
Internal Controls

The topic of Internal Control consists of two parts:

 Internal Control – Corporate Governance, Risk and Compliance
 Internal Control – System Controls and Security Measures

Two of the most important elements of internal control that candidates need to
understand are segregation of duties and the components of internal control.

Internal Control – Corporate Governance , Risk and Compliance


Corporate Governance
Corporate governance includes all of the means by which businesses are directed and
controlled, including the rules, regulations, processes, customs, policies, procedures,
institutions and laws that affect the way the business is administered.

Corporate governance is a joint responsibility of the board of directors.

Corporate governance is also concerned with the ‘agency problem’. The agency problem
arises because the owners of the corporation (shareholders) and the managers of the
corporation (agents of the shareholders) are different people.

Corporate governance specifies the distribution of rights and responsibilities among the
various parties with conflicting priorities and concerns, in an effort to mitigate the ‘agency
problem’ and bring about congruence between the goals of the shareholders and the goals
of the agents, for example by tying managers’ bonuses to increases in the stock price held by
shareholders.

Corporate governance does not exist as a set of distinct and separate processes and
structures. It is interconnected with the company’s internal control and enterprise risk
management.

The internal audit activity serves as the “eyes and ears” of management and the audit
committee and thus has an important role in the governance function of the organization.

Corporate Governance formation :

A corporation is a legal entity created under the authority of a state statute.

A corporation is ordinarily treated as a legal person with rights and obligations separate from
its owners and managers.

Corporations are governed by shareholders (owners), who elect a board of directors and
approve fundamental changes in the corporate structure.

Directors establish corporate policies, adopt bylaws, and elect or appoint corporate officers,
who carry out the policies in the day-to-day management of the organization.

Incorporation may be in any state. Articles of incorporation must be filed with the secretary
of state or another designated official.

The articles must include:

 The corporation’s name (which must differ from the name of any corporation authorized
to do business in the state)
 The number of authorized shares of stock
 The street address of the corporation’s initial registered office
 The name of the registered agent at that office
 The name and address of each incorporator

Bylaws govern the internal structure and operation of the corporation:

 Initial bylaws are adopted by the incorporators or the board
 They may contain any provision for managing the business and regulating the
entity’s affairs that does not conflict with the law or the articles

Governance has two major components:

 Strategic direction – the board is the source of overall direction
 Oversight – the board holds ultimate responsibility for oversight

The board’s audit committee is responsible for promoting the independence of the external
and internal auditors and for making sure they are not influenced by management.

Management performs the day-to-day management function and also the risk management
function, by evaluating and monitoring risk and by creating a risk committee if needed.

Foreign Corrupt Practices Act, 1977

 This Act amends the Securities Exchange Act of 1934 by prohibiting companies, whether
or not they do business overseas and whether or not they are registered with the SEC,
from making any corrupt payments
 All public companies must make and keep books, records, and accounts in
reasonable detail that accurately and fairly reflect transactions and dispositions of
assets
 All public companies registered under the 1934 act must devise and maintain a
system of internal accounting control sufficient to provide reasonable assurance
regarding reporting and accountability of assets
 The anti-bribery provisions of the FCPA apply to all companies, regardless of
whether or not they are publicly traded
 The prohibition is against corrupt payments to a foreign official, a foreign political
party or party official, or any candidate for foreign political office only
 A corrupt payment is one that is intended to cause the recipient to misuse his or her
official position in order to wrongfully direct business to the payer, whether or not
the payment leads to the desired outcome

Sarbanes-Oxley Act, 2002

 It is a response to numerous financial reporting scandals involving large public
companies
 The act contains provisions that impose new responsibilities on issuers (public
companies) and their auditors. The act created the Public Company Accounting
Oversight Board (PCAOB), which establishes auditing standards for registered public
accounting firms to apply in their audits of issuers
 Each member of an issuer’s audit committee must be an independent member of the
board of directors
 The audit committee must have at least 3 independent members
 At least one member of the audit committee must be a financial expert
 Prohibited non-audit services. Section 201 prohibits an accounting firm from providing
most non-audit services to an audit client, because their provision creates a
fundamental conflict of interest for accounting firms; certain non-audit services, such
as tax services, are permitted if approved in advance by the client’s audit committee
 Audit partner rotation. Section 203 of the act requires the lead auditor and the
reviewing partner to be rotated off the audit so that the same individual is not
supervising a client’s audit for an extended period of time. The lead audit partner
cannot perform audit services for more than 5 consecutive fiscal years of the audit
client
 Auditor reports to audit committees. Section 204 requires the accounting firm to
report to the audit committee of the issuer
 Corporate responsibility of a public company. Section 302 requires periodic
statutory financial reports to include certifications by the CEO or CFO that the
report has been reviewed, that it neither contains any untrue statement nor omits any
material information, and that the signing officer is responsible for the financial
report and for internal controls
 Internal control report. Section 404 of the act requires management to establish
and document internal control procedures and to include in the annual report a
report on the company’s internal control over financial reporting
 Disclosure of audit committee financial expert. Section 207 requires each issuer of
publicly traded securities to disclose whether or not the company’s audit committee
includes at least one member who is a financial expert. If the audit committee
does not have at least one member who is a financial expert, the company must
state the reasons why not

Audit Approaches :

 Substantive procedures (bottom up) : A bottom-up approach is not risk based and
views all controls equally, and therefore tests a high number of controls instead of
focusing on high-risk controls, processes, and transactions
 Balance sheet approach : substantive procedures are performed on balance sheet
accounts, with only limited procedures applied
 Systems based : Auditors assess the effectiveness of the internal controls and then
perform substantive procedures primarily on accounts that are least likely to meet
systems objectives
 Risk based (top down) : Audit of the appropriate financial statement assertions based
on the auditor’s assessment of the risk of material misstatement. Auditors identify
the key day-to-day risks faced by a business, consider the effect these risks could
have on the financial statements, and plan their audit procedures accordingly

Audit Opinions : An external auditor may express four types of audit opinion in audit
reports on financial statements

 Unmodified (unqualified) opinion : the financial statements are presented fairly, in all
material respects
 Qualified opinion : the financial statements are presented fairly except for the matter
described. Misstatements are material but not pervasive (the misstatements are not
significant enough to cause the statements as a whole to be misleading)
 Adverse opinion : the financial statements are severely misstated and misleading as a
whole; misstatements are material and pervasive
 Disclaimer of opinion : used when the auditor has not been able to gather enough
information on the financial statements to express an opinion

Risk and Compliance

Every organization faces risks, that is, unforeseen obstacles to the pursuit of its objectives.
Risks take many forms and can originate from inside or outside the organization.

Risk assessment is the process whereby management identifies the organization’s
vulnerabilities.

All systems of internal control involve tradeoffs between cost and benefit. For this reason,
no system of internal control can be said to be “100% effective.” Organizations accept the
fact that risk can only be mitigated, not eliminated.

Risk management is the ongoing process of designing and operating internal controls that
mitigate the risks identified in the organization’s risk assessment.

Risk can be quantified as a combination of two factors: the severity of the consequences and
the likelihood of occurrence. The expected value of a loss due to a risk exposure can thus be
stated numerically as the product of the two factors.

In the audit risk model, audit risk is defined as the risk that an auditor may express an
inappropriate opinion on materially misstated financial statements. The model may be
adapted to the system of internal control as follows:

1) Inherent risk (IR) is the susceptibility of one of the company’s objectives to obstacles
arising from the nature of the objective, assuming no related internal controls. For example,
a uranium mine is inherently riskier than a shopping mall.

2) Control risk (CR) is the risk that the controls put in place will fail to prevent an obstacle
from interfering with the achievement of the objective. For example, a policy requiring two
approvals for expenditures over a certain dollar amount could be bypassed by collusion.

3) Detection risk (DR) is the risk that an obstacle to an objective will not be detected before
a loss has occurred. For example, an embezzlement that continues for a year before
detection is much costlier than one that is discovered after 1 month.

4) Total audit risk (TR) may thus be stated as follows : TR = IR × CR × DR

The Committee of Sponsoring Organizations (COSO) was formed in 1985 to guide efforts to
articulate and improve accounting controls.

The COSO Internal Control Framework helps companies visualize three dimensions of internal
control. The 3 dimensions of internal control are:

1- Why internal control (Objectives of Internal Control)

 Operations : entity mission (financial performance, productivity, quality,
innovation, customer satisfaction) and safeguarding of assets
 Reporting : reliable, timely and transparent financial and non-financial information
 Compliance : laws, rules and regulations

2- What is internal control (Components of Internal Control)

 Control environment : ethical values, integrity, corporate culture; establishes
structure, reporting lines, authority and accountability
 Risk assessment : risk analysis of transaction-level risk and entity-level risk (internal
and external)
 Control activities : developing activities that can reduce risk to an acceptable level;
preventive and detective controls
 Information and communication : communicating information internally and also with
external parties
 Monitoring : evaluating and looking after internal controls and communicating
deficiencies

3- Where to have internal controls (Different parts of the organization require different
controls. Thus, companies should consider appropriate controls at each of the following
levels)

 Organization-wide (entity level)
 Division level
 Operating unit
 Function (accounting, marketing, IT)

Roles and Responsibilities Regarding Internal Control :

 Board of Directors and committees
 Senior management
 Internal auditors
 Other entity personnel
 External auditors
 Legislatures and regulators
 Parties interacting with the entity
 Financial analysts, other agencies and news media
 Outsourced service providers

Flow Charting : A flowchart is the representation of a process using pictorial symbols and is
useful in understanding, evaluating, and documenting internal control and systems
development. Flowcharts provide a visual of the various steps of a process from beginning to
end and assist with identifying strengths and weaknesses in internal controls.

Flowcharting symbols represent process end points and connectors, processes, and inputs
and outputs. Flowcharts may be vertical (top to bottom) or horizontal (a system flowchart
showing activities and documents flowing back and forth between departments).

PCAOB Approach :

 One of the requirements of the Sarbanes-Oxley Act is that the annual financial
statement audit also address the firm’s system of internal control over financial
reporting
 The PCAOB standard “An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements” provides guidance when these two
audits are integrated
 It requires the external auditor to express an opinion on both the system of internal
control over financial reporting and the fair presentation of the financial statements
 The auditor should use a top-down (risk-based) approach to audit internal controls
over financial reporting. Under the top-down approach, the auditor begins at the
financial statement level, focusing on entity-level controls, and then works down to
significant accounts and disclosures and their relevant assertions
 Auditors have to focus on the existence of material weaknesses in internal control

Internal Control – System Controls and Security Measures

The control process includes establishing standards, measuring performance, analysing
deviations, taking corrective action, and reappraising the standards based on experience.

An evaluation and reward system encourages compliance with the control system.

Types of Controls

Primary Controls :

 Preventive control – stops problems before they occur, e.g. storing petty cash in a safe
 Detective control – alerts after a problem has been detected, e.g. installing an alarm
 Corrective control – corrects the negative effect, e.g. isolating and removing a virus
 Directive control – encourages or causes the occurrence of a desirable event

Secondary Controls :

 Compensatory (mitigative) control – reduces risk when a primary control did not work
 Complementary control – works together with other controls to reduce risk

Time Based :

 Feedback – control after the activity is done, with improvement in the future, e.g.
inspection of completed goods
 Concurrent – ongoing control
 Feedforward – anticipates and prevents problems, e.g. a long-term perspective,
organization policies and procedures

Financial VS Operating Control :

People based VS System based Control :

Information System Control – General Control & Application Control :

Control Activities :

 Segregation of duties – authority to execute transactions, recordkeeping of the
transactions, custody of the assets affected by the transactions, and periodic
reconciliation of the existing assets to the recorded amounts should be separated
 Independent check and verification – the general ledger function performing a monthly
reconciliation is an independent check on the treasury function; confirmation of
accounts receivable
 Safeguarding control – lock-based system for collecting cash
 Pre-numbered forms – purchase order forms in the sales department
 Specific document flow – tracing (following a transaction forward from the source
document to the records) and vouching (following a recorded result backward to its
source document)
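The four duty categories above (authorization, recordkeeping, custody, reconciliation) are easiest to test by listing who holds what permission and flagging anyone who combines two categories in one process. The following is an added example, not from these notes; the permission names, processes and user assignments are constructed for illustration.

```python
"""Segregation-of-duties conflict check over constructed role assignments.

A person who can authorize, record, hold custody of, or reconcile the same
class of transactions in two or more of those capacities is flagged.
Permission names, processes and users below are constructed examples.
"""
from collections import defaultdict

# Constructed map: permission -> (business process, duty category)
PERMISSION_DUTY = {
    "ap.approve_invoice":  ("payables", "authorization"),
    "ap.enter_invoice":    ("payables", "recordkeeping"),
    "ap.release_payment":  ("payables", "custody"),
    "ap.reconcile_vendor": ("payables", "reconciliation"),
    "ar.approve_credit":   ("receivables", "authorization"),
    "ar.post_receipt":     ("receivables", "recordkeeping"),
    "ar.handle_cash":      ("receivables", "custody"),
    "ar.reconcile_ledger": ("receivables", "reconciliation"),
}

def find_sod_conflicts(assignments):
    """Return {user: {process: sorted duty categories}} for every user whose
    permissions cover two or more duty categories within one process.
    assignments: {user: iterable of permission names}; permissions not in
    PERMISSION_DUTY carry no duty classification and are ignored."""
    conflicts = {}
    for user, perms in assignments.items():
        duties = defaultdict(set)
        for perm in perms:
            if perm in PERMISSION_DUTY:
                process, duty = PERMISSION_DUTY[perm]
                duties[process].add(duty)
        bad = {proc: sorted(d) for proc, d in duties.items() if len(d) >= 2}
        if bad:
            conflicts[user] = bad
    return conflicts

def needs_independent_reconciliation(conflicts):
    """(user, process) pairs combining custody with recordkeeping: the
    classic embezzlement pattern, which an independent reconciliation by
    someone else is the usual compensating control for."""
    flagged = []
    for user, procs in conflicts.items():
        for proc, duties in procs.items():
            if {"custody", "recordkeeping"} <= set(duties):
                flagged.append((user, proc))
    return sorted(flagged)

# Constructed sample assignments
SAMPLE = {
    "alice": ["ap.enter_invoice", "ar.post_receipt"],        # recordkeeping only
    "bob":   ["ap.enter_invoice", "ap.release_payment"],     # records and pays
    "carol": ["ar.approve_credit", "ar.reconcile_ledger"],   # approves and reconciles
    "dave":  ["ap.reconcile_vendor", "hr.view_directory"],   # unknown perm ignored
}

if __name__ == "__main__":
    for user, procs in find_sod_conflicts(SAMPLE).items():
        print(user, procs)
```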
Information Security :

Goals of Information Security

 Availability
 Confidentiality
 Integrity

Steps in creating an information security plan :

 Threats to an organization’s information must be identified
 The risk that each identified threat entails (its likelihood) must be determined
 Controls that will compensate for the identified risk should be designed
 The new controls should be incorporated into the enterprise-wide information security
plan
 Policies must be established regarding who will have access to the organization’s
systems

Threats to Information Systems :

 Input manipulation – intrusion into the system by exploiting a vulnerability
 Program alteration – deliberate changing of the processing routines of an application
program
 Direct file alteration – direct changing of data in a database
 Data theft – copying of critical data from databases
 Sabotage – disruption of the system simply for revenge
 Malware – all harmful software, including everything in this list
 Viruses – replicate themselves from one computer to another, slowing the computer
down and even causing loss of data
 Logic bombs – like a virus in destroying data, but cannot replicate, so they remain in
one computer
 Worms – do not threaten data but can replicate rapidly and create traffic on the server
 Trojan horse – voluntarily installed on the computer by the user because it is disguised
as a program the user intends to install
 Back doors – obtaining access to a system while bypassing the usual password
controls
 Spyware – spies on the user without his or her knowledge and collects data such as a
history of keystrokes, through key logger software
 Ransomware – holds a file or computer hostage and demands a ransom in return for
disclosing the weak spot
 Theft – physical theft of laptops and other hardware
 Phishing – an attempt to acquire sensitive information by pretending to be a trusted
source

System Development Control :

Effective system development requires the setting of priorities, which is achieved through a
steering committee composed of both IT and end-user functions.

Controls apply during the development, design and implementation of the system. Only
programmers should be allowed to perform programming duties (neither the systems analyst
nor the operator).

The operator should not have custody of files; only the librarian should.

Physical Control :

Achieved by limiting physical access and environmental damage.

Access control : passwords and ID numbers, system access logs, encryption, call-back,
automatic log-off, biometric technology

Environmental control : the facility should have proper cooling and heating systems and a
fire suppression system

Logical Control :

Authentication – only authorized persons, through the use of an ID and password

Authorization – each user gets only the information related to his or her job responsibility

Input, Processing and Output Control :

Input control – data submitted should be authorized, complete and accurate, ensured by
preformatting, edit checks, limit checks, check digits, prompting (asking questions), batch
totals, hash totals and record counts
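As an added example (not from these notes), the input controls just listed can be applied to a batch of keyed-in payment records: a check digit on the account number, a limit check on the amount, and a record count, batch total and hash total compared against a control slip prepared separately. The record layout, the limit, the control-slip values and the use of a mod-10 (Luhn) check digit are assumptions of this example.

```python
"""Input-control checks over a constructed batch of payment records: a mod-10
(Luhn) check digit on the account number, a limit check on the amount, and a
record count, batch total and hash total compared against a control slip.
Record layout, limit and control-slip values are assumptions of this example."""

LIMIT = 10000.0  # assumed per-record amount limit

def luhn_valid(number: str) -> bool:
    """Check digit: the Luhn sum of all digits must be divisible by 10."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_check(rec: dict, limit: float = LIMIT) -> list:
    """Field-level edit checks; returns a list of errors (empty means clean)."""
    errors = []
    if not luhn_valid(str(rec.get("account", ""))):
        errors.append("account check digit failed")
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)):
        errors.append("amount not numeric")
    elif amount <= 0:
        errors.append("amount must be positive")
    elif amount > limit:
        errors.append(f"amount exceeds limit {limit}")
    return errors

def validate_batch(records: list, control_slip: dict, limit: float = LIMIT) -> dict:
    """Recompute the batch controls, compare them with the control slip that was
    keyed in separately, and run edit checks on every record."""
    computed = {
        "record_count": len(records),
        "batch_total": round(sum(r["amount"] for r in records), 2),
        # hash total: a meaningless sum that still detects lost or altered records
        "hash_total": sum(int(r["account"]) for r in records if str(r["account"]).isdigit()),
    }
    mismatches = {k: (control_slip.get(k), v) for k, v in computed.items()
                  if control_slip.get(k) != v}
    rejected = {}
    for r in records:
        errs = edit_check(r, limit)
        if errs:
            rejected[r["id"]] = errs
    return {"computed": computed, "mismatches": mismatches,
            "rejected": rejected, "accepted": not mismatches and not rejected}

# Constructed batch: record 3 has a bad check digit, record 4 exceeds the limit
RECORDS = [
    {"id": 1, "account": "1230", "amount": 250.00},
    {"id": 2, "account": "4564", "amount": 1200.50},
    {"id": 3, "account": "7890", "amount": 99.99},
    {"id": 4, "account": "7898", "amount": 25000.00},
]
CONTROL_SLIP = {"record_count": 4, "batch_total": 26550.49, "hash_total": 21582}
```

Run `validate_batch(RECORDS, CONTROL_SLIP)` to see the totals agree with the slip while two records are still rejected by the edit checks.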

Processing control – all data submitted for processing is processed, and only approved data
is processed; ensured by validation, arithmetic checks and sequence checks

Output control – assurance that processing was complete and accurate; an audit trail and an
error listing should be provided and checked

Computer Assisted Audit Techniques :

Auditing around the computer – checking data manually and comparing it with the
computer-processed result

Auditing through the computer –

 Processing test data
 Parallel simulation
 Generalized audit software
 Data extraction techniques
 Integrated test facility
 Application tracing
 System mapping
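The document-flow tests named under Control Activities (tracing forward, vouching backward) and the sequence check named under processing controls are what generalized audit software and data extraction techniques automate. The following is an added example, not from these notes: the shipping documents, journal entries, document numbers and amounts are constructed so that each test finds one exception.

```python
"""Generalized-audit-software style document-flow tests on constructed data:
tracing pre-numbered shipping documents forward into the sales journal
(completeness), vouching journal entries backward to a shipping document
(occurrence and accuracy), and a sequence check on the pre-numbered forms.
All document numbers, amounts and field names are constructed for this example."""

SHIPPING_DOCS = [   # constructed source documents (pre-numbered forms)
    {"doc_no": 1001, "customer": "C-1", "amount": 500.00},
    {"doc_no": 1002, "customer": "C-2", "amount": 1250.00},
    {"doc_no": 1003, "customer": "C-3", "amount": 80.00},
    {"doc_no": 1005, "customer": "C-1", "amount": 300.00},   # 1004 never issued or lost
    {"doc_no": 1005, "customer": "C-1", "amount": 300.00},   # duplicate form number
]

SALES_JOURNAL = [   # constructed recorded transactions
    {"entry": "J1", "doc_no": 1001, "amount": 500.00},
    {"entry": "J2", "doc_no": 1002, "amount": 1520.00},   # digits transposed on entry
    {"entry": "J3", "doc_no": 1005, "amount": 300.00},
    {"entry": "J4", "doc_no": 1009, "amount": 900.00},    # no shipping document exists
]

def sequence_check(docs):
    """Gaps and duplicates in the pre-numbered form sequence."""
    nums = sorted(d["doc_no"] for d in docs)
    present = set(nums)
    gaps = [n for n in range(nums[0], nums[-1] + 1) if n not in present]
    dups = sorted({n for n in nums if nums.count(n) > 1})
    return {"gaps": gaps, "duplicates": dups}

def trace_forward(docs, journal):
    """Tracing (completeness): source documents that never reached the journal."""
    recorded = {j["doc_no"] for j in journal}
    return sorted({d["doc_no"] for d in docs} - recorded)

def vouch_backward(docs, journal):
    """Vouching (occurrence, accuracy): journal entries with no supporting
    document, or whose amount differs from the document."""
    by_doc = {d["doc_no"]: d for d in docs}
    exceptions = []
    for j in journal:
        src = by_doc.get(j["doc_no"])
        if src is None:
            exceptions.append((j["entry"], "no supporting document"))
        elif abs(src["amount"] - j["amount"]) > 0.005:
            exceptions.append((j["entry"], f"amount {j['amount']} vs document {src['amount']}"))
    return exceptions

if __name__ == "__main__":
    print(sequence_check(SHIPPING_DOCS))
    print("unrecorded shipments:", trace_forward(SHIPPING_DOCS, SALES_JOURNAL))
    print("unsupported entries:", vouch_backward(SHIPPING_DOCS, SALES_JOURNAL))
```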

Storage Control :

Data should be stored on two separate physical devices.

Cloud computing – lower infrastructure cost is its advantage, but it offers less control.

Security Measures and Business Continuity Planning :

Inherent Risk of Internet :

Use of Data Encryption :

Firewalls :

Routine backup and Offsite Rotation :

Business Continuity Planning :
