1.2 Internal Control and Risk

Internal Auditing
Maria Cristina T. Lacsamana

CPA, CIA, CISA
Internal Control and Risk
Sources
Materials Publisher
International Standards for the 2012 The Institute of Internal
Professional Practice of Internal Auditors, Inc.
Auditing
Code of Ethics 2009 The Institute of Internal
Auditors, Inc.
Practice Advisories 2013 The Institute of Internal
Auditors, Inc.
Gleim CIA Review 2013 Gleim Publications, Inc.
17th Edition
Syllabus
A. Types of Controls
B. Management Control Techniques
C. Internal Control Framework Characteristics
and Use
D. Alternative Control Frameworks
E. Risk Vocabulary and Concepts
F. Fraud Risk Awareness
Overview of Control
Control
Do you lock the doors of your house before
you leave?
Do you leave your valuables in the car when
you park it in a public place?
When buying a cell phone or a laptop, do you
look at several brands, specifications and
price before you decide to buy?
Overview of Control
Control
Do you set rules in your house?
Do you exercise and take vitamins?
Do you have a home budget?
Do you save a portion of your allowance?
Do you have an insurance coverage?
Overview of Control
Control
Any action taken by management, the board,
and other parties to manage risk and increase
the likelihood that established objectives and
goals will be achieved.
Management plans, organizes, and directs the

performance of sufficient actions to provide
reasonable assurance that objectives and goals
will be achieved.
Overview of Control
Control Processes
Policies, procedures, and activities that are part
of a control framework, designed and operated
to ensure that risks are contained within the
level that an organization is willing to accept.
Overview of Control
Control Process
Establish
standards
Reappraise
Measure
the standard
performance
based on
vs. standards
experience
Take Examine &

corrective analyze
action deviations
Overview of Control
Control Process
Control requires feedback on the results of
organizational activities for the purposes of
measurement and correction.
An evaluation-reward system should be
implemented to encourage compliance with
the control system.
The cost of control must not be greater that its
benefits.
Types of Controls
Primary Controls
1st line of defense of key control activities
Controls that must operate effectively to
reduce a significant risk to an acceptable
level
Controls that, if omitted, would make it very
difficult to achieve the desired outcome or
business objective.
Types of Controls
Primary Controls
Preventive controls
Detective controls
Corrective controls
Directive controls
Types of Controls
Secondary Controls
Serve as a back up to a key control
Controls that help the process run smoothly
but are not essential.
Reduce risk associated with business
objectives that are not critical to the
organizations survival or success.
Types of Controls
Secondary Controls
Compensatory controls
Complementary controls
Types of Controls
Application Controls
Also called technical controls
Process- or transaction-level controls that
are usually specific to a given application but
may also control larger technical processes.
Types of Controls
Application Controls
Input controls
Process controls
Output controls
Types of Controls
Time-Based Classification
1. Feedback controls
2. Concurrent controls
3. Feedforward controls
Types of Controls
Financial vs. Operating Controls
1. Financial controls
2. Operating controls
Types of Controls
People-Based vs. System-Based Controls
1. People-based controls
2. System-based controls
Types of Controls
Use of a Control Matrix
Control A Control B Control C Control D
Risk 1
Risk 2
Risk 3
Risk 4
Risk 5
Risk 6
Accounting Cycles and Associated
Controls
1. Internal controls
2. Segregation of duties
Authorization
Recording
Custody
3. Organizational hierarchy
4. Accounting cycles
Controls
Organizational Hierarchy
VP Chief Chief VP VP
Operations Accounting Officer Financial Officer Admin HR
(Controller) (Treasurer)
Sales A/R Cash Receipts Mail Room HR
Purchasing Billing Cash Disbursements
Warehouse A/P Credit
Receiving GL
Shipping Inventory Control
Production Cost Accounting
Payroll
Controls
Accounting Cycle
1. Sales-Receivables
2. Cash Receipts
3. Purchases-Payables
4. Cash Disbursements
5. Payroll
Scope
and Use
Management Controls
Roles and Responsibilities
1. BOD
2. Management
3. Internal auditors
4. Other personnel
Management Controls
Roles and Responsibilities
Roles Responsibilities
BOD Guidance and oversight
Management
Senior management Sets the tone at the top
Directly responsible for internal controls
Ensure control activities are implemented
Department head Communicate and implement the control
activities
Internal auditors Evaluate adequacy, efficiency and
effectiveness
Contribute to the improvement of risk
management processes
Other personnel Take actions needed to effect controls
Management Controls
Control Techniques
1. Imposed control vs. Self control
2. Organization
3. Policies
4. Procedures
5. Personnel
6. Accounting
7. Budgeting
8. Reporting
Scope
and Use
Internal Control Framework
Globally Accepted Framework
COSO
CoCo
Turnbull
COBIT
eSAC
COSO
U.S. Sarbanes-Oxley Act of 2002
The SEC specifically refers to the COSO

framework as an example of a framework
suitable for organizations to compare their
system of internal controls against to be
compliant with section 404 of the Sarbanes-
Oxley Act, which governs all entities, foreign or
domestic, wishing to access the U.S. capital
market.
COSO
Internal Control Integrated Framework
Published by the Committee of Sponsoring
Organizations of the Treadway Commission
A voluntary private sector organization
dedicated to improving the quality of financial
reporting through business ethics, effective
internal controls, and corporate governance.
USA
1992
COSO Control Objectives
Internal control is a process, effected by an
entitys board of directors, management, and
other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and
regulations
COSO Control Objectives
An ongoing process; a means to an end, not
an end in itself.
Effected by people; not merely policy manuals
and forms, but people functioning at every
level of the organization.
Geared to achieve the objectives in several
overlapping categories.
Can be expected to provide only reasonable
assurance on the achievement of operational,
financial reporting, and compliance objectives
COSO Components of Internal Control
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
Component Description
Control Sets the tone of an organization by influencing
environment the control consciousness of its people.
Foundation for all other components of internal
control providing discipline and structure.
Risk Identification and analysis of relevant risks to
assessment achieve the objectives, forming a basis for
determining how the risks should be managed.
Control Policies and procedures that help ensure that
activities management directives are carried out, and that
necessary actions are taken to address risk to
achieve the objectives.
Component Description
Information Pertinent information must be identified,
and captured, and communicated in a form and time
communication frame that enable people to carry out their
responsibilities.
Effective communication must also occur in a
broader sense,
Monitoring Internal control systems need to be monitored
a process that assesses the quality of the
systems performance over time.
Accomplished through ongoing monitoring
activities, separate evaluations, or a
combination of the two.
Control Environment
1. Integrity and ethical values
2. Board of Directors
3. Management philosophy and operating style
4. Organization structure
5. Financial reporting competencies
6. Authority and responsibility
7. Human resources
Control Environment
Knowledgeable &
experienced Staff
Business
objectives Team spirit
communicated
Risk Assessment
I think Im
going to fall
Risk Assessment
Identify potential problem that Regularly monitor

may result to non-attainment
of objectives changing conditions
Risk Assessment
1. Changes in the operating environment
2. New personnel
3. New or revamped information system
4. Rapid growth
5. New technology
6. New business lines, products or activities
7. Corporate restructuring
8. Expanded foreign operations
Control Activities
1. Performance reviews by top managers
2. Performance reviews at the functional or
activity level
3. Analysis of performance indicators
4. Information processing
5. Physical controls
6. Segregation of duties
Information and Communication
1. Information system
2. Communication
Information and Communication
OPEN DISCUSSION
OF PROBLEMS
AVAILABILITY OF SOURCES
OF INFORMATION
Monitoring
1. On-going activities
2. Separate evaluations
Monitoring
COMPARISON OF
EXPENSES VS. BUDGET
1,150.00
1,100.00
1,050.00
1,000.00
950.00
900.00 ACTUAL
850.00
BUDGET
Q1
INDEPENDENT AUDITS Q2
Hard and Soft Controls
Hard Control
Formal, objective and quantitatively
measurable.
Relates to the processes and activities those
people do.
Soft Control
Informal, subjective and intangible.
Relate to the culture - the way people do their
work to meet the objectives of the
organization
Soft Control
Control Self-Assessment (CSA)
A variety of assessment techniques, including
facilitated workshops and surveys in which the
assessment is performed by people involved
in the area or process being assessed rather
than an independent party.
Scope
and Use
Alternative Control Frameworks
1. Guidance on Control (CoCo)
2. Internal Control: Guidance for Directors on
the Combined Code (Turnbull Report)
3. Control Objectives for Information Related
Technology (COBIT5)
4. Electronic Systems Assurance and Control
(eSAC)
CoCo
Criteria of Control Board
The Canadian Institute of Chartered
Accountants
Canada
1995
CoCo Components of Internal Control
1. Purpose
2. Commitment
3. Capability
4. Monitoring
5. Learning
Turnbull Report
Internal Control Guidance for Directors on
the Combined Code
The Institute of Chartered Accountants
England and Wales
1999
Turnbull Components of Internal Control
2. Information & communication processes
3. Monitoring
4. Embeddedness in operations
5. Response to risk
6. Changes in reporting
COBIT 5 Key Principles
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management
eSAC Control Objectives
1. Operating effectiveness and efficiency
2. Reporting of financial and other
management information
3. Compliances with laws and regulations
4. Safeguarding of assets
eSAC IT Business Assurance Objectives
1. Availability
2. Capability
3. Functionality
4. Protectability
5. Accountability
Scope
and Use
Risk Vocabulary and Concepts
Risk
Possibility that an event will occur and
adversely affect the achievement of
objectives.
Inherent Risk
Combination of internal and external risk
factors in their pure, uncontrolled state.
Gross risk assuming there are no internal
control activities in place
Risk in the absence of a risk response.
Residual Risk
Portion of inherent risk that remains after
management takes action to reduce the
impact and likelihood of an adverse event.
Risk after the risk response.
Risk Appetite
Amount of risk an entity is willing to accept in
a pursuit of its objectives.
Risk Appetite High Risk Limit

Cash flow P5m borrowing cost impact
Health & safety Zero deaths/injuries
Turnover High turnover of 30%
Inherent risk Risk response = Residual risk
If residual risk < risk appetite, system of internal

control is operating at an acceptable level.
Inherent risk Risk response = Residual risk
If residual risk > risk appetite, system of internal

control is not operating at an acceptable level.
Risk Response
Risk avoidance
Risk retention
Risk reduction
Risk sharing
Risk exploitation
COSO ERM Framework
ERM
A process, effected by an entitys board of
directors, management and other personnel
Applied in strategy setting and across the
enterprise
Designed to identify potential events that may
affect the entity and manage risk to be within
its risk appetite
To provide reasonable assurance to meet its
objectives
COSO ERM Components
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk responses
7. Information and communication
8. Monitoring
ERM Responsibilities
Roles Responsibilities
BOD Guidance and oversight
Management
Senior management Sets the tone at the top
Ensure sound risk management processes are
in place
Department head Communicate and implement the control
activities
Risk committee and Coordinate entitys risk management activities
Chief risk officer
Internal auditors Evaluate adequacy, efficiency and
effectiveness
Contribute to the improvement of risk
management processes
ERM Limitations
1. Faulty human judgment
2. Cost-benefit considerations
3. Simple error or mistakes
4. Collusion
5. Management override of ERM decisions
Scope
and Use
Fraud Risk Awareness
Fraud
Any illegal act characterized by deceit,
concealment, or violation of trust.
These acts are not dependent upon the
threat of violence or physical force.
Perpetrated by parties and organizations to:
- obtain money, property, or services
- avoid payment or loss of services
- Secure personal or business advantage
Effects of Fraud
Monetary losses from fraud are significant,
but its full cost is immeasurable in terms of
time, productivity, and reputation, including
customer relationships.
Causative Factors of Fraud
Pressure or incentive (need to satisfy)
Opportunity (ability to commit fraud)
Rationalization (ability to justify the fraud)
Examples of Fraud
Asset misappropriation
Skimming
Lapping
Kiting
Disbursement fraud
Expense reimbursement
Payroll fraud
Financial statement misrepresentation
Examples of Fraud
Information misrepresentation
Corruption
Bribery
Conflict of interest
Diversion of transaction
Wrongful use of confidential or proprietary
information
Related party fraud
Tax evasion
Fraud Prevention
Actions to discourage fraud and limit the
exposure when it occurs.
Strong ethical culture and setting the correct
tone at the top are essential to prevention.
Fraud Prevention System
1. Control environment
2. Fraud risk assessment
4. Fraud-related information and
communication
5. Monitoring
Responsibilities
1. Management
Primarily responsible for establishing and maintaining
control.
2. Internal auditor
Primarily responsible for preventing fraud by
examining and evaluating the adequacy and
effectiveness of control.
Not responsible for designing and implementing fraud
prevention controls.
Not responsible for the detection of fraud, but they
must always be alert to the possibility of fraud.
Symptoms of Fraud
Document symptom
Lifestyle symptom
Behavioral symptom
Situational pressure; personal/organizational
Opportunity to commit
Rationalization
Indicators of Fraud
Low-level Fraud
Relief of economic hardship, desire of
material gain, or a drug/gambling habit
Executive Fraud
Stock price, large bonus
Indicators of Fraud
Lack of employee rotation in sensitive
positions
Inappropriate combination of job duties
Unclear lines of responsibility and
accountability
Unrealistic sales or production goals
Refusal to take vacations or promotion
Controls not applied consistently
Indicators of Fraud
High reported profits when competitors are
suffering from an economic downturn
High turnover among supervisory positions
in finance and accounting
Excessive or unjustifiable use of sole-source
procurement
Increase in sales far out of proportion to the
increase in cost of goods sold
Detection of Fraud
Nature and extent of the procedures
performed to detect fraud depend on the
circumstances of the engagement, including
the features of the organization and the
internal auditors risk assessment
Analytical procedures that are routinely
performed may provide an early indication of
fraud.

1.2 Internal Control and Risk

Uploaded by

Copyright:

Available Formats

1.2 Internal Control and Risk

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

1.2 Internal Control and Risk

Uploaded by

Copyright:

Available Formats

What are the different types of controls discussed?

What are the steps involved in the control process?

Internal Auditing

Maria Cristina T. Lacsamana

Management plans, organizes, and directs the

Take Examine &

The SEC specifically refers to the COSO

Identify potential problem that Regularly monitor

Risk Appetite High Risk Limit

Inherent risk Risk response = Residual risk

If residual risk < risk appetite, system of internal

Inherent risk Risk response = Residual risk

If residual risk > risk appetite, system of internal

You might also like