
LLSMS2090

Audit and Control

Anne-Catherine Provost
INTERNAL CONTROL
Academic year 2022-2023
CONCRETE EXAMPLES
INTERNAL CONTROL DEFINITION

Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
4. Safeguarding of assets

(COSO)
EFFICIENCY VS. EFFECTIVENESS

Efficiency: how well you use your resources.
Effectiveness: how well you get to your objectives.

Baseline: 1 pallet, 1 day to build 1 table.
Scenario 1: 2 pallets – 1 day
Scenario 2: 1 pallet – 2 days


INTERNAL CONTROL DEFINITION

• A control will be those activities that are performed on a periodic and consistent basis to provide management with comfort that an objective is being achieved.

• Activities designed to mitigate risk and reinforce the validity of the desired outcome.

Example: With SOX, internal controls over financial reporting are designed and operate with the objective of preparing financial statements that completely and accurately reflect the results of operations.

FEATURES OF INTERNAL CONTROL

Who? Who executes the control activity? Who is responsible for the control activity?

What? What is to be ensured by the control activity?

How? How is the control executed? Which are the activity steps the control owner is executing? How is the control activity documented?

Where? Where is the control activity within the activities executed?

When? At which point is the control activity executed? How often is the control activity executed?

Why? Why is the control activity executed?

FEATURES OF INTERNAL CONTROL

FRAMEWORKS

Three IC frameworks recognized globally:

1. Internal Control – Integrated Framework (COSO)
2. Guidance on Control (CoCo)
3. Internal Control: Revised Guide for Directors on the Combined Code (Turnbull Report)

COSO IC – INTEGRATED FRAMEWORK

COSO IC – INTEGRATED FRAMEWORK

1. Operations: effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding of assets against loss

2. Reporting: internal, external, and non-financial reporting

3. Compliance: adherence to laws and regulations to which the entity is subject, but also policies, plans, rules, procedures, contracts, or other requirements

COSO IC – INTEGRATED FRAMEWORK

Control environment: norms, values, ethics, style of management, history, culture, shared values

Risk assessment: identification and evaluation of risks

Control activities: actions taken by management, the board and other parties to mitigate risk and increase the likelihood that established objectives and goals will be achieved

Information & communication: high-quality information must be communicated appropriately (relevant, accurate, timely, available, appropriate)

Monitoring: ongoing evaluations of the entire process and recommendations for improvement

COSO IC – INTEGRATED FRAMEWORK

The COSO framework explicitly identifies 17 broad principles that represent the fundamental concepts associated with the components of internal control, and apply to all organizations.

COSO IC – INTEGRATED FRAMEWORK
Control environment

COSO IC – INTEGRATED FRAMEWORK
Risk assessment

COSO IC – INTEGRATED FRAMEWORK
Control activities

COSO IC – INTEGRATED FRAMEWORK
Control activities

Preventive: prevent an error or misstatement from occurring (e.g., storing cash in a locked safe and segregating duties)

Detective: detect that an error or misstatement has occurred. It alerts the proper people after an unwanted event (e.g., a burglar alarm)

Directive: policy, procedure or guidance with instructions on how to perform a task. It causes or encourages the occurrence of a desirable event (e.g., policies and procedures, employee training, job descriptions, etc.)

Corrective: correct the negative effects of unwanted events (e.g., a requirement that all cost variances over a certain amount be justified). Also, another control that covers the failure of one control and corrects the error or misstatement caused by that failure.

COSO IC – INTEGRATED FRAMEWORK

Control activities

COSO IC – INTEGRATED FRAMEWORK
Control activities

(Figure: control activities placed on scales from less effective to more effective)

COSO IC – INTEGRATED FRAMEWORK

Control activities

Control activities occur throughout the organization, at all levels and in all functions.

Entity-level controls: help to ensure that management directives pertaining to the entire entity are carried out
e.g. job descriptions, code of conduct, controls over the period-end financial reporting process, whistle-blower hotline

Process/transaction-level controls: operate over one or more relevant assertions within a single process/transaction
e.g. invoice approval

COSO IC – INTEGRATED FRAMEWORK
Control activities

Authorization and approval: formal authorization and approval

System access: the ability that individual users or groups of users have within a computer information system processing environment, as determined and defined by access rights configured in the system

Safeguard controls: the restriction of access to information or physical assets

Exception/edit reports: a report that is generated by an entity to monitor something and followed up on through to resolution

Reconciliation: the matching of two independent data sources leading to the identification and investigation of discrepancies on a timely basis

COSO IC – INTEGRATED FRAMEWORK

Control activities

Segregation of duties: assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets

Key performance indicators: financial and non-financial quantitative measurements that are collected by the entity, either continuously or periodically, and used by management to evaluate

Management review: review of information by the management of an organization on a regular basis
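As an added example that is not part of the lecture slides, this Python script turns the segregation-of-duties definition above into two checks: a preventive one over user entitlements (who could combine incompatible duties) and a detective one over recorded transactions (who actually did). The entitlement names, users and transactions are constructed placeholders, and the mapping of entitlements to the three duty classes (authorize, record, custody) is an assumption about a hypothetical payables system.

```python
"""Segregation-of-duties (SoD) checks over constructed sample data.

Added example, not part of the lecture slides. The three duty classes
(authorize, record, custody) come from the slide; the entitlements, users
and transactions below are constructed placeholders.
"""
from itertools import combinations

# Assumption: a payables system exposes these three entitlements, each of
# which grants exactly one of the three duty classes from the slide.
DUTY_OF_ENTITLEMENT = {
    "enter_invoice": "record",      # recording transactions
    "approve_invoice": "authorize", # authorizing transactions
    "release_payment": "custody",   # custody of assets (cash leaves)
}

def preventive_sod_conflicts(user_entitlements):
    """Preventive check: users whose entitlements span two or more duty
    classes, i.e. who are *able* to complete a transaction alone."""
    conflicts = {}
    for user, entitlements in user_entitlements.items():
        duties = {DUTY_OF_ENTITLEMENT[e] for e in entitlements
                  if e in DUTY_OF_ENTITLEMENT}
        if len(duties) > 1:
            conflicts[user] = tuple(sorted(duties))
    return conflicts

def detective_sod_violations(transactions):
    """Detective check: transactions where the same person actually
    performed two or more of the three duties (an exception report)."""
    violations = []
    for tx in transactions:
        actors = {d: tx[d] for d in ("record", "authorize", "custody")}
        for a, b in combinations(actors, 2):
            if actors[a] == actors[b]:
                violations.append((tx["id"], actors[a], a, b))
    return violations

# Constructed sample data: carol holds a conflicting pair of entitlements
# and also recorded and paid the same invoice.
USER_ENTITLEMENTS = {
    "alice": {"enter_invoice"},
    "bob": {"approve_invoice"},
    "carol": {"enter_invoice", "release_payment"},
}
TRANSACTIONS = [
    {"id": "INV-1", "record": "alice", "authorize": "bob", "custody": "dave"},
    {"id": "INV-2", "record": "carol", "authorize": "bob", "custody": "carol"},
]

if __name__ == "__main__":
    print(preventive_sod_conflicts(USER_ENTITLEMENTS))
    print(detective_sod_violations(TRANSACTIONS))
```

The preventive check is what an access-rights review would run before granting entitlements; the detective check is what a periodic exception report over the transaction log would surface for follow-up.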

COSO IC – INTEGRATED FRAMEWORK
Control activities

Example: Car company

• Operation objective: use > 75% of productive capacity of plants

• Risk event: disruption of plant

• Risk response/reduction: insurance coverage

• Control activities:
  - Quarterly review of company’s coverage
  - Review of compliance with negotiated terms and conditions of the insurance agreement
COSO IC – INTEGRATED FRAMEWORK
Information activities

COSO IC – INTEGRATED FRAMEWORK
Monitoring activities

KEY ASPECTS OF IC

• Linked to the achievement of objectives

• It’s a process, not an end in itself

• Effected by people

• Providing only reasonable assurance

• Adaptable to the entity structure

KEY ASPECTS OF IC

LIMITATIONS OF IC

• Human errors

• Management override

• Collusion

• Changing conditions

• Lack of/insufficient segregation of duties

• Inadequate knowledge of policies, procedures, or governing regulations

• Form over substance

SOX –INTERNAL CONTROLS OVER
FINANCIAL REPORTING

SOX –INTERNAL CONTROLS OVER
FINANCIAL REPORTING
Section 404: requires CEO and CFO of publicly traded companies to opine on
the design adequacy and operating effectiveness of internal controls over
financial reporting, as part of financial statements.
• All publicly traded US corporations are required to maintain an adequate
system of internal controls
• Corporate executives and boards of directors must ensure that these
controls are reliable and effective
• Independent external auditors must attest to the adequacy of the internal
control system
• Section 302 mandates disclosure of any changes in internal controls

COSO, CoCo, and Turnbull used as frameworks for the assessment

SOX –INTERNAL CONTROLS OVER
FINANCIAL REPORTING

COSO AND THE THREE LINES (OF
DEFENSE) MODEL

TENTATIVE PLANNING

10/06
  8.30-9.45 / 10.00-11.15 / 11.30-12.45: In-class discussion: Case 1 (Lego)
  13.30-16.30: In-class lecture: Internal control; time to work on individual assignment 2: Internal audit and risks
  To do before class: Submit one-pager on individual reading 2 (Internal audit and risks) before 10/07 8 AM

10/13
  10.45-12.45: In-class lecture: Audit
  13.30-16.30: Guest lecture: The role and challenges facing internal auditor (Dirk Debruyne); time to work on group assignment: Case 2 – Société Générale
  To do before class: Watch video on Internal audit in preparation for lecture; prepare for case 2 (Société Générale) and submit report before 10/19 2 PM

10/20
  8.30-9.45 / 10.00-11.15 / 11.30-12.45: In-class discussion: Case 2 (Société Générale)
  13.30-16.30: Guest lecture: Internal audit (Mark Dekeyser, IIABel); time to work on group assignment: Case 3 – Bharat Petroleum
  To do before class: Watch video on Fraud in preparation for case 2; read IIA guidelines; prepare for case 3 (Bharat Petroleum) and submit report before 10/26 2 PM

10/27
  8.30-9.45 / 10.00-11.15 / 11.30-12.45: In-class discussion: Case 3 (Bharat Petroleum); Q&A
  13.30-16.30: Wrap up: discussion of the exam; time to work on group assignment: written report
  To do before class: Submit group assignment (written report) before 10/28 6 PM

1. Watch video on Internal audit in preparation for lecture.
2. Reflect on the following 3 questions for the guest lecture:
  - After my studies, I will start my career with a job in external audit with one of the big 4 (Deloitte, EY, KPMG or PwC). Yes/No – why?
  - After my studies, I will start my career with a job in internal audit. Yes/No – why?
  - In your opinion, what are the competencies needed to be a good auditor (internal and/or external)? Name at least 3 of them.

(Next week: Preparation for Case 2 – Deadline: 10/19, 2 PM)
