Control and Audit System

AQ016-3-3
INTERNAL CONTROL SYSTEM

The COSO* Definition of

Internal Control
Internal control is a process, effected by an
entitys board of directors, management, and
other personnel, designed to provide reasonable
assurance
regarding
the
achievement
of
objectives in the following categories:

Effectiveness and efficiency of operations

Reliability of financial reporting
Compliance with applicable laws and regulations

* Committee Of Sponsoring Organizations of the Treadway

Commission

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Simple Definition
Internal control is what we do to see that
the things we want to happen will happen

And the things we dont want to happen

wont happen.
AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Internal Controls Are

Common Sense
What do you worry about going wrong?
What steps have been taken to assure it
doesnt?
How do you know things are under
control?

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Internal Controls are everywhere:

You exercise internal control principles in your
personal life when you:
Lock your house when you leave
Keep copies of important papers in your safety
deposit box
Balance your checkbook
Keep your ATM/debit card PIN number separate
from your card
Make travel plans

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Objectives of Internal
Controls

Strategic high-level goals and objectives, aligned

with and supporting the mission.
Operational effective and efficient use of
resources.
Reporting integrity and reliability of reporting.
Compliance compliance with applicable laws and
regulations.
Stewardship protection and conservation of
assets.

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Business analysis, program

design or
think C.A.R.E.S.

Compliance with applicable laws and regulations.

Accomplishment of the entitys mission
(objectives and goals).

Relevant and reliable financial reporting.

Effective and efficient operations.

Safeguarding of assets.

Can anyone think of anything in the Public

Service that is not impacted by internal controls?

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

The big picture

Internal controls are a key component to Enterprise Risk
Management (ERM)
a process, effected by an entitys board of directors, management and
other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.

The Provincial government has embraced a risk based

approach through all aspects of its operations

AQ016-3-3-CAS

Results based plans

Transfer Payment Accountability Directive
Quarterly risk reporting
Certificate of Assurance and Audit
Accountability and Transparency (Accountability Directive FAA, FTAA etc.)

INTERNAL CONTROL SYSTEM

Weak Internal Controls

Increase Risk Through

Business Interruption - system breakdowns or catastrophes,

excessive re-work to correct for errors.

Erroneous Management Decisions - based on erroneous,

inadequate or misleading information.

Fraud, Embezzlement and Theft -by management,

employees, customers, vendors, or the public-at-large.

Statutory Sanctions- penalties arising from failure to comply

with regulatory requirements, as well as overt violations.
Excessive Costs/Deficient Revenues - expenses which could
have been avoided, as well as loss of revenues to which the
organization is entitled.
Loss, Misuse or Destruction of Assets -unintentional loss of
physical assets such as cash, inventory, and equipment.

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

But too much of a good thing.

When looking at controls

More is not necessarily better

Controls that do not work together leaving holes
Cost of duplicated or inefficient controls.
Controls that do not align with the importance of the risks

Complex and poorly implemented controls

Not understood or followed
Inconsistently applied
Control effectiveness can degrade over time

No value for money

Controls cost money
Duplication of ineffective controls do not provide benefits

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

COSOS Internal Control

Framework
Five Inter-Related Standards:
Monitoring

Risk
Assessment

Control
Environment
Information &
Communication

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Control
Activities

1. Control Environment

Foundation for all other standards of internal

control.
Pervasive influence on all the decisions and
activities of an organization.
Effective organizations set a positive tone at
the top.
Factors include the integrity, ethical values and
competence of employees, and, managements
philosophy & operating style.
Examples of soft controls:

AQ016-3-3-CAS

Management philosophy
Organizational structure
Communication
Competency of employees
INTERNAL CONTROL SYSTEM

Public Service of Ontario Act

(PSOA)
The following are the purposes of this Act:
1. To ensure that the public service of Ontario is effective in serving the
public, the government and the Legislature.
2. To ensure that the public service of Ontario is non-partisan, professional,
ethical and competent.
3. To set out roles and responsibilities in the administration of the public
service of Ontario.
4. To provide a framework in law for the leadership and management of the
public service of Ontario.
5. To set out rights and duties of public servants concerning ethical conduct.
6. To set out rights and duties of public servants concerning political activity.
7. To establish procedures for the disclosure and investigation of
wrongdoing in the public service of Ontario and to protect public servants
who disclose wrongdoing from reprisals.

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

2. Risk Assessment

Risks are internal & external events (economic

conditions, staffing changes, new systems,
regulatory changes, natural disasters, etc.) that
threaten the accomplishment of objectives.
Risk assessment is the process of identifying,
evaluating, and deciding how to manage these
events What is the likelihood of the event
occurring? What would be the impact if it were to
occur? What can we do to prevent or reduce the
risk?

Have any of you been through a risk

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

3. Control Activities

Tools - policies, procedures, processes -designed

and implemented to help ensure that management
directives are carried out.
Help prevent or reduce the risks that can impede
the accomplishment of objectives.
Occur throughout the organization, at all levels,
and in all functions.
Includes training, approvals, authorizations,
verifications, reconciliations, security of assets,
reviews of operating performance, and segregation
of duties.
Types of Controls

AQ016-3-3-CAS

Preventative
Detective
INTERNAL CONTROL SYSTEM

4. Communication and
Information

AQ016-3-3-CAS

Pertinent information must be captured, identified

and communicated on a timely basis.
Effective information and communication systems
enable the organizations people to exchange the
information needed to conduct, manage, and
control its operations.

INTERNAL CONTROL SYSTEM

5. Monitoring
Internal control systems must be monitored to
assess their effectiveness Are they operating as
intended?
Ongoing monitoring is necessary to react
dynamically to changing conditionsHave
controls become outdated, redundant, or
obsolete?
Monitoring occurs in the course of everyday
operations, it includes regular management &
supervisory activities and other actions personnel
take in performing their duties.
Periodic testing can be done by the process
owner, internal audit and external audit.

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Benefits from Strong Internal

Controls

AQ016-3-3-CAS

Reducing and preventing errors in a costeffective manner.

Ensuring priority issues are identified and
addressed.
Protecting employees & resources.
Providing appropriate checks and
balances.
Having more efficient audits, resulting in
shorter timelines, less testing, and fewer
demands on staff.
INTERNAL CONTROL SYSTEM

Effective Internal
Controls

Make sense within each organizations

unique operating environment.

Benefit rather than encumber

management.

Are not stand-alone practices; they are

woven into day-to-day responsibilities.

Are cost-effective.

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Important Concepts

Internal control is a process;

it is a means to an end, not an end itself.

Internal control is effected by people; its

not merely policy manuals and forms but
people at every level of an organization.

Internal control can be expected to only

provide reasonable assurance, not
absolute assurance.

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Five Key Internal Control

Activities

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

1. Separation of Duties

AQ016-3-3-CAS

Divide responsibilities between different

employees so one individual doesnt
control all aspects of a transaction.
Reduce the opportunity for an employee to
commit and conceal errors (intentional or
unintentional) or perpetrate fraud.

INTERNAL CONTROL SYSTEM

2. Documentation
Document & preserve evidence to
substantiate:
Critical decisions and significant
events...typically involving the use,
commitment, or transfer of resources.
Transactionsenables a transaction to be
traced from its inception to completion.
Policies & Proceduresdocuments which
set forth the fundamental principles and
methods that employees rely on to do
their jobs.

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

3. Authorization & Approvals

AQ016-3-3-CAS

Management documents and

communicates which activities require
approval, and by whom, based on the level
of risk to the organization.
Ensure that transactions are approved and
executed only by employees acting within
the scope of their authority granted by
management.

INTERNAL CONTROL SYSTEM

4. Security of Assets

AQ016-3-3-CAS

Secure and restrict access to equipment,

cash, inventory, confidential information,
etc. to reduce the risk of loss or
unauthorized use.
Perform periodic physical inventories to
verify existence, quantities, location,
condition, and utilization.
Base the level of security on the
vulnerability of items being secured, the
likelihood of loss, and the potential impact
should a loss occur.
INTERNAL CONTROL SYSTEM

5. Reconciliation & Review

Examine transactions, information, and

events to verify accuracy, completeness,
appropriateness, and compliance.
Base level of review on materiality, risk,
and overall importance to organizations
objectives.
Ensure frequency is adequate enough to
detect and act upon questionable
activities in a timely manner.

Timing of reconciliations and monitoring

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Today, tomorrow and the next day

Think about C.A.R.E.S. when ever you are
providing analysis or developing policies or
implementing programs
Beware of the pitfalls more is not always
better, controls must be maintainable
Think about the things that worry you in your job
and try to think of how internal controls could
help elevate your worry.

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

Next topic :
Internal Control in Planning

AQ016-3-3-CAS

INTERNAL CONTROL SYSTEM

28