MGT 209 - CH 13 Notes

The key takeaways are that internal control is a process designed to help an entity achieve its objectives and provide reasonable assurance about the achievement of those objectives. Internal control has limitations and cannot ensure absolute success or protection.

The components of an internal control system are the control environment, risk assessment, control activities, information and communication, and monitoring activities.

The objectives of internal control are to help the entity achieve organizational, operational and financial goals, prevent loss of resources, support reliable financial reporting, and support compliance with laws and regulations.

Overview of Internal control

Companies establish goals and objectives and then assess the risks of achieving those objectives. As a response to the
assessed risk, the company may design and implement internal control to have a reasonable assurance that the objectives will be
achieved.

• Assessment of control risk and consideration of internal control are important steps in the audit process.
• Control risk – risk that the entity’s internal control may not detect or prevent a material misstatement

Internal Control
- process designed and effected by those charged with governance, management, and other personnel to provide reasonable
assurance about the achievement of the entity’s objectives with regard to (1) reliability of financial reporting (financial
reporting objective), (2) effectiveness and efficiency of operations (operational objective), and (3) compliance with
applicable laws and regulations (compliance objective)

4 essential concepts embodied in the said definition

a. Internal control is a process.

• It is not an end in itself. Instead, it is a means of achieving the entity’s objectives.

b. Internal control is effected by those charged with governance and management, and by other personnel.
• Responsibility of the management: to establish a control environment and maintain policies and procedures to assist in achieving the entity’s objectives
• Responsibility of those charged with governance: to ensure the integrity of accounting and financial reporting systems through oversight of management

c. Internal control can be expected to provide reasonable assurance of achieving the entity’s objectives.
• Only reasonable assurance, not absolute assurance (because of inherent limitations that may affect the effectiveness of internal control)
• Examples of limitations: usual requirement that the cost of internal control should not exceed the expected benefits to be derived, reality that human judgment in decision making can be faulty and subject to bias

Internal control can help:
1. Achieve organizational, operational, and financial goals
2. Prevent loss of resources
3. Support reliable financial reporting
4. Support compliance with laws, regulations, and internal policies and procedures to avoid damage to reputation and other consequences

But internal control cannot:
1. Ensure organizational success
2. Ensure absolute protection of assets
3. Ensure the reliability of financial reporting
4. Ensure absolute compliance with laws, regulations, and policies and procedures

d. Internal control is designed to help achieve the entity’s objectives.

• Achievement of objectives depends not only on management decisions but also on competitors’ actions and other factors outside the entity.

Internal Control System – all the policies and procedures (internal controls) adopted by the management of an entity to assist in
achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including
adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial information.

• Internal control structures vary from one company to the next, depending on factors such as size of the business, nature of operations, geographical dispersion of activities, and organizational objectives.

A. Control Environment – overall attitude, awareness, and actions of directors and management regarding the internal control
system and its importance in the entity

• A strong control environment does not, by itself, ensure the effectiveness of the internal control system.

Subcomponents of the Control Environment

1. Communication and enforcement of integrity and ethical values
• Management should establish ethical standards that discourage employees from engaging in dishonest, unethical, or illegal acts that could materially affect the financial statements.

2. Commitment to competence
• The entity should consider the level of competence required for each task and translate it to requisite knowledge and skills.

3. Participation by those charged with governance
• The entity must have an audit committee, which will be responsible for overseeing the financial reporting policies and practices of the entity.

4. Management’s philosophy and operating style

• The auditor should assess the management attitudes towards financial reporting and their emphasis on meeting projected profit goals because these will significantly influence the risk of material misstatements in the financial statements.

5. Organizational structure
• This provides a framework for planning, directing, and controlling the entity’s operations.

6. Assignment of authority and responsibility

• Appropriate methods of assigning responsibility must be implemented to avoid incompatible functions and to minimize the possibility of errors because of too much workload assigned to an employee.

7. Human resources policies and procedures

• The entity must implement appropriate policies for hiring, training, evaluating, promoting, and compensating the entity’s personnel because the competence of the entity’s employees will bear directly on the effectiveness of the entity’s internal control.

B. Entity’s Risk Assessment Process

• Entity’s business objectives cannot be achieved without some risks.

Risk Assessment – identification, analysis, and management of risks pertaining to the preparation of financial statements

• The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small entities than in larger ones.

C. Information and Communication System

Information system – consists of infrastructure (physical and hardware components), software, people, procedures, and
data
- encompasses methods and records that
1. Identify and record all valid transactions
2. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial
reporting
3. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial
statements
4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting
period
5. Present properly the transactions and related disclosures in the financial statements

• The SEC Code of Corporate Governance provides that companies should maintain a comprehensive and cost-efficient communication channel for disseminating relevant information.

• Communication – continual, iterative process of providing, sharing, and obtaining necessary information.
- can be made electronically, orally, or through the actions of management.
- can take such forms as policy manuals, accounting and financial reporting manual, and memoranda.

D. Control Activities – policies and procedures that help ensure that management directives are carried out, for example,
that necessary actions are taken to address risks that threaten the achievement of the entity’s objectives

Major Categories of Control Procedures

1. Performance Review

Examples
a. comparing actual performance with budgets, forecasts, and prior period performance
b. investigating performance indicators based on operating and financial data
c. reviewing functional or activity performance

2. Information Processing Controls – policies and procedures designed to require authorization of transactions and to
ensure the accuracy and completeness of transaction processing

Classification of Control Activities

a. General controls – control activities that prevent or detect errors or irregularities for all accounting systems
b. Application controls – controls that pertain to the processing of a specific type of transaction

Control activities related to the processing of transactions

a. Proper authorization of transactions and activities
b. Segregation of duties
c. Adequate documents and records
d. Access to assets
e. Independent checks on performance

3. Physical Controls – controls that encompass the physical security of assets, authorization for access to computer
programs and data files, and the periodic counting and comparison with amounts shown on control records

Examples
a. Petty cash should be kept locked in a fireproof safe.
b. Cash received by retail clerks should be entered into a cash register to record all cash received.
c. Accounts receivable records should be stored in a locked, fireproof safe. If the records are computerized, adequate
backup copies should be maintained and access to the master files should be restricted via passwords.
d. Raw material inventory should be retained in a locked storeroom with a reliable and competent employee controlling
access.
e. Perishable tools should be stored in a locked storeroom under control of a reliable employee.
f. Manufacturing equipment should be kept in an area protected by burglar alarms and fire alarms and kept locked when
not in use.
g. Marketable securities should be stored in a safety deposit vault.

4. Segregation of Duties – assigning the responsibilities of authorizing transactions, recording transactions, and maintaining
custody of assets to different people
- purpose: to reduce the opportunities of allowing any person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of the person’s duties

E. Monitoring of Controls – process that an entity uses to assess the quality of internal control over time
- involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary
- accomplished through
1. Ongoing monitoring activities – built into the normal recurring activities of an entity
- include regularly performed supervisory and management activities
- example: continuous monitoring of customer complaints

2. Separate evaluations – performed on a non-routine basis
- example: periodic audits by the internal auditors

COSO – Committee of Sponsoring Organizations of the Treadway Commission
- a joint initiative dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

The 2013 Framework sets out 17 principles representing the fundamental concepts associated with each component.
Because these principles are drawn directly from the components, an entity can achieve effective internal control by applying all
principles. All principles apply to operations, reporting, and compliance objectives.

Control Environment (5)
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structures, reporting lines, authorities, and responsibilities
- Demonstrates commitment to competence
- Enforces accountability

Risk Assessment (4)
- Specifies appropriate objectives
- Identifies and analyzes risks
- Assesses fraud risks
- Identifies and analyzes significant changes

Control Activities (3)
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys control activities through policies and procedures

Information and Communications (3)
- Uses relevant information
- Communicates internally
- Communicates externally

Monitoring Activities (2)
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates internal control deficiencies
