAL RISK
• PROGRAMS/PROJECTS RISK
• CONTINUITY RISK
• REPUTATION RISK
• HUMAN RESOURCES RISK
• CYCLE TIME RISK
• PARTNERING RISK
• COMPLIANCE/REGULATORY RISK
• POLITICAL RISK
• GOVERNANCE RISK
COMMON RISK CATEGORIES

STRATEGIC
• COMPLIANCE
• ECONOMIC
• POLITICAL
• LAWS & REGULATIONS
• SOCIAL
• GOVERNANCE
• FUNDING

OPERATIONAL
• PROGRAM RISK
• CORRUPTION
• HR RISKS
• IT/TECHNOLOGY
• PARTNERING
• CYCLE TIME

HAZARD
• NATURAL DISASTERS
• TERRORISM
• EPIDEMICS

FINANCIAL
• FOREIGN EXCHANGE
• LIQUIDITY
• POOR FINANCIAL MANAGEMENT
• ACCOUNTING PROBLEMS
What if the risk is not in the dictionary?

How will you identify risks?


How not to state a risk
• Identifying risk as the opposite of the objective or desired result.

Objective: To register 20% of poor households nation-wide in the PHILHEALTH by 2017.

Statement: May not be able to register 20% of poor households.
X This is the opposite of the objective, not the risk.
How not to state a risk
• Identifying risk as an impact.

Objective: To register 20% of poor households nation-wide in the PHILHEALTH by 2017.

Statement: Health of children may deteriorate further.
X This is the impact of the risk, not the risk itself.
How not to state a risk
• Identifying risk as the absence of controls.

Objective: To register 20% of poor households nation-wide in the PHILHEALTH by 2017.

Statement: Criteria of poor HHs are not clear.
X This is a control, not the risk itself.
How to state a risk
• Identifying risk as the absence of controls.

An event may happen, and the outcome is expressed in terms of impact on the Objectives/KRA.

Which is the correct statement of risk?

1. ___ Personnel handling the selection of HHs are not adequately trained.
2. ___ Errors in securing HH information.
3. ___ Target in the number of households selected are not achieved.
ASSESSING RISKS

• MEASURING RISK IS AS CRITICAL A STEP AS IDENTIFYING IT.

• ASSESS IN TERMS OF:
- Likelihood: How often can the risk occur? What triggers/drives risks to occur?
- Impact: What is the consequence if it occurs at that level?
- Velocity: How soon will the impact be experienced from identification?
ASSESSING RISKS

MEASURING LIKELIHOOD, IMPACT AND VELOCITY MAY BE:

1. QUANTITATIVE
o Historical/Predictive Models
o Non-probabilistic
o Probabilistic
o Based on benchmark

2. QUALITATIVE
Qualitative Methods

• Depends largely on the:
- Knowledge and judgment of the one assessing
- Understanding of potential events
- Surrounding context/environment

• Use when:
- Quantification is not possible
- Sufficient and credible data are not available
- Obtaining or analyzing data is not cost-effective.

• Ordinal measurement is the most common form
Likelihood Assessment

LIKELIHOOD          DESCRIPTION                                                 PROBABILITY
3  Almost certain   Evidence is available that the risk will happen very soon   Over 50%, or once a month
2  Possible         Has happened in some areas                                  Less than or equal to 50%, or once every 2 years
1  Remote           Remote and not possible                                     Less than 5%, or once every 5 years
Impact Assessment

IMPACT  SCALE      DESCRIPTION
3       High       Catastrophic or may threaten program existence
2       Moderate   Noticeable challenges to achieving strategic and/or financial targets
1       Low        Neither strategic nor financial impact
Velocity Assessment

VELOCITY  SCALE      DESCRIPTION
3         Fast       In less than a year
2         Moderate   1 to 2 years
1         Slow       Over 3 years


Risk Assessment Approaches:

• Inherent Risk Assessment
- Assessment prior to implementation of internal controls.
  Ex. Assess human errors in performing a transaction or activity, assuming there are no related mitigating controls.

• Residual Risk Assessment
- The risk level remaining after management acts to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk. It is the risk managed within existing controls or control systems.
- Assess human errors after considering existing internal controls. Assumes controls are adequate & effective.
Alternative Risk Responses

RESPONSE                  DESCRIPTION
Avoid/Terminate           Exit or eliminate the source of the risk. Get out of the activity.
Share/Transfer            Find a reliable partner or insure the risk.
Reduce/Treat              Mitigate the likelihood or impact of the risk in case it happens.
Accept/Tolerate           Do nothing to mitigate but monitor the risk.
Exploit/Take Opportunity  Do circumstances arise that offer a positive outcome?
Factors indicative of increased risk reporting for an organization:
• Changes in the organization’s regulatory or operating environment
• Changes in personnel
• Implementation of new or modified information system
• Rapid growth of the organization
• Changes in the technology affecting production processes or information system
• Organizational restructurings
CONTROL ACTIVITIES

Control activities are policies and procedures that help ensure that management’s directives are carried out. These policies and procedures promote actions that address the risks that face the organization.

To be effective, control activities must be appropriate, function consistently according to plan throughout the period, and be cost effective, comprehensive, reasonable and directly related to the control objectives. Control activities occur throughout the organization, at all levels and in all functions.
CONTROL ACTIVITIES

• PHYSICAL CONTROLS
• SEGREGATION OF DUTIES
• BUSINESS PROCESS LEVEL REVIEW
• DIRECT FUNCTIONAL OR ACTIVITY MANAGEMENT
CONTROL ACTIVITIES
Examples of Types of Control Activities:
• Authorization and approval procedures;
• Segregation of duties (authorizing, processing, recording, reviewing);
• Control over access to resources and records;
• Verifications;
• Reconciliations;
• Reviews of operating performance;
• Reviews of operations, processes and activities;
• Supervision (assigning, reviewing and approving, guidance and training).
CONTROL ACTIVITIES
Information Technology Control Activities:

Information systems imply specific types of control activities.

1. General Controls
General controls are the structure, policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation. They create the environment in which application systems and controls operate.
CONTROL ACTIVITIES
Major Categories of General Controls:
1. Entity-wide security program planning and management;
2. Access controls;
3. Controls on the development, maintenance and change of the application software;
4. System software controls;
5. Segregation of duties; and
6. Service continuity.
CONTROL ACTIVITIES
Information Technology Control Activities:

2. Application Controls
Application controls are the structure, policies and procedures that apply to separate, individual application systems, and are directly related to individual computerized applications. These controls are generally designed to prevent, detect, and correct errors and irregularities as information flows through information systems.
CONTROL ACTIVITIES

Information Technology Control Activities:

General and application controls are interrelated and both are needed to help ensure complete and accurate information processing. Because information technology changes rapidly, the associated controls must evolve constantly to remain effective.
INFORMATION AND COMMUNICATION

Information is needed at all levels of an organization to assist management in meeting the organization’s objectives. Of major concern to the internal auditors is the information system, and the way in which responsibilities for internal control over operational and financial reporting are communicated throughout the organization.
INFORMATION AND COMMUNICATION
• A precondition for reliable and relevant information is the prompt recording and proper classification of transactions and events.
• Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities (timely communication to the right people).
• Therefore, the internal control system as such and all transactions and significant events should be fully documented.
INFORMATION AND COMMUNICATION
Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the organization. They deal not only with internally generated data, but also with information about external events, activities and conditions needed for informed business decision-making and reporting.

Management’s ability to make appropriate decisions is affected by the quality of information, which implies that the information should be appropriate, timely, current, accurate and accessible.
INFORMATION AND COMMUNICATION
• Effective communication also must occur in a broader sense, flowing down, across and up the organization.
• All personnel must receive a clear message from top management that control responsibilities must be taken seriously.
• They must understand their own role in the internal control system, as well as how individual activities relate to the work of others.

There also needs to be effective communication with external parties.
INFORMATION AND COMMUNICATION

• ACCURACY AND TIMELINESS OF OPERATIONAL AND FINANCIAL INFORMATION
• ACCESS TO INTERNAL AND EXTERNAL INFORMATION
• ALIGNMENT OF INFORMATION SYSTEMS TO STRATEGY AND OBJECTIVES
• EMPLOYEES’ DUTIES – CONTROL RESPONSIBILITY
• ORGANIZATIONAL COMMUNICATION
MONITORING

Monitoring, the last component of internal control, is a process that assesses the quality of internal control over time.

It is important to monitor internal control to determine whether it is operating as intended and whether modifications are necessary. Monitoring can be achieved by performing ongoing activities or by separate evaluations or a combination of the two.
MONITORING

Ongoing monitoring of internal control is built into the normal recurring activities of an entity. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.

Ongoing monitoring activities cover each of the internal control components and involve action against irregular, unethical, uneconomical, inefficient and ineffective control systems.
MONITORING
The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Specific separate evaluations cover the evaluation of the effectiveness of the internal control system and ensure that the internal control achieves the desired results based on predefined methods and procedures. Separate evaluations are monitoring activities that are performed on a nonroutine basis, such as periodic audits by internal auditors.
MONITORING

• MECHANISM TO EVALUATE ONGOING ACTIVITIES AND REPORT SERIOUS DEFICIENCIES
• REPORT REVIEW
• REVIEWS OF ONE-TIME ACTIVITIES
• CONTROL SYSTEMS ASSESSMENT

MONITORING CONTROLS

UNMONITORED CONTROLS TEND TO DETERIORATE OVER TIME.
WHAT SHOULD BE MONITORED?

• PERFORMANCE vs. TARGETS
- OUTPUTS
- OUTCOMES
- INPUTS

• RISK INDICATORS

• INTERNAL CONTROLS
MONITORING

• PURPOSE: Helps ensure that internal controls operate effectively and efficiently in managing risks and increasing the chance that objectives will be achieved.

From COSO Guidance on Monitoring
MONITORING

• BENEFITS:
- Identify and correct internal control problems on a timely basis.
- Produce more accurate and more reliable information for decision-making.
- Prepare accurate and timely financial statements.
- Be in a position to provide periodic assurance on adequacy and effectiveness of internal controls.
From COSO Guidance on Monitoring
IMPLEMENTING MONITORING
• Establishing a foundation:
- Proper tone at the top
- Effective organizational structure that assigns monitoring roles to people with appropriate capability, objectivity and authority
- Starting point or “baseline” of known effective internal controls from which ongoing monitoring and separate evaluations can be implemented.
From COSO Guidance on Monitoring
IMPLEMENTING MONITORING

• Designing and executing monitoring procedures focused on persuasive information about operation of controls (e.g., key controls).

• Assessing and reporting results to appropriate parties.
From COSO Guidance on Monitoring
TYPES OF MONITORING

• Ongoing evaluations:
- Built into operational processes at different levels of the organization.
- Provide timely information

• Separate evaluations:
- Conducted periodically
- Depending on assessment of risks and
- Effectiveness of ongoing evaluations, and
- Other management considerations (e.g., compliance requirements)

From COSO Guidance on Monitoring
CONSIDERATIONS IN MONITORING

• Balanced ongoing and separate evaluations.

• Rate of change in the environment and operational processes when selecting and developing ongoing and separate evaluations.
CONSIDERATIONS IN MONITORING

• Design and current state of the internal control system are used to establish a baseline for ongoing and separate evaluations.

• Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
CONSIDERATIONS IN MONITORING

• Ongoing evaluations are built into operational processes and adjust to changing conditions.

• Management varies the scope and frequency of separate evaluations depending on assessed risk.

• Separate evaluations are performed periodically to provide objective feedback.
CHARACTERISTICS OF EVALUATORS

• Roles and Responsibilities:
- Determines what and how to monitor
- Assesses monitoring information
- Reaches conclusion on effectiveness of controls
- Reports on conclusion
CHARACTERISTICS OF EVALUATORS
• Require:
- Objectivity
- Adequate skills, authority and resources
- Understanding of internal controls and the risks that controls are intended to manage
- Knowledge to spot deficiencies when these arise and the root causes of control weaknesses or failures
- Know how to compile relevant and reliable information
- Present information according to the expectations of management
OBJECTIVITY LEVELS IN MONITORING

SELF-REVIEW       PEER REVIEW         SUPERVISORY REVIEW   IMPARTIAL REVIEW
LEAST OBJECTIVE   SOMEWHAT OBJECTIVE  MORE OBJECTIVE       MOST OBJECTIVE
DEFINITION OF INTERNAL AUDITING¹
“AN INDEPENDENT AND OBJECTIVE ASSURANCE AND CONSULTING ACTIVITY DESIGNED TO ADD VALUE AND IMPROVE AN ORGANIZATION’S OPERATIONS. IT HELPS AN ORGANIZATION ACCOMPLISH ITS OBJECTIVES BY BRINGING A SYSTEMATIC, DISCIPLINED APPROACH TO EVALUATE AND IMPROVE THE EFFECTIVENESS OF RISK MANAGEMENT, CONTROL AND GOVERNANCE.”

¹ INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK - IIA (1999)


INTERNAL CONTROL COMPONENTS PYRAMID
COSO – Internal Control Framework

[Figure: Internal Control Components pyramid. From the base upward: CONTROL ENVIRONMENT, RISK ASSESSMENT, CONTROL ACTIVITIES, MONITORING. INFORMATION & COMMUNICATION runs along both sides of the pyramid.]

INTERNAL CONTROL SYSTEM

[Figure: the five components CONTROL ENVIRONMENT, RISK ASSESSMENT, CONTROL ACTIVITIES, INFORMATION AND COMMUNICATION and MONITORING, shown together with INTERNAL AUDIT.]
RELATIONSHIP OF OBJECTIVES AND COMPONENTS

THERE IS A DIRECT RELATIONSHIP BETWEEN OBJECTIVES, WHICH ARE WHAT THE ENTITY STRIVES TO ACHIEVE, AND COMPONENTS, WHICH REPRESENT WHAT IS NEEDED TO ACHIEVE THE OBJECTIVES.

INTERNAL CONTROL IS RELEVANT TO AN ENTIRE ENTERPRISE, OR TO ANY OF ITS UNITS OR ACTIVITIES.

INFORMATION IS NEEDED FOR ALL FOUR OBJECTIVES CATEGORIES - TO EFFECTIVELY MANAGE BUSINESS OPERATIONS, PREPARE FINANCIAL AND OPERATIONAL STATEMENTS RELIABLY, SAFEGUARD ASSETS AND DETERMINE COMPLIANCE.

ALL FIVE COMPONENTS ARE APPLICABLE AND IMPORTANT TO ACHIEVEMENT OF BUSINESS OBJECTIVES.
INTERNAL CONTROL INTEGRATED FRAMEWORK (FRAMEWORK)
COSO 2013
THE FRAMEWORK
• DEFINITION OF INTERNAL CONTROL
• OBJECTIVES, COMPONENTS, AND PRINCIPLES
• EFFECTIVE INTERNAL CONTROL
• ADDITIONAL CONSIDERATIONS
THE FRAMEWORK
• COMPONENTS
• CONTROL ENVIRONMENT
• RISK ASSESSMENT
• CONTROL ACTIVITIES
• INFORMATION AND
COMMUNICATION
• MONITORING ACTIVITIES
• LIMITATIONS OF INTERNAL
CONTROL
Purpose of the Framework
• The purpose of the Internal Control – Integrated Framework (Framework) is to help management better control the organization and to provide a board of directors¹ with an added ability to oversee internal control.

¹ The Framework uses the term “board of directors”, which encompasses the governing body, including the board, board of trustees, general partners, owner, or supervisory board.

• A system of internal control allows management to stay focused on the organization’s pursuit of its operations and financial performance goals, while operating within the confines of relevant laws and minimizing surprises along the way.

• Internal control enables an organization to deal more effectively with changing economic and competitive environments, leadership, priorities, and evolving business models.
DEFINITION OF INTERNAL CONTROL

DEFINITION OF INTERNAL CONTROL²
“A process, effected by an entity’s board of directors, management and other personnel,” designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of Financial and Operational Reporting.
• Compliance with applicable laws, regulations and contracts.
• Safeguarding of assets.

² COSO Internal Control – Integrated Framework Definition (1992)
DEFINITION OF INTERNAL CONTROL³
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

³ COSO Internal Control – Integrated Framework Definition (2013)
The COSO definition emphasizes that internal control is:

• Geared to the achievement of objectives in one or more separate but overlapping categories – operations, reporting, and compliance.
• A process consisting of ongoing tasks and activities - a means to an end, not an end in itself.
• Effected by people - not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of the organization to effect internal control.
• Able to provide reasonable assurance, but not absolute assurance, to an entity’s management and board of directors.
• Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

Throughout the Framework, the term “the entity and its subunits” refers collectively to the overall entity, divisions, subsidiaries, operating units, and functions.
The COSO definition is intentionally broad for two reasons:

• First, it captures important concepts that are fundamental to how organizations design, implement, and conduct internal control and assess effectiveness of their system of internal control, providing a basis for application across various types of organizations, industries and geographic regions.
• Second, the definition accommodates subsets of internal control.
OBJECTIVES, COMPONENTS AND PRINCIPLES
OBJECTIVES, COMPONENTS AND PRINCIPLES

An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them.

Objectives may be set for an entity as a whole or be targeted to specific activities within the entity. Though many objectives are specific to a particular entity, some are widely shared. For example, objectives common to most entities are:
• Sustaining organizational success
• Reporting to stakeholders
• Recruiting and retaining motivated and competent employees
• Achieving and maintaining a positive reputation
• Complying with laws and regulations
FIVE COMPONENTS OF INTERNAL CONTROL
• CONTROL ENVIRONMENT
• RISK ASSESSMENT
• CONTROL ACTIVITIES
• INFORMATION AND COMMUNICATION
• MONITORING ACTIVITIES
OBJECTIVES
Management, with board oversight, sets
entity-level objectives that align with the
entity’s mission, vision and strategies. These
high-level objectives reflect choices made by
management and board of directors about how
the organization seeks to create, preserve and
realize value for its stakeholders.
Setting objectives is a prerequisite to internal
control and a key part of the management
process relating to strategic planning.
OBJECTIVES
• Individuals who are part of the system of
internal control need to understand the overall
strategies and objectives set by the organization.
• As part of internal control, management
specifies suitable objectives so that risks to the
achievement of such objectives can be identified
and assessed.
• Specifying objectives includes the articulation of specific, measurable or observable, attainable, relevant, and time-bound objectives.
CATEGORIES OF OBJECTIVES

• OPERATIONS OBJECTIVES

• REPORTING OBJECTIVES

• COMPLIANCE OBJECTIVES
Safeguarding of Assets
• The operations category of objectives includes safeguarding of assets, in other words, protecting and preserving entity assets.
• The efficient use of an entity’s assets and prevention of loss through waste, inefficiency or poor business decisions relate to broader operations objectives and are not specific considerations relating to safeguarding of assets.
Safeguarding of Assets
• Laws, rules, regulations, and external standards have created an expectation that management reporting on internal control includes controls relating to preventing and detecting unauthorized acquisition, use, or disposition of entity assets.
• In addition, some entities consider safeguarding of assets a separate category of objective, and that view can be accommodated within the application of the Framework.
Basis of Objectives Categories
• Some objectives are derived from the regulatory or industry environments in which the entity operates. These objectives are established largely by law or regulation, and fall into the category of compliance, external reporting or both.
• Operations and internal reporting objectives are based more on the organization’s preferences, judgments, and choices. These objectives vary widely among entities simply because informed and competent people may select different objectives.
Components and Principles of Internal Control

• The Framework sets out five components of internal control and seventeen principles representing the fundamental concepts associated with the components.
• These components and principles of internal control are suitable for all entities.
• All seventeen principles apply to each category of objective, as well as to objectives and sub-objectives within a category.
Component: Control Environment

The control environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.
Component: Control Environment

Five Principles relating to Control Environment:

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Component: Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
Component: Risk Assessment
Four Principles relating to Risk Assessment:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Component: Control Activities
Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.

Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.
Component: Control Activities
Three Principles relating to Control Activities:

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Component: Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
Three Principles relating to Information and Communication:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Component: Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
Two Principles relating to Monitoring Activities:

16. The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
INTERNAL CONTROL STANDARDS FOR THE PHILIPPINE PUBLIC SECTOR (ICSPPS 2018)
OBJECTIVES, COMPONENTS AND PRINCIPLES
OBJECTIVES

1. OPERATIONS - Executing orderly, economical, efficient, effective and ethical operations.
2. REPORTING - Developing, maintaining, and making available reliable and relevant financial and non-financial information, and disclosing that information fairly in timely reports to internal as well as external stakeholders.
3. COMPLIANCE - Complying with applicable laws, rules, regulations and policies.
4. SAFEGUARDING OF ASSETS - Safeguarding resources against loss, misuse, and damage due to waste, abuse, mismanagement, errors, fraud, and irregularities.
ICSPPS 2018 COMPONENTS AND PRINCIPLES
Component: Control Environment

Five Principles relating to Control Environment:

1. Management demonstrates personal and professional integrity and ethical values.
2. Management sets the “tone at the top”.
3. Management establishes an appropriate governance structure.
4. Management exhibits commitment to competence; and
5. Management establishes human resource policies and procedures.
Component: Risk Assessment

Three Principles relating to Risk Assessment:

6. Management identifies and defines objectives and risk tolerance in specific and measurable terms.
7. Management identifies, evaluates and assesses the agency’s risks; and
8. Management determines the appropriate response to the identified, evaluated and assessed agency risks.
Component: Control Activities

Three Principles relating to Control Activities:

9. Management designs control activities which are appropriate, consistently functioning according to plan throughout the period, cost-effective, comprehensive, reasonable and directly related to the control objectives.
10. Management develops control activities which include diverse policies and procedures; and
11. Management develops effective information technology control activities.
Component: Information and Communication

Three Principles relating to Information and Communication:

12. Management develops and maintains reliable and relevant financial and non-financial information;
13. Management communicates information throughout the agency; and
14. Management communicates information with external parties.
Component: Monitoring

Two Principles relating to Monitoring:

15. Management establishes and operates activities to monitor the internal control system, and evaluates the results; and
16. Management takes appropriate actions on the findings and recommendations of audit and other reviews.
EFFECTIVE INTERNAL CONTROL

REQUIREMENTS FOR EFFECTIVE INTERNAL CONTROL

AN EFFECTIVE SYSTEM OF INTERNAL CONTROL REDUCES, TO AN ACCEPTABLE LEVEL, THE RISK OF NOT ACHIEVING AN OBJECTIVE RELATING TO ONE, TWO OR ALL THREE CATEGORIES. IT REQUIRES THAT:

• EACH OF THE FIVE COMPONENTS OF INTERNAL CONTROL AND RELEVANT PRINCIPLES IS PRESENT AND FUNCTIONING.
• THE FIVE COMPONENTS ARE OPERATING TOGETHER IN AN INTEGRATED MANNER.
IN DETERMINING WHETHER A SYSTEM OF INTERNAL CONTROL IS EFFECTIVE, MANAGEMENT EXERCISES JUDGMENT IN ASSESSING WHETHER EACH OF THE FIVE COMPONENTS AND RELEVANT PRINCIPLES IS PRESENT AND FUNCTIONING AND WHETHER THE COMPONENTS ARE OPERATING TOGETHER.
WHEN INTERNAL CONTROL IS DETERMINED TO BE EFFECTIVE, SENIOR MANAGEMENT AND THE BOARD HAVE REASONABLE ASSURANCE REGARDING THE FOLLOWING CATEGORIES OF OBJECTIVES:

• OPERATIONS – the organization achieves effective and efficient operations, and understands the extent to which operations are managed efficiently and effectively.
• REPORTING – the organization prepares reports in conformity with laws, rules, regulations, standards and with the entity’s specified objectives and related policies.
• COMPLIANCE – the organization complies with applicable laws, rules and regulations.
SUITABILITY AND RELEVANCE OF COMPONENTS AND PRINCIPLES

THE FRAMEWORK VIEWS ALL COMPONENTS AND PRINCIPLES AS SUITABLE AND RELEVANT TO ALL ENTITIES. ACCORDINGLY, IF A RELEVANT PRINCIPLE IS NOT PRESENT AND FUNCTIONING, THE ASSOCIATED COMPONENT CANNOT BE PRESENT AND FUNCTIONING.
PRESENT AND FUNCTIONING

• “Present” refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.
• “Functioning” refers to the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.
OPERATING TOGETHER

THE FRAMEWORK REQUIRES THAT ALL COMPONENTS OPERATE TOGETHER IN AN INTEGRATED MANNER.

• “Operating together” refers to the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.

COMPONENTS THAT ARE PRESENT AND FUNCTIONING CAPTURE THE INHERENT INTERDEPENDENCIES AND LINKAGES AMONG THEM.
EXAMPLES OF COMPONENTS OPERATING TOGETHER

• The organization establishes expected standards of conduct and sets performance measures and incentives within the Control Environment to reduce the potential for fraudulent behavior, which may impact the assessed level of fraud risk evaluated within Risk Assessment.
• The development and deployment of policies and procedures as part of the Control Activities contributes to the mitigation of risks identified and analyzed within Risk Assessment.
• The processing of relevant quality information within Information and Communication supports the deployment of business process and transaction controls within Control Activities and the performance of ongoing and separate evaluations of such controls within Monitoring Activities.
• The communication of internal control deficiencies to those responsible for taking corrective actions as part of Monitoring Activities requires a full understanding of the entity’s structures, reporting lines, authorities and responsibilities as set forth in the Control Environment and as communicated within Information and Communication.
Deficiencies of Internal Control

• “Internal control deficiency” refers to a shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.
• An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.
• When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.
• A major deficiency exists in the system of internal control when management determines that a component and one or more relevant principles are not present and functioning, or that components are not operating together.
• A major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.
• Similarly, a major deficiency in a relevant principle cannot be mitigated to an acceptable level by the presence and functioning of other principles.
• In determining whether components and relevant principles are present and functioning, management can consider controls to effect other principles. For instance, in assessing whether the principle Assesses Fraud Risk is present and functioning, the organization can consider controls to effect other principles, such as those relating to Establishes Structure, Authority and Responsibility and Enforces Accountability. By considering controls initially considered in the context of other principles, management may be able to determine that the principle Assesses Fraud Risk is present and functioning.
ADDITIONAL CONSIDERATIONS

Judgment

• The Framework requires judgment in designing, implementing, and conducting internal control and in assessing its effectiveness. The use of judgment enhances management’s ability to make better decisions about internal control, but cannot guarantee a perfect outcome.

Management exercises judgment in important areas such as:
• Applying internal control components relative to categories of objectives
• Applying internal control components and principles within the entity structure
• Specifying suitable objectives and sub-objectives and assessing risks to achieving objectives
• Selecting, developing and deploying controls necessary to effect principles
• Assessing whether components are present, functioning and operating together
• Assessing whether principles are relevant to the entity and present and functioning
• Assessing the severity of one or more internal control deficiencies in accordance with applicable laws, rules, regulations, and external standards, or with the Framework.
Points of Focus

• The Framework describes points of focus that are important characteristics of principles.
• Management may determine that some of these points of focus are not suitable and relevant and may identify and consider others based on the specific circumstances of the entity.
• Points of focus may assist management in designing, implementing, and conducting internal control and in assessing whether the relevant principles are in fact present and functioning.
• The Framework does not require that management assess separately whether points of focus are in place.
Controls to Effect Principles

Embedded within the internal control process are controls, which consist of policies and procedures:
• Policies reflect management or board statements of what should be done to effect control.
• Procedures are actions that implement policies.

• Organizations select and develop controls within each component to effect relevant principles.
• Controls are interrelated and may support multiple objectives and principles.
• The Framework does not prescribe specific controls that must be selected, developed and deployed for an effective system of internal control.
• That determination is a function of management judgment based on factors unique to each entity.

Factors:
• Laws, rules, regulations, and standards applicable to the entity
• Nature of the entity’s business and the markets in which it operates
• Scope and nature of the management operating model
• Competency of the personnel responsible for internal control
• Use of and dependence on technology
• Management’s responses to assessed risks
Organizational Boundaries

The Framework can be applied to the entire entity regardless of what choices management makes about how it will execute the business activities that support its objectives, either directly or through external relationships.
Technology

• Technology may be essential to support management’s pursuit of the entity’s objectives and to better control the organization’s activities.
• Technology is often referred to by other terms, such as “management information systems” or “information technology”.
• The Framework uses the term “technology” to refer to all computerized systems, including software applications running on a computer and operational control systems.
Larger versus Smaller Entities

• The principles underlying the components of internal control are just as applicable for smaller entities as for larger ones.
• However, implementation approaches may vary for smaller entities.
• Smaller entities have unique advantages which can contribute to effective internal control: a wider span of control by senior management and greater direct interaction with personnel.
Benefits and Costs of Internal Control

Benefits:
• Provides management and the board with added confidence regarding the achievement of objectives
• Provides feedback on how a business is functioning, which helps reduce surprises
• Reliable reporting that supports management and board decision making
• Consistent mechanisms for processing transactions, supporting the quality of information and communications across the organization
• Increased efficiency within functions and processes
• A basis for decisions where highly subjective and substantial judgment is needed
• Ability and confidence to communicate business performance

Costs:
• Considering trade-offs between recruiting and retaining staff with a higher level of competency and the related higher compensation costs.
• Assessing the effort required to select, develop, and perform control activities, and the potential incremental effort that the activity adds to the business process.
• Assessing the impacts of added reliance on technology. The cost associated with selecting, developing, maintaining, and updating the technology could be substantial.
• Understanding how changes in information requirements may call for greater data collection, processing and storage that could trigger exponential growth in data volume.
Documentation

Reasons to develop and maintain documentation:
• Provide clarity around roles and responsibilities.
• Effective documentation assists in capturing the design of internal control and communicating the who, what, when, where, and why of internal control execution.
• Documentation provides evidence of the conduct of internal control, enables proper monitoring, and supports reporting on internal control effectiveness.
• Documentation provides a means to retain organizational knowledge and mitigate the risk of having the knowledge within the minds of a limited number of employees.
KEY LINKAGES

[Figure: hierarchy of COMPONENT > PRINCIPLE > POINT OF FOCUS]

OBJECTIVES (must be articulated and measurable) -> RISKS (risks relate to objectives) -> COMPONENTS OF EFFECTIVE INTERNAL CONTROL (17 principles supporting the components) -> POINTS OF FOCUS

[Figure: COSO’s 17 PRINCIPLES OF INTERNAL CONTROL]

The Framework Changes the Nature of Operational Audits

• Internal audit should address internal control using the Objectives - Risks - Internal Control approach.
TYPES OF CONTROL ACTIVITIES

• TIMING/PLACEMENT
  - PREVENTIVE
  - DIRECTIVE
  - DETECTIVE
  - CORRECTIVE/RECOVERY
• EFFECT ON OBJECTIVES
  - KEY CONTROLS
  - FAIL-PROOF CONTROLS
• DATA PROCESSING
  - AUTOMATED (SYSTEM-BASED) VS. MANUAL (PEOPLE-BASED)
TIMING OF INTERNAL CONTROLS

[Figure: RISKS (UNDESIRABLE EVENTS); for each event, controls are placed in sequence: PREVENTIVE before the event occurs, DETECTIVE once it has occurred, CORRECTIVE once it has been detected]

PREVENTIVE CONTROLS

DESCRIPTION: Designed to keep errors or irregularities from occurring in the first place by discouraging or pre-empting them. They are more cost-effective than detective controls.

EXAMPLES: segregation of duties; setting spending limits; authorization/approval matrix; access restrictions.
DIRECTIVE CONTROLS

DESCRIPTION: Designed to encourage or cause a desirable outcome to be achieved. Broad in nature.

EXAMPLES: job descriptions; plans and programs; training; IT configuration standards.
DETECTIVE CONTROLS

DESCRIPTION: Designed to search for and identify errors after they have occurred. More expensive than preventive controls, but still essential to measure the effectiveness of preventive controls. They are the only way to effectively control certain types of error.

EXAMPLES: reviews and comparisons; exception reports; performance measurement; reconciliations; reviewing logs for evidence of mischief; firewalls (their logging and alerting; the blocking function of a firewall is preventive).
CORRECTIVE/RECOVERY CONTROLS

DESCRIPTION: Designed to prevent recurrence of errors. Used when improper outcomes occur and are detected. Usually the last recourse, and can be costly. They assist individuals in the investigation and correction of the causes of exposures that have been detected.

EXAMPLES: disciplinary actions; filing suits in court; restoring data from backup following a failure (recovery control); reconciliations; charge-back of double or wrong payments.
PURPOSE OF CONTROLS

• CORRECT - reduce the impact of the risk if it occurs.
• DETECT - reduce the impact of the risk that occurred, by early detection.
• PREVENT/DIRECT - reduce the chance of a bad event occurring, or increase the chance of a good outcome.
EFFECT ON OBJECTIVES:
- KEY CONTROLS
- FAIL-PROOF CONTROLS

KEY CONTROLS

DESCRIPTION: A key control is one whose failure could materially affect objectives. If other controls fail, key controls can be relied upon to prevent and/or detect risks.

EXAMPLES: passwords; review and approval of control modifications, changes to master files, and program modifications.

Note: Not all preventive controls are key controls.
HOW TO IDENTIFY KEY CONTROLS

Identify the steps and actions which, if not executed, could result in the failure of the procedure to manage risks and meet its goals. Such steps can be identified by asking the following questions:

- What are the most important steps/actions which keep the process on track?
- What steps/actions help detect significant errors?
- What step will ensure changes are valid/authorized?

Factors to identify key controls:
• Controls requiring specialized skill or training
• Controls requiring a high degree of judgment
• Manual controls, which are more susceptible to human error
• Known control failures
• Likelihood that a control failure may not be detected
FAIL-PROOF CONTROLS

DESCRIPTION: Automatically prevents an existing defect from moving forward in the process, by preventing, correcting, or drawing attention to human errors as they occur. A behavior-shaping constraint designed into a process to prevent incorrect operation by the user.

EXAMPLES: color-coding forms; in an automated procurement system, buyers cannot process a purchase requisition (PR) unless it has been properly approved.
FAIL-PROOF CONTROLS: CALL CENTERS

• Agent-Assisted Automation (AAA) enables agents to get the required disclosures from customers using pre-recorded audio files.
• These disclosures are required before customers can make a purchase or seek assistance from the agents.
• By integrating the AAA with customer relationship management software, the agent cannot complete the order until the required disclosures are played.
• Poor training, fatigue, forgetfulness and limits on human consistency can lead agents to skip key steps in the process.
• AAA thus helps to improve productivity and consistency among agents.
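The control types above (preventive, detective and corrective, plus the fail-proof "PR cannot be processed unless approved" rule) are easiest to tell apart when each is written as code. The following is an added example and is not part of the original deck or of any real procurement system: a toy purchase-requisition workflow in which an authorization matrix with spending limits, segregation of duties and an access restriction act as preventive controls, payment processing refuses unapproved PRs (fail-proof), an exception report over the payment log is the detective control, and charge-back entries are the corrective control. All users, roles, limits and log records are constructed for illustration.

```python
"""Added example (not from the original deck): a toy purchase-requisition (PR)
workflow that implements, in code, the control types described above.

- Preventive: an authorization matrix with spending limits, segregation of
  duties (a requester may not approve their own PR) and an access restriction
  (only holders of an approving role may approve).
- Fail-proof: a PR cannot be processed for payment until it is approved, so an
  unapproved PR cannot move forward in the process.
- Detective: an exception report over the payment log flags duplicate payments
  and payments with no approved PR behind them.
- Corrective: charge-back entries are generated for the duplicates found.

Users, roles, limits and log records below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Authorization matrix (constructed): role -> maximum amount that role may approve.
APPROVAL_LIMITS = {"supervisor": 10_000, "director": 100_000}

# Access restriction (constructed): which user holds which role.
ROLES = {"alice": "buyer", "bob": "supervisor", "carol": "director"}


class ControlViolation(Exception):
    """Raised when a preventive or fail-proof control blocks an action."""


@dataclass
class PurchaseRequisition:
    pr_id: str
    requester: str
    vendor: str
    amount: int
    approved_by: Optional[str] = None


def approve(pr: PurchaseRequisition, approver: str) -> PurchaseRequisition:
    """Preventive controls, checked in order: access restriction,
    segregation of duties, spending limit from the authorization matrix."""
    role = ROLES.get(approver)
    if role not in APPROVAL_LIMITS:
        raise ControlViolation(f"{approver} holds no approving role")
    if approver == pr.requester:
        raise ControlViolation(f"segregation of duties: {approver} cannot approve own {pr.pr_id}")
    if pr.amount > APPROVAL_LIMITS[role]:
        raise ControlViolation(f"{pr.pr_id}: amount {pr.amount} exceeds {role} limit")
    pr.approved_by = approver
    return pr


def process_for_payment(pr: PurchaseRequisition, payment_log: list) -> bool:
    """Fail-proof control: the system itself refuses to pay an unapproved PR."""
    if pr.approved_by is None:
        raise ControlViolation(f"{pr.pr_id} is not approved; payment blocked")
    payment_log.append({"pr_id": pr.pr_id, "vendor": pr.vendor, "amount": pr.amount})
    return True


def exception_report(payment_log: list, approved_pr_ids: set) -> dict:
    """Detective control: runs after the fact over the log, not at transaction time."""
    counts = Counter((p["pr_id"], p["vendor"], p["amount"]) for p in payment_log)
    duplicates = [{"pr_id": k[0], "vendor": k[1], "amount": k[2], "extra": n - 1}
                  for k, n in counts.items() if n > 1]
    unapproved = [p for p in payment_log if p["pr_id"] not in approved_pr_ids]
    return {"duplicates": duplicates, "unapproved": unapproved}


def charge_backs(report: dict) -> list:
    """Corrective control: reverse each extra copy of a duplicate payment."""
    return [{"pr_id": d["pr_id"], "vendor": d["vendor"], "amount": -d["amount"] * d["extra"]}
            for d in report["duplicates"]]


def run_demo() -> dict:
    """Push constructed PRs through the controls and return what each control produced."""
    payment_log, approved, blocked = [], set(), []

    pr1 = PurchaseRequisition("PR-1", "alice", "Acme", 5_000)
    pr2 = PurchaseRequisition("PR-2", "alice", "Acme", 50_000)
    pr3 = PurchaseRequisition("PR-3", "bob", "Globex", 2_000)

    # PR-1 is within the supervisor limit: approved by bob, then paid.
    approve(pr1, "bob")
    approved.add(pr1.pr_id)
    process_for_payment(pr1, payment_log)
    # Constructed error: the same PR is paid a second time by hand.
    payment_log.append({"pr_id": "PR-1", "vendor": "Acme", "amount": 5_000})

    # PR-2 exceeds the supervisor limit: bob is blocked, carol (director) may approve.
    for approver in ("bob", "carol"):
        try:
            approve(pr2, approver)
            approved.add(pr2.pr_id)
        except ControlViolation as e:
            blocked.append(str(e))
    process_for_payment(pr2, payment_log)

    # PR-3: a buyer with no approving role, then the requester himself, try to
    # approve; finally someone tries to pay it while it is still unapproved.
    for action in (lambda: approve(pr3, "alice"),
                   lambda: approve(pr3, "bob"),
                   lambda: process_for_payment(pr3, payment_log)):
        try:
            action()
        except ControlViolation as e:
            blocked.append(str(e))

    # Constructed error: a payment entered with no PR behind it.
    payment_log.append({"pr_id": "PR-9", "vendor": "Initech", "amount": 700})

    report = exception_report(payment_log, approved)
    return {"blocked": blocked, "report": report, "charge_backs": charge_backs(report)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two points the deck's tables make are visible in the code: the preventive and fail-proof checks run inline and fail closed (the PR never advances), whereas the detective report only sees the duplicate and the PR-less payment after they are already in the log, which is why it is paired with a corrective charge-back rather than being relied on alone.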
AUTOMATED CONTROLS

• GENERAL CONTROLS
  - DATA CENTER OPERATIONS
  - SYSTEMS SOFTWARE ACQUISITION AND MAINTENANCE
  - ACCESS SECURITY
  - APPLICATION SYSTEMS DEVELOPMENT AND MAINTENANCE
• APPLICATION CONTROLS
  - PROCESSING OF A SPECIFIC APPLICATION, e.g., RUNNING A PROGRAM TO PREPARE CASH GRANTS PER MONTH.
CONTROLS CATEGORIES (USES - EXAMPLES)

1. STANDARDIZE PERFORMANCE FOR INCREASING EFFICIENCY AND REDUCING COSTS - time and motion studies, inspections, written procedures and work schedules
2. CONSERVE COMPANY ASSETS - allocation of responsibilities, separation of operational, custodial and accounting activities, and adoption of proper authorities and record keeping
3. STANDARDIZE QUALITY - inspection, statistical quality control and product specification
4. PROVIDE FREE LIMITS TO THE USE OF DELEGATED AUTHORITY WITHOUT FURTHER TOP MANAGEMENT APPROVAL - organization and procedure manuals, policy directives and internal audit
5. MEASURE ON-THE-JOB PERFORMANCE - special reports, internal audits, budgets, standard costs and output per hour per employee
6. PLAN FUTURE OPERATIONS - sales and production forecasts, budgets, cost standards and other standards for measurement
7. PERMIT TOP MANAGEMENT TO KEEP VARIOUS PLANS AND PROGRAMS IN BALANCE - master budget, policy manuals, organizational manuals, and the use of oversight committees and management consultants
8. MOTIVATE PERSONNEL - promotions, rewards for suggestions, profit sharing and other methods of recognizing achievement
COMMON CONTROL ACTIVITIES

• SEGREGATION OF DUTIES
• PHYSICAL
• AUTHORIZATION AND APPROVAL
• MANAGEMENT
• SUPERVISION
• ORGANIZATION
• ARITHMETIC AND ACCOUNTING
• PERSONNEL
CRITERIA FOR INTERNAL CONTROL

STANDARD 2130 – CONTROL

• The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. (The IIA Inc. Standards)

CONTROL CRITERIA

• Adequate criteria are needed to evaluate governance, risk management and controls.
• Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished.
• If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria. (The IIA Standards 2210.A3)
CRITERIA FOR CONTROLS

• All controls must have criteria, depending on the control objectives (e.g. operational, reliability of information, compliance and safeguarding).
• Internal auditors must assess whether the existing criteria are appropriate and clear.
• If the criteria are absent, inappropriate or vague:
  - Research or benchmark relevant criteria
  - Recommend these to management
  - Management is responsible for accepting or declining, but must be able to explain why it is declining the recommendation and present a counter-criterion or criteria.
EVALUATING CONTROL CRITERIA

[Flowchart: Are there adequate criteria? If yes, evaluate the controls. If the criteria are inadequate or missing, management develops appropriate criteria, and only then are the controls evaluated.]
EVALUATING CONTROLS

• DETERMINE GENERAL CRITERIA: ADEQUACY, EFFECTIVENESS, EFFICIENCY, ECONOMY, TIMELINESS.
• IDENTIFY SUB-CRITERIA FOR THE GENERAL CRITERIA (EX. EFFECTIVENESS OF TRAINING AS A CONTROL).
• CONSIDER WHETHER THE CONTROLS ARE COST-EFFECTIVE.
EFFECTIVENESS OF CONTROLS

HOW WELL INTERNAL CONTROLS ENABLE AN ENTITY TO ACHIEVE ITS OBJECTIVES DEPENDS ON:
• CONTROL CRITERIA
• TIMING OF CONTROLS
• IMPLEMENTATION OF CONTROLS
• ABILITY TO STOP RISKS FROM INCREASING OR DRIVE RISKS TO DECREASE (KEY CONTROLS)
CONTROL CRITERIA

ADEQUACY - At the least, all key controls exist and are executed effectively and efficiently.

EFFECTIVENESS - The control is able to prevent, detect or correct risks as planned or intended (doing the right things to manage risks).

EFFICIENCY AND ECONOMY - Doing controls the right way (the method is efficient) at the minimum usage and least possible cost (resources are economical).
CONTROL CRITERIA

Example (risk / control / criteria / sub-criteria):

RISK: IP HHs in remote areas may not be reached, resulting in poor HHs not benefitting from the program.
CONTROL: Train IP leaders on the program.
CRITERIA: Effective.
SUB-CRITERIA:
- Qualities of and criteria for selection of IP leaders are specific, clear and documented.
- Training design, content and delivery are relevant, specific, clear and documented.
- There is a proper review and approval of these criteria.
Internal Control and the Management Process

Internal control is part of management’s overall responsibility, so the five components are discussed in the context of the management of the entity. Not every decision or action of management, however, is part of internal control.

• Having a board that comprises directors with sufficient independence from management and that carries out its oversight role is part of internal control. Approving a particular mission or vision is not part of internal control.
• Making strategic decisions impacting the entity’s objectives is not part of internal control.
• Setting the overall level of acceptable risk and the associated risk appetite is part of strategic planning and enterprise risk management, not part of internal control.
• Selecting and developing controls designed to mitigate risks based on the organizational risk assessment process is part of internal control; however, choosing which risk response is preferred to address a specific risk is not part of internal control.
Internal Control and Objective-Setting

As part of internal control, an organization specifies objectives by:
• Articulating and codifying specific, measurable or observable, attainable, relevant and time-based (SMART) objectives;
• Assessing the suitability of objectives and sub-objectives for internal control based on facts, circumstances, and established laws, rules, regulations, and standards;
• Communicating objectives and sub-objectives throughout the entity.
EFFECTIVENESS OF INTERNAL CONTROL

INTERNAL CONTROL CAN BE JUDGED EFFECTIVE IN EACH OF THE OBJECTIVES CATEGORIES, RESPECTIVELY, IF THE BOARD OF DIRECTORS AND MANAGEMENT HAVE REASONABLE ASSURANCE THAT:
• THEY UNDERSTAND THE EXTENT TO WHICH THE ENTITY’S OPERATIONS OBJECTIVES ARE BEING ACHIEVED.
• PUBLISHED OPERATIONAL REPORTS AND FINANCIAL STATEMENTS ARE BEING PREPARED RELIABLY.
• APPLICABLE LAWS AND REGULATIONS ARE BEING COMPLIED WITH.
• ASSETS AND INFORMATION ARE SAFEGUARDED.

DETERMINING WHETHER A PARTICULAR INTERNAL CONTROL SYSTEM IS “EFFECTIVE” IS A SUBJECTIVE JUDGMENT RESULTING FROM AN ASSESSMENT OF WHETHER THE FIVE COMPONENTS ARE PRESENT AND FUNCTIONING EFFECTIVELY. THEIR EFFECTIVE FUNCTIONING PROVIDES THE REASONABLE ASSURANCE REGARDING THE ACHIEVEMENT OF ONE OR MORE OF THE STATED CATEGORIES OF OBJECTIVES. THUS, THESE COMPONENTS ARE ALSO THE CRITERIA FOR EFFECTIVE INTERNAL CONTROL.
Limitations of Internal Control

The Framework recognizes that while an effective system of internal control provides reasonable assurance of achieving the entity’s objectives, inherent limitations do exist. Even an effective system of internal control can experience a failure.

These limitations may result from the:
• Suitability of objectives established as a pre-condition to internal control
• Reality that human judgment in decision making can be faulty and subject to bias
• Breakdowns that can occur because of human failures such as errors (misunderstanding of instructions, mistakes of judgment, carelessness, distraction or fatigue)
• Ability of management to override internal control
• Ability of management, other personnel, and/or third parties to circumvent controls through collusion
• External events beyond the organization’s control (changing conditions, differences and conflicts)

These limitations preclude the board and management from having absolute assurance of the achievement of the entity’s objectives; that is, internal control provides reasonable assurance but not absolute assurance.
END
