
INTERNAL CONTROLS

GEETALI TARE IAAS


Internal Control Defined
Internal control is a process designed to
provide reasonable assurance regarding
the achievement of objectives in the
following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and
regulations
Some key points

• People at every level of an
organization affect internal
control.
• Internal control is, to some degree,
everyone's responsibility.
Effective internal control helps an organization
achieve its objectives.

• It is a built-in part of the management
process (i.e., plan, organize, direct and
control).
• It keeps an organization on course
toward its objectives and the
achievement of its mission, and
minimizes surprises along the way.
• Internal control promotes effectiveness and
efficiency of operations, reduces the risk of asset
loss, and helps to ensure compliance with laws
and regulations.
• It also ensures the reliability of financial
reporting (i.e., that all transactions are recorded
and that all recorded transactions are real, properly
valued, recorded on a timely basis, properly
classified, and correctly summarized and
posted).
Internal control can provide only
reasonable assurance

• Effective internal control helps an organization
achieve its objectives; it does not ensure success.
• There are several reasons why internal control
cannot provide absolute assurance that
objectives will be achieved:
– Cost/benefit realities,
– Collusion among employees, and
– External events beyond an organization's control.
Internal Control Process

This process consists of 5 interrelated
components:
• Control (or Operating) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
All internal control components must be present to
conclude that internal control is effective.
Control Environment

• The control environment is the control
consciousness of an organization;
• It is the atmosphere in which people
conduct their activities and carry out their
control responsibilities.
• An effective control environment is an
environment where competent people:
– understand their responsibilities,
– understand the limits to their authority, and
– are knowledgeable, mindful, and committed
to doing what is right and doing it the right
way.
• The control environment is greatly
influenced by the extent to which
individuals recognize that they will be
held accountable.
Components of control
environment
1. Integrity and Ethical Values
2. Commitment to competence
3. Management's Philosophy and
Operating Style
4. Organisational structure
5. Assignment of Authority and
Responsibility
6. Oversight groups
Integrity and Ethical Values

• Formal codes of conduct & policies
communicating appropriate ethical and
moral behavioral standards and
addressing acceptable operational
practices and conflicts of interest.
• Management appropriately addresses
intervention or overriding internal control.
Commitment to competence

• Management has identified and defined
the tasks required to accomplish particular
jobs and fill the various positions.
• Formal job descriptions & training needs
analysis.
Management's Philosophy and Operating
Style
• Has an appropriate attitude toward
risk-taking.
• Endorses the use of performance-based
management.
• There has not been excessive personnel
turnover in key functions, such as
operations and program management,
accounting, or internal audit.
Organisational structure

• The agency's organizational structure is
appropriate for its size and the nature of
its operations.
• Balancing the degree of centralization
versus decentralization.
• Key areas of authority and responsibility
are defined & communicated throughout
the organization.
• Clear reporting relationships.
Human Resource Policies and Practices

• Policies and procedures are in place for
hiring, orienting, training, evaluating,
counseling, promoting, compensating,
disciplining, and terminating employees.
Oversight Groups
• Within the organisation, there are mechanisms in
place to monitor and review operations and
programs.
• The agency has an audit committee or senior
management council consisting of high-level line
and staff executives that review the internal audit
work and coordinate closely with the external
auditors.
• The internal audit operation reports to the entity's
head.
• Internal audit reviews that unit’s activities and
systems and provides information, analyses,
appraisals, recommendations, and counsel to
management.
Risk Assessment
The central theme of internal control is
(1) to identify risks to the achievement of an
organization's objectives and
(2) to do what is necessary to manage those
risks.
Thus, setting
goals and objectives is a precondition to
internal controls.
Setting organisational objectives

• Operational objectives: achievement of the basic
mission(s) of a department and the effectiveness
and efficiency of its operations, including
performance standards and safeguarding
resources against loss.
• Financial reporting objectives: preparation of
reliable financial reports, including the
prevention of fraudulent public financial
reporting.
• Compliance objectives: adherence to applicable
laws and regulations.
• Risk assessment is the identification and analysis
of risks associated with the achievement of
operations, financial reporting, and compliance
goals and objectives.
• This, in turn, forms a basis for determining how
those risks should be managed.
Identify Risks after Determining Goals

• A risk is anything that could jeopardize the
achievement of an objective.
– What could go wrong?
– How could we fail?
– What must go right for us to succeed?
– Where are we vulnerable?
– What assets do we need to protect?
– Do we have liquid assets or assets with alternative
uses?
– How could someone steal from the department?
– How could someone disrupt our operations?
– How do we know whether we are achieving
our objectives?
– On what information do we most rely?
– On what do we spend the most money?
– How do we bill and collect our revenue?
– What decisions require the most judgment?
– What activities are most complex?
– What activities are regulated?
– What is our greatest legal exposure?
The costs of risks
• When evaluating the potential impact of risk,
both quantitative and qualitative
costs need to be addressed.
• Quantitative costs: cost of property, equipment,
or inventory, cash dollar loss, damage and repair
costs, cost of defending a lawsuit, etc.
• Qualitative costs: Loss of public trust, violation
of laws, default on a project, bad publicity.
Risk analysis
• Management has established a formal process to
analyze risks, and that process may include informal
analysis based on day-to-day management
activities.
• Criteria have been established for determining low,
medium, and high risks.
• Appropriate levels of management and employees
are involved in the risk analysis.
• The risks identified and analyzed are relevant to the
corresponding activity objective.
Managing Risk During Change
• Management must give special attention to risks
presented by changes:
– the hiring of new personnel to occupy key
positions
– introduction of new or changed information
systems
– rapid growth and expansion or rapid
downsizing.
– the production or provision of new outputs or
services.
– establishment of operations in a new
geographical area.
Control Activities

Control activities are actions,
supported by policies and procedures
that, when carried out
properly and in a timely manner,
manage or reduce risks.
Preventive Controls

• Preventive controls attempt to deter or
prevent undesirable events from
occurring.
• They are proactive controls that help to
prevent a loss.
• Examples: separation of duties, proper
authorization, adequate documentation,
and physical control over assets.
Detective Controls

• Detective controls attempt to detect
undesirable acts.
• They provide evidence that a loss has
occurred but do not prevent a loss from
occurring.
• Examples: reviews, analyses, variance
analyses, reconciliations, physical
inventories, and audits.
Some Control Activities
• Approvals, Authorizations, and Verifications
(Preventive).
• Reconciliations (Detective).
• Reviews of Performance (Detective).
• Security of Assets (Preventive and Detective).
• Segregation of Duties (Preventive).
• Controls over Information Systems (Preventive
and Detective).
Approvals
• Written policies and procedures
• Limits to authority
• Supporting documentation
• Question unusual items
• No “rubber stamps”
• No blank signed forms
Reconciliation
• A reconciliation is a comparison of different sets
of data to one another, identifying and
investigating differences, AND taking corrective
action, when necessary.
• A critical element of the reconciliation process
is to resolve differences.
• It does no good to note differences and do
nothing about them. Differences should be
identified, investigated, and explained, and
corrective action must be taken.
Reviews
• Budget to actual comparison
• Current to prior period comparison
• Performance indicators
• Follow-up on unexpected results or
unusual items
Asset security
• Security of physical and intellectual assets
• Physical safeguards
• Perpetual records are maintained
• Periodic counts/physical inventories
• Compare counts to perpetual records
• Investigate/correct differences
Segregation of duties
• No one person should...
– Initiate the transaction
– Approve the transaction
– Record the transaction
– Reconcile balances
– Handle assets
– Review reports
• At least two sets of “eyes”.
Information systems
(1) General Controls and
(2) Application Controls.
General Controls
• General controls apply to entire information
systems and to all the applications that reside on
the systems.
Examples:
• Access Security, Data & Program Security,
Physical Security
• Software Development & Program Change
Controls
• Data Center Operations
• Disaster Recovery.
Application Controls
• Input Controls (Data Entry): complete and
accurate recording of authorized transactions
– Authorization
– Validation
– Error Notification and Correction
• Processing Controls: complete and accurate
processing of authorized transactions.
• Output Controls: complete and accurate audit
trail of the results of processing.
Information &
Communications
• For an organisation to run and control its
operations, it must have relevant, reliable
information, both financial and
non-financial, relating to external as well as
internal events.
• That information should be recorded and
communicated to management and others
within the agency who need it and in a
form and within a time frame that enables
them to carry out their internal control
and operational responsibilities.
• Internally generated information critical to
achieving the organisation’s objectives,
including information relative to critical
success factors, is identified and regularly
reported to management.

• Pertinent information is identified, captured,
and distributed to the right people in sufficient
detail, in the right form, and at the appropriate
time to enable them to carry out their duties
and responsibilities efficiently and effectively.
Forms & means of communication

• policy and procedures manuals,
• management directives,
• memoranda,
• bulletin board notices,
• internet and intranet web pages,
• videotaped messages,
• e-mail, and
• speeches.
Monitoring

Assessing the
quality of performance over time
and ensuring that the findings of
audits and other reviews are
promptly resolved.
Ongoing monitoring
• Management’s strategy provides for
routine feedback and monitoring of
performance and control objectives.
• Operating reports are integrated or
reconciled with financial and budgetary
reporting system data and used to manage
operations on an ongoing basis.
• Communications from external parties
corroborate internally generated data or
indicate problems with internal control.

• Data recorded by information and
financial systems are periodically
compared with physical assets and
discrepancies are examined.
Separate Evaluations
• Consideration is given to the risk assessment results and
the effectiveness of ongoing monitoring when
determining the scope and frequency of separate
evaluations.
• Separate evaluations are often prompted by events such
as major changes in management plans or strategies,
major expansion or downsizing of the agency, or
significant changes in operations or processing of
financial or budgetary information.
• Separate evaluations are conducted by personnel with
the required skills that may include the agency’s external
auditor.
Audit resolution
• The organisation should have a mechanism to
ensure the prompt resolution of findings from
audits and other reviews.
• The organisation should take appropriate
follow-up actions with regard to findings and
recommendations of audits and other reviews.
Internal Control Structures &
Policies Relevant To Audit

Control Environment
Accounting System
Control Procedures
1. CONTROL ENVIRONMENT:
1. Management philosophy & operating style: supportive
attitude towards control
2. Organisational structure: clear lines of accountability
3. Audit committees: monitor control structure
4. Personnel policies & procedures: people properly
matched with tasks
5. Communication of authority & responsibility:
performance reporting, meetings, conferences as
effective communication devices.
6. Internal audit: effective control by identifying
problems & suggesting solutions.
2. ACCOUNTING SYSTEM
1. Chart of accounts, accounting manuals & other
records: complete & accurate recording of
transactions & events.
2. Transaction documentation: effective “audit
trail” for recording of transactions & events.
3. Transaction review: prevention of
unauthorised transactions & detection of errors
in transaction processing & recording.
4. EDP controls: input editing & other
programmed controls to compensate for lack
of traditional controls.
3. CONTROL PROCEDURES
1. Job descriptions, training programmes, hiring
policies: competence of personnel.
2. Policy & procedure manuals: adherence to
policy.
3. Planning, budgeting & performance reporting:
to establish long-range goals & plans to achieve
them; to monitor & correct performance.
4. Asset safeguards: asset management, limited
access & accountability controls.
5. Periodic inventories, cash counts & securities
counts: monitor access & accountability controls.
