Batangas State University - TNEU Lipa
BACHELOR OF SCIENCE IN MANAGEMENT ACCOUNTING
BSMA 2101
CONCEPT OF INTERNAL CONTROL
GROUP 5
GROUP MEMBERS:
Albaytar, Angelic S.
Taladro, Freymar B.
Mamiit, Kim David P.
Mitra, Marko C.
Mendoza, Cherry Anne D.
Murphy, Allyssa Jhone E.
AGENDA
Introduction
Learning Objectives
Internal Control and the Need for Internal Framework - COSO
Categories of Internal Control Objectives
COSO Requirements for Integrated Components
Link between Risks and Control Activities
Limitations of Internal Control
INTERNAL CONTROL
It aims to achieve four main objectives:
01. To safeguard assets
02. To check the accuracy and reliability of accounting data
03. To promote operational efficiency
04. To encourage adherence to prescribed managerial policies
Internal Control
In layman’s terms, it is “what we
do to ensure that the things we
want to happen will happen and
the things we don’t want to
happen won’t happen.”
Internal Control
Process effected by the board of
directors, management, and
other personnel designed to
provide reasonable assurance
regarding the achievements of
business objectives.
Internal Control
Firstly, it is a process. It is not an isolated procedure.
Secondly, it is something that must be put into effect by people
from all levels within the company.
Last but not the least, internal control is not an end in itself;
rather, it is a means toward achieving the objectives of the
company.
The Need for an Internal Control
framework - COSO
Management and Auditors need to assess the
effectiveness of the internal control system of the
company. However, it will be difficult to make the
assessment if there are no criteria or benchmarks as
to what constitutes good internal control.
CATEGORIES OF INTERNAL CONTROL OBJECTIVES
1.) Effective and Efficient Operations
2.) Reliability of financial and nonfinancial
reporting
3.) Compliance with applicable laws and
regulations
One may conclude that managers and employees have
effectively carried out operations when revenue and
operating cash flow targets are achieved.
Efficient operations, on the other hand, are achieved
when the company is able to minimize operating
costs and avoid operational inefficiencies.
For instance, engineering controls and a proper
factory layout are put in place in order to
achieve smooth operation in the production
process as well as to minimize spoilage of raw
materials.
In the area of treasury operations, cash accounts
should be safeguarded from theft. This may be
achieved through the utilization of physical controls
such as cash vaults, locks, CCTV cameras, and the like.
All collections from customers must be
remitted, recorded in the books, and deposited
the next banking day. There should be
segregation of incompatible duties such that no
person should be in complete control of a
transaction, from authorization, execution,
recording, and custody.
For instance, the cash custodian should not
be allowed to post transactions in the
official accounting records (which is a
recording function) because he/she holds
cash. On the other hand, the accounting
staff should not have cash custodial duty.
This is segregating recording from custodial
functions.
In the event of calamities such as flood, the
processing of transactions is assured because the
company implements business continuity plans such
as establishing a standby alternate office with
computers alongside backup controls.
The safeguarding of assets from destruction is also part and
parcel of the operational objectives of internal control.
Many companies pay for insurance premiums so that
they might receive some proceeds from the insurance
company if assets get destroyed through fire and
other catastrophes.
If financial statements are to be useful to external as
well as internal users, they need to be reliable.
Inaccurate accounting records and unreliable
financial statements arise because of errors in
recording. Another cause of this is fraudulent
financial reporting, more popularly known as "window
dressing."
WINDOW DRESSING - a short-term strategy used in
accounting to make financial statements and
portfolios appear better and more enticing than
they actually are.
In view of the errors or fraud that result in
unreliable financial reports, the company must
implement Internal Controls over Financial Reporting
(ICFR). An example is having accounting staff review
and reconcile cash, accounts receivable, inventory,
and other accounts. Discrepancies, if any, should be
corrected on a timely basis. Ideally, the person who
will conduct the bank reconciliation is one who does not
have access to cash, that is, one with purely accounting
duties. Inventory counts must be performed
periodically in order to determine shortages or even
possible inventory pilferage.
The reliability objective of internal
control is not confined to financial
reports only but also to nonfinancial
reports. Nonfinancial reports should
also be reliable so as not to mislead
users. Examples of nonfinancial reports
include environmental and
sustainability reports.
Part and parcel of internal control is the assurance that
the company complies with applicable laws and
regulations. These include taxation, labor, environmental,
anti-money laundering, and corporation laws among
others.
Needless to say, failure to comply with laws and
regulations carries monetary penalties not to mention
possible prosecution and/or administrative charges to
be filed against erring corporate officers and
employees.
To enhance the degree of adherence to laws and
regulations, a compliance function must be
established within the company. For regulated
entities such as banks and insurance companies,
compliance departments are tapped to monitor
the company's adherence to laws and regulations.
The compliance department is usually headed by a
chief compliance officer.
COSO
REQUIREMENTS
FOR
INTEGRATED
COMPONENTS
CONTROL ENVIRONMENT AND RISK ASSESSMENT
CONTROL ENVIRONMENT
The foundation of internal control is the control environment. It is a set of standards,
processes, and structures that provide the basis for carrying out internal control. Without an
effective control environment, internal control will not function properly.
The control environment is comprised of the following:
a. Integrity and ethical values;
b. Management's philosophy and operating style;
c. Organizational structure;
d. Commitment to competence;
e. Human resource policies and procedures; and
f. Functioning of the board of directors.
In addition, the control environment should ensure controls are in place in areas
such as:
•Hiring practices
•Code of ethical conduct
•Whistleblower policies
•Employee training
•Succession planning
•Clear lines of responsibility and authority
•Competence and independence of the board of directors and board committees
RISK ASSESSMENT
RISK ASSESSMENT IS AN ITERATIVE PROCESS FOR
IDENTIFYING AND ASSESSING THOSE RISKS THAT MAY
PREVENT THE ACHIEVEMENT OF ENTERPRISE OBJECTIVES.
First, management sets the company's operational, financial reporting, and
compliance objectives. Then, risks that could prevent the achievement of these objectives
will be identified. This sub-process is known as risk identification.
The identified risks are subsequently assessed in terms of likelihood and impact. Likelihood
pertains to the probability of the occurrence of a negative event. Impact pertains to the
significance, consequence, or magnitude of the identified risk to the company. This
sub-process is called risk analysis or risk assessment. The assessment of risks in terms of likelihood
and impact results in the determination of whether such risks are significant or not. Significant
risks are typically those that have high risk scores for likelihood and impact.
The last step in this component is risk response. Risk responses include "accept," "mitigate,"
"share," "transfer," and "avoid." Risk acceptance is not an appropriate response for significant
risks. Significant risks should be mitigated by way of deploying control activities. Some risks can
be transferred through insurance. An example of totally avoiding risk is when a company
chooses to exit a market or drop one of its product lines due to market saturation.
PRESENTED BY MARKO C. MITRA
COSO Requirements for
Integrated Components
(Control Activities,
Information and
Communication, and
Monitoring Activities)
What is COSO?
COSO is an acronym for the
Committee of Sponsoring
Organizations. These controls
provide reasonable assurance
that the organization is
operating ethically,
transparently, and in
accordance with established
industry standards.
Requirements for Integrated Components
Control Activities
Information and Communication
Monitoring Activities
RECRUITMENT AND SELECTION POLICY
SEPTEMBER 30, 2023
Control Activities
Control activities are the specific actions established through policies and
procedures that help ensure that management's directives to mitigate risks to the
achievement of objectives are carried out.
Control activities encompass the following:
Performance reviews - comparison of actual performance against budget and
forecast
Information processing - controls that check the accuracy, completeness, and
authorization of transactions
Physical controls - activities that assure the physical security of assets and records
Segregation of duties - separation of the functions of transaction authorization,
record-keeping, and custody
Information and Communication
Information - is necessary for the entity to carry out internal control responsibilities
to support the achievement of its objectives. Management obtains, generates and
uses relevant and quality information from both internal and external sources to
support the functioning of internal control. For instance, managers need accounting
information in order to make business decisions.
Communication - is the continual, iterative process of providing, sharing, and obtaining
necessary information.
Internal communication - is the means by which information is disseminated throughout the
organization, flowing up, down, and across the entity. It enables personnel to receive a
clear message from senior management that control responsibilities must be taken seriously.
For instance, the code of ethical conduct in the company must be communicated from top
management to rank-and-file personnel.
Information and Communication
External communication is twofold: it enables inbound communication of relevant
external information and provides information to external parties in response to
requirements and expectations.
Inbound communication should ensure that correspondence from government
agencies such as the BIR (in the case of deficiency tax assessment letters), the Securities
and Exchange Commission, and other government regulators is properly received by
management.
Management must reply in a timely manner to these letters from government
agencies through outbound communications.
Monitoring Activities
Monitoring of internal control is essential because internal control that is effective
today may no longer be effective months or a year from now. In addition, internal
control is subject to obsolescence as a result of, for instance, more sophisticated
fraud or cybercrime. The condition of internal control should be evaluated over a
period of time.
Monitoring of controls is one of two types: ongoing monitoring and separate
evaluations. These two monitoring activities are used to ascertain whether each of
the five components of internal control is present and functioning.
Ongoing monitoring, built into business processes at different levels of the entity,
provides timely information. An example of ongoing monitoring is a routine review
by the purchasing manager of the procurement procedures in the company.
Monitoring Activities
Separate evaluations, on the other hand, are conducted periodically and vary in
scope and frequency depending on the assessment of risks, the effectiveness of ongoing
evaluations, and other management considerations. Separate evaluations of internal
control are often performed by internal auditors. Findings are evaluated against
criteria established by regulators, standard-setting bodies, or management and the
board of directors, and deficiencies are communicated to management and the
board of directors as appropriate.
Question
What are the five (5) COSO
Requirements for Integrated
Components?
LINK BETWEEN
RISKS AND
CONTROL
ACTIVITIES
By systematically linking risk to control
activities, organizations can enhance their
ability to manage uncertainty, optimize
performance, and achieve long-term success.
AFTER SETTING BUSINESS OBJECTIVES, MANAGEMENT MUST IDENTIFY
SPECIFIC RISKS THAT ARE INTERNAL TO THE COMPANY. THESE
IDENTIFIED RISKS WILL BE ASSESSED IN TERMS OF LIKELIHOOD AND
IMPACT. THE RISK RATINGS FOR LIKELIHOOD AND IMPACT ARE
COMBINED TO DETERMINE THE COMBINED RISK SCORE.
Likelihood - how probable is it that the risk will occur?
Impact - if the risk does occur, how severe will its
effects be on the company?
If the risk score is high, it is a significant risk.
Significant risks cannot simply be accepted.
On the contrary, they need to be mitigated
through the selection and deployment of
specific control activities.
RISK ASSESSMENT TEMPLATE: LINKAGE OF RISKS AND CONTROL ACTIVITIES

RISK | ASSESS LIKELIHOOD | IMPACT | COMBINED RISK SCORE | SIGNIFICANT RISK (YES/NO) | RISK RESPONSE | CONTROL ACTIVITY
1. Possibility of theft of cash | 4 | 4 | 16 | YES | MITIGATE | Cash vaults; Daily cash position reports; Bonding of the cash custodian
2. Potential ghost employee fraud scheme | 4 | 5 | 20 | YES | MITIGATE | Use of biometrics; Use of ATM payroll
3. Potential loss of office supplies | 2 | 1 | 2 | NO | ACCEPT | Minimal controls

The table shows different responses to different risks. For instance, since Risk #1 and Risk #2 are
significant risks, owing to their high combined risk scores, the appropriate response is to “mitigate”.
To reduce Risk #1 and Risk #2 to acceptably low levels, the company will select and deploy
strong control activities.
In the case of Risk #1, appropriate controls include cash vaults, preparation of daily cash position
reports, and the bonding of the cash custodian. In the case of Risk #2, the controls to be deployed
include the use of biometric devices to ensure that employees being paid salaries have
actually rendered service to the company, as well as salary payment through automated teller
machines (ATM). This requires employees to open a bank account. The company will transmit to the
bank the official roster of actual employees. Hence, a fictitious person cannot simply open an
account with the bank if his/her name is not on the official list.
In the example, since Risk #3 (potential loss of office supplies) is not a significant risk, the
company may simply choose to “accept the risk” and implement only minimal procedures.
LIMITATIONS OF
INTERNAL
CONTROL
"The concept of internal control is not a guarantee
against errors, fraud, or inefficiencies; rather, it's a
framework that requires ongoing evaluation and
refinement to address its inherent limitations."
LIMITATIONS
Management Override
Human Factor
Cost-Benefit Considerations
Possibility of Collusion
Management Override
A majority of the internal
policies are formulated and
implemented by upper
management. And often,
management can override
certain controls, even in
instances where they are
working correctly.
Human Factor
The effectiveness of an
internal control system is
limited by the reality that
human beings are not
perfect. Errors may occur
due to employee
carelessness, distraction, or
fatigue.
Cost-Benefit Considerations
The cost of establishing
and implementing
internal control should
not exceed the benefits
that could be derived
by the company.
Possibility of Collusion
Even if there is segregation of
incompatible duties, fraud or
irregularity may still occur
because of collusion or
connivance. It can be difficult
to prevent employees from
working together to commit
fraud.