Internal Control
Internal Control
Internal Control
Companies establish goals and objective. And then assess the risk of achieving those objectives. As a
response to the assessed risk, the company may design and implement internal control to have a
reasonable assurance that objectives will be achieved.
Control is defined as any action taken by management, the board and other parties to manage risk and
increase the likelihood that the established policy and goals will be achieved. Management plans,
organizes, and directs the performance of sufficient actions to provide reasonable assurance that the
objectives and goals will be achieved. The term “controls” refers to any aspect of one or more of the
components of the internal control.
Internal control is the process designed and effect by those charged with governance, management and
other personnel to provide for reasonable assurance about the achievement of the entity’s objectives
with regard to reliability of financial reporting and efficiency of operations and compliance with
applicable laws and regulation. Internal control pertains to the actions that foster the best result for an
organization.
It follows that internal control is designed and implemented to address identified business risks than
threaten the achievement of any of the objectives.
Whether an entity achieves its objectives relating to financial reporting and compliance is determined by
activities within the entity’s control. However, achieving its objectives relating to operations will depend
not only on management’s decision but also on the competitor’s actions and other factors outside the
entity.
Internal control system means all the policies and procedures (internal controls) adopted by
management of an entity to assist in achieving management’s objectives of ensuring, as far as
applicable, the orderly and efficient conduct of its business, including adherence to management
policies, the safe guarding of assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial information.
Internal control structures vary significantly from one company to the next.
Factors such as size of the business, nature of operations, the geographical dispersion of its activities,
and objectives of the organization affect the specific control features of an organization. COSO is a joint
initiative to combat corporate fraud. However, certain elements of features must be present to have a
satisfactory system of control in almost any large-scale organization.
The internal control system extends beyond these matters which relate directly to the functions of the
accounting system and consists of the following components in accordance with the Committee on
Sponsoring Organizations (COSO) updated Internal Control – integrated frame work. The COSO
Framework is a system used to establish internal controls to be integrated into business processes.
Collectively, these controls provide reasonable assurance that the organization is operating ethically,
transparently and in accordance with established industry standards.
A. Control Environment
The control environment which means the overall attitude, awareness and actions of directors and
management regarding the internal control system and its importance in the entity. The attitude and
actions of the directors, management and employees that set the tone for control with the organization.
It talks about:
The control environment has an effect on the effectiveness of the specific control procedures. A strong
control environment, for example, one with tight budgetary controls and an effective internal audit
function, can significantly complement specific control procedures. Factors reflected in the control
environment include:
Control Environment is about Exercise integrity and ethical values, Make a commitment to competence,
Use the board of directors and audit committee, Facilitate management’s philosophy and operating
style, Create organizational structure, Issue assignment of authority and responsibility. Utilize human
resources policies and procedures.
The environment in which internal control operates has an impact on the effectiveness of the specific
control procedures.
Integrity and ethical values are essential elements of the internal control environment. They affect the
design, administration, and monitoring of other component of internal control. An entity’s ethical and
behavioral standards and the manner in which it communicates and reinforces them determine the
entity’s integrity and ethical behavior.
Integrity and ethical values include management’s action to remove or reduce incentives and
temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also
include the communication of entity values and behavioral standards to personnel through policy
statements, a code of conduct, and management’s example of appropriate behavior.
2) Commitment to Competence
Competence is the key and skills necessary to accomplish tasks that define an employee's job.
Commitment to competence means that management considers the competence levels for a particular
job in determining the skills and knowledge required of each employee and that it hires employee’s
competence to perform the task.
This refers to management’ s attitude towards (a) business risk, (b) financial reporting, (c) meeting
budget, profit and other established goals which all have impact on the reliability of the financial
statements. Management’s approach to taking and monitoring business risks, its conservative or
aggressive selection from alternative accounting principles, its conscientiousness and conservatism in
developing accounting estimates and its attitude toward information processing and the accounting
function and personnel are factors that affect the control environment.
5) Organizational Structure
The responsibilities and authorities of the various personnel within the organization should be
established in such a manner as to
(1) assist the entity in meeting its goals and objectives and
(2) ensure that transactions are processed, recorded, summarized and reported in an accurate and
timely manner.
Organizational structure provides the overall framework for planning, directing and controlling
operations.
Personnel within an organization need to have a clear understanding of their responsibilities and the
rules and regulations that govern their actions. Management may develop job descriptions, computer
system documentation. It may also establish policies regarding acceptable business practice, conflicts of
interest and code of conduct.
Perhaps the most important element of an internal accounting control system is the people who
perform and execute the established policies and procedures. Personnel policies should be adopted by
the client to reasonably ensure that only capable and honest persons are hired and retained. Policies
with respect to employee selection, training and supervision should be adopted and implemented by
the client. Square peg in a round hole, Square Peg, Round Hole: Dealing with An Employee Who Does
Not Fit In.
The selection of competent and honest personnel does not automatically assure that errors or
irregularities will not occur. However, adequate personnel policies, coupled with the design concepts
suggested earlier in this section, enhance the likelihood that the client’s policies and procedures will be
followed.
Risk assessment is the “identification, analysis, and management of risks pertaining to the preparation
of financial statements”. For example, risk assessment may focus on how the entity considers the
responsibility of transactions not being recorded or identifies and assesses significant estimates
recorded in the financial statements.
An entity’s risk assessment process is its process for identifying and responding to business risks and the
results thereof. For financial reporting purposes, the entity’s risk assessment process includes how
management identifies risks relevant to the preparation of financial statements that are presented
fairly, in all material respects in accordance with the entity's applicable financial reporting framework,
estimates their significance, assess the likelihood of their occurrence, and decides upon actions to
manage them.
Risks relevant to financial reporting include external and internal events and circumstances that may
occur and adversely affect an entity’s ability to initiate, record, process and report financial data
consistent with the assertions of management in the financial statements.
Once risks are identified, management considers their significance, the likelihood of their occurrence
and how they should be managed.
The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of size,
but the risk assessment process is likely to be less formal and less structured in small entities than larger
ones.
All entities should have established financial reporting objectives, but they may be recognized implicitly
rather than explicitly in small entities.
Management may be aware of risks related to these objectives without the use of a formal process but
through direct personal involvement with employees and outside parties.
Many small entities are carried out entirely by the engagement partner (who may be a sole
practitioner). In such situations, it is the engagement partner who, having personally conducted the
planning of the audit, would be responsible for considering the susceptibility of the entity’s financial
statements to material misstatement due to fraud and error.
Information System, including the Business Processes, Relevant to Financial Reporting and
Communication – An information system consists of infrastructure (physical and hardware components),
software.
People, procedures, and software will be absent, or have less significance, in systems that are exclusively
or primarily manual, many information systems make extensive use of IT.
The Information System, including Related Business Processes. Relevant to Financial Reporting – The
information system relevant to financial reporting objectives, which includes the accounting system,
consist of the procedures and records designed and established to:
• Initiate, record, process and report entity transactions (as well as events and conditions) and to
maintain accountability for the related assets, liabilities and equity;
• Resolve incorrect processing of transactions, for example, automated suspense files and
procedures followed to clear suspense items out on a timely basis;
• Process and account for system overrides or by passes to controls;
• Transfer information from transaction processing systems to the general ledger;
• Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and amortization of assets and changes in the
recoverability of accounts receivables; and
• Ensure information required to be disclosed by the applicable financial reporting framework is
accumulated, recorded, processed, summarized and appropriately reported in the financial
statements.
Journal Entries
An entity’s information system typically includes the used of standard journal entries that are required
on a recurring basis to record transactions.
Examples might be journal entries to record sales, and cash disbursements in the general ledger, or to
record accounting estimates that are periodically made by management, such as change in the estimate
of uncollectible accounts receivable.
An entity’s financial reporting process also includes the use of non-standard journal entries to record
non-recurring, unusual transactions or adjustments.
Examples of such entries for a business combination or disposal or nonrecurring estimates such as the
impairment of an asset.
In manual general ledger system, non-standard journal entries may be identified through inspection of
ledgers, journals, and supporting documentation.
When automated procedures are used to maintain the general ledger and prepare financial statements,
such entries may exist only in electronic form and may therefore be more easily identified through the
use of computer-assisted audit techniques.
• Develop, purchase, produce, sell and distribute an entity’s products and services;
• Ensure compliance with laws and regulations; and
• Record information, including accounting and financial reporting information.
Business processes result in the transactions that are recorded, processed and reported by the
information system.
Obtaining an understanding of the entity’s business processes, which include how transactions are
originated, assists the auditor obtain an understanding of the entity’s information system relevant to
financial reporting in a manner that is appropriate to the entity’s circumstances.
It includes the extent to which personnel understand how their activities in the financial reporting.
It includes the extent to which personnel understand how their activities in the financial reporting
information system relate to the work of others and the means of reporting exceptions to an
appropriate higher level within the entity.
Communication takes such forms as policy manuals, accounting and financial reporting manuals, and
memoranda.
Communication also can be made electronically, orally, and through the actions of management.
Information systems and related business processes relevant to financial reporting in small entities are
likely to be less formal than larger entities but their role is just as significant.
Small entities with active management involvement may not need extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies.
Communication may be less formal and easier to achieve in a small entity than in a larger entity due to
the small entity’s size and fewer levels as well as management’s greater visibility and availability.
D. Control Activities
Control activities are the policies and procedures that help ensure that management directives are
carried out, for example, that necessary actions are taken to address risks that threaten the
achievement of the entity’s objectives.
Controls activities are policies and procedure that guide employees’ actions to address risk and achieve
management activities.
Control activities, whether within IT or manual systems, have various objectives and are applied at
various organizational\ and functional levels.
a. Performance review
b. Information Processing Controls
1) Proper authorization of transactions and activities
2) Segregation of duties
3) Adequate documents and records
4) Safeguards over access to assets; and
5) Independent checks on performance
c. Physical controls
Limiting physical access to assets and records.
Only authorized personnel should have access to certain assets (particularly valuable or portable
ones)
A. Performance Review
In performance review management uses accounting and operating data to assess performance, and it
then takes corrective action.
• comparing actual performance (or operating results) with budgets, forecasts, prior performance,
or competitors’ data or tracking major initiatives such as cost-containment or cost
-reduction programs to measure the extent to which targets are being met.
Personnel at various levels in an organization may make performance reviews. Performance reviews
may be used by managers for the sole purpose of making operating decisions. For example, managers
may analyze performance data and base operating decisions on them because the data are consistent
with their expectations.
Information processing controls are policies and procedures designed to require authorization of
transactions and to ensure the accuracy and completeness of transaction processing.
Control activities may be classified according to the scope of the system they affect.
General controls are control activities that prevent or detect errors or irregularities for all accounting
system.
General controls affect all transaction cycles and apply to information processing as a center, hardware
and systems software acquisition and maintenance, and backup and recovery procedures.
Application controls are controls that pertain to the processing of a specific type of transaction, such as
payroll, or sales and collections.
These controls help ensure that transactions occurred, are authorized, and are completely and
accurately recorded and processed. Example of application controls include checking the arithmetical
accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as
input data and numerical sequence checks and manual follow-up of exception reports.
General IT – controls are policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper operation of
information systems. Examples of such general IT – controls are programs change controls, controls that
restrict access to programs or data, controls over the implementation of new releases of packaged
software applications and controls over system software that restrict access to or monitor the use of
system utilities that could change financial data or records without leaving an audit trail.
Control Objectives for Information and Related Technologies, more popularly known as COBIT, is a
framework that aims to help organizations that are looking to develop, implement, monitor, and
improve IT governance and information management.
Internal controls relating to the accounting system are concerned with achieving objectives such as;
Control activities related to the processing of transactions may be grouped as follows: (1) proper
authorization, (2) design and use of adequate documents and records, and (3) independent checks on
performance.
Authorization for the execution of transaction flows from the stockholders to management and its
subordinates. Before a transaction is entered into with another party, certain conditions must usually be
met. As part of the evaluation of the potential transaction, documentation will be created.
The auditor uses this documentation to determine whether business transactions are properly
authorized. For example, the purchase of inventory may create a purchase order, a receiving report, and
a vendor invoice. By inspecting these documents and comparing them with company policy, the auditor
may be reasonably satisfied that a business transaction was authorized and executed in a manner
consistent with company policy.
2. Segregation of duties
An important element in designing internal accounting control system that safeguards assets and
reasonably ensures the reliability of the accounting records is the concept of segregation of
responsibilities.
No one person should be assigned duties that would allow that person to commit an error or perpetuate
fraud and to conceal the error or fraud. For example, the same person should not be responsible for
recording the cash received on account and for posting the receipts to the accounting records.
The use of adequate documents and records allow the company to obtain reasonable assurance that all
valid transactions have been recorded.
4. Access to assets
The resources of a client can be protected by the establishment of physical barriers and appropriate
policies. For example, inventories may be kept in a storeroom, or negotiable instrument may be place in
a safe deposit box.
The objective of a well-designed internal accounting control system is the adoption of procedures that
periodically compare the actual asset with its record balance. Regardless of the effectiveness of an
internal control system, some transactions may not be accurately recorded and some assets may
misappropriate.
To accomplished this period counts of assets by the client and comparing the counts to the balances in
the general ledger account. Example are the count of inventory and the preparation of monthly bank
reconciliation.
C. Physical Controls
• The physical security of assets, including adequate safeguards such as secured facilities over
access to assets and records.
• The authorization for success to computer programs and data files.
• The periodic counting and comparison with amounts shown on control records (for example,
comparing the results of cash, security and inventory counts with accounting records).
The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of
financial statement preparation, and therefore the audit, depends on circumstances such as when
assets are highly susceptible to misappropriation.
The concepts underlying control activities in small entities are likely to be similar to those in larger
entities, but the formality with which they operate varies. An appropriate segregation of duties often
appears to present difficulties in small entities.
E. Monitoring of Controls
Monitoring, the final component of internal control, is the process that an entity uses to assess the
quality of internal control over time. Monitoring involves assessing the design and operation of controls
on a timely basis and taking corrective action as necessary.
Management monitors controls to consider whether they are operating as intended and to modify them
as appropriate for changes in conditions.
In many entities, internal auditors evaluate the design and operation of internal control and
communicate information about strengths and weaknesses and recommendations for improving
internal control. Some monitoring activities include communications from external parties.
For example, customers implicitly corroborate sales data by paying their bills or raising questions. Also,
bank regulators, other regulators, and outside auditors may communicate about design or effectiveness
of internal control.
Ongoing monitoring activities of small entities are more likely to be informal and are typically performed
as a part of the overall management of the entity’s operation. Management’s close involvement in
operations often will identify significant variances from expectations and inaccuracies in financial data
leading to corrective action to the control.
1. Preventive controls are proactive controls that deter undesirable events form occurring.
2. Detective controls are reactive and detect undesirable events that have occurred. They provide
evidence after-the-fact that a loss or error has occurred, but do not prevent them from
occurring.
Examples are:
a. Bank reconciliation
b. Regular checks of physical inventory against book records of inventory (physical inventory
count)
c. Review organizational performance (such as a budget-to-actual comparison to look for any
unexpected differences)
d. Physical inventories (such as a cash or inventory count)
3. Corrective Controls are reactive designed to allow manual or automated correction of errors or
irregularities discovered by detective controls, including resolution or duplicate payment in cash
disbursement system, audit trails, backup and recovery procedures.
6. Directive controls are proactive that cause or encourage a desirable event to occur. Examples
are:
a. Operational manual
b. Guidelines
c. Training program
d. Incentive plans
5. Mitigating controls reduce the potential impact should an event occur. Insurance is a prime
example.
6. Compensating controls. These controls compensate for the lack of an expected control. For
example, close supervisory review may compensate for lack segregation of duties were a small
staff size makes proper segregation impractical.
7. Redundant or back controls duplicate a control objective or a secondary control that operates
only if a key control fails, for example, a spillover pool below a toxic substance holding tank.
2) Management override
Management override happens when, even in the presence of internal control procedures,
people who are in positions of power may intervene and somehow break those policies.
For example, ABC Co. has a policy that all purchase transactions must have proper purchase
requisition and approved purchase orders. Therefore, no purchase transaction can be executed
without these documents. However, Mr. X was able execute a purchase transaction without the
necessary purchase requisition and approved purchase order because he is the company’s
general manager.
This an example of management override of internal controls.
8) Human factors
Even when it appears that the internal control or accounting system is properly functioning,
unreliable financial statements or incorrect records may still happen because of human error.
Clerical errors often occur in the input process resulting to incorrect output. Human fatigue,
mistakes in judgement, incompetent personnel, and the like also contribute and thus, the
objectives of internal control or accounting system may not be achieved.
4) Cost-benefit considerations
The cost of establishing and implementing internal control should not exceed the benefits that
could be derived by the company.
No one will recommend an internal control system that cost a million to a sari-sari store. It is not worth
the price even if said internal control is effective.