
Governance, Business Ethics, Risk Management and Internal Control

Jesse Rey L. Meneses, CPA, MBA, CrFA
Eugene V. Villaceran, CPA, MBA, CTT
(2022)
Copyright

This is an exclusive and copyrighted property of REX Book Store, Inc.

All rights reserved. No part of this material shall be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written consent of REX Book Store, Inc.
Chapter 4: Introduction to Risk Management
“What Can Go Wrong?”

Learning objectives:

At the end of the chapter, the students will be able to:

a. describe risk and its characteristics;
b. identify the different types of risk;
c. articulate the need for risk management;
d. describe the steps in managing risks; and
e. identify globally-recognized risk management frameworks.
Lesson Key Concepts and Examples

Definition of Risk

• Risk - the possibility of an occurrence of an event that could adversely affect the achievement of business objectives.

• Risk is asking yourself, “what can go wrong?”

Examples of risk

Business Objective | Event
1. Generating P10 million profit | Increase in production and operating costs
2. Manufacturing 20,000 units of the product | Loss of supply of raw materials needed in production
3. Producing reliable financial statements | Clerical errors in recording transactions
4. Reducing bad debts by 20% | Bankruptcy of a major customer
5. Uninterrupted computer processing of business transactions | Brownouts, computer breakdown, flood in the office
Internal events

Event | Potential impact
1. Internal fraud | Financial loss; Damage to the reputation of the company
2. Machine breakdown | Disruption in the production process; Failure to deliver finished goods to customers
3. Accident in the factory | Physical injuries, loss of lives; Increase in medical costs
4. Violation of laws and regulations | Fines and penalties; Potential criminal prosecution of erring corporate officers and employees

External events

Event | Potential impact
1. Economic recession | Decline in sales revenue and operating profit; Possible closure of the business
2. Entry of more competitors in the market | Loss of market share; Decline in sales revenue
3. Bankruptcy of a major customer | Failure to collect receivables; Decline in cash balance
4. Pandemic (e.g., COVID-19, SARS) and natural calamities (flood, earthquakes, volcanic eruption) | Disruption in business operations; Decline in revenue and profit; Possibility of closure of the business
Categories of Risk

• Financial risks - the likelihood that the company might incur a financial loss, or suffer a decline in profit, capital, investment, or cash flows, on account of the occurrence of events or transactions.

• Nonfinancial risks - a type of risk, other than financial risks, that can negatively affect the company (e.g., breakdown of machines, loss of raw materials).
Credit risk

• Credit risk - the risk that a counterparty such as a customer or a borrower might fail to pay its account on the due date.

• For instance, there is a possibility that a borrower of a bank will be unable to pay his or her loan on the maturity date.

• Sometimes referred to as default risk.

• Credit risk is present in all activities where there is an expectation of repayment.

Liquidity risk

• Liquidity risk - the risk that the business will be unable to meet its financial obligations
as they fall due because of insufficient cash.

• Liquidity risk also includes the possibility that the business may not be able to:
• Convert its noncash assets into cash on short notice.
• Borrow funds from banks and other creditors with reasonable interest and payment
terms.
Interest rate risk

• Interest rate risk - the potential decline in earnings due to changes in interest rates.

• If the company has a variable-rate loan payable, an increase in the market rate of interest will increase total interest expense, resulting in lower profit.

• Occurs because the business may have a disproportionate amount of fixed and variable interest rate instruments.
Foreign currency risk

• Foreign currency risk - the risk that fluctuations in exchange rates could affect the profit of the business.

• For example, a weakening of the Philippine peso will result in a foreign currency loss to a Philippine importer of goods.

• The Philippine importer will have to convert more Philippine pesos into dollars to pay off the transaction.
Other price risk

• Other price risk - the risk that changes in specific prices (stock price, purchase price, index) could affect the profit or cash flow of the business.

• For instance, a decline in the price of shares owned by the company traded in the stock exchange will result in a decrease in the value of the stock investments.
Business risk

• Business risk - the possibility that the business may not be able to generate sufficient revenue, or the chance that operating costs will increase.

• For example, an increase in raw material cost will result in a decline in the gross profit margin of the company.

• When the company is unable to achieve its sales target, revenues will not be enough to cover operating costs.
Operational risk

• Operational risk - the risk that business operations will be disrupted due to
inadequate or failed systems, processes, people, breaches in internal controls, or
other unforeseen catastrophes

• The company uses internal controls (e.g., business continuity plans, preventive
maintenance) to mitigate the effect of operational risks.
Legal risk or compliance risk

• Legal or compliance risk - the risk that the company might fail to comply with applicable laws and regulations.

• This risk also includes the possibility of not complying with contractual obligations to other entities.

• This type of risk may result in fines and penalties as well as possible criminal prosecution of erring company officers and employees.
Health and safety risk

• Health and safety risk - the risk that unforeseen events could result in injuries, illnesses, or even loss of lives.

• Examples include injuries sustained by workers in the factory and transmission of the COVID-19 virus to company staff.

• This kind of risk increases the medical costs that will be incurred by the company.
Environmental risk

• Environmental risk - the risk that the company may fail to control or minimize factory wastes, emissions, and other pollutants arising from its business activities.

• Failure to remedy this negative contribution of the company to the environment could result in government sanctions such as huge amounts of fines and penalties, or even business closure.
Strategic risk

• Strategic risk - the risk of selecting an inappropriate corporate strategy or the failure to implement an appropriate strategy.

• This type of risk may result in failure to achieve long-term strategic goals, loss of market share, and shrinkage in corporate value.
Reputational risk

• Reputational risk - the risk that the reputation or image of the company will be damaged due to reasons such as improper acts of corporate officers, poor financial performance, bad news about the company, among others.

• This risk reduces the confidence of investors, customers, creditors, and other entities with respect to the status of the business.

• Reputational risk could result in the collapse of the company.


Financial reporting risk

• Financial reporting risk - the possibility that the financial statements of the company will be incorrect due to errors, lapses, or failure to apply accounting standards such as the International Financial Reporting Standards (IFRS).

• Unreliable financial statements could result in erroneous financial analysis affecting the business decisions of investors and creditors.
Fraud risk

• Fraud risk - the risk arising from deceptive and intentional acts that result in the loss of company assets, resources, and reputation.

• Examples of fraud include theft of cash and inventories, bogus deliveries, ghost employees, window dressing of the financial statements, and the like.
Enterprise risk management, defined

• Enterprise risk management - a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

• From the COSO ERM Framework, 2004


Roles in risk management: BOD

• The Board of Directors conducts oversight of the effectiveness of the company’s risk management process.

• Risk oversight pertains to the periodic review and monitoring of the process being used by management in addressing and controlling risks.

• It is common for large companies to have separate risk oversight committees within the board.

Roles in risk management: Management

• Management implements specific risk mitigation and control procedures in managing the various types of risks affecting the company.

• Management also identifies and assesses risks prior to selecting the appropriate risk response or controls.

• Many companies have risk managers who are the ones tasked to manage risks in a professional and technical manner.

Roles in risk management: Internal auditors

• Internal auditors - conduct examination of the risk management and internal control processes for the purpose of determining their effectiveness.

• Audit findings (e.g., weak risk processes) as well as their recommendations for improvements are communicated to the Board of Directors, or to the Risk Oversight Committee.
Risk appetite

• Risk appetite - the level of risk that the company can accept in pursuit of its
objectives

• Operating a business naturally involves the taking of risks.

• But risks must be kept to within acceptable or manageable levels.

• This is one of the aims of the risk management process - to keep risks within the
company’s risk appetite.
Steps in the Risk Management process

1. Set business objectives.
2. Identify risks to those objectives.
3. Assess the risks identified in terms of likelihood and impact.
4. Respond to the assessed risks (accept, mitigate, share, avoid, transfer).
5. Implement the risk response (specific action plans or controls).
6. Monitor.
Categories of business objectives

• Strategic objectives - high-level goals, aligned with and supporting the organization's mission and long-term vision.

• Operational objectives - goals that are related to the effective and efficient use of corporate resources.

• Reporting objectives - goals relating to the reliability and transparency of corporate reports such as financial and nonfinancial reports.

• Compliance objectives - goals relating to compliance and conformity with applicable laws and regulatory requirements.

Examples of business objectives

Category of objective | Specific example
Strategic | Increase market share of the company to 40% through business expansion.
Operational | Achieve profit after tax of P100 million.
Reporting | Generate financial statements that are reliable and compliant with the International Financial Reporting Standards (IFRS).
Compliance | Compute, file, and pay taxes based on the requirements of tax laws and BIR Regulations.

Examples of risks to business objectives

Business objective | Risk
Increase market share of the company to 40% through business expansion. | Possible entry of more competitors in the market; Change in the taste and preference of customers
Achieve profit after tax of P100 million. | Potential decline in the sales revenue of the company; Increase in production and operating costs
Generate financial statements that are compliant with the International Financial Reporting Standards (IFRS). | Complexity of applying accounting requirements; Changes in the IFRS
Compute, file, and pay taxes based on the requirements of tax laws and BIR Regulations. | Error in computing taxable income and the tax due; Intentional understatement of taxable income to reduce the tax due
Assessing risks in terms of likelihood and impact

• “Likelihood” - the probability that the event will occur

• “Likelihood” is often classified into “high,” “moderate,” or “low.”

• “Impact” - the significance of the negative effect of the risk to the company

• The “impact” of a risk is also classified into “high,” “moderate,” or “low.”

• Analyzing risk in terms of “likelihood” and “impact” is known as risk assessment.


Risk responses

• Accept - Accepting the risk is permissible only if it is of minor effect to the business or if its likelihood is “remote.”

• Reduce - Risks that are likely to happen or those that are expected to have a significant impact on the business cannot simply be accepted.
  • These risks should be mitigated or reduced to tolerable levels.
  • Reducing risks can be done through implementing controls.

• Share - In some situations, the appropriate response might be to share or transfer the risks to some other entity such as an insurance company.
  • Example: Some risks of the company may be transferred or shared with an insurance company.

• Avoid - Avoiding a risk may be the right response when management thinks that merely reducing it is not enough.
  • Examples:
    • The company may terminate one of its product lines if it assesses that operating it has become too risky.
    • The company may totally avoid entering into dollar-denominated transactions to eliminate foreign currency risk.
Implementing the risk response

Risk | Risk mitigating action or management control
Loss of supply of raw materials needed in production | Identify alternative sources of raw materials; Maintain safety stock or buffer in raw materials inventory
Entry of more competitors in the market | Massive advertising to promote the company’s product; Product improvement through research and development
Possibility that customers will be unable to pay their accounts on the due date | Proper evaluation of the paying ability of customers and credit analysis; Applying credit limits to customers
Possibility that the business will run out of cash | Obtaining cash from preapproved and standby bank credit lines; Policy for converting investments into cash
Clerical errors in the recording and processing of transactions | Computerization of transaction processing; Auditing of the recorded transactions to determine correctness
Possibility of computer breakdown and loss of data | Use of uninterruptible power supply (UPS); Backup procedures on computer files
Monitor risks and the risk management process

• The risk management process must be continuously monitored to determine if it remains effective and efficient over time.

• Management cannot make the erroneous assumption that an effective risk management process will remain effective over time.

• A risk management process that is effective today may no longer be effective for the next period. This is because risks are always changing.
Risk management frameworks

• Committee of Sponsoring Organizations (COSO) Enterprise Risk Management framework (2004)

• ISO 31000 - Risk Management is a series of risk management standards formulated by the International Organization for Standardization.
  • Provides a set of principles and guidelines for the design, implementation, and evaluation of the risk management process for companies across different industries.

Basic steps - ISO 31000

1. Identification of all risks that could prevent the company from achieving its business objectives
2. Analysis of risks, including an understanding of their causes and effects
3. Determination of whether identified risks are tolerable or not
4. Treatment of significant risks by way of mitigating procedures, thereby reducing the impact and/or the likelihood of the risks
5. Monitoring of the risk management strategy and its implementation to determine gaps that should be addressed
6. Communication of information pertaining to the risk management process of the company
Lesson Activities and/or Practice Exercises

Activity 1 (Group Work): Identifying business objectives and corresponding risks

Select a business in your locality. Think of the top five (5) business objectives of your selected business. For every identified business objective, identify at least three (3) risks. Use the following template:

Business Objective | Risks
1. | a.  b.  c.
2. | a.  b.  c.
3. | a.  b.  c.
4. | a.  b.  c.
5. | a.  b.  c.

Activity 2 (Group Work): Risks and Management Action Plans

From your output in Activity 1, select at least five (5) risks to achieving business objectives. Identify management action plans that may be applied in addressing the selected risks. Use the following template:

Identified Risk | Management action plan

Activity 3: Internet assignment

Conduct group research on the top five (5) global risks being experienced by companies. You may use the following table:

Risk | Effects | Actions to address the risk
1.
2.
3.
4.
5.
Conclusion:

• Risk is the chance for a potential loss or the probability of not achieving a business objective.

• Risks can be categorized into financial risks and nonfinancial risks. There are many examples of risks for each category.

• In light of the above, companies must implement a robust and comprehensive risk management system to ensure the achievement of business objectives.

• Companies may select from a variety of risk management frameworks to be used in formulating their risk processes.

• There are several risk management frameworks that can be adopted by companies, such as COSO Enterprise Risk Management or ISO 31000 - Risk Management.
References:
Meneses, Jesse Rey L. and Villaceran, Eugene V. 2022. Governance, Business
Ethics, Risk Management and Internal Control. Quezon City: Rex Book Store,
Inc.
The Committee of Sponsoring Organizations of the Treadway Commission. 2004.
COSO Enterprise Risk Management - Integrated Framework.
Chapter 5: Assessment of Risks and Selection of Risk Strategies

Learning objectives:

At the end of the chapter, the students will be able to:

a. identify the components of the risk management process;
b. articulate the assessment of risks in terms of likelihood and impact;
c. discuss appropriate risk responses and specific risk strategies;
d. document the risk assessment process using a template; and
e. describe the importance of monitoring of risk mitigation and control activities.
Lesson Key Concepts and Examples

Components of COSO Risk Management (2004)

• Business objectives (top view)
• Components (front view)
• Applied to the entire enterprise, division, business units, or even subsidiaries
Internal environment

• Internal environment - reflects the company’s risk management philosophy, risk appetite, board oversight, commitment to ethical values and competence of the human resource, and the assignment of authority and responsibility.

• The internal environment encompasses the "tone at the top" and it influences the governance process as well as the risk and control consciousness of people in the company.

• The board and management must have an awareness and understanding of risks to effectively perform their execution (management) and oversight (board) functions on the effectiveness of the risk management process.
Objective setting

• Objective setting - precondition to event identification, risk assessment, and risk response

• Business objectives are categorized into strategic, operational, reporting, and compliance.

• Without the setting of clear objectives, it is impossible to identify risks (events or conditions that may prevent the company from achieving its business objectives).

• The business objectives are formulated within the company's risk appetite or the level of risk that the company can accept.
Event identification

• Management identifies potential events that may affect the company’s ability to achieve its strategic, operational, reporting, and compliance objectives.

• These potential events can be internal or external.

• In identifying risks, management applies various event identification techniques such as facilitated workshops, technical sessions, brainstorming, and the like.

• Regardless of the method used, the aim is to identify a comprehensive listing of risks that may affect the company.
Risk assessment

• Risks are assessed in terms of likelihood and impact.

• Likelihood and impact assessments may be “high,” “moderate,” or “low.”

• In addition, inherent and residual risks will also be assessed.

• Inherent risk - susceptibility of failing to achieve a business objective

• Residual risk - the risk that remains after applying management’s response to the risk
Example of risk scoring for “likelihood”

Risk score | Description
1 | There is only a REMOTE chance that the event will happen.
2 | It is LESS LIKELY that the event will happen.
3 | It is LIKELY that the event will happen.
4 | It is VERY LIKELY that the event will happen.
5 | It is VIRTUALLY CERTAIN to happen.

Example of risk scoring for “impact”

Risk score | Description
1 | Insignificant or negligible impact
2 | Minor impact
3 | Moderate impact
4 | Major impact
5 | Catastrophic effect

Risk map

• Significant risks (in red) are those which have “high” likelihood and “high” impact.
Concept of residual risk

Inherent risk | Risk mitigating plan/Control activity | Residual risk
1. Inventory spoilage for a manufacturer could amount to P5 million. | Changing the factory layout; Engineering and inventory controls | Inventory spoilage is reduced to only P5,000.
2. A 30% decline in the number of passengers for an airline company due to increase in competition. | Opening of new flight routes; Improving customer service; Reducing airfare fees | Decline in profit will only be 1%.
3. A bank’s operating loss could amount to $20 million due to increase in bad debts. | Credit assessment of borrowers’ ability to pay; Credit limits on amounts to be lent | The operating loss is reduced to $15 million.

• Residual risk - risk that remains after applying controls and mitigating management plans
Risk response

• After risks are assessed, management will select the right risk response.

• Risk responses:
  • Accept the risk.
  • Mitigate (reduce) the risk.
  • Share the risk.
  • Avoid the risk.

• Only nonsignificant risks may be accepted (e.g., with minimal controls).

• Significant risks (high likelihood, high impact) cannot be accepted, but should be mitigated by controls or management actions, shared through insurance, or totally avoided (exiting a risky business venture or product line).
Control activities

• Management carries out specific risk mitigation policies and control procedures
throughout the organization, at all levels and in all functions, to help ensure that
risk responses are properly implemented.

• Control activities to be deployed must be integrated with risk response.

• Control activities may be preventive, detective, and corrective.


Information and communication

• The company identifies, captures, and communicates pertinent information from internal and external sources to enable personnel to carry out their responsibilities.

• Without the communication of reliable and relevant information, people in the company will not be able to perform their functions in an appropriate manner.

• Communication can be internal (within the company) or external (communicating with those outside of the company such as suppliers, customers, creditors, and government agencies).

• Communication can also be inbound (to the company) or outbound (from the company).
Monitoring

• Monitoring - process for determining whether the components of the risk management process remain effective over time

Two types of monitoring:

• Ongoing monitoring - usually done by managers in the course of performing their duties

• Separate evaluations - usually done by internal auditors

Example of controls linked with risk assessments

Risk | Likelihood | Impact | Combined risk score | Significant risk (Yes/No)? | Risk Response | Control Activity
1. Possibility of computer breakdown and data loss | 4 | 4 | 16 | Yes | Mitigate | Backup procedures; Business continuity plan
2. Potential cash deficit | 4 | 5 | 20 | Yes | Mitigate | Contingency funding plan; Standby credit lines with bank
3. Risk of cybercrime | 4 | 4 | 16 | Yes | Mitigate | Information technology security controls
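The scoring tables, the risk map and the table above together describe one procedure: score likelihood and impact on a 1-5 scale, combine them into a single score (the 16 and 20 above are likelihood multiplied by impact), flag the risk as significant when both are high, and then choose a response that the significance level permits. The following Python risk register is an added example that walks through that procedure; it is not code from the textbook or from COSO. Two things in it are assumptions, because the chapter does not state them numerically: a score of 4 or 5 on an axis is treated as "high", and the residual (after-control) scores given for the three sample risks are constructed for illustration.

```python
"""Risk register helper (constructed example, not code from the textbook or COSO).
Applies the chapter's 1-5 likelihood and impact scales, computes the combined score as
likelihood x impact, flags significant risks, and rejects "accept" for a significant risk."""
from dataclasses import dataclass, field
from typing import Optional

# Score descriptions from the chapter's two scoring tables.
LIKELIHOOD_SCALE = {1: "remote", 2: "less likely", 3: "likely", 4: "very likely", 5: "virtually certain"}
IMPACT_SCALE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}

# Assumption: the chapter calls a risk significant when both likelihood and impact are
# "high" but gives no numeric cut-off; here a score of 4 or 5 counts as high.
HIGH_THRESHOLD = 4
RESPONSES = ("accept", "mitigate", "share", "avoid")


def check_score(value: int) -> int:
    """Reject anything outside the 1-5 scale before it reaches the arithmetic."""
    if value not in (1, 2, 3, 4, 5):
        raise ValueError(f"score must be 1-5, got {value!r}")
    return value


def combined_score(likelihood: int, impact: int) -> int:
    """Combined risk score = likelihood x impact (4 x 5 = 20 in the chapter's table)."""
    return check_score(likelihood) * check_score(impact)


def is_significant(likelihood: int, impact: int) -> bool:
    """Red zone of the risk map: high likelihood AND high impact."""
    return check_score(likelihood) >= HIGH_THRESHOLD and check_score(impact) >= HIGH_THRESHOLD


def allowed_responses(likelihood: int, impact: int) -> tuple:
    """Only nonsignificant risks may be accepted; the rest must be mitigated, shared, or avoided."""
    return ("mitigate", "share", "avoid") if is_significant(likelihood, impact) else RESPONSES


@dataclass
class Risk:
    name: str
    likelihood: int                   # inherent likelihood, 1-5
    impact: int                       # inherent impact, 1-5
    response: str
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # None = not yet reassessed after controls
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        check_score(self.likelihood)
        check_score(self.impact)
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")
        if self.response not in allowed_responses(self.likelihood, self.impact):
            raise ValueError(f"{self.name}: a significant risk cannot be accepted")

    def inherent_score(self) -> int:
        return combined_score(self.likelihood, self.impact)

    def residual_scores(self) -> tuple:
        # Until management reassesses, the residual risk is taken to equal the inherent risk.
        if self.residual_likelihood is None or self.residual_impact is None:
            return (self.likelihood, self.impact)
        return (self.residual_likelihood, self.residual_impact)

    def residual_score(self) -> int:
        return combined_score(*self.residual_scores())


def build_register(risks) -> list:
    """One row per risk, in the layout of the chapter's table plus residual columns."""
    rows = []
    for r in risks:
        res_l, res_i = r.residual_scores()
        rows.append({
            "risk": r.name, "likelihood": r.likelihood, "impact": r.impact,
            "combined": r.inherent_score(),
            "significant": is_significant(r.likelihood, r.impact),
            "response": r.response, "controls": list(r.controls),
            "residual": r.residual_score(),
            # Still in the red zone after controls: the chosen response is not enough.
            "residual_significant": is_significant(res_l, res_i),
        })
    return rows


# The three risks from the chapter's table; the residual scores (last two arguments)
# are constructed for illustration, the chapter does not give them.
SAMPLE_RISKS = [
    Risk("Possibility of computer breakdown and data loss", 4, 4, "mitigate",
         ["Backup procedures", "Business continuity plan"], 2, 3),
    Risk("Potential cash deficit", 4, 5, "mitigate",
         ["Contingency funding plan", "Standby credit lines with bank"], 3, 4),
    Risk("Risk of cybercrime", 4, 4, "mitigate", ["Information technology security controls"], 3, 3),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f'{row["risk"]}: {row["combined"]} -> residual {row["residual"]}, {row["response"]}')
```

The check in `__post_init__` is the point of the exercise: a register built this way cannot record "accept" against a risk that scores high on both axes, which is the rule the chapter states for significant risks. The `residual_significant` column is the monitoring hook: when a risk stays in the red zone after its controls are applied, the response needs to be revisited rather than left as is.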
Lesson Activities and/or Practice Exercises

Activity 1. Assessing risks and selecting an appropriate control activity

Directions: Select a business (e.g., bank, manufacturer, electric utility, merchandiser). Identify five (5) risks to the operation of your chosen business, assess those risks, and select the right risk response and specific control activity.

Risk | Assess: Likelihood | Assess: Impact | Combined risk score | Significant risk (Yes/No)? | Risk Response (e.g., reduce, share, avoid, accept) | Specific Control Activity

Activity 2 - Continuation of Activity 1

Directions: Using your chosen business in Activity 1, list specific examples of activities or procedures falling under the eight (8) components of the original COSO ERM Framework. Use the following template:

Component | Specific Activity/Procedure/Policy
Internal environment |
Objective setting |
Event identification |
Risk assessment |
Risk response |
Control activities |
Information and communication |
Monitoring activities |

Activity 3: Internet assignment

Research the risk management processes of at least two (2) listed companies and discuss these with the class. This information may be found in annual reports posted on their corporate websites.

For U.S. companies, you may find this information in the company’s Form 10-K. For Philippine companies, you may find it in the company’s Form 17-A.
Conclusion:

• The risk management process begins with the setting of clear business objectives and subsequently identifying threats to achieving those goals.

• Business objectives are categorized into strategic, operational, reporting, and compliance.

• The identified risks are then assessed in terms of likelihood and impact for the purpose of determining the appropriate risk response and the specific management action or control.

• The applicable risk responses are to accept the risk (for insignificant risks) and to mitigate or share the risk (for significant risks).
Reference:

The Committee of Sponsoring Organizations of the Treadway Commission. 2004. COSO Enterprise Risk Management - Integrated Framework.
Chapter 6: Concept of Internal Control

Learning objectives:

At the end of the chapter, the students will be able to:

a. define internal control;
b. explain the COSO Internal Control - Integrated Framework;
c. articulate the three (3) categories of internal control objectives;
d. identify the five (5) components of internal control;
e. identify the inherent limitations of internal control; and
f. explain how specific control activities are selected.
Lesson Key Concepts and Examples

COSO Definition of Internal Control

• Internal control - process effected by the board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of business objectives.

• From the COSO Internal Control - Integrated Framework

Internal control is a process

• It is not an isolated procedure.

• It is comprised of an interrelated set of policies, procedures, and activities that work together for the achievement of business objectives.

• Under the COSO Framework, internal control is comprised of five interrelated components.
Internal Control provides reasonable assurance and not absolute assurance because of inherent limitations of internal control

• Management's usual requirement that a control be cost effective, i.e., that the cost of a control procedure not be disproportionate to the potential loss due to fraud or error;
• The fact that most controls tend to be directed at anticipated types of transactions (routine) and not at unusual (non-routine) transactions;
• The potential for human error due to carelessness, distraction, mistakes of judgment, or the misunderstanding of instructions;
• The possibility of circumvention of controls through collusion with parties outside the entity or with employees of the entity;
• The possibility that a person responsible for exercising control could abuse that responsibility, for example, a member of management overriding a control;
• The possibility that procedures may become inadequate due to changes in conditions, and that compliance with procedures may deteriorate.
Internal control must be effected for the achievement of business objectives

• Internal control must be put into effect by people from all levels within the company.

• Internal control is not a mere checklist of dos and don'ts.

• Internal control is not an end in itself; rather, it is a means toward achieving the objectives of the company.
COSO Internal Control

3 business objectives:
• Effective and efficient operations
• Reliability of financial and nonfinancial reporting
• Compliance with laws and regulations

5 components:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO requirements to conclude that internal control is effective

1. Each of the five components must be present and functioning.
  • “Present” - the five components exist in the system of internal control
  • “Functioning” - the components are being implemented over time

2. The five components must “operate together” in an integrated manner.
  • The components of internal control are not to be treated in isolation; rather, they need to operate in an integrated manner.
Control environment

• Control environment - foundation of internal control and reflects the “tone at the top” of the organization

• Reflects the attitudes, awareness, and actions of senior management and the BOD regarding the importance of internal control

• Without an effective control environment, the structure of control will collapse.

What are included in the control environment?

a. Integrity and ethical values;
b. Management’s philosophy and operating style;
c. Organizational structure;
d. Commitment to competence;
e. Human resource policies and procedures; and
f. Functioning of the board of directors.
Risk assessment

• Risk assessment - process for identifying and assessing those risks that may prevent
the achievement of business objectives

Steps:
• Objective setting
• Risk identification
• Risk analysis (likelihood, impact)
• Risk response
Control activities

Control activities - specific actions established through policies and procedures

• Performance reviews
• Information processing
• Physical controls
• Segregation of duties
Information and communication

• Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives.

• Management obtains, generates, and uses relevant and quality information from both internal and external sources to support the functioning of internal control.

• Communication - the continual, iterative process of providing, sharing, and obtaining necessary information

• Internal communication - the means by which information is disseminated throughout the organization, flowing up, down, and across the company

• External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.
Monitoring

• Monitoring of internal control is essential because internal control that is effective
today may no longer be effective months or a year from now.

• In addition, internal control is subject to obsolescence.

• Monitoring is done through:
• Ongoing routine monitoring
• Separate evaluations
Limitations of internal control

• Internal control provides only reasonable assurance that the business objectives will be achieved.

• Limitations of internal control:
• Collusion
• Management override
• Human factors (e.g., fatigue, misinterpretation of facts, errors in judgment)
• Cost-benefit considerations
Lesson Activities and/or Practice Exercises
Activity 1: Surveying an actual establishment’s controls

Select a small business in your locality. With the owner’s permission, attempt to identify control policies and procedures
that the business implements. Map these specific control policies and procedures to the five (5)
components of internal control. Use the following format:

Policy/Procedure                                                         Component/s
Example:
1. The business hires only competent staff.                              Control environment
2. The internal auditor reports audit findings and recommendations       Monitoring; Information and communication
   to the owner on a periodic basis.
3.
4.
5.
6.
Activity 2: Identifying internal controls in a business
Identify internal controls that are being implemented in the following business establishments:

1. Department store
Image from: Pexels, public domain.

2. Bank
Image from: Pexels, public domain.

3. Convenience store
Image from: Pexels, public domain.

4. Supermarket
Image from: Pexels, public domain.


Activity 3. Group work: Demonstrate how the internal control
components “operate together.”

Requirement:

Demonstrate to the class how the five (5) components of internal control operate
together under the COSO Framework.

Use a hypothetical business situation and give specific examples.


Conclusion:

• The internal control system is not an isolated procedure; rather, it is an
interrelated set of policies, procedures, and activities that work together to
achieve the objectives of the business.

• Under the COSO Framework, there are five (5) components of internal control,
namely: control environment, risk assessment, information and communication,
control activities, and monitoring.

• Under the COSO Framework, the components must operate together in an
integrated manner to reduce to an acceptably low level the risk of not achieving a
business objective.

• Internal control provides only reasonable assurance that business objectives will
be achieved because there is no perfect control system.

• There are inherent limitations on internal control, namely: collusion, possibility of
management override of controls, cost-benefit considerations, and human factors,
among others.
References:

Meneses, Jesse Rey L. and Villaceran, Eugene V. 2022. Governance, Business Ethics,
Risk Management and Internal Control. Quezon City: Rex Book Store, Inc.
The Committee of Sponsoring Organizations of the Treadway Commission. 1992.
Internal Control - Integrated Framework.
Chapter 7:
Internal Control
in Action
Learning objectives:

At the end of the chapter, the students will be able to:

a. differentiate between entity-level and transaction-level controls;
b. differentiate between hard and soft controls;
c. differentiate between preventive, detective, and corrective controls;
d. identify specific internal control procedures in the major accounts;
e. define the concept of control deficiency; and
f. identify the types of control deficiencies.
Lesson Key Concepts and Examples
Entity-level controls

• Entity-level controls - controls that are applied broadly at the company level and
affect the functioning of transaction-level controls.

Examples:
• Functioning of the board of directors
• Code of conduct in the workplace
• Controls under the risk assessment component
• Monitoring process
• Code of corporate governance
Transaction-level controls

• Transaction-level controls - internal control procedures deployed and
implemented for every major transaction and account of the company

• When compared to entity-level controls, transaction-level controls are more
specific and applicable to specific business processes or transactions such as
revenue and collections, expenditures and disbursements, production process,
payroll, and the like.
Types of controls

As to lines of defense, internal controls are classified into:

• Preventive controls - first line of defense

• Detective controls - controls aimed at identifying discrepancies, errors, or fraud
that may have taken place

• Corrective controls - intended to rectify the errors, discrepancies, or fraud
detected by controls
Examples of controls for Cash

• Use of pre-numbered official receipts
• Daily deposit of collections
• Bonding (through an insurance company) of cash custodians
• Authorization for the opening of bank accounts
• Comparison of deposit slips with the cash book
• Separation of duties between cashier personnel and accounting personnel
• Use of cash registers
• Preparation of daily cash collection reports
• Use of cash vaults and locks
• Access to cash vaults given only to authorized cash personnel
• Preparation of monthly bank reconciliations
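Pre-numbering of official receipts (and, later in this chapter, of sales orders, shipping documents and receiving reports) is only a control if someone periodically accounts for every number issued: a gap may be a destroyed or unrecorded receipt, a duplicate may be a re-used form, and a number outside the booklet issued to the cashier has no legitimate origin. The following Python script is an added illustration, not code from the textbook; the receipt series prefix "OR-", the booklet range 1001 to 1010 and the recorded receipt numbers are all constructed for the example.

```python
"""Sequence check over pre-numbered documents (constructed example).

Given the range of numbers issued to a custodian (one receipt booklet) and the
numbers actually recorded in the cash receipts journal, report gaps, duplicates
and numbers that fall outside the issued range. Each finding is an item for the
reviewer to follow up, not proof of fraud by itself.
"""
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class SequenceReport:
    first: int                                   # first number issued
    last: int                                    # last number issued
    gaps: list[int] = field(default_factory=list)        # issued but never recorded
    duplicates: list[int] = field(default_factory=list)  # recorded more than once
    out_of_range: list[int] = field(default_factory=list)  # recorded but never issued

    @property
    def clean(self) -> bool:
        """True when every issued number is accounted for exactly once."""
        return not (self.gaps or self.duplicates or self.out_of_range)


def parse_receipt_number(raw: str, prefix: str) -> int:
    """Strip the series prefix (e.g. 'OR-') and return the numeric part.

    A receipt from a different series is rejected outright rather than
    silently folded into this booklet's count.
    """
    if not raw.startswith(prefix):
        raise ValueError(f"unexpected document series: {raw!r}")
    return int(raw[len(prefix):])


def check_sequence(numbers: Iterable[int], issued_from: int, issued_to: int) -> SequenceReport:
    """Account for every number in issued_from..issued_to (inclusive)."""
    seen: dict[int, int] = {}
    for n in numbers:
        seen[n] = seen.get(n, 0) + 1
    report = SequenceReport(first=issued_from, last=issued_to)
    report.gaps = [n for n in range(issued_from, issued_to + 1) if n not in seen]
    report.duplicates = sorted(n for n, count in seen.items() if count > 1)
    report.out_of_range = sorted(n for n in seen if n < issued_from or n > issued_to)
    return report


# Constructed cash receipts journal for one day. Booklet OR-1001..OR-1010 was
# issued to the cashier; OR-1004 and OR-1009 are missing, OR-1006 appears
# twice, and OR-1012 was never issued.
RECORDED_RECEIPTS = [
    "OR-1001", "OR-1002", "OR-1003", "OR-1005", "OR-1006",
    "OR-1006", "OR-1007", "OR-1008", "OR-1010", "OR-1012",
]


def audit_receipts(recorded: list[str] = RECORDED_RECEIPTS, prefix: str = "OR-",
                   issued_from: int = 1001, issued_to: int = 1010) -> SequenceReport:
    """Run the sequence check over the constructed journal."""
    numbers = (parse_receipt_number(r, prefix) for r in recorded)
    return check_sequence(numbers, issued_from, issued_to)


if __name__ == "__main__":
    rep = audit_receipts()
    print("gaps:        ", rep.gaps)          # [1004, 1009]
    print("duplicates:  ", rep.duplicates)    # [1006]
    print("out of range:", rep.out_of_range)  # [1012]
    print("booklet clean:", rep.clean)        # False
```

The same check applies unchanged to any pre-numbered series on this page; only the prefix and the issued range differ. Pairing it with the daily cash collection report (the total of the recorded receipts should equal the day's deposit) closes the loop between the document count and the cash.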
Examples of controls for Sales and A/R

• Credit approval before making deliveries of products to customers
• Use of credit limits for customers
• Use of pre-numbered sales orders
• Independence or separation between the credit and sales departments
• Pre-numbering of shipping documents
• Control over returned goods
• Control over scrap sales
• Periodic reconciliation of A/R subsidiary ledgers with the A/R control account
• Periodic confirmation of customers’ A/R balances
Examples of controls for Inventories

• Periodic inventory counts
• Use of perpetual inventory records
• Periodic comparison of general ledger (GL) and perpetual inventory records
• Periodic comparison of inventory records against physical count
• Investigation of discrepancies in case of inventory shortage or overage
• Use of pre-numbered receiving reports
• Separation of the inventory custodian from the inventory accounting/record-keeping function
• Adequacy of insurance on inventories
• Physical safeguards on inventory against fire and other catastrophes
• Physical safeguards against theft of inventories
Examples of controls for Fixed Assets

• Use of detailed property records
• Periodic comparison of property records with physical assets
• Periodic counts of fixed assets
• Policy on capitalization of expenditures
• Physical safeguards over assets (e.g., machines, equipment, facilities)
• Use of property identification numbers (for specific identification of assets)
• Adequacy of insurance over fixed assets
• Fixing of the accountability of fixed asset custodians
Examples of controls for Payroll

• Effective hiring procedures
• Maintenance of personnel data records (201 files)
• Use of a time clock or biometric device
• Supervisor review of time cards
• Review of payroll calculations (gross salaries, withholding tax, SSS premiums,
net pay)
• Procedures in distributing payroll checks
• Control over unclaimed wages
• Transmittal to the bank of the official roster of employees for ATM payroll
arrangements
• Periodic head count of all company personnel
Examples of controls for Accounts Payable (A/P) and Purchases

• Independence of the A/P function from the purchasing function
• Periodic reconciliation of A/P subsidiary records with the A/P control account
• Control over purchase returns
• Review of vendors’ invoices
• Matching of purchase order, receiving report, and vendor invoice
• Reconciliation of vendor statements with A/P detail
• Review of A/P debit balances
• Review of unmatched receiving reports
• Review of A/P postings
• Bidding procedures for significant purchases
• Investigation of discounts not taken
• Periodic comparison with budgets
• Checking for personal purchases
• Vendor accreditation procedures
• System access to create, edit, or delete purchase orders is restricted to
authorized personnel
• Ability to create, add, or delete purchase orders is restricted to
authorized personnel
• Periodic audit of A/P balances
• Comparison of purchase amounts to budgets
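Two of the controls above, matching of purchase order, receiving report and vendor invoice (the "three-way match") and review of unmatched receiving reports, are routinely implemented as a check over the A/P records rather than by hand. The Python script below is an added example, not the textbook's own material; the record layouts, the `three_way_match` function and all purchase orders, receiving reports and invoices in it are constructed. An invoice is released for payment only when it agrees with an approved purchase order on vendor, item, quantity and unit price and the quantity invoiced has actually been received; every other invoice is held with the reasons, and receiving reports with no invoice yet are listed for accrual and follow-up.

```python
"""Three-way match of purchase orders, receiving reports and vendor invoices
(constructed example).

Design choices: money is handled as Decimal, never float; a price tolerance is
explicit and defaults to zero; an invoice that fails on several points reports
all of them so the reviewer sees the whole picture in one pass.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    vendor: str
    item: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class ReceivingReport:
    rr_no: str
    po_no: str
    item: str
    qty_received: int


@dataclass(frozen=True)
class VendorInvoice:
    inv_no: str
    vendor: str
    po_no: str
    item: str
    qty: int
    unit_price: Decimal


@dataclass
class MatchResult:
    approved: list[str] = field(default_factory=list)           # invoices cleared for payment
    exceptions: dict[str, list[str]] = field(default_factory=dict)  # invoice no -> reasons held
    unmatched_receipts: list[str] = field(default_factory=list)  # goods received, not yet invoiced


def three_way_match(pos: list[PurchaseOrder], rrs: list[ReceivingReport],
                    invs: list[VendorInvoice],
                    price_tolerance: Decimal = Decimal("0.00")) -> MatchResult:
    """Match each invoice against its PO and the goods received for that PO."""
    po_by_no = {po.po_no: po for po in pos}
    received_by_po: dict[str, int] = {}
    for rr in rrs:
        received_by_po[rr.po_no] = received_by_po.get(rr.po_no, 0) + rr.qty_received

    result = MatchResult()
    invoiced_pos: set[str] = set()
    for inv in invs:
        reasons: list[str] = []
        po = po_by_no.get(inv.po_no)
        if po is None:
            reasons.append(f"no purchase order {inv.po_no}")
        else:
            invoiced_pos.add(inv.po_no)
            if po.vendor != inv.vendor:
                reasons.append(f"vendor {inv.vendor} differs from PO vendor {po.vendor}")
            if po.item != inv.item:
                reasons.append(f"item {inv.item!r} differs from PO item {po.item!r}")
            if abs(inv.unit_price - po.unit_price) > price_tolerance:
                reasons.append(f"unit price {inv.unit_price} differs from PO price {po.unit_price}")
            if inv.qty > po.qty:
                reasons.append(f"invoiced {inv.qty} exceeds {po.qty} ordered")
            received = received_by_po.get(inv.po_no, 0)
            if received == 0:
                reasons.append("no receiving report on file")
            elif inv.qty > received:
                reasons.append(f"invoiced {inv.qty} but only {received} received")
        if reasons:
            result.exceptions[inv.inv_no] = reasons
        else:
            result.approved.append(inv.inv_no)

    # Receiving reports whose PO has no invoice yet: goods received, liability not yet booked.
    result.unmatched_receipts = [rr.rr_no for rr in rrs if rr.po_no not in invoiced_pos]
    return result


def sample_match() -> MatchResult:
    """Run the match over a constructed month of purchasing records."""
    pos = [
        PurchaseOrder("PO-501", "Vendor A", "toner cartridge", 10, Decimal("1200.00")),
        PurchaseOrder("PO-502", "Vendor B", "copy paper", 50, Decimal("250.00")),
        PurchaseOrder("PO-503", "Vendor C", "desk lamp", 4, Decimal("800.00")),
    ]
    rrs = [
        ReceivingReport("RR-901", "PO-501", "toner cartridge", 10),
        ReceivingReport("RR-902", "PO-502", "copy paper", 40),   # short delivery
        ReceivingReport("RR-903", "PO-503", "desk lamp", 4),     # delivered, not yet invoiced
    ]
    invs = [
        VendorInvoice("INV-A1", "Vendor A", "PO-501", "toner cartridge", 10, Decimal("1200.00")),
        VendorInvoice("INV-B7", "Vendor B", "PO-502", "copy paper", 50, Decimal("255.00")),
        VendorInvoice("INV-X9", "Vendor X", "PO-999", "consulting", 1, Decimal("5000.00")),
    ]
    return three_way_match(pos, rrs, invs)


if __name__ == "__main__":
    r = sample_match()
    print("approved:", r.approved)                     # ['INV-A1']
    for inv_no, why in r.exceptions.items():
        print("held:", inv_no, "->", "; ".join(why))
    print("received but not invoiced:", r.unmatched_receipts)  # ['RR-903']
```

In the constructed data INV-A1 clears, INV-B7 is held for both a price variance and a quantity billed beyond what was received, INV-X9 is held because it cites no approved purchase order, and RR-903 surfaces as goods received without an invoice. The independence of the A/P function from purchasing, listed above, is what gives this check its value: the person running the match should not be the one able to create or alter the purchase orders it relies on.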
Definition of Fraud

• Fraud – an intentional act by one or more individuals among management, those
charged with governance, employees, or third parties, involving the use of
deception to obtain an unjust or illegal advantage

• Types of fraud:
• Fraudulent financial reporting
• Misappropriation of assets
• Corruption
Fraudulent Financial Reporting
Misappropriation of Assets
Elements of the Fraud Triangle

• Incentives or pressures to commit fraud

• Perceived opportunities

• Rationalizations
Control deficiency

• A control deficiency is (a) a missing control, or (b) an existing control that is not
designed properly, or is properly designed but is not operating effectively.

Two types of control deficiency:

• Deficiency in Design - A critical control is not properly designed.

• Deficiency in Operation - A critical control is designed properly but does not
perform in the intended manner.
Internal audit

• Internal audit - an independent and objective assurance service provided to
the company in the areas of operations, reporting, compliance, and finance

• Traditionally, internal auditors are employees of the company.

• Because of changes in organizational trends, the internal audit service is now
typically outsourced to outside accounting and audit firms.
Scope of internal audit work

• Operational audits - intended to ascertain whether management has conducted
business operations effectively and efficiently

• Compliance audits - intended to determine whether the company or any of its
departments adheres to prevailing laws and regulations

• Financial audits - focused on determining whether the company’s finance
function as well as its financial reports are accurate and reliable
Lesson Activities and/or Practice Exercises
Activity 1: Hard and soft controls

Go to your favorite grocery or supermarket. List at least 10 internal controls that the grocery or
supermarket is implementing. Classify the controls into hard controls and soft controls. Use the following
template:
Internal control Hard or soft control?
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Activity 2. Classifying controls into preventive, detective or
corrective
Classify internal control 1 through 10 into preventive, detective, or corrective controls.

Internal control                                                 Preventive, detective, or corrective?
1. Segregation of incompatible duties
2. Reconciliation procedures
3. Making adjustment entries in the records
4. Uninterruptible power supply (UPS)
5. Approval or authorization controls
6. Cash vaults and locks
7. Vendor accreditation process
8. Implementation of internal auditor’s recommendation on the
   improvement of processes
9. Conducting surprise cash counts
10. Confirmation of accounts receivable balances
Activity 3: Fraud risks classified as to fraud
triangle elements
Give at least five (5) examples of fraud risks categorized into pressures, opportunities, and
rationalizations. Use the following template:

Pressures Opportunities Rationalizations

1. 1. 1.

2. 2. 2.

3. 3. 3.

4. 4. 4.

5. 5. 5.
Conclusion:

• The business should apply a mix of controls, both entity-level controls and
specific transaction-level controls.

• Specific control activities are further categorized into preventive, detective, and
corrective controls.

• For documentation and reference purposes, the business must have an internal
control manual of procedures.

• Fraud is an intentional act by one or more individuals among management, those
charged with governance, employees, or third parties, involving the use of
deception to obtain an unjust or illegal advantage.

• Fraud is categorized into fraudulent financial reporting, asset misappropriation,
and corruption.

• To understand fraud, one must consider the elements of the fraud triangle, which
are incentives or pressures, perceived opportunities, and rationalizations.

• Internal audit, as an independent and objective assurance service, provides
improvements in the company’s operational, reporting, and compliance aspects.

• To add value to the company, internal auditors perform operational audits,
financial audits, and compliance audits.
References:

Meneses, Jesse Rey L. and Villaceran, Eugene V. 2022. Governance, Business
Ethics, Risk Management and Internal Control. Quezon City: Rex Book Store,
Inc.
The Committee of Sponsoring Organizations of the Treadway Commission. 1992.
Internal Control - Integrated Framework.