Control Process

All about control process

Uploaded by cherryloumouan

What are INTERNAL CONTROLS? Why are they IMPORTANT?

A process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Compliance with applicable laws and regulations
• Adherence to managerial policies
• Reliability of financial reporting
• Effectiveness & efficiency of operations
• Safeguarding of assets
An integral process
• A series of actions throughout the operations on an ongoing basis
• Built in rather than built on; embedded within the management processes of planning, organizing, budgeting, staffing, implementing, and monitoring
• Not stand-alone or separate specialized systems within an organization
• Interwoven into and made an integral part of each system that management uses to regulate and guide its operations
Which also means:

• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people.
- not merely policy manuals and forms, but people functioning at every level of the organization.
• Internal control is geared to the achievement of objectives in several overlapping categories.
• Internal control only provides reasonable assurance regarding achievement of operational, financial reporting and compliance objectives.
CONTROL

• Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Processes

• The policies, procedures and activities that are part of a control framework (e.g., COSO ICIF) designed and operated to ensure that risks are contained within the level that an organization is willing to accept.

❑ Proper procedures for authorization, e.g. approval or sign-off of documents
❑ Adequate separation of duties, e.g. custody, authorization and reporting
❑ Adequate (enough or complete) documents and records
❑ Physical control over assets and records, e.g. locking of warehouse
❑ Independent checks on performance
❑ Accountability
❑ Flow of financial information, e.g. approval path


The Control Process

• Establishing standards for the operation to be controlled
• Measuring performance against the standards
• Examining and analyzing deviations
• Taking corrective action, and
• Reappraising the standards based on experience

Internal Control Objectives

• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Safeguarding of assets
• Adherence to managerial policies
Economical, Efficient, and Effective Operations

Economical
- able to perform functions/tasks using the least amount of resources within a specified timeframe

Efficient
- “doing things right” given the available resources and within a specified timeframe
- delivering a given quantity and quality of outputs with minimum inputs, or maximizing outputs with a given quantity and quality of inputs
- prioritization and leveraging of resources

Effective
- “doing the right things”: able to deliver major final outputs and outcomes and able to contribute to the attainment of goals and objectives
- directing, executing and implementing
Reliability of financial reporting
❑ These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.

❑ Must be (characteristics)
✓ Neutral – free from any bias
✓ Fairly presented – true and fair view
✓ Prudent – a high degree of caution must be taken into account when an assumption is required
✓ Complete – include all financial information, transactions, and events plus non-financial information
✓ Accurate – supported by verifiable evidence/documents
Compliance with applicable laws and regulations
❑ Adherence to laws, regulations, guidelines and specifications relevant to the organization and its operations.

❑ Examples:
✓ SEC issuances
✓ BIR regulations
✓ Sarbanes Oxley Act
✓ BSP Manual of Regulations for Banks
✓ Consumer protection
✓ Data privacy
✓ BASEL III Frameworks (international regulatory framework for banks)
✓ Labor Codes
✓ Contracts/Agreements
Safeguarding of assets
❑ Prevention or timely detection of unauthorized acquisition, use or disposition of the
company’s assets.

❑ Protecting the firm’s assets against loss due to theft/fraud, accidental destruction and
errors.

❑ Examples:
✓ Segregation of duties (i.e., recording, authorization and custody of assets shall be
handled by separate employees)
✓ Dual signature on checks (four-eyes principle)
✓ Physical locks on inventory warehouse
✓ Employee background checks
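The two safeguarding examples above, segregation of duties and dual signature on checks, are easy to state and easy to get wrong in software, so here is an added example (not part of the original slides) that enforces both in a small disbursement workflow. The ROLES directory, the user names and the 10,000 dual-signature threshold are constructed assumptions; a real system would read them from an access-control store and a payment policy. Every decision, accepted or refused, is written to an audit trail so that a reviewer can reconstruct who did what afterwards.

```python
"""Segregation of duties and dual signature (four-eyes) enforced in code.

Added example, not from the original slides. ROLES, the user names and
DUAL_SIGNATURE_THRESHOLD are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy value: disbursements at or above this amount need two
# distinct approvers (dual signature / four-eyes principle).
DUAL_SIGNATURE_THRESHOLD = 10_000.0

# Constructed user directory. Each user holds exactly one of the three duties
# the slides say must be kept apart: recording, authorization, custody.
ROLES = {
    "alice": "recorder",
    "bob": "approver",
    "carol": "approver",
    "dave": "custodian",
}

# Audit trail: every accepted or rejected action leaves a track here so a
# reviewer can later reconstruct who did what (a detective control).
AUDIT_LOG: List[tuple] = []


class ControlViolation(Exception):
    """Raised when an action would breach segregation of duties or dual signature."""


@dataclass
class Disbursement:
    amount: float
    recorded_by: str
    approvals: List[str] = field(default_factory=list)
    released_by: Optional[str] = None


def _check(condition: bool, action: str, user: str, reason: str) -> None:
    """Record the decision in the audit trail and raise if the control fails."""
    AUDIT_LOG.append((action, user, "ok" if condition else f"denied: {reason}"))
    if not condition:
        raise ControlViolation(f"{action} by {user} denied: {reason}")


def required_signatures(amount: float) -> int:
    """One approver is enough for small amounts; large ones need two (four eyes)."""
    return 2 if amount >= DUAL_SIGNATURE_THRESHOLD else 1


def record(user: str, amount: float) -> Disbursement:
    """Recording duty: only a recorder may create the transaction."""
    _check(ROLES.get(user) == "recorder", "record", user, "user is not a recorder")
    return Disbursement(amount=amount, recorded_by=user)


def approve(tx: Disbursement, user: str) -> Disbursement:
    """Authorization duty: an approver who neither recorded nor already signed."""
    _check(ROLES.get(user) == "approver", "approve", user, "user is not an approver")
    _check(user != tx.recorded_by, "approve", user, "recorder cannot approve own entry")
    _check(user not in tx.approvals, "approve", user, "same person cannot sign twice")
    tx.approvals.append(user)
    return tx


def release(tx: Disbursement, user: str) -> Disbursement:
    """Custody duty: funds leave only after enough independent signatures."""
    _check(ROLES.get(user) == "custodian", "release", user, "user is not a custodian")
    _check(user not in (tx.recorded_by, *tx.approvals), "release", user,
           "custodian also recorded or approved this entry")
    needed = required_signatures(tx.amount)
    _check(len(tx.approvals) >= needed, "release", user,
           f"{needed} signature(s) required, {len(tx.approvals)} present")
    tx.released_by = user
    return tx


def is_denied(action, *args) -> bool:
    """True if the control rejects the action (used by callers and tests)."""
    try:
        action(*args)
        return False
    except ControlViolation:
        return True


if __name__ == "__main__":
    payment = record("alice", 15_000.0)   # recorded by alice
    approve(payment, "bob")               # first signature
    print("release with one signature denied:", is_denied(release, payment, "dave"))
    approve(payment, "carol")             # second, independent signature
    release(payment, "dave")              # now accepted
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the design is that the checks sit in the code path itself (a preventive, automated control) rather than in a procedure someone is expected to follow, and that the denied attempts are logged just like the accepted ones: the trail of "denied" entries is what a supervisor or auditor would review.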
Adherence to managerial policies
❑ Managerial policies
✓ define the scope or spheres within which decisions can be taken by the subordinates in an organization.
✓ guidelines to govern its actions; direct the performance of an outcome
✓ deal with acquisition, use, control and disposition of resources

❑ Examples:
✓ Human resource policies
✓ Operations policies
✓ Accounting policies
✓ Accountability policies
✓ Reporting policies
General Classification of Controls

Financial Controls
• Procedures, policies and means by which an organization monitors and controls the direction, allocation, and usage of its financial resources.
• Ex: periodic review of credit policy, disbursement policies, reconciliation of subsidiary ledger to controlling account, financial statement analysis, budget

Operations Controls
• Controls that are used in the management of processes of directing and controlling and are based on comparison of results with standards.
• Designed to ensure that day-to-day actions are consistent with established plans and objectives.
• Ex: manual of operations, job descriptions, flow of information, security matrix, level of approving authorities, performance evaluation
Classification of Controls
As to Importance

Primary (key and significant) Controls
• Control that is essential for a business process; typically takes place during the process it applies to.
• Minimum set of controls that can provide reasonable assurance that the risk is mitigated, provided that the controls are designed properly, operating as intended and are demonstrable (clearly apparent or capable of being logically proved)
• Controls for risks rated as “high”

Secondary Controls
• Control that takes place after the process it applies to (i.e., reporting or ongoing monitoring)
• Any other controls not defined as key or significant. These are supplemental controls frequently used to improve the timeliness of detection of issues, or backlog controls used as an emergency “catch-all”
• Controls for risks rated as “moderate” or “low”
Classification of Controls
Primary Controls

Preventive Controls
- designed to limit the possibility of an undesirable outcome
- attempt to stop a risk from occurring
- Ex: use of passwords, segregation of duties, storing petty cash in a locked safe

Detective Controls
- designed to identify occasions of undesirable outcomes having been realized
- attempt to determine if a risk has occurred
- Ex: reconciliation, inventory count, cash count, burglar alarm

Directive Controls
- designed to ensure that a particular outcome is achieved
- attempt to avoid risk by providing specific ways to do things
- Ex: policies, procedures, employee trainings, job descriptions

Corrective Controls
- designed to limit the scope for loss and reduce any undesirable outcomes which have been realized
- may also provide a route of recourse to achieve some recovery against loss or damage
- Ex: data back-ups can be used to restore lost data in case of a fire or other disaster
Classification of Controls
Secondary Controls

Compensatory (mitigative) Controls
- May reduce risk when the primary controls are ineffective
- However, they do not, by themselves, reduce the risk to an acceptable level
- Ex: supervisory review when segregation of duties is not feasible, as when a store clerk is the only employee present at closing. Accordingly, the clerk counts cash at the end of the day without supervision. The compensating control performed the next morning is for a supervisor to reconcile the count with the cash register data.

Complementary Controls
- Work with other controls to reduce risk to an acceptable level
- Ex: segregation of accounting and custody of cash receipts is complemented by obtaining deposit slips validated by the bank
Classification of Controls
Time-based Controls

Feedforward Controls
- Anticipate and prevent problems
- Require a long-term perspective
- Ex: organizational policies and procedures

Concurrent Controls
- Adjust ongoing processes; these real-time controls monitor activities in the present and prevent them from deviating too far from standards
- Ex: close supervision of production-line workers

Feedback Controls
- Report information about completed activities
- Permit the improvement in future performance by learning from past mistakes
- Ex: inspection of completed goods followed by performing variance analysis procedures helps identify deviations from what was expected. Thus, inspection and analysis of variance provide feedback on how well the completed goods meet expectations.
Classification of Controls
As to “Who Performs”

Manual Controls
- Performed by individuals outside of a system
- Applicable when judgment and discretion are required
- Ex: bank reconciliation, matching of cash received against open AR balance

Automated (Application) Controls
- Performed automatically by the system
- Ensure the completeness and accuracy of transaction processing, authorization and validity
- Configuration setting in a system that prevents or detects problems
- Ex: two-factor authentication on user log-in, automatic lock-out of a user after three attempts with an incorrect password

IT-Dependent Manual Controls
- Performed by individuals outside of a system but require some level of system involvement
- Ex: System Administrator’s review of users’ log report (generated by the system)

IT General Controls
- Refer to the overall info-processing environment
- Ex: policy management, logical access (passwords over infra, apps, and data), change management, physical security
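The automated lock-out after three wrong passwords and the administrator’s review of a system-generated log are two of the examples above, and they fit together naturally: the first is a preventive control the system applies on its own, the second an IT-dependent manual control in which the system produces the report and a person acts on it. The following is an added example, not code from the original slides; the user names, passwords, PBKDF2 parameters and log record layout are constructed, while the three-attempt threshold is the one the slide quotes.

```python
"""Automated lockout after three failed logins (automated, preventive control)
plus a system-generated log that an administrator reviews (IT-dependent manual
control).

Added example, not from the original slides. User names, passwords, the
PBKDF2 parameters and the log record layout are constructed.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Tuple

MAX_ATTEMPTS = 3  # lock the account on the third consecutive wrong password


def _derive(password: str, salt: bytes) -> bytes:
    """Salted password hash; constructed iteration count, not production tuning."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class AuthSystem:
    """Minimal login service with the lockout control built in."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked: set = set()
        # The system-generated log the administrator later reviews.
        self.log: List[Tuple[str, str]] = []

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, _derive(password, salt))

    def is_locked(self, user: str) -> bool:
        return user in self._locked

    def login(self, user: str, password: str) -> bool:
        """Preventive control: a locked account is refused even with the right password."""
        if user in self._locked:
            self.log.append(("LOCKED_ATTEMPT", user))
            return False
        stored = self._creds.get(user)
        ok = stored is not None and hmac.compare_digest(
            _derive(password, stored[0]), stored[1]
        )
        if ok:
            self._failures[user] = 0           # a success resets the counter
            self.log.append(("LOGIN_OK", user))
            return True
        self._failures[user] += 1
        self.log.append(("LOGIN_FAIL", user))
        if self._failures[user] >= MAX_ATTEMPTS:
            self._locked.add(user)
            self.log.append(("LOCKOUT", user))
        return False

    def unlock(self, user: str, admin: str) -> None:
        """Corrective action taken by an administrator after reviewing the log."""
        self._locked.discard(user)
        self._failures[user] = 0
        self.log.append(("UNLOCK_BY_" + admin, user))


def review_log(log: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """IT-dependent manual control: the system produces the report, a person
    reviews it. Returns the accounts that were locked out and those that kept
    trying to log in after being locked."""
    locked_out = sorted({user for event, user in log if event == "LOCKOUT"})
    after_lock = sorted({user for event, user in log if event == "LOCKED_ATTEMPT"})
    return {"locked_out": locked_out, "attempts_after_lockout": after_lock}


if __name__ == "__main__":
    auth = AuthSystem()
    auth.register("alice", "correct horse battery staple")
    for _ in range(3):
        auth.login("alice", "wrong password")   # third failure locks the account
    print(auth.login("alice", "correct horse battery staple"))  # False: locked
    print(review_log(auth.log))
    auth.unlock("alice", "sysadmin")
    print(auth.login("alice", "correct horse battery staple"))  # True
```

Note the division of labour: the system refuses the fourth attempt without anyone’s involvement, but deciding whether a lock-out was a forgotten password or something that needs follow-up is left to the administrator reading the report, which is exactly why the slide files the review under manual rather than automated controls.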
All employees play some role in effecting control!!!
• Determine the need for controls
• Design suitable controls
• Implement these controls
• Check that these controls are being applied correctly
• Maintain and update the controls

Source: The IA Handbook, third edition by KHS Pickett


• Evaluation of the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems.
• Assessing those areas that are most at risk in terms of key control objectives.
• Defining and undertaking a program (audit procedures) for reviewing high-profile systems that attract the most risk.
• Reviewing each of these systems by examining and evaluating their associated ICS to determine the extent to which the five key control objectives are being met.
• Advising management whether or not controls are operating adequately and effectively so as to promote the achievement of the system’s/control objectives.
• Recommending any necessary improvements to strengthen controls where appropriate, while making clear the risks involved in failing to effect these recommended changes.
• Following up audit work so as to discover whether management has actioned agreed audit recommendations.

Source: IIA-P
❑ Addresses root cause
❑ Considers cost
❑ Simple
❑ Leaves tracks (audit trail)
❑ Embedded
❑ Combination of “soft” and “hard” controls
❑ Covers adequately the Internal Control components and objectives

❑ SOFT CONTROL – a control measure that intervenes in or appeals to employees’ individual performance (e.g. the communication of ethical values, fostering of mutual trust – conviction, personality, ethical climate, morale, integrity and competencies).

❑ HARD CONTROL – a control measure that leads directly to a visibly changed direction or action. It can be clearly observed and is therefore easy to test (e.g. compliance with specific policies and procedures – organizational structure, assignment of authority and responsibility, and human resource policies).
• It can HELP
✓ achieve performance & profitability targets
✓ prevent loss of resources
✓ ensure reliable financial reporting
✓ ensure compliance with laws
✓ prevent errors and irregularities and, if they occur, help ensure timely detection
✓ an entity get to where it wants to go
• It encourages adherence to prescribed policies and procedures
• It can protect employees
✓ by clearly outlining tasks and responsibilities,
✓ by providing checks and balances, and
✓ from being accused of misappropriations, errors or irregularities.

(Sources: Internal Controls, Office of the Internal Auditor, Washington State University; http://internalaudit.wsu.edu/internalcontrols.html; IIA-P)

❑ Internal control processes which do not reflect changed operating conditions, specific agency activities or potential new risks
❑ Collusion by staff for personal gain or other motives
❑ Controls failing to capture or flag unusual transactions
❑ Controls and processes being viewed as a hindrance in the delivery of agency services and so being overridden
❑ System omissions, human factors, resource constraints or lack of system flexibility

“Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding achievement of an entity’s objectives.”
