1949 it was defined by the American Institute of Accountants (now the AICPA) 1958 - a distinction between accounting controls and administrative controls have been released Accounting controls relate to safeguarding assets and reliability of financial records
Administrative controls relate to operational efficiency and adherence to managerial policies 1972 a clarification of controls, accounting controls provide reasonable assurance 3 The COSO* Definition of Internal Control * Committee of Sponsoring Organizations of the Treadway Commission Internal control is a process, effected by an entitys board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations 4 Definition of Internal Control * Committee of Sponsoring Organizations of the Treadway Commission Internal control is a companys system, defined and implemented under its responsibility which aim to ensure:
laws and regulations are complied with directional guideline were approved by higher management companys internal process are functioning properly financial information is reliable;
and generally, contributes to the control over its activities, to the efficiency of its operations and to the efficient utilization of its resources 5
The reliability and integrity of information. Compliance with policies, plans, procedures, laws and regulations. The safeguarding of assets. The economical and efficient use of resources. The accomplishment of established objectives and goals for operations or programs. Protiviti KnowledgeLeader (www.knowledgeleader.com) Objectives of Internal Control Internal controls are established to further strengthen: 6 Promote orderly, economical, efficient and effective operations, and produce quality services and outcomes consistent with the agencys mission
Safeguard resources against loss due to waste, abuse, errors and fraud
Promote adherence to laws, regulations, policies, procedures and contracts
Develop and maintain reliable financial and management data and accurately present that data in timely reports to decision makers Purposes & Principles of Internal Control: 7 Simple Definition Internal control is what we do to see that the things we want to happen will happen
And the things we dont want to happen wont happen. 8 Internal Control Myths and Facts MYTHS:
Internal control starts with a strong set of policies and procedures.
Internal control: Thats why we have internal auditors!
Internal control is a finance thing.
Internal controls are essentially negative, like a list of thou-shalt-nots.
Internal controls take time away from our core activities of making products, selling, and serving customers. FACTS:
Internal control starts with a strong control environment.
While internal auditors play a key role in the system of control, management is the primary owner of internal control.
Internal control is integral to every aspect of the business process.
Internal control makes the right things happen the first time.
Internal controls should be built into, not onto business processes. They are integral! Source: Institute of Internal Auditors 9 Why are Internal Controls Important? C ompliance with applicable laws and regulations. A ccomplishment of the entitys mission. R elevant and reliable financial reporting. E ffective and efficient operations. S afeguarding of assets. C A R E S 10 Why Internal Controls? Effective internal controls result in improved performance, efficiency, and business process reengineering. Internal control protects you by catching small mistakes before they become big problems. Internal control protects the organization by removing opportunities for innocent mistakes or intentional fraud. or else.. 11 Internal Control Limitation Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met.
Effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.
Internal control involves human action, which introduces the possibility of errors in processing or judgment. Control definition reflects certain fundamental concepts: Internal control is a process; it is a means to an end, not an end itself
Internal control is effected by people; its not merely policy manuals and forms but people at every level of an organization
Internal control can be expected to only provide reasonable assurance, not absolute assurance
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories COSOS Internal Control Framework Five Inter-Related Standards: Risk Assessment Control Activities Monitoring Information & Communication Control Environment 14 Control Environment Foundation for all other standards of internal control
Pervasive influence on all the decisions and activities of an organization
Effective organizations set a positive tone at the top
Factors include the integrity, ethical values and competence of employees, and, managements philosophy & operating style COSOS Internal Control Framework Risks are internal & external events that threaten the accomplishment of objectives
Risk assessment is the process of identifying, evaluating, and deciding how to manage these events COSOS Internal Control Framework Risk Assessment Tools - policies, procedures, processes -designed and implemented to help ensure that management directives are carried out
Help prevent or reduce the risks that can impede the accomplishment of objectives
Occur throughout the organization, at all levels, and in all functions
Includes approvals, authorizations, verifications, reconciliations, security of assets, reviews of operating performance, and segregation of duties COSOS Internal Control Framework Control Activities Pertinent information must be captured, identified and communicated on a timely basis
Effective information and communication systems enable the organizations people to exchange the information needed to conduct, manage, and control its operations COSOS Internal Control Framework Communication and Information 18 Internal control systems must be monitored to assess their effectiveness Are they operating as intended?
Ongoing monitoring is necessary to react dynamically to changing conditionsHave controls become outdated, redundant, or obsolete?
Monitoring occurs in the course of everyday operations, it includes regular management & supervisory activities and other actions personnel take in performing their duties. Monitoring COSOS Internal Control Framework Everyone is responsible for Internal Controls!!! Roles and responsibilities in internal control Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. Key Internal Control Activities Segregation of Duties
Documentation
Authorization and Approvals
Security of Assets
Reconciliations and review
Supervision/monitoring of operations
Physical Safeguards
Analysis of Results
IT security Segregation of duties - dividing responsibilities between different employees so one doesnt control all aspect of transaction - reduce the opportunity for an employee to commit and conceal errors Key Internal Control Activities Documentation - document preserve evidence to substantiate critical decisions and significant events, transactions that enabled to be traced from its inceptions to completion and policies and procedures Authorizations and Approval - Management documents and communicates which activities require approval, and by whom, based on the level of risk to the organization. Ensure that transactions are approved and executed only by employees acting within the scope of their authority granted by management Security of assets - Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce the risk of loss or unauthorized use. Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization. Base the level of security on the vulnerability of items being secured, the likelihood of loss, and the potential impact should a loss occur Key Internal Control Activities Reconciliations and Review - Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance. Base level of review on materiality, risk, and overall importance to organizations objectives. Ensure frequency is adequate enough to detect and act upon questionable activities in a timely manner.
Monitoring/supervision - observation or review of ongoing operational activity Key Internal Control Activities Reconciliations and Review - usage of passwords, access logs, etc. to ensure access restricted to authorized personnel Physical Safeguard - usage of cameras, locks, physical barriers, etc. to protect property Analysis of Results - periodic and regular operational reviews, metrics, and other key performance indicators (KPIs) 25 Need for Strengthening Internal Control a. Adequate and strong internal controls in government have been found to be more effective than detailed audit in ensuring the integrity of operations of the agency and the entire range of administrative, financial, operating and reporting systems.
b. Weak internal controls lead to waste and misuse of government resources and non-accomplishment of objectives. 26 Types of Internal Control Accounting Controls Financial Controls Administrative Controls pertain to the plan of organization, the procedures and record that ensures he accuracy and the reliability of financial records. include the methods and procedures concerned with the safeguarding of assets and are designed to ensure transactions are executed, access to assets is permitted and recorded accountability for assets is compared with existing assets at reasonable intervals and appropriate action is taken include, but are not limited to, plan of organization, the procedures and records concerned with the management decision processes authorizing the transactions. They include controls over administrative offices such as personnel records and administrative functions. Control Techniques Internal control techniques are to be designed for and operated in all agency activities to accomplish the control objectives consistently, efficiently and effectively. There are two groupings of controls are: 1. Basic controls 2. Disciplinary controls ensure that transactions are recorded completely and accurately and the errors in execution of recording are detected as soon as possible, regardless of whether the error is the processing of an unauthorized transaction, the failure to process and authorized one, or the failure to process such a transaction accurately. ensure that proper and continued functioning of the basic controls and include supervision, segregation of duties and custodial arrangement Five frequently recurring common control techniques Control Techniques Control over completeness of processing
Maintenance of subsidiary records supporting a control account
Posting to inventory records
Supervisory review and approval
Checking of extensions and additions Control Techniques Internal Control Techniques Accounting Control Purpose Physical Safeguard Controls: Burglar Alarms Deterrence or detection of theft of assets Plant Security Guards To deter or detect theft of assets by outsiders and by employees seeking unauthorized access to assets Organizational Controls: Bonding of employees occupying position of trust To deter fraud and theft Control Techniques Internal Control Techniques Accounting Control Purpose Organizational Controls: Definite written assignments of responsibilities for the performance of each duty required to transact business Deterrence of fraud, theft, and errors; assurance that duties will be carried out by qualified personnel; and assurance of smooth continuity of operations in the event of personnel changes Accounting Policies Use of control accounts Deterrence and detection of fraud, theft and error 31 Internal Control Techniques Accounting Control Purpose Accounting Policies Strict adherence to generally accepted accounting principles Avoidance of disclosure errors and improper financial reporting Clerical Practices: Vertical and horizontal addition of accounting work sheets Assurance against clerical error Independent verification of clerical operations performed To deter and detect fraud and error Control Techniques Weak Internal Controls Increase Risk Through Business Interruption system breakdowns or catastrophes, excessive re-work to correct for errors. Erroneous Management Decisions based on erroneous, inadequate or misleading information. Fraud, Embezzlement and Theft by management, employees, customers, vendors, or the public-at-large. Statutory Sanctions penalties arising from failure to comply with regulatory requirements, as well as overt violations. Excessive Costs/Deficient Revenues expenses which could have been avoided, as well as loss of revenues to which the organization is entitled, and Loss, Misuse or Destruction of Assets unintentional loss of physical assets such as cash, inventory, and equipment. Weak Internal Controls Increase Risk Through Effective Internal Controls
Make sense within each organizations unique operating environment.
Benefit rather than encumber management.
Are not stand-alone practices; they are woven into day-to-day responsibilities, and