A High Level Perspective
• There are several types of internal control, and each
organisation will use some or all of these, to a greater or lesser
extent. Some organisations have more extensive and more
effective controls than others.
• Internal controls are applied to prevent adverse events from
happening or to detect failures in control when they occur. A
useful and common method of categorising internal controls is
to analyse them into three categories:
1. Financial controls.
2. Operational controls.
3. Compliance controls
Standard Internal control system
• An internal control system consists of a ‘control
environment’ and control procedures.
• A useful definition of internal control was given by the US
Committee Of Sponsoring Organizations (COSO).
• The COSO Framework defines internal control as the
achievement of objectives’ in the following three categories
1. Reliability of financial reporting (through financial
2. Effectiveness and efficiency of operations (through
3. Compliance with relevant laws and regulations (through
The COSO Framework elements -1
A control environment:
• The control environment sets the tone of an organization,
influencing the control consciousness of its people.
• It is the foundation for all other components of internal
control, providing discipline and structure.
• Control environment factors include the integrity, ethical
values and competence of the entity's people,
management's philosophy and operating style, the way
management assigns authority and responsibility, and
organizes and develops its people; and the attention and
direction provided by the board of directors.
The COSO Framework elements -2
Risk identification and assessment:
• Every entity faces a variety of risks from external and
internal sources that must be assessed. A precondition to
risk assessment is establishment of objectives, linked at
different levels and internally consistent.
• Risk assessment is the identification and analysis of
relevant risks to achievement of the objectives, forming a
basis for determining how the risks should be managed.
• As economic, industry, regulatory and operating
conditions will continue to change, mechanisms are
needed to identify and deal with the special risks
associated with change 5
The COSO Framework elements -3
• Policies and procedures that help ensure management
directives are carried out.
• These policies & procedures help ensure that necessary
actions are taken to address risks towards achievement of
the entity's objectives.
• Control activities occur throughout the organization, at all
levels and in all functions. They include a range of
activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating
performance, security of assets and segregation of duties.
The COSO Framework elements -4
Information and communication:
• Pertinent information must be identified, captured and
communicated in a form and timeframe that enable people to
carry out their responsibilities.
• Information systems produce reports, containing operational,
financial and compliance-related information, that make it
possible to run and control the business. They deal not only with
internally generated data, but also information about external
events, activities and conditions necessary to informed business
decision-making and external reporting.
• Effective communication also must occur in a broader sense,
flowing down, across and up the organization. All personnel must
receive a clear message from top management that control
responsibilities must be taken seriously. They must understand
their own role in the internal control system, as well as how
individual activities relate to the work of others.
• Effective communication with external parties, such as customers,
suppliers, regulators and shareholders is required
The COSO Framework elements - 5
• Internal control systems need to be monitored--a process that
assesses the quality of the system's performance over time.
• Monitoring is accomplished through on-going monitoring
activities, separate evaluations or a combination of the two.
• On-going monitoring occurs in the course of operations. It
includes regular management and supervisory activities, and
other actions personnel take in performing their duties.
• The scope and frequency of separate evaluations will depend
primarily on an assessment of risks and the effectiveness of on-
going monitoring procedures.
• Internal control deficiencies should be reported upstream, with
serious matters reported to top management and the board.
1. Internal Control is a process. It is a mean to an end not an
2. Internal control is not merely a policy manual and forms but
it is the assurance of effective and efficient implementation
of those manuals.
3. Internal control can be expected to provide only reasonable
assurance not an absolute assurance of the implemented
4. Internal control is geared to the achievement of the
objectives in one or more overlapping categories.
• Financial controls relates to the preparation of reliable
published financial statements, including interim and
condensed financial statements and selected financial data
derived from such statements, such as earnings releases,
• Financial controls are designed to ensure that:
− There are no errors in the preparation of accounting records
and financial statements.
− No fraud is committed (there may be controls for detecting
fraud when it occurs , as well as controls that try to prevent
fraud from being able to occur).
− Assets of the company are not stolen, lost or damaged. 10
• Operational controls addresses the company 's basic business
objectives, including performance and profitability goals and
safeguarding of resources.
• Operational controls are designed to prevent failures in
operational procedures, or to detect and correct operational
failures if they do occur. Operational failures may be caused
− Program breakdowns (total breakdown or in certain
− Failures in the performance of systems.
− Weaknesses in procedures / process execution.
− Poor management such as no planning, monitoring,… 11
• Compliance controls ensure that the company complies with
the most significant laws, rules and regulations.
• The most significant regulations for a company vary according
to the nature of its business, (i.e. compliance with health and
safety regulations, in the case of banks money laundering
Regulations Who Needs to
HIPAA US healthcare
partners all over the
Creating, storing and
All major "Best
Practice Safety "
(SOX) & Accounting
US public companies
and partners over the
Defined to secure the
corporate fraud and
All major "Best
Practice Financial "
(Also Covered by
Merchants who take
Privacy of Customer
Varies by size of
Best Practices plus
3rd Party Quality
Establishing internal control system – (1)
• The board of directors is responsible for maintaining a sound system
of internal control.
• They should set appropriate policies on internal control & seek
regular assurance to satisfy that the system is operating effectively.
• In deciding the policies for internal control and assessing what
constitutes an effective system of internal control, the board should
consider the following factors:
1. The nature and extent of the risks facing the company;
2. The extent and categories of risks that the board regards as
acceptable for the company to bear.
3. The likelihood that the risks will materialise.
4. The company’s ability to reduce the incidence and impact on the
business of the risks that do materialise.
5. The costs of operating particular controls relative to the benefits
to be obtained from managing the risks they control. 14
The internal control system should:
1. Be embedded in the operations of the company and form
part of its culture.
2. Be capable of responding quickly to risks which the
business may face as they emerge and develop.
3. Include procedures for reporting immediately to the
management responsible of control failings and any
corrective action that should be undertaken.
Establishing internal control system – (2)
Internal audit overview
• Internal audit is defined as an independent appraisal activity
established within an organisation as a service to it. It is a
control which functions by examining and evaluating the
adequacy and effectiveness of other controls.
• If the board of directors and the audit committee do not have
the time to carry out a detailed review themselves, and they
can rely on information provided to them by internal auditors
• Internal auditors may be full-time employees of the company
or external professionals appointed by the company to carry
out specific investigations.
• There must be a system for monitoring and review by higher
The possible tasks of internal audit –(1)
1. Reviewing the internal control system. Traditionally, an
internal audit department would carry out checks on the
financial controls in an organisation. The checks would be to
establish whether suitable financial controls exist and if so,
whether they are applied properly and are effective. It is not
the function of internal auditors to manage risks, only to
monitor and report them, and to check that risk controls are
efficient and cost-effective.
2. Special investigations. Internal auditors might conduct
special investigations into particular aspects of the
organisation’s operations (systems and procedures), to check
the effectiveness of operational controls.
The possible tasks of internal audit –(2)
3. Examination of financial and operating information.
Internal auditors might be asked to investigate the timeliness
of reporting and the accuracy of the information in reports.
4. Value for money (VFM) audits. This is an investigation
into an operation or activity to establish whether it is
economical, efficient and effective.
5. Reviewing compliance by the organisation with particular
laws or regulations. This is an investigation into the
effectiveness of compliance controls..
6. Risk assessment. Internal auditors might be asked to
investigate aspects of risk management, and in particular the
adequacy of the mechanisms for identifying, assessing and
controlling significant risks to the organisation, from both
internal and external sources.
7. Internal auditors might be involved in providing continuous
support to the risk management process. If a company has
established a risk oversight committee with responsibility for
the oversight and reporting of risks, a senior internal auditor
might be one of the committee members. The internal audit
department might even have responsibility for coordinating
risk management within the company, and reporting to the
board or audit committee about risks on a company-wide
The possible tasks of internal audit –(3)
Investigation of internal controls
Internal auditors are commonly required to check the soundness of
internal financial controls. In assessing the effectiveness of individual
controls, and of an internal control system generally.
• Factors to be considered:
1. Automated controls are by no means error- or fraud-proof, but
may be more reliable than similar manual controls.
2. Non-discretionary controls are checks and procedures that must
be carried out. Discretionary controls are those that do not have
to be applied, either because they are voluntary or because an
individual can choose to dis-apply them.
3. Finding if the controls extensive enough or carried out
frequently enough ? Are the controls applied rigorously? For
example, is a supervisor doing his job properly? (to check
whether the controls are effective in achieving their purpose) 20