
Internal Control

Date post: 15-Dec-2015
Upload: jacel-anne-agcaoili

INTERNAL CONTROL

What are INTERNAL CONTROLS? Why are they IMPORTANT?

What Is Internal Control?

A process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

•  Effectiveness & efficiency of operations
•  Reliability of financial reporting
•  Compliance with applicable laws and regulations
•  Safeguarding of assets
•  Adherence to managerial policies

Consider your own personal internal control system:

•  When you leave your house, do you check that all lights are off and doors are locked?
•  Do you keep your ATM PIN (passwords) only to yourself? Maintain a back-up known only to you?
•  Do you require receipts for all your purchases?
•  Do you monitor your finances?

An integral process

•  A series of actions throughout the operations on an ongoing basis
•  Built in rather than built on; embedded with the management processes of planning, organizing, budgeting, staffing, implementing, and monitoring
•  Not stand alone or separate specialized systems within an agency
•  Interwoven into and made an integral part of each system that management uses to regulate and guide its operations

Internal Control

Which also means:

•  Internal control is a process. It is a means to an end, not an end in itself.
•  Internal control is effected by people. It’s not merely policy manuals and forms, but people functioning at every level of the organization.
•  Internal control is geared to the achievement of objectives in several overlapping categories.
•  Internal control only provides reasonable assurance to an institution’s leaders regarding achievement of operational, financial reporting and compliance objectives.

The policies, procedures and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.

Control Processes

ISPPIA Definition

Examples:

•  Proper procedures for authorization
•  Adequate separation of duties
•  Adequate documents and records
•  Physical control over assets and records
•  Independent checks on performances
•  Accountability
•  Flow of financial information

Internal Control System (ICS)

•  Encompasses the policies, processes, tasks, behaviour and other aspects of a company that taken together:
   -  Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives;
   -  Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation;
   -  Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business

The IA Handbook, third edition by KHS Pickett

Control – any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

-  management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved

ISPPIA Definition

The Four Functions of Management

Planning

Organizing

Influencing

Controlling

Planning

-  Process of determining how the organization can get where it wants to go and what the organization will do to accomplish its objectives
-  Concerned with organizational success in the near future (short term) as well as in the more distant future

IIA-P


Organizing

-  Process of establishing orderly uses for all resources within the management system by assigning tasks developed under the planning function to various individuals or groups within the organization
-  Creates a mechanism to put plans into action

IIA-P


Influencing

-  Process of guiding the activities of organization members in appropriate directions
-  Concerned primarily with people within the organization
-  Ultimate purpose is to increase productivity
-  Motivating, leading, directing, or actuating

IIA-P


Controlling

-  Process managers go through to control
-  Systematic effort to compare performance to predetermined standards, plans or objectives to determine whether performance is in line with those standards or needs to be corrected

IIA-P


Management’s responsibility on ICS

•  Determine the need for controls
•  Design suitable controls
•  Implement these controls
•  Check that these controls are being applied correctly
•  Maintain and update the controls

The IA Handbook, third edition by KHS Pickett

IA’s role in ICS

2100 – Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

2130 – Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

IIA-P


2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

•  Achievement of the organization’s strategic objectives;
•  Reliability and integrity of financial and operational information;
•  Effectiveness and efficiency of operations and programs;
•  Safeguarding of assets; and
•  Compliance with laws, regulations, policies, procedures, and contracts.

2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.

IIA-P

IA Role on ICS

•  Assessing those areas that are most at risk in terms of key control objectives
•  Defining and undertaking a programme for reviewing high profile systems that attract the most risk
•  Reviewing each of these systems by examining and evaluating their associated ICS to determine the extent to which the five key control objectives are being met

IIA-P


•  Advising management whether or not controls are operating adequately and effectively so as to promote the achievement of the system’s/control objectives
•  Recommending any necessary improvements to strengthen controls where appropriate, while making clear the risks involved for failing to effect these recommended changes
•  Following up audit work so as to discover whether management has actioned agreed audit recommendations

IIA-P

The Three Lines of Defense

First – functions that own and manage risk
Second – functions that oversee risks
Third – the functions that provide independent assurance

IIA-P


First: Operational Management

•  Responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis
•  Responsible for implementing corrective actions to address process and control objectives
•  Operational managers OWN and MANAGE risks

IIA-P


Second: Management oversight functions

•  Pertains to the various risk control and compliance oversight functions established by management such as:
   -  Risk management
   -  Compliance
   -  Controllership
   -  Quality
   -  Inspection
   -  Security
   -  Legal
   -  Environmental

IIA-P


Second: Responsibilities

•  Supporting management policies, defining roles and responsibilities, and setting goals for implementation
•  Providing risk management framework
•  Identifying known and emerging issues
•  Identifying shifts in the organization’s implicit risk appetite

IIA-P


Second: Responsibilities

•  Assisting management in developing processes and controls to manage risks and issues
•  Facilitating and monitoring implementation of effective risk management principles by operational management
•  Monitoring the adequacy and effectiveness of internal controls, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies

IIA-P


Third: Internal Audit

Internal auditors provide the Board of Directors and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization

IIA-P

Types of Management Control Techniques

1.  Direct Supervision and Observation
2.  Financial Statements
3.  Budgetary Control
4.  Break Even Analysis
5.  Return on Investment
6.  Management Audit
7.  Management Information System
8.  PERT and CPM Techniques
9.  Self-Control
10. Management by Objectives

IIA-P

Direct Supervision and Observation

•  Oldest technique of controlling. The supervisor himself observes the employees and their work. This brings him in direct contact with the workers. So, many problems are solved during supervision.
•  The supervisor gets first hand information, and he has better understanding with the workers. This technique is most suitable for a small-sized business.

http://kalyan-city.blogspot.com/2011/05/control-techniques-10-types-of.html

Financial Statements

•  Collection of reports about an organization's financial results, financial condition, and cash flows.

They are useful for the following reasons:

•  To determine the ability of a business to generate cash, and the sources and uses of that cash.
•  To determine whether a business has the capability to pay back its debts.
•  To track financial results on a trend line to spot any looming profitability issues.
•  To derive financial ratios from the statements that can indicate the condition of the business.
•  To investigate the details of certain business transactions, as outlined in the disclosures that accompany the statements.

http://www.accountingtools.com

Budgetary Control

A budget is a set of interlinked plans that quantitatively describe an entity's projected future operations. It is used as a yardstick against which to measure actual operating results, for the allocation of funding, and as a plan for future operations. A planning and controlling device; budgetary control is done for all aspects of a business such as income, expenditure, production, capital and revenue.

http://www.accountingtools.com
http://kalyan-city.blogspot.com/2011/05/control-techniques-10-types-of.html

Break Even Analysis

The breakeven point is the sales volume at which a business earns exactly no money. The breakeven point is useful in the following situations:

•  To determine the amount of remaining capacity after the breakeven point is reached, which tells you the maximum amount of profit that can be generated
•  To determine the impact on profit if automation (a fixed cost) replaces labor (a variable cost)
•  To determine the change in profits if product prices are altered
•  To determine the amount of losses that could be sustained if the business suffers a sales downturn

http://www.accountingtools.com

Return on Investment

A performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio. The return on investment formula:

http://www.investopedia.com

Management by Objectives

•  Uses organizational objectives as the primary means of managing organizations

Basic parts:

•  All individuals in an organization are assigned a specialized set of objectives (mutually agreed upon by the individuals and their managers) within a normal operating period
•  Performance reviews are conducted periodically to determine the progress of attainment of objectives
•  Rewards are given to individuals on the basis of how close they come to reaching their goals

IIA-P

Management Audit

•  A systematic examination of decisions and actions of the management to analyse the performance.
•  Involves the review of managerial aspects like organizational objective, policies, procedures, structure, control and system in order to check the efficiency or performance of the management over the activities of the Company.

https://en.wikipedia.org/wiki/Management_auditing

PERT and CPM Techniques

Program Evaluation and Review Technique (PERT)

•  A statistical tool used in project management, designed to analyze and represent the tasks involved in completing a given project
•  Most commonly used methods for project management

Critical Path Method (CPM)

•  A method of project planning consisting of a number of well defined and clearly recognizable activities
•  An algorithm for scheduling a set of project activities

http://civilengineersforum.com/pert-cpm/
https://en.wikipedia.org/wiki/

PERT

PERT chart for a project with five milestones (10 through 50) and six activities (A through F). Using CPM: The project has two critical paths: activities B and C, or A, D, and F – giving a minimum project time of 7 months with fast tracking.

https://en.wikipedia.org/wiki/

Management Information System (MIS)

•  A computerized database of financial information organized and programmed in such a way that it produces regular reports on operations for every level of management in a company. It is usually also possible to obtain special reports from the system easily.
•  The main purpose of the MIS is to give managers feedback about their own performance; top management can monitor the company as a whole. Information displayed by the MIS typically shows "actual" data over against "planned" results and results from a year before; thus it measures progress against goals.

http://www.inc.com/encyclopedia/management-information-systems-MIS.html

Self-Control

•  Self-directed control; a person is given freedom to set his own targets, evaluate his own performance and take corrective measures as and when required
•  Self-control is commonly required for top level managers
•  The superiors must control the important activities of the subordinates.

http://kalyan-city.blogspot.com

Control Categories

SGV & Co Materials

•  Key and significant control: minimum set of controls that can provide reasonable assurance that the risk is mitigated, provided that the controls are designed properly, operating as intended and are demonstrable.
•  Secondary control: any other controls not defined as key or significant. These are supplemental controls frequently used to improve the timeliness of detection of issues or backlog controls used as emergency “catch-alls”.

Types of Controls

IIA-P Materials

Preventive

•  designed to limit the possibility of an undesirable outcome being realized
•  attempt to stop a risk from occurring

Corrective

•  designed to limit the scope for loss and reduce any undesirable outcomes which have been realized
•  may also provide a route of recourse to achieve some recovery against loss or damage

Directive

•  designed to ensure that a particular outcome is achieved
•  attempt to avoid risks by providing specific ways to do things

Detective

•  designed to identify occasions of undesirable outcomes having been realized
•  their effect is, by definition, “after the event” so they are only appropriate when it is possible to accept that the loss or damage has been incurred
•  attempt to determine if a risk has occurred

Internal controls can be classified as:

•  Manual
•  Automated

Automated Controls classified as:

•  General - relate to the overall information-processing environment.
•  Application - ensure the completeness and accuracy of transaction processing, authorization, and validity.

General Controls

•  Entity wide security program planning and management;
•  Access controls limit or detect access to computer resources for both physical and logical controls;
•  Controls on the development, maintenance and change of application software
•  System software controls
•  Segregation of duties
•  Service continuity controls

Application controls

1.  Data Capture Controls – ensure that all transactions are recorded in the application system, transactions are recorded only once, and rejected transactions are identified, controlled, corrected, and reentered into the system.
2.  Data Validation Controls – ensure that all transactions are properly valued.
3.  Processing Controls – ensure the proper processing of transactions.
4.  Output Controls – ensure that computer output is not distributed or displayed to unauthorized users.
5.  Error Controls – ensure that errors are corrected and resubmitted to the application system at the correct point in processing.

Controls vs. Cost

IIA-P Materials

More Reliable/Desirable

•  Systems-Based, Preventive Control
•  People-Based, Preventive Control
•  Systems-Based, Detective Control
•  People-Based, Detective Control

Less Reliable/Desirable

Economical, Efficient, and Effective Operations

Economical – able to perform functions/tasks using the least amount of resources within a specified timeframe

Efficient – “doing things right” given the available resources and within a specified timeframe

-  Delivering a given quantity and quality of outputs with minimum inputs or maximizing outputs with a given quantity and quality of inputs
-  Prioritization and leveraging of resources

Effective – “doing the right things”, able to deliver major final outputs and outcomes and able to contribute to the attainment of goals and objectives

Characteristics of an Effective Control

•  Addresses root cause
•  Considers cost
•  Simple
•  Leaves tracks
•  Embedded
•  Combination of “soft” and “hard” controls
•  Covers adequately the Internal Control components and objectives

   

Who is Responsible for Internal Control?

   

Virtually all employees play some role in effecting control.

Benefits of Internal Control

•  help prevent errors and irregularities
•  if they occur, help ensure they are detected timely
•  encourage adherence to prescribed policies and procedures
•  protect employees:
   1) by clearly outlining tasks and responsibilities,
   2) by providing checks and balances, and
   3) from being accused of misappropriations, errors or irregularities.

(Source: Internal Controls, Office of the Internal Auditor, Washington State University, http://internalaudit.wsu.edu/internalcontrols.html)

   

What Internal Control Can Do

•  It can help achieve performance & profitability targets.
•  It can help prevent loss of resources.
•  It can help ensure reliable financial reporting.
•  It can help ensure compliance with laws.
•  It can help an entity get to where it wants to go and avoid pitfalls and surprises along the way.

   

What Internal Control Cannot Do

•  It cannot ensure success.
•  It cannot ensure the reliability of financial reporting.
•  It cannot ensure compliance with laws and regulations.

“Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding achievements of an entity’s objectives.”

