Internal Control Framework Overview

Summary:
1. Internal control is defined as any action taken by management to manage risk and ensure objectives are achieved, including evaluating effectiveness and compliance.
2. Internal controls aim to provide reasonable assurance of reliable reporting, effective operations, and compliance with laws.
3. Internal controls are processes run by people at all levels to set standards, measure performance, and correct issues, in order to reasonably ensure objectives are met.

Module 4

4.1 Control
Definition of Internal Control (Institute of Internal Auditors)
Control (IIA PA 2100)
• is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
• Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

IIA Standard 2130 - Guidance on Control
• The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
• The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
    o Achievement of the organization's strategic objectives.
    o Reliability and integrity of financial and operational information.
    o Effectiveness and efficiency of operations and programs.
    o Safeguarding of assets.
    o Compliance with laws, regulations, policies, procedures, and contracts.
• Internal auditors must incorporate knowledge of controls gained from consulting engagements into an evaluation of the organization's control processes.

Definition of Internal Control (according to COSO)
Internal Control
• is the process, effected by an entity's Board of Trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Reliability of financial reporting,
2. Effectiveness and efficiency of operations, and
3. Compliance with applicable laws and regulations.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• A voluntary organization dedicated to improving the quality of financial reporting through
    o Business ethics
    o Effective internal controls and
    o Corporate governance
• The goal is to provide thought leadership dealing with Enterprise Risk Management (ERM), Internal Control, and fraud deterrence.
• Organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (NCFFR).
• In 1992 COSO released its Internal Control - Integrated Framework (the original Framework).
• The NCFFR (also called the Treadway Commission) is a private-sector initiative that:
    o Studied the causal factors that can lead to fraudulent financial reporting.
    o Developed recommendations for public companies and auditors, the SEC and other regulators, and educational institutions.
    o The first Chairman of the NCFFR was James C. Treadway.

Fundamental Concepts of Internal Control

1. Internal Control is a process because it involves
• Setting standards - specific goals or objectives against which performance is compared and classified in terms of:
    o Quantity (number of units to be produced)
    o Quality (rejects, rework costs)
    o Time (schedules, promised deliveries)
    o Cost (the amount of money needed to produce the required number of units)
• Measuring performance - use appropriate measures for the performance of the activity being monitored.
• Evaluation and correction - care must be taken in comparing like items.

2. Internal Control is effected by people
• Board of Directors and Senior Management
• Organization Managers
• Internal and External Auditors

3. Internal Control provides reasonable assurance - it is not absolute because of limitations in control:
• Human judgment
• Breakdowns
• Management override
• Collusion
• Custom, culture, the corporate governance system, and an effective control environment
• Cost should not exceed the benefits of control.

4. Internal Control is geared to the achievement of objectives
Three Categories of Objectives
• Operations Objectives - pertain to the effectiveness and efficiency of the entity's operations
• Reporting Objectives - pertain to the reliability of reporting: internal and external, financial and non-financial reporting
• Compliance Objectives - pertain to adherence to laws and regulations to which the entity is subject

The Nature of Control
• Performance is measured against a standard.
• Performance is regulated or corrected (if necessary) in light of that measurement (timeliness of feedback is important - the essence of control).

Internal Control Responsibility
• Management's responsibility, with the participation of all persons within the organization.
• Each manager controls his own area.
• Auditors provide assurance about the effectiveness of risk management and control.

Purpose of Control - ensures that:
• Financial and operational information is reliable and possesses integrity.
• Operations are performed efficiently and achieve effective results.
• Assets are safeguarded.
• Actions and decisions of the organization are in compliance with laws, regulations, and contracts.

The Five (5) Major Components of Control

1. Control Environment: Factors that set the tone of the organization, influencing the control consciousness of its people.
Elements of the control environment:
• Integrity and ethical values,
• Commitment to competence,
• Human resource policies and practices,
• Assignment of authority and responsibility,
• Management's philosophy and operating style,
• Board of Directors' or Audit Committee participation, and
• Organizational structure.

2. Risk Assessment: Risks that may affect an entity's ability to properly record, process, summarize, and report financial data, such as:
• Changes in the operating environment (e.g. increased competition)
• New personnel, new information systems
• Rapid growth
• New technology, new lines, products, or activities
• Corporate restructuring, foreign operations
• Accounting pronouncements

3. Control Activities: Various policies and procedures that help ensure that necessary actions are taken to address risks affecting the achievement of the entity's objectives.
• Control devices can be:
    o Quantitative (budgets, quotas, schedules, charts)
    o Qualitative (job instructions, quality control standards, and employment criteria)
• Elements of control activities:
    o Policies - stated principles that require, guide, or restrict actions.
    o Procedures - methods employed to carry out the activities.
• Factors to consider in developing control activities:
    o Performance reviews (review of actual results against budgets and forecasts)
    o Information processing (checks for accuracy, completeness, and authorization)
    o Physical controls (physical security)
    o Segregation of duties

4. Information and Communication: Relevant internal and external information should be identified, captured, and communicated in a timely manner and in appropriate forms.
5. Monitoring: Assessment of the quality of internal control performance over time.

The Three (3) Internal Control Frameworks
• Internal Control - Integrated Framework, issued by COSO
• Guidance on Control, issued by CoCo of the Canadian Institute of Chartered Accountants
• Internal Control: Guidance for Directors on the Combined Code (Turnbull), issued by the Institute of Chartered Accountants in England and Wales

Sarbanes-Oxley Act of 2002
• required listed companies to adopt a suitable control framework
• placed responsibility for internal control on the Chief Executive Officer (CEO) and Chief Financial Officer (CFO).

Internal Audit's Role in Organizational Control
• The IAA is part of management's concern for the total control process.
• Internal auditors must be familiar with organizational arrangements.
• Internal auditors must relate operational arrangements to operational deficiencies.

Reportable Conditions or Control Weaknesses involve significant deficiencies in:
• The control environment, such as management's override of control procedures
• The accounting system, such as inadequate record-keeping
• Control procedures, such as failure to prepare reconciliations on a timely basis.
The communication of material weaknesses to management should be in writing.

Types of Internal Controls
• Preventive: Designed to keep errors or irregularities from occurring in the first place.
    o Authorization
    o Reporting
    o Custody
• Detective or corrective: Designed to detect errors or irregularities that may have occurred.
    o Reports of access by employees
    o Reconciliation of listings (record of inventory to actual inventory)
    o Monitoring of contribution recipients
• Directive: Designed to cause or encourage a desirable event to occur.
    o Financial or accounting controls (proper authorizations, appropriate accounting, safeguarding of assets, compliance with laws, rules, and regulations)
    o Administrative controls (support activities)
    o Feedback controls (obtain information about completed activities)
    o Concurrent controls (adjust ongoing processes)

Characteristics of Effective Control
• Economical, Meaningful, Appropriate, Congruent, Timely, Simple, Operational

Fundamental Controls over Business Processes
• Manual Accounting System - segregation of duties
• Computerized Accounting System - limitation of access to terminals through the use of passwords
4.2 Governance
In the corporate form of organization, owners (shareholders) are separated from the operations (management) of the firm. This creates an agency problem.
The agency problem happens when management (the agents) does not act in the best interest of the shareholders. Managers may be tempted to engage in self-serving activities. Effective corporate governance involves developing an appropriate legal structure and establishing appropriate incentives (like compensation packages) and monitoring devices to prevent this inappropriate activity.

The Revised Code of Corporate Governance (CCG) provides that:
• the Board is primarily accountable to the shareholders;
• the Board should provide reports on the corporation's performance, position, and prospects on a quarterly basis, including interim and other reports that could adversely affect the business, and to other regulators as required by law;
• all covered corporations should implement and establish their corporate governance rules in accordance with the Code;
• the rules should be embodied in a manual for use by Management and the Board;
• the manual should have been approved by the SEC and be made available to shareholders on reasonable business days.

The Definition of Corporate Governance
• The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
• The process conducted by the Board of Directors to authorize, direct, and oversee management towards the achievement of the organization's objectives.
• The system by which organizations are directed and controlled (according to the IIA). It includes systems and procedures for making decisions on corporate affairs.

Key Points in Governance
• Governance begins with the Board of Directors and its committees.
• The board must understand and focus on the needs of key stakeholders:
    o direct stakeholders
    o indirect stakeholders
    o influencing stakeholders
• Day-to-day governance is executed by the management of the organization. (The roles of senior executives and line managers are carried out through risk management activities.)
• Internal and external auditors provide management and the Board with assurance regarding the effectiveness of governance activities.

The Role of the IAA in Corporate Governance
The Audit Committee (IAC) should provide oversight of financial reporting, risk management, internal control, compliance, ethics, management, internal auditors, and the external audit. While
IIA Standard 2110 - Guidance on Governance
• The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the organization's objectives:
    o Promoting appropriate ethics and values within the organization
    o Ensuring effective organizational performance management and accountability
    o Communicating risk and control information to appropriate areas of the organization
    o Coordinating the activities of, and communicating information among, the board, external and internal auditors, and management
• The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
• The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.
4.3 Risk Management
Enterprise Risk Management (ERM) helps align the risk appetite of the organization. A key aspect of ERM is the identification and management of events that have a negative impact, a positive impact, or both. Events with negative impacts represent risks, while events with positive impacts may offset the negative impacts or represent opportunities.

Definition of Enterprise Risk Management
Institute of Internal Auditors
• The process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
Risk
• Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.
• Risk is measured in terms of impact and likelihood (bankruptcies, fraud, restatement of earnings, rising stock shares, loss of customers, etc.).

Characteristics of an Effective ERM
• It is the process to identify, evaluate, analyze, respond to, monitor, and communicate on risk.
• It is effected by people at all levels.
• It occurs in strategy setting.
• It applies to every unit.
• It provides reasonable but not absolute assurance, due to limitations such as judgment, breakdowns, management override, and cost over benefit.
• It enables continuous improvement in decision making.
• It helps achieve objectives.

Management Responsibility
• Senior Management / the CEO is responsible for implementing the strategy.
• The Board is responsible for setting the strategy.

The Role of the IAA in Risk Management
IIA Standard 2120 - Guidance on Risk Management
• The internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, risk management processes as part of its assurance activities. Internal auditors should:
    o provide advice and challenge or support management's decisions on risk, as opposed to making risk management decisions;
    o address risk consistent with engagement objectives;
    o be alert to the existence of other significant risks during consulting engagements.
• When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
• Classification of internal audit activities:
    o Assurance Activities (Core Internal Audit Roles)
    o Consulting Activities (Legitimate Internal Audit Roles)

Components of the ERM
1. Internal Environment
• The basis for all the other components of the ERM, providing discipline and structure.
• Encompasses the tone of the organization and sets the basis for how risk is viewed and addressed by an organization's people, including risk management philosophy and risk appetite, integrity and ethical values.
• The Board of Directors - a critical part of the internal environment:
    o provides oversight over management's implementation of the ERM;
    o helps to make sure that it is effective.
• Integrity and ethical values help ensure that management and other individuals within the organization are not inclined to engage in illegal activities.
• Competent and well-trained employees, an appropriate organizational structure, and assigned authority and responsibility.
• Risk appetite - the amount of risk an organization is willing to accept to achieve its goals.
    o Risk tolerance - acceptable variation with respect to a particular objective.
2. Objective Setting
• Objectives must exist before management can identify potential events affecting their achievement.
• Strategic objectives - high-level goals aligned with the organization's mission, linked to and integrated with specific objectives established for various activities.
• Three categories of objectives:
    o Operations objectives - relate to the effectiveness and efficiency of operations.
    o Reporting objectives - relate to reliable reporting of internal/external, financial/non-financial information.
    o Compliance objectives - relate to adherence to laws and regulations.
3. Event Identification
• Potential internal and external events affecting the achievement of an organization's objectives must be identified and distinguished between risks and opportunities.
• Event - an incident that occurs or might occur and that affects the implementation of strategy or the achievement of objectives.
    o Negative events (risks) - require a response.
    o Positive events (opportunities).
• Event identification techniques:
    o Event inventories - detailed listings of potential events.
    o Internal analysis - done at staff meetings; may use information from stakeholders.
    o Escalation or threshold triggers - management pre-determined limits that cause an event to be further assessed.
    o Facilitated workshops or interviews - soliciting information about events from management and staff.
    o Process flow analysis - breaking processes down into inputs, tasks and responsibilities, and outputs to identify when an event is likely to occur.
    o Loss event data methodologies - by developing repositories of data on past loss events, management can identify event trends and root causes.
4. Risk Assessment
• Risks are assessed based on their likelihood of occurring and their impact.
• Types of risk:
    o Inherent risk - the risk to the organization if management does not alter its likelihood or impact.
    o Residual risk - the risk of the event after considering management's response.
• Qualitative techniques are used when the risks are not quantifiable; quantitative techniques include:
    o Probabilistic models - value at risk, cash flow at risk, earnings at risk, etc.
    o Non-probabilistic models - use of subjective assumptions, such as sensitivity measures, stress tests, and scenario analysis.
5. Risk Response
• Avoidance - exiting the activity that gives rise to the risk.
• Reduction - taking action to reduce risk likelihood or impact, or both (additional control processes).
• Sharing - reducing risk likelihood or impact by transferring or sharing a portion of the risk.
• Acceptance (retention) - no action is taken because the risk is consistent with the risk appetite of the organization.
6. Control Activities
• Policies and procedures should be established and implemented to ensure that the risk responses are effectively carried out.
7. Information and Communication
• Relevant information should be identified, captured, and communicated to enable people to carry out their responsibilities.

Limitations of ERM
• Risk is uncertain.
• ERM can't provide reasonable assurance that objectives will be achieved.
• ERM can't provide absolute assurance with respect to any of the objective categories.