
UNDERSTANDING INTERNAL CONTROL
Prepared by Marco Fernando L. Ng, CPA, CIA, CFE, CGMA
Managing Partner, M. Ng & T. Lopez Partnership Firm, Angeles City, Pampanga
Direct Tel: 0922-856-0648
Tel Landline: 045-322-8033
Email: mtpf.marcong@gmail.com

Background
• Marco is the Managing Partner of M. Ng & T. Lopez Partnership Firm, one of the dynamic accounting and assurance firms in Angeles City.
• Marco is one of the founders of the Firm, which started in November 2013. Prior to this, he started his career with one of the Big 4 firms in the Philippines, where he spent 4 years conducting external audit engagements with public and private companies. He then joined the biggest auditing firm in the Philippines, where he spent 3 years doing fraud investigation and dispute services for large multinational companies and state auditors of the Philippines. Finally, he spent 3 years conducting external and internal audit work in New York and Los Angeles, California for one Hedge Funds and Private Equity Funds with one of the largest US firms.

Skills and affiliation
• Marco is a Certified Fraud Examiner (CFE), Certified Internal Auditor (CIA), Certified Public Accountant (CPA) both in the Philippines and in the US, and a Chartered Global Management Accountant.
• Marco has maintained his membership with the Association of Certified Fraud Examiner (ACFE), Institute of Internal Auditors (IIA), American Institute of Accountants (AICPA), Chartered Institute of Management Accountants (CIMA), and Philippines Institute Certified Public Accountants (PICPA).

Experience
Marco has performed various audit services and fraud investigations for the following industries:

Importer/Distributor – Managed the forensic audit of a partnership engaged in importing and distribution of animal and pet products, relating to an allegation of misappropriation of cash collections and diversion of partnership funds by the managing partner and employees. The project entailed performing procedures to establish the amount involved in the said employee fraud.

Multinational Company – Managed the independent review of costing methodology and analysis of costing data of a multinational company based in the Philippines, with export business to other countries. The review was made to support a dispute in another country involving the multinational company. The project entailed procedures in documenting the cost allocation process and gathering information regarding the computation of gross margin and earnings before taxes.

Government sector – Supervised the development and preparation of a fraud audit manual to be integrated in the regular audit of Government agencies. This project required review of the current state of fraud auditing within the audit institution, developing and preparing the fraud audit manual, developing training materials, and conducting training programs for selected state auditors.

Health Service – Supervised and helped assist the forensic audit of a private hospital relating to an allegation of improper cash collections made by the company’s procurement manager from external sales agents.

COURSE OBJECTIVES
• Appreciate Internal Controls
• Assess the Company’s Internal Control using the COSO Framework
• Perform Internal Control Assessment
• Formulate audit program for internal control testing and substantive testing
WHAT IS INTERNAL CONTROL?
In its broadest form, internal control is defined as a process, typically established at the organization’s highest level (such as the board of directors) and through its management and associates, that provides stakeholders with assurance that the company’s reporting is reliable, efficient, and in compliance with existing regulations and legal requirements.
WHAT IS INTERNAL CONTROL? CONT…
• Internal control is what we do to see that the things we want to happen will happen
• And the things we don’t want to happen won’t happen.
PRIMARY OBJECTIVES OF THE INTERNAL CONTROL
• Accurate Financial Information
• Compliance with Policies and Procedures
• Safeguarding Assets
• Efficient Use of Resources
• Accomplishment of Objectives and Goals
RESPONSIBILITY FOR INTERNAL CONTROL
• Management is responsible for establishing and maintaining the control environment. Auditors play a role in a system of internal controls by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a role in either strengthening or weakening the Institution’s internal control system. Therefore, all employees need to be aware of the concept and purpose of internal controls.
TYPES OF INTERNAL CONTROL
• Preventive controls
• Detective controls
• Corrective controls

• It is much more costly to discover errors and frauds with detective and corrective controls than it is to discourage them with preventive controls.
COSO
• Formed in 1985 in response to corrupt and unethical business practices in the 1970s to the early 1980s;
• Initiated by five professional organizations with the aid of Congress;
• The COSO Internal Control Framework was finalized in 1992 by PwC;
• Now used by the majority of US, Canadian, and European firms in evaluating their Internal Controls, particularly their Control Environment or Control over Financial Reporting.
COSO
• Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (Treadway Commission)
TREADWAY COMMISSION
Internal Control –
An Integrated Framework (COSO)
KEY CONCEPTS OF INTERNAL CONTROL
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It's not merely policy, manuals, and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
INTERRELATED COMPONENTS OF INTERNAL
CONTROL
WHY ASSESS CONTROL RISK?
• Management should now transition to a Risk Management-Based Internal Approach;
• An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. To have an effective system of internal control relating to one, two, or all three categories of objectives, each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective.
Internal Control—Integrated Framework
COSO FRAMEWORK:
CONTROL ENVIRONMENT
• Sets the tone of an organization, influencing the control consciousness of its people.
• It is the foundation for all other components.
COSO FRAMEWORK:
CONTROL ENVIRONMENT
• Philosophy and operating style
• Functioning of board
• Authority and responsibility
• Integrity and ethical values
• Internal audit
• Organizational structure
• Human resources policies
• Commitment to competence
• External environment
The control environment is concerned with the
actions, policies, and procedures that reflect the
overall attitude of the client’s top management,
directors, and owners of an entity about internal
control and its importance.
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
Management actions to remove incentives that prompt a person to behave improperly.
Communication of behavioral standards by codes of conduct and example.
Management’s consideration of the competence levels for specific jobs and how those translate into requisite skills and knowledge.
Board delegates responsibility for internal control to management and is charged with regular independent assessments of management-established internal control.
The major stock exchanges require listed companies to have an audit committee composed of entirely independent directors who are financially literate.
Management, through its activities, provides clear signals to employees about the importance of internal control. For example, are sales and earnings targets unrealistic, and are employees encouraged to take aggressive actions to meet those targets?
Understanding the client’s organizational structure provides the auditor with an understanding of how the client’s business functions and implements controls.
Formal methods of communication including:
  – Top management memoranda concerning internal control
  – Organizational operating plans
  – Employee job descriptions
If employees are honest and trustworthy, other controls can be absent and reliable financial statements will still result.
Methods by which persons are hired, trained, promoted, and compensated are important elements of internal control.
COSO FRAMEWORK:
RISK ASSESSMENT
• The entity's identification and analysis of relevant risks to achievement of its objectives.
• COSO's Enterprise risk management (ERM) framework
COSO ERM FRAMEWORKS
• Presence or Absence of Environmental Controls: Exposure for the organization from simple embarrassment to moderate economic loss or bankruptcy
• Auditability and Control Consciousness: Each level of control must be reviewed from the top to bottom and documented
• Top-Down Leadership: Involves all the employees in a company
COSO ERM FRAMEWORKS
[Diagram: Those charged with Governance (Organize - Plan - Direct - Control); Events, Processing, Results; Control Functions (Authorize - Segregate Duties - Communicate - Monitor Compliance); Management]
COSO FRAMEWORK:
CONTROL ACTIVITIES
• The policies and procedures that help ensure management directives are carried out.
  – Physical controls over the security of assets
  – Segregation of duties
  – Information Processing
    • Approvals and authorization
    • Verifications and reconciliations
  – Performance reviews
CONTROL PROCEDURES:
SEPARATION OF DUTIES
• Authorization separate from processing
• Custody of assets separate from the record keeping
• Successful fraud should require collusion between two or more individuals with incompatible responsibilities.

Separation of the functions of authorization, recordkeeping, and custody.
Separating IT duties from User Departments
CONTROL PROCEDURES:
SEPARATION OF DUTIES
[Diagram: Segregation of Duties between Authorization, Recording, and Custody]
Minimize abuse and Ethical Risk due to too much Power!
CONTROL PROCEDURES:
SEPARATION OF DUTIES
Will open the floor for Fraud Risk!

General authorization is permissible for routine events for which there are policies to follow.
For some transactions specific authorization is needed on a case-by-case basis.
Prenumbered consecutive documents so missing items are noticed
Prepared as near to transaction time as possible
Good design with instructions and appropriate spaces
CONTROL PROCEDURES:
INFORMATION PROCESSING CONTROLS
• Information technology general controls (ITGC)
  – Physical security
  – Hardware controls
  – Segregation of IT duties
  – Documentation
  – Back-up procedures
• Information technology application controls (ITAC)
  – Input controls
  – Processing controls
  – Output controls
• Spreadsheet controls
Deterrents to prevent physical access.
Access controls to prevent getting into computer system. [Illustration label: Incorrect Password]
Backup and recovery procedures
Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance.
COSO FRAMEWORK:
INFORMATION AND COMMUNICATION
• The identification, capture, and exchange of
information in the form and time frame that enables
people to carry out their responsibilities.
COSO FRAMEWORK:
MONITORING
• Management’s process that assesses the quality of the internal control's performance over time.
• Ongoing monitoring activities;
• Internal auditing
• Follow-up of reporting errors
• Separate Evaluations
INTERRELATED COMPONENTS OF INTERNAL CONTROL
Why change? Control Environment
Now:
• Integrity and ethical Values
• Control consciousness and operating style
Future:
• Risk Management Philosophy
• Risk Culture
• Risk Appetite
INTERRELATED COMPONENTS OF INTERNAL CONTROL
Why change? Risk Assessment
Now:
• One time section in Strategic Planning Event
• Minimal Support for Judgements
Future:
• Ongoing Activity
• Integrated with Company’s Strat Plan
• Inherent and Residual Risk consideration
INTERRELATED COMPONENTS OF INTERNAL CONTROL
Why change? Control Activities
Now:
• General and application Controls focus
• Focus on Automated and Manual Controls
• Routine and non-routine controls
Future:
• Identify and evaluate range of possible responses
• Integrated with Company’s Strategies, Operation, Financial and Compliance Objective
INTERRELATED COMPONENTS OF INTERNAL CONTROL
Why change? Information & Communication
Now:
• Focuses on Reporting and Compliance Controls
• Internal and External information
Future:
• Includes Strategic and Operational requirements of the Company
INTERRELATED COMPONENTS OF INTERNAL CONTROL
Why change? Monitoring
Now:
• Focuses more on Control Activities
• Tone at the Top
Future:
• Facilitate possible risk responses across the Company
• Evaluation is on all part of the Framework
• Recommends ways to enhance controls
QUESTION #1
• Which of the following is NOT true about?
a. ERM is a bottom-up view of the key risks facing the organization.
b. ERM links growth, risk and return.
c. ERM aligns risk appetite and strategy.
d. ERM identifies and manages cross-enterprise risk.
QUESTION #2
• Internal control is a process designed to provide reasonable assurance regarding the achievement of which objective?
a. Effectiveness and efficiency of operations
b. Reliability of financial reporting
c. Compliance with applicable laws and regulations
d. All of the above
QUESTION #3
• Risks relevant to financial reporting include which of the following?
a. External events
b. Internal events
c. Circumstances that might affect reliable financial reporting
d. All of the above
Responsible party to design and monitor
• Environmental Controls (Management Controls): Executive Management (Board of Directors)
• System Controls (process controls): Middle Management (Department Managers)
• Transaction Processing Controls (Products & Services Controls): Work Staff (Operations)
[Diagram: three levels of environment and related controls]
• ORGANIZATION Environment and Related Controls: Top Mgmt; Day to Day Supervision/Management; IT Facility
• SYSTEMS Environment and Related Controls: Business Systems; Individual Applications Within Systems
• TRANSACTION Activities and Related Controls: Transaction Within Applications; Routine Transactions -- Nonroutine Transactions; Processing Methods for Transactions

Structure of the control environment
• Multiple Management Layers: There are different levels of management in an organization, from Board of Directors and chief executive to operating levels.
[Diagram: Top (CEO, CFO, COO); Middle (Staff); Day to Day (Transaction Originates, Procedures for Processing Transaction, Procedures for Controlling Transaction Process, Output)]

• Environmental or Management Controls: These are classified as administrative controls by the AICPA.
• System or Process Controls: The controls that define the management aspects of individual application systems.
• Transaction Processing Controls: The controls that oversee the processing of individual business transactions.

• Environmental Control: Executive Management & Information Technology Management
• System & Transaction Processing Controls: Functional Management
• Review of Adequacy: Independent & Internal Auditors
GENERAL PHASES OF INTERNAL CONTROL EVALUATION
• Phase 1: Understand and document
  – Understand the client’s internal control
  – Document the understanding of internal control
    • Internal Control questionnaire
    • Narrative
    • Accounting and control system flowcharts
• Phase 2: Assess control risk (Preliminary)
• Phase 3: Testing and reassessment
  – Perform test of controls audit procedures
  – Re-assess control risk
AN AUDIT OF INTERNAL CONTROL
Phases of the engagement
1. Plan the engagement
2. Use a top-down approach to gain an understanding
a) Identify entity-level controls
b) Walkthroughs
3. Testing internal control effectiveness
a) Design effectiveness
b) Operating effectiveness
4. Evaluating control deficiencies
a) Deficiencies
b) Significant deficiencies
c) Material weaknesses
5. Wrapping up: Forming an opinion on the effectiveness of
internal control
6. Reporting on internal control
STEP 1: PLAN THE AUDIT
• Consider knowledge of industry
• Consider knowledge of business
• Consider extent of changes in operations
• Consider extent of changes in internal control
• Evaluation must be done for all relevant assertions for all significant accounts or disclosures. Thus, significant accounts, locations, and assertions must be identified.
• The key to determining whether an account, location, or assertion is significant is whether there is a more-than-reasonable possibility that a material misstatement could be associated with it.
• Just as control risk is used to determine the nature, timing, and extent of substantive procedures, inherent risk is used to determine the nature, timing, and extent of tests of controls.
STEP 2: USE A TOP-DOWN APPROACH TO GAIN AN UNDERSTANDING
• Identify entity-level controls
• Perform walkthroughs
• Auditor must perform work related to:
  – Company-wide anti-fraud programs
  – Controls that have a pervasive effect
• Auditor must obtain “principal evidence,” but can incorporate work of internal auditors and others
  – Must assess competence and objectivity
  – Limited reliance
  – Can’t reduce work on control environment
ENTITY-LEVEL CONTROLS
• Controls related to the control environment.
• Controls related to management override.
• Centralized processing and controls including shared service environments.
• Controls to monitor results of operations.
• Controls to monitor other controls.
• Management’s risk assessment.
• Period-end financial reporting process
• Policies that address significant business control and risk management practices
TEST CONTROLS: DESIGN EFFECTIVENESS
• Design effectiveness determines whether the controls over business process, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the transactions of the entity.
• After an understanding of internal controls is gained through inquiry, inspection, and observation, the controls are evaluated for the possibility that the controls would not prevent or detect a misstatement.
TEST CONTROLS: OPERATING EFFECTIVENESS
• Operating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
• A sample of transactions is examined using inquiry, observation, inspection, and reperformance.
• Tests of controls are not performed if design is not effective.
STEP 4A: EVALUATE CONTROL DEFICIENCIES
• Whether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the entity’s management or employees to detect or prevent misstatements in a timely fashion.
  – A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control’s objective.
  – An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained).
• More serious internal control deficiencies can be categorized into one of two groups, significant deficiencies or material weaknesses, depending on their severity.
STEP 4B: IDENTIFY SIGNIFICANT DEFICIENCIES
• Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the organization’s ability to initiate, record, process, and report error or misstatement in their day-to-day transactions.
• While not material, they are important enough to bring to the attention of those charged with governance.
• Absence of appropriate separation of duties.
• Absence of appropriate reviews and approvals of transactions.
• Evidence of failure of control procedures.
STEP 4C: IDENTIFY MATERIAL WEAKNESSES
• A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
• Restatement of previously issued financial statements or internal reports to reflect the correction of a misstatement.
• Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client’s internal controls.
• Indication of fraud (either material or immaterial) by senior management.
SUMMARY OF INTERNAL CONTROL DEFICIENCIES
• Three categories
  – Internal control deficiency
  – Significant deficiency
  – Material weaknesses
• The difference between a significant deficiency and a material weakness is the (1) likelihood and (2) materiality that a potential (or actual) material misstatement would not be detected on a timely basis.
STEP 5: WRAPPING UP:
FORMING AN OPINION ON THE EFFECTIVENESS OF INTERNAL CONTROL OVER SIGNIFICANT PROCESS
• Auditors can issue one of three types of opinions on internal control over control activities:
  – Unqualified. No material weaknesses found.
  – Disclaimer of opinion. The audit team cannot perform all of the procedures considered necessary.
  – Adverse opinion. One or more material weaknesses found.
STEP 6: REPORTS ON INTERNAL CONTROL
• Separate report on internal control
  – Extra paragraph added to report on internal control referencing opinion on process audited.
• Integrated audit report and report on internal control
  – Includes auditor’s opinions on 1) internal control effectiveness, and 2) recommendation for further improvements.
REPORTING TO AUDIT COMMITTEE ON INTERNAL CONTROL RELATED MATTERS
• Sarbanes-Oxley requires that the report be in writing.
• The auditor may communicate during or after audit.
• Communication with management is not required; however, communications with management or other individuals within the entity who may, in the auditor's judgment, benefit from the communications are not precluded.
LIMITATIONS OF INTERNAL CONTROL
• Human error
• Collusion
• Management override
• Cost/benefit analysis
  – There is often a trade-off between the cost and the effectiveness of internal controls.
  – The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.
QUESTION #4
Control activities can be defined as:
a. A means to an end
b. Authorized procedures
c. The particular category in which a control is placed
d. The actions of people to help ensure that management directives necessary to address risks are carried out