Internal Control Processes

The Developing Concept of Internal Control

 1948 definition of internal control:
o Internal control comprises the plan of organisation and the co-ordinate methods
and measures adopted within a business to safeguard its assets, check the
accuracy and reliability of its accounting data, promote operational efficiency, and
encourage adherence to prescribed managerial policies.
 In 1958, AICPA distinguished between accounting and administrative control, as they
needed to provide a focus on the controls most relevant to their members engaged as
external auditors:
o Accounting control comprises the plan of the organisation and the procedures
and records that are concerned with the safeguards of assets and the reliability
of financial records.
o Administrative control includes, but is not limited to, the plan of organization
and the procedures and records that are concerned with the decision
processes leading to management’s authorization of transactions.

Contemporary Understanding of Internal Control

 1992 COSO definition of internal control – generally accepted current definition of
internal control
o Internal control is broadly defined as a process, effected by the entity’s board of
directors, management and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following categories:
 Effectiveness and efficiency of operations.
 Reliability of financial reporting.
 Compliance with applicable laws and regulations.

PARADIGM 1: COSO ON INTERNAL CONTROL

 Per COSO, control depends on each of the other functions of
management. There is no control without:
 Planning—for instance, design of the right procedures (which is part of planning) is
essential for effective control. There has to be a plan against which to exercise control.
Without a plan there can be no control.
 Organising—for instance, structuring the business into subdivisions and determining
reporting arrangements. To illustrate the proximity between organising and controlling it
is illuminating to remember that Fayol used the label “span of control” to describe the
issue of how many subordinates one boss might supervise—yet this is clearly a matter of
organisation as well as of control.
  Directing and leading—few would question that the quality of leadership impacts upon
control.
 Staffing—too few or too many staff can lead to things getting out of control—as can
incompetent, disloyal, dishonest or lazy staff.
 Co-ordinating—is the art of ensuring that happenings occur in harmony with each
other—without which things will be out of control.

COSO’s FIVE INTERNAL CONTROL COMPONENT (CRIME)

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

COSO’s ‘‘Control Environment’’ Component

 The attitude and actions of the board and management regarding the significance of
control within the organization. The control environment provides the discipline and
structure for the achievement of the primary objectives of the system of internal control.
 “Tone at the top” - company's management and board of director's leadership and
their commitment to being honest and ethical.
 Of the five essential internal control components, the control environment can be
regarded as the foundation component: if the control environment is unsound it is
most likely that the other four components will also be inadequate. The control
environment includes the following elements (CHAOMI)
o Integrity and ethical values.
o Management’s philosophy and operating style.
o Organizational structure.
o Assignment of authority and responsibility.
o Human resource policies and practices.
o Competence of personnel.

COSO’s ‘‘Risk Assessment’’ Component

 Risk assessment - the identification of threats to the organisation, their assessment
or measurement and deciding how they should be responded to.
 The identification of risk within a business should be an ongoing process sensitive to the
implications of changed market conditions, operational workloads, macroeconomic
parameters, and so on. Effective management should be able to anticipate the need for
change and accordingly evaluate the amendments to the corporate risk profile. Identified
risks should be prioritised and control objectives established in every case.
 Objectives may be classified in a number of ways, for example:
o Operations Objectives (e.g. performance/profitability goals)
o Financial Reporting Objectives (e.g. accurate statements prepared in accordance
with prevailing requirements)
 o Compliance Objectives (e.g. adherence to relevant sector regulations, legislation,
board policies, covenants entered into with third parties, etc.)

COSO’s ‘‘Control Activities’’ Component

Control activities are the policies and procedures that help ensure management directives are
carried out. They include a range of activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, security of assets and
segregation of duties. Additional examples are:
 Purchasing limits
 Approvals
 Security
 Specific policies

COSO’s ‘‘Information and Communication’’ Component

Information and communication – Pertinent information must be identified, captured and
communicated in a form and timeframe that enable people to carry out their responsibilities.
Information systems produce reports containing operational, financial and compliance-related
information that makes it possible to run and control the organization. Effective communication
also must occur in a broader sense, flowing down, across and up the organization. Examples
include:
 Vision and values or engagement survey
 Issue resolution calls
 Reporting
 University communications (e.g., emails, meetings)

COSO’s ‘‘Monitoring Component

 Monitoring – Internal control systems need to be monitored, a process that assesses the
quality of the system's performance over time. This is accomplished through ongoing
monitoring activities, separate evaluations or a combination of the two. Ongoing
monitoring occurs in the course of operations. Internal control deficiencies should be
reported upstream, with serious matters reported to top management and the Regents.
Examples include:
o Monthly reviews of performance reports

o Internal audit function

PARADIGM 2: TURNBULL ON INTERNAL CONTROL

An internal control system encompasses the policies, processes, tasks, behaviours and other
aspects of a company that, taken together:
• facilitate its effective and efficient operation by enabling it to respond
appropriately to significant business, operational, financial, compliance and other
risks to achieving the company’s objectives. This includes the safeguarding of
assets from inappropriate use or from loss and fraud, and ensuring that liabilities
are identified and managed;
• help ensure the quality of internal and external reporting. This requires the
maintenance of proper records and processes that generate a flow of timely,
relevant and reliable information within and outside the organisation;
• help ensure compliance with applicable laws and regulations, and also with
internal policies with respect to the conduct of business.

Turnbull essential components of internal control:

1. Control environment and control activities
2. Risk assessment
3. Information and communication
4. Monitoring

PARADIGM 3: COCO ON INTERNAL CONTROL

The internal control framework of the Canadian Institute of Chartered Accountants’ Criteria of
Control Board (“CoCo”) is less “mechanical” and more “behavioural” than the COSO internal
control framework and, arguably, has advantages in application within organisations that are
more participative and less hierarchical, as well as being a valuable control framework to use in
control self assessment situations.

Control comprises those elements of an organization (including its resources, systems, processes,
culture, structure and tasks) that, taken together, support people in the achievement of the
organization’s objectives. These objectives fall into one or more of the following categories:
• Effectiveness and efficiency of operations includes objectives related to an organization’s
goals, such as customer service, the safeguarding and efficient use of resources, profitability and
meeting social obligations. This includes the safeguarding of the organization’s resources from
inappropriate use or loss and ensuring that liabilities are identified and managed.
• Reliability of internal and external reporting includes objectives related to matters such as
the maintenance of proper accounting records, the reliability of information used within the
organization and of information published for third parties. This includes the protection of
records against two main types of fraud: the concealment of theft and the distortion of results.
• Compliance with applicable laws and regulations and internal policies includes objectives
related to ensuring that the organization’s affairs are conducted in accordance with legal and
regulatory obligations and internal policies.
In any organization of people, the essence of control is purpose, commitment, capability, and
monitoring and learning.
A person performs a task, guided by an understanding of its purpose (the objectives to be
achieved) and supported by capability (information, resources, supplies and skills). The person
will need a sense of commitment to perform the task well over time. The person will monitor
his or her performance and the external environment to learn about how to do the task better and
about changes to be made.

“Purpose” groups the criteria that provide a sense of the organisation’s direction—that is, “what
to do”. “Commitment” groups the criteria that provide a sense of the organisation’s identity and
values—that is, “wanting to do it”. “Capability” groups the criteria that provide a sense of the
organisation’s competence—that is, “Tools to do it”. “Monitoring and learning” groups the
criteria that provide a sense of the organisation’s evolution—that is, “Are we doing it?”

PARADIGM 4: A SYSTEMS/CYBERNETICS MODEL OF INTERNAL CONTROL

Conceptually this paradigm views the organisational process as analogous to, for instance, an air
conditioning system. The plan is the room temperature setting of the thermostat. Actual
performance is monitored and compared to the plan. If a significant variance between “plan” and
“actual” occurs, then the control system makes a decision to switch the fan on or off in order
that, and until, room temperature is within an acceptable tolerance of the planned temperature.
So the control system is continuously interpreting information available to it. In this system the
monitoring and decision taking is automated or programmed into the programmer or controller.
In business automated, electronic monitoring and decision taking is excellent if it is feasible to
do it in this way while taking appropriate account of all of the variables, and so long as
customers and others are prepared to tolerate, even welcome, interfacing with impersonal
systems. Electronic controls tend to be more reliable than mechanical controls and mechanical
controls tend to be more reliable than controls that require manual oversight. In practice,
effective internal control is likely to rely on a combination of manual and automated activities.

Basic Elements of a Control System

 The “control object” is the variable of the system’s behaviour which is to be monitored
and controlled.
 The “detector” is the part of the system which measures (or monitors) the control object.
 The “reference point” is the standard against which the actual performance of the
control object is compared.
 The “comparator (analyser)” makes the comparison and assesses whether or not it is
significant.
 The “activator” takes the decision which is intended to restore actual performance to
what is desired.
PARADIGM 5: CONTROL BY DIVISION WITH SUPERVISION
This model of internal control is based on the premise that effective control may be achieved by
means of an appropriate combination of various opportunities to “divide” (“separate off” or
“segregate”), together with supervision. Designing our control processes to take advantage of
sensible opportunities to divide may be a costless way of achieving effective internal control as it
may be just a matter of allocating work in ways that reduce the likelihood that errors and losses,
deliberate or accidental, will occur.

PARADIGM 6: CONTROL BY CATEGORY