
CHAPTER 5
CONTROL FRAMEWORKS

INTERNAL CONTROL FRAMEWORKS

These are structures that organize, categorize, and sometimes prioritize
an organization's internal controls. By definition, internal controls are
practices put in place to create value for stakeholders and minimize
risks, so frameworks make it easier to manage these competing demands and
evaluate the results more systematically.
There are several control frameworks in use, and they are usually
implemented voluntarily as a means to improve business results:

◾ COSO's Internal Control Integrated Framework (ICIF) is arguably the
most widely known internal control framework in the world.
◾ IT controls are a subset of internal controls related to information
technology (IT). IT control frameworks include: Control Objectives for
Information and Related Technology (COBIT), the International
Organization for Standardization (ISO) 17799 (since renumbered and
revised as ISO/IEC 27002), and the Information Technology Infrastructure
Library (ITIL).
◾ The Capability Maturity Model Integration (CMMI) is widely used in
project management, process assessment, and performance improvement
environments.

COSO, the Committee of Sponsoring Organizations of the Treadway
Commission, is a private sector initiative formed in 1985 to sponsor the
National Commission on Fraudulent Financial Reporting. Its goal was to
improve the quality of financial reporting through a focus on corporate
governance, ethical practices, and internal control.
The COSO Framework contains 17 principles representing the fundamental
concepts associated with each of its components. COSO states that an
entity can achieve effective internal control by applying all of the
principles, which apply to operations, reporting, and compliance
objectives.
The COSO Framework is typically represented in the form of a cube showing
the five components of internal control, the three categories of
objectives, and the entity's structure, which is represented by the third
dimension.
CONTROL ENVIRONMENT

This refers to the workplace environment, characterized by the way the
organization is structured, the manner of leadership, the degree of
openness, management's operating style, and whether the organization has,
and practices, the tenets of its code of ethics and statement of values.
This also includes the tone at the top and the degree to which there is
congruence between management's "talk" and its "walk." In other words, do
managers practice what they preach?
PRINCIPLES UNDERLYING THE CONTROL
ENVIRONMENT

◾ The organization demonstrates a commitment to integrity and ethical
values. It cares not only about what is achieved, but also about how
those results were achieved.
◾ The board of directors demonstrates independence from management and
exercises oversight of the development and performance of internal
control.
◾ Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit of
objectives.
◾ The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives: the words
"people are our greatest asset" put into practice.
◾ The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.
RISK ASSESSMENT
RISKS
- are those events that can jeopardize the organization’s
ability to achieve its objectives. In other words, they represent
what can go wrong while engaged in business activities in the
pursuit of organizational goals.

RISK ASSESSMENT
- the process of identifying, assessing, and measuring risks to the
organization, program, or process under review. One of the key benefits
of this approach is that it provides the context for the identification
of risks. This is so because risks are only relevant to the extent that
they jeopardize the achievement of objectives.
BUSINESS AND PROCESS RISK

This is the risk that the organization's processes are not effectively
obtaining, managing, and disposing of their assets, that the organization
is not performing effectively and efficiently in meeting customer needs,
or that it is not creating value or is diluting value by suffering the
degradation of financial, physical, and information assets.

◾ Capacity risk: Insufficient capacity limits the ability to meet demand
in the short and long term, or excess capacity threatens the firm's
ability to generate competitive profit margins.
◾ Execution risk: Inability to produce consistently without compromising
quality.
◾ Supply chain risk: Being unable to maintain a steady stream of supplies
when needed.
◾ Business interruption risk: This risk stems from the unavailability of
raw materials, IT, skilled labor, facilities, or other resources that
threatens the organization's ability and capacity to continue operations.
◾ Human resources risk: A lack of knowledge, skills, and experience among
the organization's key personnel that threatens the ability to achieve
business objectives.
◾ Health and safety risk: Failure to provide a safe working environment
for workers exposes the organization to compensation liabilities, loss of
business reputation, and other costs.
◾ Leadership risk: Workers are not being led effectively, resulting in a
lack of direction, motivation to perform, customer focus, management
credibility, and trust.
TECHNOLOGY AND INFORMATION TECHNOLOGY
RISK
These risks relate to conditions where IT is not operating as intended,
the integrity and reliability of data is compromised, and significant
assets are exposed to potential loss or misuse. They also include the
inability to maintain critical systems and processes. Examples include:

◾ Data integrity risk: Reliability and completeness of data flows,
inbound and outbound, from/to customers, vendors, regulators, investors,
and other stakeholders.
◾ Infrastructure risk: Risk that the organization's IT infrastructure is
obsolete, or that the organization lacks the IT infrastructure (hardware,
software, networks, and people) it needs to effectively support its
information requirements.
◾ Commerce risk: Events that compromise B2B and B2C financial and data
flows, data integrity, and security.
◾ Access risk: Failure to adequately restrict access to information could
result in unauthorized use of confidential information.
◾ Availability risk: Unavailability of information when needed could
threaten the continuity of the organization's operations and processes.
PERSONNEL RISK

These relate to conditions that limit the organization's ability to
obtain, deploy, and retain sufficient numbers of suitably qualified and
motivated workers.

◾ Availability risk: Sufficient workers and subject matter experts to
support the organization's present and future needs.
◾ Competence risk: Workers' ability to perform their duties efficiently
and successfully.
◾ Judgment risk: Workers' capacity to make sensible decisions based on
relevant circumstances.
◾ Malfeasance risk: Wrongdoing perpetrated by employees, contractors,
suppliers, or customers.
◾ Motivation risk: Demotivated workers fail to apply creativity and
discipline to their tasks, resulting in lower production, lower quality,
poor service, and higher turnover and absenteeism.
FINANCIAL RISK
Financial risks are those that can result in poor cash flows, exposure to
currency and interest rate fluctuations, and an inability to move funds
quickly, and without loss of value, to where they are needed. Examples
include:

◾ Resources risk: Availability of funds when needed and their judicious use
for business purposes
◾ Commodity prices risk: Fluctuations in prices expose the organization to
lower margins or trading losses
◾ Foreign currency risk: Changes in foreign exchange rates can result in
the economic loss of some of the value of the asset
◾ Liquidity risk: This is the loss exposure due to an inability to meet cash
flow obligations, or the lack of buyers and sellers in a market (i.e., illiquid
market)
◾ Market risk: Movements in prices, rates, and indices affect the value of
the organization's financial assets and stock price. This could also
affect its cost of capital and its ability to raise capital.
SOCIAL RISK
Social risk relates to dynamics where an issue affects stakeholders who
can form negative perceptions that can cause some form of damage to
the organization. Social risk can be influenced by strategic and
operational decisions management makes that affect issues stakeholders
care about.

◾ Demographics risk: Changes that affect purchasing preferences, staff
availability, or the cost to maintain a healthy workforce.
◾ Privacy risk: Preferences that curtail the capture, storage, use, and
dissemination of personal information.
◾ CSR risk: Requirements for social involvement and investment that
divert time and other resources from the organization's primary
activities.
◾ Mobility risk: Dynamics that change the preferences of workers and
customers to work and live in ways that support the organization's needs
and products.
POLITICAL RISK

This is a type of risk faced by organizations, investors, and
governments. It refers to the effects that political decisions, events,
or conditions can have when they affect the profitability of a business
or its ability to operate freely. It has to do with the complications
organizations may encounter as a result of political decisions. Examples
include:
◾ Regulations and legislation risk: New regulations, or changes to
existing ones, that limit the organization's ability to engage in its
normal business activities.
◾ Public policy risk: Stakeholder demands affecting the organization's
operations.
◾ Instability risk: Civil or military unrest that disrupts the
organization's activities.
Risk assessment requires management to consider the impact of
possible changes in the external environment and within their own
business model that could make internal control ineffective. This
includes focusing on clearly articulating objectives relating to
operations, reporting, and compliance so any risks to those objectives
can be identified and assessed.

"In planning the engagement, internal auditors must consider:

◾ The objectives of the activity being reviewed and the means by which
the activity controls its performance.

◾ The significant risks to the activity, its objectives, resources, and
operations and the means by which the potential impact of risk is kept to
an acceptable level" (Standard 2201).
When objectives are missing or undefined, internal auditors must
engage with management and help them define goals. This is
important because there are many issues that are likely to emerge
when goals are not defined, ranging from confusion and lack of
coordination, to a limited sense of purpose and outright waste
while employees work aimlessly.

If the goals have been defined, but are inadequate, internal auditors
should engage management to develop improvements.
The SMARTER model is very useful when developing organizational and
personal goals. SMARTER is a mnemonic that helps you remember the
elements of well-developed goals. According to Wikipedia, George Doran
first described SMART goals in the November 1981 issue of Management
Review.
SPECIFIC

By being specific, goals become clearer and avoid the ambiguity that can
often impair goal setting. Managers and employees know what they are
expected to do and can focus their energy, resources, and priorities
accordingly to accomplish them. Another important characteristic of
specific goals is that they are easier to quantify and monitor for
performance evaluations.

When formulating goals, process owners should consider the following
questions:
◾ What has to be accomplished?
◾ Who is involved in getting this done?
MEASUREABLE

When goals are measurable, it is easier to link their completion to the
performance monitoring and rewards mechanism. Having a method to measure
the degree of success in accomplishing the related goal is essential. In
fact, the lack of oversight and clear metrics to gauge performance is a
common reason goals are ineffective and individuals fail to achieve them.
Workers focus on what is measured, especially when the results affect
their performance evaluations and compensation.

◾ What must be done to demonstrate progress?
◾ What is the quantitative and qualitative evidence that will show we
achieved the goal?
ACHIEVABLE

Goals can be deemed achievable when they are aligned with the mission of
the organization and the individual. Furthermore, by making them
aspirational and ambitious, they build confidence and serve to motivate
those involved to pursue something great. It also helps when the goals
have milestones and checkpoints that will allow the person responsible
for their completion to witness progress.

◾ Does the goal carry specific parameters so it is tangible?
◾ Are there adequate resources available to work on the task?
◾ Is there a strategy and/or plan to get this goal accomplished?
◾ Is there enough motivation propelling this endeavor?
RELEVANT

Goals should also be aligned with the mission and strategy of the
organization, the process, and the individual. A common discovery when
reviewing processes is that there are tasks performed that do not add
value to the process or the customer.

◾ How does this activity help to meet the needs of the customer?
◾ Is this activity essential?
◾ Is this the best way to perform this activity in terms of time, effort, and
related tools (e.g., forms and data input)?
◾ What is the significance of this goal to my career and those of my team?
TIME BOUND

"A goal without a deadline is nothing but a dream" is an expression often
heard. It is quite simple, yet it is the root cause of why many items on
people's to-do lists never get completed. Setting deadlines requires
making a commitment to oneself and to the person who oversees the
completion of the goal. In the absence of a deadline, completion of the
item is left to a classification of "ongoing," and that can carry on in
near perpetuity due to procrastination or excuses.

◾ Are there milestone dates that must be met in the interim to show we
reached a significant change or stage of development in our work?
◾ When must the goal be achieved, and what evidence is needed to prove it
was done?
◾ What is the most efficient way of achieving the goal so we can
accomplish it as quickly as possible?
EVALUATED

Goals must be evaluated to determine if they meet the SMARTER elements,
but also to determine if they meet ethical and ecological considerations.

◾ Are the metrics associated with this goal evaluated? How frequently?
◾ Does the goal infringe on my values, the organization’s, and society’s?
◾ Will there be negative environmental impacts while pursuing this goal?
◾ Who has to evaluate the appropriateness, timeliness, and other
attributes of the goal?
REWARDING

The rewards received should be commensurate with the effort exerted and
the outcome achieved. If the amount of effort is greater than the reward,
chances are that workers will eventually lower the amount of sacrifice
made.

◾ What are the benefits to my customers for achieving this goal?
◾ What are the benefits to the organization for achieving this goal?
◾ What emotional, financial, and professional benefit will I enjoy?
CONTROL ACTIVITIES
Controls are actions established through policies and procedures that
mitigate the likelihood and/or impact of risks. Controls are performed at
all levels of the organization, at various stages within processes and over
the technological infrastructure of the organization.

Control activities can be categorized as follows:

◾ Preventive controls act before the error or omission can occur and
reduce the likelihood and/or impact of the event (for example, checking
that a user is authorized before a record is released to them).
◾ Detective controls identify errors or anomalies after they have
occurred and signal the need for corrective action (for example,
reviewing an access log to find reads that should not have happened).
◾ Directive controls are temporary controls implemented to redirect
employee actions. They are sometimes referred to as corrective controls.
◾ Compensating or mitigating controls are those put in place when a
control that proper design would call for is absent or cannot operate
where it is expected.
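The preventive and detective categories above are the two that security engineers build most often, so here is an added example (not code from the chapter or from COSO) that shows both against the same access-control decision. A preventive control checks authorization before a record is read and refuses the request; a detective control reviews a log produced by a system that had no such check and flags the reads that the authorization matrix says should never have succeeded. The users, roles, record names and log lines are all constructed for illustration.

```python
"""Preventive and detective controls applied to record access.

Added example for this chapter; it is not part of the original slides.
Users, roles, record names and log lines below are all constructed.
"""
import re
from typing import Dict, List, Set

# Constructed authorization matrix: which record classes each role may read.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll"},
    "auditor": {"payroll", "ledger"},
    "intern": set(),
}
USER_ROLES: Dict[str, str] = {
    "alice": "payroll_clerk",
    "bob": "auditor",
    "carol": "intern",
}


def is_authorized(user: str, record: str) -> bool:
    """Single source of truth for the authorization decision."""
    role = USER_ROLES.get(user)
    return role is not None and record in ROLE_PERMISSIONS.get(role, set())


def preventive_read(user: str, record: str, audit_log: List[str]) -> str:
    """Preventive control: the check runs before the read, so an
    unauthorized request never touches the data. Every decision is logged
    (allowed or denied) so a later detective review has evidence."""
    allowed = is_authorized(user, record)
    audit_log.append(f"user={user} record={record} action=read "
                     f"outcome={'allowed' if allowed else 'denied'}")
    if not allowed:
        raise PermissionError(f"{user} may not read {record}")
    return f"<contents of {record}>"


LOG_LINE = re.compile(r"user=(\S+) record=(\S+) action=read outcome=(\S+)")


def detective_review(log_lines: List[str]) -> List[str]:
    """Detective control: review a log written by a system that performed
    no up-front check (every read succeeded) and flag reads that the
    current authorization matrix says should not have happened. Lines
    that do not parse are reported too: a gap in the evidence is itself
    a finding, not something to skip silently."""
    findings: List[str] = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m is None:
            findings.append(f"unparseable log line: {line!r}")
            continue
        user, record, outcome = m.groups()
        if outcome == "allowed" and not is_authorized(user, record):
            findings.append(f"unauthorized read: {user} -> {record}")
    return findings


# Constructed log from a legacy system that had no preventive control.
LEGACY_LOG = [
    "2024-03-01T09:00:00Z user=alice record=payroll action=read outcome=allowed",
    "2024-03-01T09:05:00Z user=carol record=payroll action=read outcome=allowed",
    "2024-03-01T09:07:00Z user=bob record=ledger action=read outcome=allowed",
    "2024-03-01T09:09:00Z user=alice record=ledger action=read outcome=allowed",
    "2024-03-01T09:10:00Z garbage",
]

if __name__ == "__main__":
    log: List[str] = []
    print(preventive_read("bob", "ledger", log))
    try:
        preventive_read("carol", "payroll", log)
    except PermissionError as err:
        print("blocked:", err)
    for finding in detective_review(LEGACY_LOG):
        print("finding:", finding)
```

Note that both controls consult the same `is_authorized` function: a detective control that re-implements the rule differently from the preventive one will either miss violations or raise false alarms, and the two will drift apart over time.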
INFORMATION AND COMMUNICATION

Communication is one of the most important activities in organizations.
At the most basic level, relationships grow out of communication, and the
effective functioning and even survival of organizations is based on
having effective relationships.

Information is also necessary for the organization to perform the
internal control activities that support achievement of objectives.
Information constitutes the data that will be used during
reconciliations. It is needed when reviewing supporting documents before
authorizing a purchase. It is needed when performing inventory counts or
verifying that a user is authorized to access certain records in a
computer system.
MONITORING ACTIVITIES

Monitoring activities consist of ongoing evaluations, separate
evaluations, or a combination of the two, used to determine whether each
of the five components of internal control is present and functioning.
Ongoing evaluations are built into business processes at different levels
of the organization and provide timely information on how well or poorly
these activities are performing.
