Chapter 2 - IC - Lecture

Uploaded by

Nấm
8/23/2024

CHAPTER 6

Components of Internal Control

Internal Auditing: Assurance & Advisory Services, 4th Edition
© 2017 by the Internal Audit Foundation.

Chapter 2: Internal Control

LEARNING OBJECTIVES

◼ Overview of internal control framework.
◼ Describe 5 components of Internal Control.
◼ Evaluating the system of internal controls.


1.1. Overview of Internal Control

DEFINITION OF INTERNAL CONTROL

COSO broadly defines internal control as:


. . . a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and
compliance.


THE OBJECTIVES, COMPONENTS, AND PRINCIPLES OF INTERNAL CONTROL

COSO explains, “A direct relationship exists between objectives, which are
what an entity strives to achieve, components [and principles], which
represent what is required to achieve the objectives, and entity structure (the
operating units, legal entities, and other structures). The relationship can be
depicted in the form of a cube.”*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring
Organizations of the Treadway Commission, 2013), 5.



THE PRINCIPLES OF INTERNAL CONTROL

In addition to the five integrated components, COSO also defines 17
supporting principles representing the fundamental concepts associated with
each component of internal control.


INTERNAL CONTROL COMPONENTS

COSO indicates, “Supporting the organization in its efforts to achieve
objectives are five components of internal control:
▪ Control Environment
▪ Risk Assessment
▪ Control Activities
▪ Information and Communication
▪ Monitoring Activities

These components are relevant to an entire entity and to the entity
level, its subsidiaries, divisions, or any of its individual operating units,
functions, or other subsets of the entity.”*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 5.


1.2. Control Environment

DEFINITION

The control environment consists of the actions, policies, and
procedures that reflect the overall attitudes of top management,
directors, and owners of an entity about internal control and its
importance to the entity.
The control environment has five underlying principles:
◼ Integrity and ethical values
◼ Board of directors or audit committee participation
◼ Organizational structure
◼ Commitment to competence
◼ Accountability

The control environment sets the tone of an organisation, influencing
the control consciousness of its people.

◼ Complete the definition using the following words:
attitudes, importance, control environment, awareness, governance, actions, control

The [control environment] includes the governance and management functions
and the [attitudes], [actions] and [awareness] of those charged with
[governance] and management concerning the entity's internal [control] and
its [importance] in the entity.


INTEGRITY AND ETHICAL VALUES

Integrity and ethical values are the product of the entity’s
ethical and behavioral standards, as well as how they are
communicated and reinforced in practice. They include
management’s actions to remove or reduce incentives and
temptations that might prompt personnel to engage in
dishonest, illegal, or unethical acts. They also include the
communication of entity values and behavioral standards to
personnel through policy statements and codes of conduct.


BOARD OF DIRECTORS OR AUDIT COMMITTEE PARTICIPATION

◼ The board of directors is essential for effective corporate governance because it
has ultimate responsibility to make sure management implements proper internal
control. An effective board of directors is independent of management, and its
members stay involved in and scrutinize management’s activities. Although the
board delegates responsibility for internal control to management, the board must
exercise oversight of the design and performance of controls. In addition, an active
and objective board can reduce the likelihood that management overrides existing
controls.
◼ To assist the board in its oversight, the board creates an audit committee that is
charged with oversight responsibility for financial reporting. The audit committee is
also responsible for maintaining ongoing communication with both external and
internal auditors. This allows the auditors and directors to discuss matters that
might relate to such things as management integrity or the appropriateness of
actions taken by management.


ORGANIZATIONAL STRUCTURE

◼ The entity’s organizational structure defines the existing lines of
responsibility and authority. As shown in the COSO cube, the
organizational structure can consist of the entity level, divisions,
operating units, and functions within those units, and controls
operate at each of these levels.


[Figure: organization chart. Owners; Board of Directors; Audit Committee; Chief Executive Officer (CEO); Board of Management; Internal Audit; Business Unit Managers; V.P. Human Resources; V.P. Information Services; V.P. Ethics; Chief Financial Officer (CFO); Plant Managers; Controller; Treasurer; Plant Accountants]

COMMITMENT TO COMPETENCE

◼ Competence is the knowledge and skills necessary to accomplish
tasks that define an individual’s job. Commitment to competence
includes management’s consideration of the competence levels for
specific jobs and how those levels translate into requisite skills and
knowledge. If employees are competent and trustworthy, other
controls can be absent, and reliable financial statements will still
result. Incompetent or dishonest people can reduce the system to
a shambles, even if there are numerous controls in place. Honest,
efficient people are able to perform at a high level even when there
are few other controls to support them. However, even competent
and trustworthy people can have shortcomings.


ACCOUNTABILITY

◼ Management and the board of directors are responsible for
communicating expectations and holding individuals accountable
for internal control duties.
◼ The effectiveness of this process depends on the other
subcomponents.


1.3. Risk assessment

DEFINITION

◼ A process for identifying and analyzing risks that may prevent the
organization from achieving its objectives.

Entity’s risk assessment process


RISK ASSESSMENT PROCESS

◼ Objective Setting
Objectives should always be in line with the mission and vision of an
organization. COSO-ERM distinguishes four categories of objectives:
strategic objectives, operations objectives, reporting objectives and
compliance objectives. For certain objectives these categories can
overlap and different officers may be responsible for their realization.
◼ Event Identification
Risks can be defined as the probability that a critical event occurs and
negatively affects the achievement of objectives. Therefore, for
appropriate risk assessment, critical events need to be identified. Such
events may be caused by external (e.g. economic, political, social, or
technological) factors, or by internal factors (e.g. organizational
structuring, processes, personnel, or systems).

[Figure: McKinsey 7S Model]

◼ Risk Assessment
◼ Risk assessment involves estimation of the likelihood of a critical event
occurring and the impact of the occurrence of that event.
(Note: risk below the appetite level is accepted; risk above it is not
accepted.)


INHERENT RISK, CONTROLLABLE RISK, AND RESIDUAL RISK


▪ Controls: risk responses management takes to reduce the impact and/or likelihood
of threats to objective achievement.
▪ Risk appetite: the types and amount of risk, on a broad level, an organization is
willing to accept in pursuit of value.
▪ Acceptable variation in performance: the boundaries of acceptable outcomes
related to achieving a business objective.
▪ Controllable risk: that portion of inherent risk that management can directly
influence and reduce through day-to-day business activities.
▪ Residual risk: the portion of inherent risk that remains after mitigating all
controllable risks (note: the remaining risks that the measures above cannot
prevent).



Risk Response
▪ Acceptance. No action is taken to decrease risk impact or likelihood. The
organization is willing to accept the risk at the current level rather than spend
valuable resources deploying one of the other risk response options.
▪ Avoidance. A decision is made to exit or divest of the activities giving rise to the
risk. Risk avoidance may involve, for example, exiting a product line, deciding not
to expand to a new geographical market, or selling a division.
▪ Pursuit. Exploit the risk if taking such a risk is advantageous to the organization or
is necessary to achieve a particular business objective.
▪ Reduction. Action is taken to reduce the risk impact, likelihood, or both. This
involves a myriad of everyday business decisions, such as implementing controls.
▪ Sharing. The risk impact or likelihood is reduced by transferring or otherwise
sharing a portion of the risk. Common techniques include purchasing insurance
products, engaging in hedging transactions, or outsourcing an activity.

1.4. Control Activities

DEFINITION AND TYPES OF CONTROLS

◼ The policies and procedures that help ensure that necessary actions are
taken to address the risks to the achievement of the entity’s objectives.
◼ There are many types of controls that are used by an organization to
increase the likelihood that objectives will be met:
▪ Entity-level, Process-level, and Transaction-level Controls
▪ Key Controls and Secondary Controls
▪ Compensating Controls
▪ Preventive and Detective Controls
▪ Information Systems (Technology) Controls



ENTITY-LEVEL, PROCESS-LEVEL, AND TRANSACTION-LEVEL CONTROLS

▪ Entity-level Controls: A control that operates across an entire entity
and, as such, is not bound by, or associated with, individual
processes.
▪ Process-level Controls: An activity that operates within a specific
process for the purpose of achieving process-level objectives.
▪ Transaction-level Controls: An activity that reduces risk relative to
a group or variety of operational-level tasks or transactions within an
organization.


TYPES OF CONTROL

▪ Key control: An activity designed to reduce risk associated with a
critical business objective.
▪ Secondary control: An activity designed to either reduce risk
associated with business objectives that are not critical to the
organization’s survival or success or serve as a backup to a key
control.
▪ Compensating control: An activity that, if key controls do not fully
operate effectively, may help to reduce the related risk. A
compensating control will not, by itself, reduce risk to an acceptable
level.


▪ Preventive control is designed to deter unintended events from
occurring in the first place.
(Note: prevent an error occurring; the error has not happened yet.)
▪ Detective control is designed to discover undesirable events that
have already occurred. A detective control must occur timely (before
the undesirable event has had an unacceptably negative impact on
the organization) to be considered effective.
(Note: identify that an error has occurred and correct it.)


TYPES OF CONTROL ACTIVITIES

Control activities generally fall into the following five types:


1. Adequate separation of duties
2. Proper authorization of transactions and activities (establishment of
responsibility)
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance (Independent internal
verification)


SEGREGATION OF DUTIES
▪ Different individuals should be responsible for related activities.

Example: The responsibility for record-keeping for an asset should
be separate from the physical custody of that asset.


ADEQUATE SEPARATION OF DUTIES

There are four general guidelines for adequate separation of duties to
prevent both fraud and errors:
◼ Separation of the custody of assets from accounting
◼ Separation of the authorization of transactions from the custody of
related assets
◼ Separation of operational responsibility from record-keeping
responsibility
◼ Separation of IT duties from the user departments


PROPER AUTHORIZATION OF TRANSACTIONS AND ACTIVITIES

◼ Every transaction must be properly authorized if controls are to be
satisfactory. If any person in an organization could acquire or expend
assets at will, complete chaos would result.
◼ Authorization can be either general or specific. Under general
authorization, management establishes policies and subordinates are
instructed to implement these general authorizations by approving all
transactions within the limits set by the policy. General authorization
decisions include the issuance of fixed price lists for the sale of products,
credit limits for customers, and fixed reorder points for making
acquisitions.
◼ Specific authorization applies to individual transactions. For certain
transactions, management prefers to authorize each transaction


ADEQUATE DOCUMENTS AND RECORDS

◼ Prenumbered consecutively
◼ Prepared at the time a transaction takes place
◼ Designed for multiple use
◼ Constructed to encourage correct preparation


ANATOMY OF A FRAUD

To support their reimbursement requests for travel costs incurred, employees at
Mod Fashions Corporation’s design center were required to submit receipts. The
receipts could include the detailed bill provided for a meal, or the credit card
receipt provided when the credit card payment is made, or a copy of the
employee’s monthly credit card bill that listed the item. A number of the designers
who frequently traveled together came up with a fraud scheme: They submitted
claims for the same expenses. For example, if they had a meal together that cost
$200, one person submitted the detailed meal bill, another submitted the credit
card receipt, and a third submitted a monthly credit card bill showing the meal as
a line item. Thus, all three received a $200 reimbursement.

Total take: $75,000

The Missing Control

Documentation procedures. Mod Fashions should require the original, detailed
receipt. It should not accept photocopies, and it should not accept credit card
statements. In addition, documentation procedures could be further improved
by requiring the use of a corporate credit card (rather than a personal credit
card) for all business expenses.

PHYSICAL CONTROLS OVER ASSETS & RECORDS


ANATOMY OF A FRAUD

At Centerstone Health, a large insurance company, the mailroom each day
received insurance applications from prospective customers. Mailroom
employees scanned the applications into electronic documents before the
applications were processed. Once the applications are scanned they can be
accessed online by authorized employees. Insurance agents at Centerstone
Health earn commissions based upon successful applications. The sales agent’s
name is listed on the application. However, roughly 15% of the applications are
from customers who did not work with a sales agent. Two friends—Alex, an
employee in record keeping, and Parviz, a sales agent—thought up a way to
perpetrate a fraud. Alex identified scanned applications that did not list a sales
agent. After business hours, he entered the mailroom and found the hardcopy
applications that did not show a sales agent. He wrote in Parviz’s name as the
sales agent and then rescanned the application for processing. Parviz received
the commission, which the friends then split.

Total take: $240,000

The Missing Control

Physical controls. Centerstone Health lacked two basic physical controls that
could have prevented this fraud. First, the mailroom should have been locked
during nonbusiness hours, and access during business hours should have been
tightly controlled. Second, the scanned applications supposedly could be
accessed only by authorized employees using their passwords. However, the
password for each employee was the same as the employee’s user ID. Since
employee user-ID numbers were available to all other employees, all
employees knew all other employees’ passwords. Unauthorized employees
could access the scanned applications. Thus, Alex could enter the system
using another employee’s password and access the scanned applications.


INDEPENDENT CHECKS ON PERFORMANCE

▪ Records periodically verified by an employee who is independent.
▪ Discrepancies reported to management.

[Illustration: Comparison of segregation of duties principle with independent
internal verification principle]

ANATOMY OF A FRAUD

Bobbi Jean Donnelly, the office manager for Mod Fashions Corporation’s design
center, was responsible for preparing the design center budget and reviewing
expense reports submitted by design center employees. Her desire to upgrade
her wardrobe got the better of her, and she enacted a fraud that involved filing
expense-reimbursement requests for her own personal clothing purchases. She
was able to conceal the fraud because she was responsible for reviewing all
expense reports, including her own. In addition, she sometimes was given
ultimate responsibility for signing off on the expense reports when her boss was
“too busy.” Also, because she controlled the budget, when she submitted her
expenses, she coded them to budget items that she knew were running under
budget, so that they would not catch anyone’s attention.
Total take: $275,000
The Missing Control
Independent internal verification. Bobbi Jean’s boss should have verified her
expense reports. When asked what he thought her expenses were, the boss
said about $10,000. At $115,000 per year, her actual expenses were more than
ten times what would have been expected. However, because he was “too
busy” to verify her expense reports or to review the budget, he never noticed.
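
The two expense-report cases above (the same meal reimbursed three times, and an office manager reviewing her own reports) can both be caught by simple detective checks over the claims ledger. The sketch below is an added example, not part of the original slides; the record layout, field names, and sample claims are constructed for illustration.

```python
"""Detective checks over an expense-claims ledger (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumption: only the original itemized receipt counts as adequate evidence,
# mirroring the "Documentation procedures" control described in the case.
ACCEPTED_EVIDENCE = {"itemized_receipt"}


@dataclass(frozen=True)
class Claim:
    claim_id: str
    employee: str       # who asks for reimbursement
    approver: str       # who signed off on the claim
    expense_date: date
    merchant: str
    amount_cents: int   # integer cents avoid float rounding when matching amounts
    evidence: str       # "itemized_receipt", "card_receipt" or "card_statement"


def _merchant_key(name: str) -> str:
    """Normalize case and whitespace so 'BISTRO  NINE' matches 'Bistro Nine'."""
    return " ".join(name.lower().split())


def duplicate_expense_groups(claims):
    """Group claims that describe the same underlying expense.

    Two claims match when date, merchant and amount agree, whoever filed
    them and whatever document was attached.
    """
    groups = defaultdict(list)
    for c in claims:
        key = (c.expense_date, _merchant_key(c.merchant), c.amount_cents)
        groups[key].append(c.claim_id)
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def self_approved(claims):
    """Claims where submitter and approver are the same person."""
    return sorted(c.claim_id for c in claims
                  if c.approver.lower() == c.employee.lower())


def weak_evidence(claims):
    """Claims supported by anything other than the original itemized receipt."""
    return sorted(c.claim_id for c in claims
                  if c.evidence not in ACCEPTED_EVIDENCE)


# Constructed sample ledger: one $200 meal claimed by three travellers with
# three different documents, one ordinary claim, one self-approved claim.
SAMPLE_CLAIMS = [
    Claim("C-101", "designer_a", "office_mgr", date(2024, 3, 5),
          "Bistro Nine", 20000, "itemized_receipt"),
    Claim("C-102", "designer_b", "office_mgr", date(2024, 3, 5),
          "BISTRO  NINE", 20000, "card_receipt"),
    Claim("C-103", "designer_c", "office_mgr", date(2024, 3, 5),
          "bistro nine", 20000, "card_statement"),
    Claim("C-104", "designer_a", "office_mgr", date(2024, 3, 6),
          "Metro Taxi", 3500, "itemized_receipt"),
    Claim("C-105", "office_mgr", "office_mgr", date(2024, 3, 7),
          "Style House", 48000, "itemized_receipt"),
]

if __name__ == "__main__":
    print("duplicate groups:", duplicate_expense_groups(SAMPLE_CLAIMS))
    print("self-approved:   ", self_approved(SAMPLE_CLAIMS))
    print("weak evidence:   ", weak_evidence(SAMPLE_CLAIMS))
```

These checks are detective, not preventive: they only help if someone independent of the submitter and the approver reviews the flagged claims.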

1.5. Information & Communication

INFORMATION AND COMMUNICATION

◼ Information and communication are necessary to facilitate control. This
internal control component relates to recording transactions, matching
internal with external documents, confirmations from/to third parties,
communication of procedures and tasks, accountability and formal
management reports. Information should meet certain quality criteria to
facilitate proper control.
◼ Relevant, accurate, and timely information must be available to
individuals at all levels of an organization who need such information to
run the business effectively. Information must be provided to specific
personnel as appropriate to support achievement of their operating,
reporting, and compliance responsibilities.


◼ The purpose of an entity’s accounting information and communication
system is to initiate, record, process, and report the entity’s transactions
and to maintain accountability for the related assets. The underlying
principles related to information and communication stress the
importance of using relevant, quality information that is communicated
both internally and externally as necessary to support the proper
functioning of internal controls.
◼ Communications with external parties also are important and can
provide critical information on the functioning of controls. These parties
include, but are not limited to, customers, suppliers, service providers,
regulators, external auditors, and shareholders.


◼ There are many ways organizations can choose to communicate.
▪ Hardcopy forms of communication include manuals, memoranda, and
bulletin boards located in areas where individuals congregate.
▪ Communication also can take place in face-to-face meetings or
electronically through emails, intranet sites, video conferencing, or
electronic bulletin boards.


1.5. Monitoring

DEFINITION

As COSO indicates:
◼ Monitoring activities consist of ongoing evaluations built into business
processes at different levels of the entity [that] provide timely
information. Separate evaluations, conducted periodically, will vary in
scope and frequency depending on assessment of risks, effectiveness of
ongoing evaluations, and other management considerations.
◼ Findings are evaluated against criteria established by regulators,
standard-setting bodies or management and the board of directors, and
deficiencies are communicated to management and the board of
directors as appropriate.


◼ Monitoring activities are performed concurrently with those operations on
an ongoing basis. The more robust and comprehensive the supervisory
and verification procedures, the more confidence management can
place in the effectiveness of those procedures to ensure consistent and
reliable ongoing operations. With effective ongoing monitoring activities,
coupled with accurate and dependable risk assessments, the frequency
of separate evaluations may be reduced.


EFFECTIVENESS OF MONITORING
◼ The first layer includes the everyday activities performed by management of a given
area as described above.
◼ The second layer is a separate (non-independent) evaluation of the area’s internal
controls performed by management on a regular basis to ensure that any deficiencies
that exist are identified and resolved timely.
◼ The third layer is an independent assessment by an outside area or function, frequently
the internal audit function, performed to validate the results (accuracy and reliability) of
management’s self-assessment of the effectiveness of controls in their area. While the
internal audit function provides a valuable form of assurance, as described above, most
organizations have other groups that also provide some form of assurance. These
groups may provide assurance directly to the board, or communicate to members of
management who provide the assurance to the board. This layered approach provides
the organization with a higher level of confidence that the system of internal controls
remains effective and helps ensure internal control deficiencies are identified and
addressed timely.


1.5. Monitoring

EFFECTIVENESS OF MONITORING

◼ Embedding monitoring activities into processes performed during day-to-day
business operations allows monitoring activities to occur regularly,
catching problems before they become unmanageable. Separate
evaluations lack this advantage due to the timing of their performance,
which is later in the process, and because they are performed less
frequently. Separate evaluations provide for a supplemental look at the
system of internal controls, catch problems that might have been missed
during ongoing monitoring activities, and evaluate the effectiveness of the
ongoing monitoring activities embedded in the day-to-day activities of the
area. Despite the various advantages of the two different methods for
monitoring, both are needed for a robust monitoring process to exist.


1.5. Monitoring

EFFECTIVENESS OF MONITORING

◼ Management has primary responsibility for the effectiveness of the organization’s
system of internal controls, including monitoring activities. As responsibility for
performing certain controls rises in the organization to higher levels of
management, traditional supervisory monitoring becomes more challenging.
◼ Monitoring activities performed by subordinates in an organization are much less
effective than those performed by superiors. In those situations in which senior
management performs controls, it might be appropriate for other members of
senior management to monitor those controls. In cases that carry the risk of
management override, board-level monitoring might be necessary.
◼ Ultimately, the board of directors is responsible for overseeing whether
management has implemented an effective system of internal controls. This
responsibility is fulfilled by the board through an understanding of the risks to the
organization and by understanding how management mitigates those risks to an
acceptable level.

1.5. Monitoring

DEFICIENCY OF INTERNAL CONTROL

◼ Definition:
“A condition within an internal control system worthy of attention”
that may represent a perceived, potential, or real shortcoming, or
opportunity to strengthen the internal control system to provide a
greater likelihood that the entity’s objectives will be achieved.
(COSO 2013)
◼ Deficiencies in an organization’s system of internal controls might be
identified during the performance of either ongoing monitoring
activities or separate evaluations. COSO broadly defines a
deficiency as “a shortcoming in a component and relevant principle
that reduces the likelihood that the entity can achieve its objectives.”


1.5. Monitoring

DEFICIENCY OF INTERNAL CONTROL

◼ Deficiencies identified as a result of ongoing monitoring activities
and separate evaluations must be reported timely to the appropriate
parties within the organization.
◼ Depending on the impact a specific deficiency has on the potential
effectiveness of the system of internal controls, it should be reported
to business unit management, senior management, and/or the board
of directors. Reported deficiencies are important considerations in
the evaluation of the system of internal controls.


Chapter 2: Components of Internal Control

MONITORING


Chapter 2: Internal Control

EVALUATING THE SYSTEM OF INTERNAL CONTROLS

◼ Management is responsible for putting in place adequately designed and
effectively operating entity-level and activity-level controls to mitigate risks
associated with the achievement of business objectives in each of the three
COSO-defined categories: operations, reporting, and compliance.

◼ Internal auditors play a significant role in the verification that management has
met its responsibility. Initially, management performs the primary assessment of
internal controls using a formalized process developed for that purpose. The
internal audit function then independently validates management’s results.

◼ A report is typically submitted to the audit committee by either senior
management or the CAE outlining the results of management’s assessment
regarding the design adequacy and operating effectiveness of the organization’s
system of internal controls.

Chapter 2: Internal Control

EXERCISE 1

◼ An organization has a goal to prevent the ordering of inventory
quantities in excess of its needs. One individual in the organization
wants to design a control that requires a review of all purchase
requisitions by a supervisor in the user department prior to submitting
them to the purchasing department. Another individual wants to institute
a policy requiring agreement of the receiving report and packing slip
before storage of new inventory receipts. Which of these controls is
(are) relevant in achieving the stated goal? Explain your answer.


Chapter 2: Internal Control

EXERCISE 1

Answer:
◼ The control requiring a review of all purchase requisitions by a
supervisor in the user department prior to submitting them to the
purchasing department is superior because it is a means of control over
the number of items ordered. Conversely, the control requiring
agreement of the receiving report and packing slip would be more
appropriate for the risk of receiving an amount other than that ordered.


Chapter 2: Internal Control

EXERCISE 2

◼ Which of the following best exemplifies a control activity referred to as
independent verification?
a. Reconciliation of bank accounts by someone who does not handle cash
or record cash transactions.
b. Identification badges and security codes used to restrict entry to the
production facility.
c. Accounting records and documents that provide a trail of sales and cash
receipt transactions.
d. Separating the physical custody of inventory from inventory accounting.


Chapter 2: Internal Control

EXERCISE 3

◼ Reasonable assurance, as it pertains to internal control, means that:
a. The objectives of internal control vary depending on the method of data
processing used.
b. A well-designed system of internal controls will prevent or detect all
errors and fraud.
c. Inherent limitations of internal control preclude a system of internal
control from providing absolute assurance that objectives will be achieved.
d. Management cannot override controls, and employees cannot
circumvent controls through collusion.



Chapter 2: Internal Control

EXERCISE 4

◼ Who has primary responsibility for the monitoring component of internal
control?
a. The organization’s independent outside auditor.
b. The organization’s internal audit function.
c. The organization’s management.
d. The organization’s board of directors.


Chapter 2: Internal Control

EXERCISE 5

◼ The requirement that purchases be made from suppliers on an
approved vendor list is an example of a:
a. Preventive control.
b. Detective control.
c. Compensating control.
d. Monitoring control.
