internal control and control self assessment
Upcoming SlideShare
Loading in...5

internal control and control self assessment






Total Views
Views on SlideShare
Embed Views



1 Embed 8 8



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • The basic control objectives have been divided into the business cycle format for ease of implementation, reference, and subsequent evaluation. The control matrix shown below provides a general guideline for the processing of all transactions consistent with fundamental control criteria.
  • These control questions are segmented by purpose of control. Some controls are installed to prevent undesirable outcomes before they can happen.  Others are created to identify undesirable events as they happen and still others make sure that action is taken to undo the undesirable outcome or to see that they do not recur.  The following text defines three classes of controls.

internal control and control self assessment internal control and control self assessment Presentation Transcript

  • Internal Control andControl Self AssessmentPresented by CA Manoj AgarwalDecember 30, 2012, Thane CPE Study Circle of WIRC, ICAI
  • Disclaimer• All the contents of the presentation constitute the opinion of the speaker, and the speaker alone; they do not represent the views and opinions of the speaker’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the speaker is, or has been a part of. 2
  • Agenda• Internal Control• Control Self Assessment• Case Study• Q&A 3
  • DefinitionsInternal Auditing definition states the fundamental purpose, nature, andscope of internal auditing. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organizations operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes Internal control is defined by COSO ( as follows: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. 4
  • Internal ControlOn paraphrasing definition of Internal control, we get:1. Geared to the achievement of objectives in one or more separate but overlapping categories2. A process consisting of ongoing tasks and activities—it is a means to an end, not an end in itself.3. Effected by people - it is not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.4. Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board of directors.5. Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process 5
  • COSO Internal Control Framework• Objectives of Internal Control – Operational Objectives - Effectiveness and efficiency of operations – Reporting Objective - Reliability of reporting – Compliance Objectives - Compliance with applicable laws and regulations• Process – Policies (Management Statement what should be done) – Procedures (Actions that implement policies)• Process is managed through Planning, Executing (doing), Checking, amending (Planning Do Check Act) PDCA 5 Components of Internal Control Plan Control Environment Risk Assessment Do Control Activities Check Information &Communication Act Monitoring Activities 6
  • Principles of Internal Controls 7
  • Principles of Internal Controls-1Components PrinciplesControl 1. The organization demonstrates a commitment to integrity and ethicalenvironment values. 2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The Organization demonstrates a commitment to attract, develop, and retain competent individual in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. 8
  • Principles of Internal Controls-2Components PrinciplesRisk 6. The organization specifies objectives with sufficient clarity to enableAssessment identification and assessment of risks relating to objectives 7. The organization identifies risks to achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed. 8. The organization considers the potential of fraud in assessing risks to achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control.Control 10.Select and develops control activities that contribute to the mitigationActivities of risks to the achievement of objectives to acceptable levels. 11.Select and develops general control activities over technology to support the achievement of objectives. 12.Deploy control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies. 9
  • Principles of Internal Controls-3Components PrinciplesInformation and 13.The organization obtains or generates and uses relevant, qualityCommunication information to support the functioning of other components of internal control 14.The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other component of internal control. 15.The organization communicates to external parties regarding matters affecting the functioning of other components of internal controlMonitoring 16.The organization selects, develops and performs ongoing and/orActivities separate evaluations to ascertain whether the components of internal controls are present and functioning. 17.The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. 10
  • Principle Evaluation Template..1Principle Evaluation Template — Control EnvironnentControl Environment Principles Summary of Deficiencies/Notes/Other Controls Considerations (also record deficiencies in log below)1. Demonstrates Commitment to Integrity and Ethical Values—The organization demonstrates a commitment to integrity and ethical values.Sets the Tone at the Top—How do the board of directors and management at all levelsof the entity demonstrate through their directives, actions, and behavior the importanceof integrity and ethical values to support the functioning of the system of internalcontrol?Establishes Standards of Conduct—How are the expectations of the board of directorsand senior management concerning integrity and ethical values defined in the entity’sstandards of conduct and understood at all levels of the organization and by outsourcedservice providers and business partners?Evaluates Adherence to Standards of Conduct— What processes are in place to evaluatethe performance of individuals and teams against the entity’s expected standards ofconduct?Addresses Deviations in a Timely Manner—How are deviations of the entity’s expectedstandards of conduct identified and remedied in a timely and consistent manner?(Other entity specific points of focus, if any) 11
  • Principle Evaluation Template..2Principle Evaluation Template — Control EnvironnentDeficiencies Applicable to the PrincipleIdentificat Internal control deficiency Possible Impact on Evaluate preliminary deficiency List internal controlion No. description Principle severity: deficiencies related to (Consider whether other controls to another principle that effect this principle compensate for the may impact this internal control deficiency.) internal control deficiency Present? Functionin Preliminary Comments/ (Y/N) g? Severity— Compensating (Y/N) Is internal control Controls deficiency a major deficiency? (Y/N)Evaluate deficiencies within the principle:* <Explanation>Evaluate if any internal control deficiencies orcombination of internal control deficiencies,when considered within the principle,represent a major deficiency.**<Update Summary of Deficiencies Template asrequired>Evaluate the principle using judgment.** Y/N Explanation/ConclusionIs the principle present?Is the principle functioning?* Note: Record deficiencies in Summary of Deficiencies Template.** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioningand the overall system of internal control is not effective. 12
  • Controls Objectives Objectives Input Process OutputAuthorization Is the source authorized? Are the procedures approved? What was approved?Recording Is it accurate and Who does it? Is it accurate and complete? complete? When? Is there an audit trail? Is it timely? Are procedures followed? Is management review adequate? Is it documented? Is it recoverable? Does it balance? Is management review adequate?Safeguarding/ Who should control? Who can access it? Is it confidential?Security Are duties separated? Are duties separated? Who should have it?Verification Are sources proper? Are procedures followed complete? Are differences properly Are investigation and review of resolved? differences adequate? Is management review adequate?Existence/ Do policies and Are there procedures to create a Is the residual risk acceptablePlacement procedures define the control? according to the companys risk adequate level of Are controls adequate? tolerance? controls? Are controls placed in the most efficient part of the process? 13
  • Controls Objectives-Payroll - 1 Objectives Input Questions to be askedAuthorization Is the source authorized? Is the persons sending the inputs for payroll are authorizedRecording Is it accurate and Is person sends the correct and Complete Inputs? complete? Is it timely? Is inputs are send in a timely manner to ensure processing happens as per plan? Is it documented? Is there is evidence that inputs have been actually received from person specified?Safeguarding/ Who should control? Who should receive the inputs?Security Are duties separated? Is the person receiving the inputs is the person who process the payroll?Verification Are sources proper? How does we know that the person has actually taken information from correct source?Existence/ Do policies and Does all this is documented? Does the responsibility has beenPlacement procedures define the documented? adequate level of controls? 14
  • Controls Objectives – Payroll -2 Objectives Process Question to be askedAuthorization Are the procedures approved? Is the process / method to process payroll is approved?Recording Who does it? Does it can be established who has actually performed which job? When? Is there any audit trail which can establish that procedures are actually followed? Are procedures followed? Is it repeatable? Is it recoverable? Is management review adequate? Does some one has review the processing and is there an evidence which can confirm that review has been actually been performed?Safeguarding/ Who can access it? Who can access the location/ system/ office processing theSecurity information? Are duties separated? Is there SOD in place?Verification Are procedures followed Who verify that the process has been actually been followed? complete? Are investigation and review of In case of any exception has been observed , then whether the same differences adequate? has been taken to its logical conclusion and the same is documented.Existence/ Are there procedures to create a Is someone is responsible to ensure that process has been actuallyPlacement control? completed as specified? Are controls adequate? Is any controls have been put in place to ensure that process is happening as specified? Are these adequate? Are controls placed in the most Is control has been put in place to ensure optimum cost and benefit? efficient part of the process? 15
  • Controls Objectives – Payroll - 3 Objectives Output Question to be askedAuthorization What was approved? Is there an evidence that output of the process is authorized and accountability of person authorizing can be established?Recording Is it accurate and How is it ensures that output is accurate and complete? complete? Is there an audit trail? Is there an audit trail of process of ensuring the completeness of output? Is management review Is there adequate management review? adequate? Does it balance? Does output matches with input to ensure that output is proper?Safeguarding/ Is it confidential? Is there any guideline defined regarding who should have access theSecurity Who should have it? output and to what extent?Verification Are differences properly In case of any differences observed in management review or a question resolved? raised in review, the same has been resolved properly with audit trail? Is management review adequate?Existence/ Is the residual risk What is the risk observed and not (insured/controlled) and is thatPlacement acceptable according to acceptable to company? Is there any document evidencing acceptance? the companys risk tolerance? 16
  • Control Types• Preventative Controls: are installed to stop • Segregation of duties to prevent undesirable outcomes before they can occur. These intentional wrongdoing, types of controls are typically the most cost-effective • Proper authorization to prevent controls because they avoid the cost of improper use of organizational correction. E.g. resources, • Adequate documentation and• Detective Controls: are necessary to measure the records to deter improper effectiveness of the preventive controls. While some transactions, errors cannot be effectively controlled through • Physical control over assets to preventative controls, they must be detected as they prevent their improper occur. E.g. conversion or use.• Corrective Controls: are necessary, for they correct • Reviews and comparisons of the identified deficiency and therefore deter it from records, occurring again. Documentation and reporting • Independent check on systems are developed to identify undesirable performance, • Bank reconciliations, outcomes and keep problems under management’s confirmation of bank purview until they can be solved or the defect can be balances, cash counts, corrected. • Computerized techniques Ref: Marks on Governance ( such as transaction limits and passwords. 17
  • What is CSA?Control Self Assessment• A set of techniques used to assess risk, control strength, and control weaknesses utilizing a control framework. The self refers to the involvement of management and staff in the assessment process often facilitated by internal auditors• to analyze, within a chosen control framework, the obstacles and strengths which affect their ability to achieve their key business objectives, and• to decide upon appropriate action. 18
  • CSA Rationale• Responsibility for controlling risk belongs to management and all employees• People are the most important control factor• Most employees are honest, competent, and want their organization to succeed• People are far more likely to embrace needed changes if they are involved in the assessment process• Helps employees understand control 19
  • When do you want to use CSA?• New work processes/projects• New organizations – to identify the risk exposures and required controls• Reorganizations• Management / Employee turnover – to identify where risks are – to create understanding for business objectives – to assess how risks are changing – to put emphasis on highest priority risks and controls• Processes that cross over into other work groups – to get to the root cause of problems – helps bring groups together – participants learn how their activities interrelate – collaborative problem solving 20
  • CSA - GOALS & OBJECTIVES• Provide a forum for participants (stakeholders) to: – Conduct an assessment of risks and controls. – Develop recommendations for improvement. – Enhance their ability to achieve objectives. – Increase communication with the Unit. – Improve the efficiency and effectiveness of operations. 21
  • Benefits of CSA• Honest feedback on control environment communication and monitoring• Ability to discuss and explore areas of concern to determine reasons and root causes of concern• Ability to obtain an understanding of the degree of concern among participants• Development of recommendations by employees in the Unit• Buy-in/Ownership of Recommendations 22
  • Case Study Case Study 24
  • Q&AManoj Agarwalmanojbagarwal@gmail.com9820392252 25