Internal Control

C C Chavez
Internal Control Definition
 Internal control is broadly defined as a
process, effected by an entity's board of
trustees, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives
relating to operations, reporting and
compliance.
Control Objectives
 Operations Objectives – Effectiveness and
efficiency of operations including operational and
financial performance goals, and safeguarding
assets against loss.
 Reporting Objectives – Internal and external
financial and non-financial reporting goals,
encompassing reliability, timeliness, transparency
or other terms of regulators, recognized standard
setters or the entity’s policies.
 Compliance Objectives – adherence to laws and
regulations to which the entity is subject.
 Five framework components
 Control environment: The control environment sets the tone of an
organization, influencing the control consciousness of its people. It is
the foundation for all other components of internal control, providing
discipline and structure. Control environment factors include the
integrity, ethical values, management's operating style, delegation of
authority systems, as well as the processes for managing and
developing people in the organization.
 Risk assessment: Every entity faces a variety of risks from external
and internal sources that must be assessed. A precondition to risk
assessment is establishment of objectives and thus risk assessment is
the identification and analysis of relevant risks to the achievement of
assigned objectives. Risk assessment is a prerequisite for determining
how the risks should be managed.
 Control activities: Control activities are the policies and procedures
that help ensure management directives are carried out. They help
ensure that necessary actions are taken to address the risks that may
hinder the achievement of the entity's objectives. Control activities
occur throughout the organization, at all levels and in all functions.
They include a range of activities as diverse as approvals,
authorizations, verifications, reconciliations, reviews of operating
performance, security of assets and segregation of duties.
Information and communication: Information systems play a key
role in internal control systems as they produce reports, including
operational, financial and compliance-related information, that
make it possible to run and control the business. In a broader
sense, effective communication must ensure information flows
down, across and up the organization. For example, formalized
procedures exist for people to report suspected fraud. Effective
communication should also be ensured with external parties,
such as customers, suppliers, regulators and shareholders about
related policy positions.
Monitoring: Internal control systems need to be monitored—a
process that assesses the quality of the system's performance
over time. This is accomplished through ongoing monitoring
activities or separate evaluations. Internal control deficiencies
detected through these monitoring activities should be reported
upstream and corrective actions should be taken to ensure
continuous improvement of the system.
 Effective Internal Control and Limitations
of the ICCF
 ICCF COSO_Executive_Summary_final_may20_e.pdf
Cadbury Committee on ICS
Responsibilities

The board of directors is responsible for the company's system of internal control. It should set
appropriate policies on internal control and seek regular assurance that will enable it to satisfy
itself that the system is functioning effectively. The board must further ensure that the system of
internal control is effective in managing those risks in the manner which it has approved.

In determining its policies with regard to internal control, and thereby assessing what constitutes
a sound system of internal control in the particular circumstances of the company, the board's
deliberations should include consideration of the following factors:
• the nature and extent of the risks facing the company;
• the extent and categories of risk which it regards as acceptable for the company to bear;
• the likelihood of the risks concerned materialising;

• the company's ability to reduce the incidence and impact on the business of risks that do

materialise; and
• the costs of operating particular controls relative to the benefit thereby obtained in managing

the related risks.

  It is the role of management to implement board policies on risk
and control. In fulfilling its responsibilities management should
identify and evaluate the risks faced by the company for
consideration by the board and design, operate and monitor a
suitable system of internal control which implements the policies
adopted by the board.
 
 All employees have some responsibility for internal control as part
of their accountability for achieving objectives. They, collectively,
should have the necessary knowledge, skills, information, and
authority to establish, operate and monitor the system of internal
control. This will require an understanding of the company, its
objectives, the industries and markets in which it operates, and
the risks it faces.
Elements of a sound system of internal control
 An internal control system encompasses the policies, processes,
tasks, behaviours and other aspects of a company that, taken
together:
 facilitate its effective and efficient operation by enabling it to

respond appropriately to significant business, operational,

financial, compliance and other risks to achieving the company's
objectives. This includes the safeguarding of assets from
inappropriate use or from loss and fraud and ensuring that
liabilities are identified and managed;
 help ensure the quality of internal and external reporting. This

requires the maintenance of proper records and processes that

generate a flow of timely, relevant and reliable information from
within and outside the organisation;
 help ensure compliance with applicable laws and regulations, and

also with internal policies with respect to the conduct of business.

A company's system of internal control will reflect its control
environment which encompasses its organisational structure. The
system will include:
• control activities;
• information and communications processes; and
• processes for monitoring the continuing effectiveness of the system
of internal control.
The system of internal control should:
• be embedded in the operations of the company and form part of its
culture;
• be capable of responding quickly to evolving risks to the business
arising from factors within the company and to changes in the business
environment; and
• include procedures for reporting immediately to appropriate levels of
management any significant control failings or weaknesses that are
identified together with details of corrective action being undertaken.
A
 sound system of internal control reduces, but cannot eliminate, the
possibility of poor judgement in decision-making; human error; control
processes being deliberately circumvented
by employees and others; management overriding controls; and the
occurrence of unforeseeable circumstances. 
A
 sound system of internal control therefore provides reasonable, but
not absolute, assurance that a company will not be hindered in achieving
its business objectives, or in the orderly and legitimate conduct of its
business, by circumstances which may reasonably be foreseen.
A
 system of internal control cannot, however, provide protection with
certainty against a company failing to meet its business objectives or all
material errors, losses, fraud, or breaches of laws or regulations.

 
 Fraud and Internal Audit
The Institute of Internal Auditors’ (IIA’s) IPPF defines fraud as:
 “Any illegal act characterized by deceit, concealment, or violation of

trust. These acts are not dependent upon the threat of violence or
physical force. Frauds are perpetrated by parties and organizations
to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.”

Another definition of fraud from the publication “Managing

the Business Risk of Fraud: A Practical Guide,” sponsored
by The IIA, the American Institute of Certified Public
Accountants, and the Association of Certified Fraud
Examiners, states:
“Fraud is any intentional act or omission designed to deceive
others, resulting in the victim suffering a loss and/or the
perpetrator achieving a gain.”

Frauds are characterized by intentional deception or misrepresentation.

This practice guide may refer to certain actions as “fraud,” which may also
be legally defined and/or commonly known as corruption.
 Fraud Awareness
 Increased levels of fraud, a heightened regulatory environment, and p
ointed questions from internal and external auditors and boards of dir
ectors have caused companies to increase vigilance in their efforts to a
ddress fraud.

 Even amidst a culture of heightened awareness, however, an organizati

on may be the victim of fraud and yet be unaware of this reality. Frau
dulent schemes are often ongoing crimes that can last for months or ev
en years before detection, making it difficult to measure the losses asso
ciated with fraud.

 Many fraud schemes are not publicized or even detected, making it dif
ficult to measure the losses associated with fraud.

 Fraud losses that are known and confirmed make clear that the cost is
high. The true cost of fraud, however, is even higher than just the loss
of money, given its impact on time, productivity, reputation, and custo
mer relationships.
Internal Audit Responsibilities During Audit Engagement

Internal auditors evaluate risks faced by their organizations based on audit

plans with appropriate testing.
Internal auditors need to be alert to the signs and possibilities of fraud
within an organization.
While external auditors focus on misstatements in the financial statements
that are material, internal auditors are often in a better position to detect
the symptoms that accompany fraud.
Internal auditors usually have a continual presence in the organization
that provides them with a better understanding of the organization and its
control systems.
Specifically, internal auditors can assist in the deterrence of fraud by
examining and evaluating the adequacy and the effectiveness of internal
controls.
In addition, they may assist management in establishing effective fraud
prevention measures by knowing the organization’s strengths and
weaknesses and providing consulting expertise.
 The importance an organization attaches to its internal audit
activity is an indication of the organization’s commitment to
effective internal control and fraud risk management.
 The internal auditor’s roles in relation to fraud risk
management could include:
 initial or full investigation of suspected fraud,
 root cause analysis and control improvement
recommendations,
 monitoring of a reporting/ whistleblower hotline,
 and providing ethics training sessions.
 If assigned such duties, internal auditing has a responsibility to
obtain sufficient skills and competencies, including knowledge
of fraud schemes, investigation techniques, and laws.
 Internal auditors may conduct proactive auditing to search for
misappropriation of assets and information
misrepresentation.
 This may include the use of computer-assisted audit
techniques, including data mining, to detect particular types
of fraud.
 Internal auditors also can employ analytical and other
procedures to find unusual items and perform detailed
analyses of high-risk accounts and transactions to identify
potential fraud.
 At the appropriate time when enough information has been
obtained, the CAE should keep senior management and the
audit committee informed of special investigations in-
progress and completed.
External Auditors
The
 organization’s external auditors have a responsibility to comply with
professional standards and to plan and perform the audit of the organization’s
financial statements to obtain reasonable assurance about whether the financial
statements are free of material misstatement and whether the misstatements
were caused by error or fraud.
Whenever
 the external auditor has determined there is evidence that fraud may
exist, the external auditor’s professional standards typically require that the
matter be brought to the attention of an appropriate level of management.
The
 external auditor typically reports fraud involving senior management directly
to those charged with governance (e.g., the audit committee).