Basic Concepts and Elements of Internal Control


Overview

Companies establish goals and objectives and then assess the risks to achieving those objectives. In response to the assessed risk, the company may design and implement internal control to obtain reasonable assurance that the objectives will be achieved.

Internal control pertains to actions that foster the best result for an organization.

Control is defined as any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Internal control is the process designed, implemented and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Course Objectives

After studying this module, you should be able to
  • Define and describe control and different types of controls
  • Describe the COSO’s Internal Control – Integrated Framework
  • Describe alternative internal control frameworks such as the CoCo Model
  • Explain the five components of internal control
Course Materials

COSO explained that its definition of internal control reflects certain fundamental concepts. Internal control is:
  • Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
  • A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
  • Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
  • Able to provide reasonable assurance—but not absolute assurance, to an entity’s senior management and board of directors
  • Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process
According to COSO, internal control has three objectives:

Operations objectives – related to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.

Reporting objectives – related to internal and external financial and non-financial reporting to stakeholders, which would encompass reliability, timeliness, transparency, or other terms as established by regulators, standard setters, or the entity’s policies.

Compliance objectives – related to adhering to laws and regulations that the entity must follow.

Internal control cannot provide absolute assurance about the achievement of an entity's objectives; it can only provide reasonable assurance. Limitations may result from:
  • the suitability of the objectives established as a precondition to internal control
  • the reality that human judgment in decision making can be faulty and subject to bias
  • breakdowns that can occur because of human failures such as simple errors
  • the ability of management to override internal control
  • the ability of management, other personnel, and/or third parties to circumvent controls through collusion
  • external events beyond the organization’s control

Classification

As to scope. Some controls are designed to operate at a high level while others apply to specific processes or transactions. Entity-level controls apply to the entire organization and are designed both to ensure that organizational objectives are achieved and to mitigate risks that threaten the organization as a whole. Process-level controls are established by a process owner to ensure that the objectives of the process are achieved and that process-level risks are addressed. Transaction-level controls are specific to individual transactions. They exist to ensure that the objectives of the transactions are achieved and that transaction-specific risks are addressed.

As to importance. Key controls (primary controls) are those that must operate effectively to reduce a significant risk to an acceptable level. Secondary controls help processes run smoothly but are not essential.

As to function (or approach). Preventive controls are proactive controls that deter undesirable events from occurring. Detective controls are reactive controls that detect undesirable events that have occurred. Corrective controls are reactive controls designed to allow manual or automated correction of errors or irregularities discovered by detective controls. Directive controls are proactive controls that cause or encourage a desirable event to occur. Mitigating controls reduce the potential impact should an event occur. Compensating controls compensate for the lack of an expected control.

As to how operated. An active or manual control (people-based) implies a task that prevents or detects a deviation from approved procedure. A passive or automated control (system-based) operates without human intervention.

As to objective. Administrative controls are concerned with achieving the objectives of the organization and with implementing policies. Accounting controls aim to provide accurate accounting records and to achieve accountability.

As to financial and non-financial controls. Financial controls focus on the key transaction areas, with the emphasis being on the safeguarding of assets and the maintenance of proper accounting records and reliable financial information. Non-financial controls tend to concentrate on wider performance issues.

As to discretion. Discretionary controls are controls that, as their name suggests, are subject to human discretion. Non-discretionary controls are provided automatically by the system and cannot be bypassed, ignored or overridden.

As to imposition. Voluntary controls are chosen by the organization to support the management of the business. Mandated controls are required by law and imposed by external authorities.

As to timing. Feedback controls report information about completed activities. Concurrent controls adjust ongoing processes.

Internal Control in Smaller Entities

Controls relevant to a large entity may be neither practical nor appropriate for a small company. Smaller entities often have fewer employees, which may limit the extent to which segregation of duties is practicable.

In a small owner-managed entity, the owner-manager may exercise effective oversight, and his or her day-to-day involvement may compensate for the lack of segregation of duties. This involvement should encompass physical, authorization, arithmetical and accounting controls as well as supervision. However, the owner-manager may be more able to override controls because the system of internal control is less structured.

Where the manager is not the owner, the manager may not possess the same degree of commitment to the running of the entity as an owner-manager would.

Internal Control Framework

A control framework is a recognized system of concepts encompassing all elements of internal control. 

Several bodies have published control frameworks that provide a comprehensive means of ensuring that the organization has considered all relevant aspects of internal control.
  • United States. Internal Control – Integrated Framework, published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (named for James C. Treadway, its first chairman)
  • Canada. Guidance on Control (commonly referred to as CoCo based on its original title Criteria of Control), published by the Canadian Institute of Chartered Accountants (CICA).
  • United Kingdom. Internal Control: Guidance for Directors on the Combined Code (commonly referred to as the Turnbull report after Nigel Turnbull, chair of the committee that drafted the report), published by the Financial Reporting Council (FRC) of the UK and re-released as Internal Control: Revised Guide for Directors on the Combined Code.
  • The UK Committee on the Financial Aspects of Corporate Governance (known informally as the Cadbury Committee after its chairman Sir Adrian Cadbury) issued its report at about the same time as the Treadway Commission in the U.S.; its report was blended with the reports of two other organizations. The resulting Combined Code includes such recommendations for sound governance as requiring that the CEO and chairperson be separate individuals.
  • Information technology. COBIT is the best-known framework specifically for IT controls. When originally published, COBIT was an acronym for Control Objectives for Information and Related Technology.
  • Electronic Systems Assurance and Control (eSAC), published by the Institute of Internal Auditors Research Foundation, is an alternative control model for IT.
COSO’s Internal Control – Integrated Framework

The COSO’s Internal Control – Integrated Framework sets out seventeen principles representing the fundamental concepts associated with each component. Because these principles are drawn directly from the components, an entity can achieve effective internal control by applying all principles. All principles apply to operations, reporting, and compliance objectives.

Control environment
  • Demonstrates commitment to integrity and ethical values
  • Exercises oversight responsibility
  • Establishes structure, authority, and responsibility
  • Demonstrates commitment to competence
  • Enforces accountability.
Risk assessment
  • Specifies suitable objectives
  • Identifies and analyzes risk
  • Assesses fraud risk
  • Identifies and analyzes significant change
Control activities
  • Selects and develops control activities
  • Selects and develops general controls over technology
  • Deploys control activities through policies and procedures
Information and communications
  • Uses relevant information
  • Communicates internally
  • Communicates externally
Monitoring activities
  • Conducts ongoing and/or separate evaluations
  • Evaluates and communicates deficiencies
Control Environment

Control environment is the foundation for a sound system of internal control. It forms the core of any organization.

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

Under the 2013 Framework, the Control Environment’s five principles are the following:
  • The organization demonstrates a commitment to integrity and ethical values.
  • The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
  • The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Entity's Risk Assessment Process

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management also considers the suitability of the objectives for the entity and the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

The four principles relating to Risk Assessment are:
  • The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  • The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  • The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities

Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.

Principles related to the control activities component include:
  • The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • The organization selects and develops general control activities over technology to support the achievement of objectives.
  • The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Management develops various types of control activities to mitigate risks, including:
  • Authorizations and approvals
  • Verifications
  • Physical controls
  • Controls over standing data
  • Reconciliations
  • Supervisory controls
  • Performance reviews

Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

Segregation implies a number of people being involved in the accounting process. Segregation of duties is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.

The key functions that should be segregated are:
  • Authorizing a transaction
  • Recording that transaction in the accounting records, preparing source documents, and maintaining journals
  • Keeping physical custody of the related assets that arise from the transaction (for example, receiving checks in the mail)
  • Periodically reconciling the physical assets to the recorded amounts for those assets
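The segregation-of-duties check described above, as an added example that is not part of the course text: it scans a constructed transaction log and reports any person who performed two or more of the four segregated duties on the same transaction, which is the position from which someone could both perpetrate and conceal an error or fraud. The names, amounts and field labels are assumptions.

```python
# Added example (not from the course text): flag segregation-of-duties
# conflicts in a constructed log of transactions. The four duties are the
# ones listed above; one person holding two or more of them on the same
# transaction is reported.
from collections import defaultdict

DUTIES = ("authorized_by", "recorded_by", "custody_by", "reconciled_by")

# Constructed sample data; names and amounts are illustrative only.
TRANSACTIONS = [
    {"id": "T-1001", "amount": 4200.00, "authorized_by": "alice",
     "recorded_by": "bob", "custody_by": "carol", "reconciled_by": "dave"},
    {"id": "T-1002", "amount": 980.50, "authorized_by": "bob",
     "recorded_by": "bob", "custody_by": "carol", "reconciled_by": "dave"},
    {"id": "T-1003", "amount": 15000.00, "authorized_by": "alice",
     "recorded_by": "erin", "custody_by": "erin", "reconciled_by": "erin"},
]


def sod_conflicts(transactions):
    """Return {txn_id: {person: [duties]}} for every person who performed
    more than one of the segregated duties on a single transaction."""
    report = {}
    for txn in transactions:
        by_person = defaultdict(list)
        for duty in DUTIES:
            by_person[txn[duty]].append(duty)
        clashes = {p: d for p, d in by_person.items() if len(d) > 1}
        if clashes:
            report[txn["id"]] = clashes
    return report


def duty_pairs_by_person(transactions):
    """Summarise which incompatible duty pairs each person combined anywhere
    in the log; useful when reviewing where a compensating control (such as
    owner-manager oversight) has to apply."""
    pairs = defaultdict(set)
    for clashes in sod_conflicts(transactions).values():
        for person, duties in clashes.items():
            for i, a in enumerate(duties):
                for b in duties[i + 1:]:
                    pairs[person].add((a, b))
    return dict(pairs)


if __name__ == "__main__":
    for txn_id, clashes in sod_conflicts(TRANSACTIONS).items():
        for person, duties in clashes.items():
            print(f"{txn_id}: {person} performed {', '.join(duties)}")
```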
Control activities over technology consist of general IT controls and transaction (application) controls.

General IT controls are entity-level controls that relate to many applications and support the effective functioning of application controls.

Application controls or technical controls are process or transaction level controls that are usually specific to a given application but may also control larger technical processes such as system access rights. Application controls are sometimes grouped by common function:
  • Input controls verify the integrity of data as it is manually or automatically entered into a system. For example, a control total might verify that the proper number of records is entered.
  • Processing controls check that data processing tasks are accurate, complete, and valid. For example, a control total might be compared at various processing points.
  • Output controls verify that the data outputs are accurate, complete, and valid. An example is a control to ensure that output is being sent to and received by the intended recipient and not by another person or system.
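The control totals described in the three bullets above, as an added example that is not part of the course text: a constructed payment batch carries a header with the record count and amount total the submitter computed; the input control recomputes them from the records received, the processing control re-derives them from the ledger entries produced, and the output control checks the destination against the recipient named in the header. The batch layout and field names are assumptions.

```python
# Added example (not from the course text): control totals applied at the
# input, processing and output stages of a constructed payment batch.
from decimal import Decimal

# Constructed sample batch; the header totals are what the sender claims.
BATCH = {
    "header": {"batch_id": "B-77", "record_count": 3,
               "amount_total": Decimal("1250.00"), "recipient": "ledger"},
    "records": [
        {"ref": "P-1", "payee": "ACME", "amount": Decimal("500.00")},
        {"ref": "P-2", "payee": "Globex", "amount": Decimal("250.00")},
        {"ref": "P-3", "payee": "Initech", "amount": Decimal("500.00")},
    ],
}


def control_totals(records):
    """Record count and amount (hash) total for a list of records."""
    return len(records), sum((r["amount"] for r in records), Decimal("0"))


def input_control(batch):
    """Input control: compare the header's claimed totals with the records
    actually received; an empty list means the batch passed."""
    count, total = control_totals(batch["records"])
    hdr = batch["header"]
    errors = []
    if count != hdr["record_count"]:
        errors.append(f"count {count} != header {hdr['record_count']}")
    if total != hdr["amount_total"]:
        errors.append(f"total {total} != header {hdr['amount_total']}")
    return errors


def post_entries(records):
    """Processing step: turn each payment into one ledger entry."""
    return [{"ref": r["ref"], "debit": r["amount"]} for r in records]


def processing_control(records, entries):
    """Processing control: totals recomputed after the step must equal the
    totals of the input, so a dropped or duplicated record is caught."""
    in_count, in_total = control_totals(records)
    out_total = sum((e["debit"] for e in entries), Decimal("0"))
    return in_count == len(entries) and in_total == out_total


def output_control(batch, destination):
    """Output control: output goes only to the recipient named in the header."""
    return destination == batch["header"]["recipient"]
```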
Information and Communication

The information and communication component of internal control supports all of the other components. The principles related to the information and communication component include:
  • The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  • The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  • The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring

Monitoring activities assess whether each of the five components is present and functioning. The two principles related to the monitoring component are:
  • The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  • The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
References

Reading materials you may use in this course are the following: