2. Types of Internal Controls
Internal control activities are usually classified into
three types:
1. preventive controls;
2. detective controls; and
3. corrective controls.
3. Preventive Controls
Internal controls designed to prevent
undesirable outcomes from occurring are
referred to as preventive controls.
Examples include:
Physical control over cash by locking it in a safe-box
Visible cameras can also be used to discourage
potential attackers.
The use of passwords (PW) to stop unauthorized
access to systems/applications.
4. Preventive Controls Continued
Supervision of staff, i.e. instructing, monitoring and
observing the employees while they are doing their jobs;
Employing trustworthy staff by investigating their
background prior to employment;
Employing competent staff by examining their
educational certification;
Proper authorization (approvals) of transactions to
prevent improper use of resources. This can include
approvals for making payments.
5. Detective Controls
Internal controls designed to identify the
undesirable outcomes after or when they occur
are referred to as detective controls.
Examples include:
•A CCTV camera: A manager can look at the clerk's
actions or at customers to detect potential theft
•Comparing the value of inventory shown in the records
with the value of inventory obtained during a physical count.
•A verification for ensuring that computer users
change their password regularly
6. Detective Controls Continued
An access log and an alert system can quickly detect
and notify management of attempts by employees or
outsiders to access unauthorized information or parts
of a building.
• When the detective control identifies a departure
from standard, it sounds an alarm to attract attention
to the problem so that it can be corrected
•Comparing the actual price paid for purchases, with
the standard cost
7. Corrective Controls
Corrective controls are designed to rectify
irregularities that have been detected by detective
controls.
They are actions taken to reverse the effects of
detected irregularities.
They begin when an irregularity occurs and is detected
and keep the "attention" on the problem until
management can correct the defect.
They restore the system or process back to the state
prior to a damaging event. They help eliminate or
reduce damage once a risk has materialized
8. Examples of Corrective Controls include:
Restore data from backup following a failure;
Incorrect invoices adjusted and resubmitted
Submit corrective journal entries after discovering an
error;
Rectifying transposition errors after being identified
by IT application control
training and can be revised to prevent future errors
and irregularities
Modify the processing system(s) to minimize future
occurrence of the problem.
9. Detective vs. Corrective Controls
There is a very significant distinction between
detective controls and corrective controls.
Detective controls identify irregularities and draw
attention to them whereas corrective controls actually
correct (fix) the problem.
For any detected irregularity, however, there may be
more than one possible corrective action, but the best
course of action may not always be obvious.
10. Detective and Corrective Continued
Linking a corrective action to a detected irregularity
as an automatic response may result in an incorrect
action that causes a worse problem than the original
irregularity.
For this reason, irregularity correction should be
viewed as a separate control step that should be taken
cautiously.
11. Limitations of Internal Control
No matter how well internal control is designed and
operated, it can only provide reasonable assurance
regarding the achievement of an entity’s financial
reporting objectives.
The likelihood of achieving corporate objectives is
affected by limitations inherent in internal control
systems.
This is due to the fact that human judgment in
decision-making can be faulty, and that breakdowns
in internal controls can occur due to human failures.
12. Internal Controls Continued
For example,
1. Personnel may misunderstand instructions and thus
make judgment mistakes.
2. Personnel may commit errors due to carelessness,
distraction, sickness or fatigue.
3. An accounting department supervisor responsible for
investigating exceptions might simply
forget or fail to pursue the investigation far enough
to be able to make appropriate corrections.
4. System changes may be implemented before
personnel have been trained to react appropriately to
signs of incorrect functioning. Additionally:
13. 5. Controls can be circumvented by the collusion of two
or more people.
Individuals acting collectively to perpetrate and conceal
an action from detection often can alter financial and
other management information in a manner that cannot
be identified by the control system.
6. Management can override the internal control
system.
The term “management override” is used to mean
overruling prescribed policies with the intent of
personal gain or an enhanced presentation of financial
condition, for example to increase reported revenue to
cover an unanticipated decrease in market share.
14. 7. The need to consider controls’ relative costs and
benefits. Resources always have constraints, and
entities must consider the relative costs and benefits
of establishing controls.
Unfortunately, some people have greater, and
unrealistic, expectations of internal control.
They believe that internal control can absolutely
ensure achievement of business objectives or, at least,
ensure survival.
Others believe that internal control can ensure the
reliability of financial reporting and compliance with
laws and regulations. These beliefs are not warranted.
15. Even effective internal control can only help an entity
achieve these objectives. It can provide management
information about the entity’s progress.
But internal control cannot change an inherently poor
manager into a good one.
An internal control system, no matter how well
designed and operated, can only provide reasonable,
but not absolute assurance regarding the achievement
of an entity’s objectives.
The likelihood of achievement is affected by limitations
inherent in all internal control systems discussed
above. Thus, while internal control can help an entity
achieve its objectives, it is not a panacea (cure all).
16. Internal control is a process, effected by an entity's
board of directors, management and other personnel,
designed to provide reasonable assurance that:
•The information is reliable, accurate and timely
•The entity complies with applicable laws,
regulations, contracts, policies and procedures.
The International Auditing and Assurance Standards
Board (IAASB) is responsible for setting the
International Standards on Auditing (ISAs).
The IAASB identifies five components of an effective
internal control system. They are as follows:
(1)Control Environment;
17. (2) The entity’s risk assessment process
(3) Control activities relevant to the audit
(4) The information system, including the related
business processes, relevant to financial
reporting, and communication and
(5) Monitoring of controls
Similarly, the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO) 2013 Internal Control—Integrated
Framework identifies five components of the
internal control structure.
18. 1. The Control Environment
The control environment is the foundation for all other
components of internal control, providing discipline
and structure.
The importance of internal control to the entity is
reflected in the overall attitude and actions of
management:
through those charged with governance [e.g. board of
directors (BOD)] and
owners with regard to control provided by the BOD
19. Control Environment Continued
The core of any business is its people, that is, their
individual attributes such as:
integrity, ethical values and competence of the entity’s
people;
management’s philosophy and operating style;
the way management assigns authority and
responsibility, and organises and develops its people;
and
the attention and direction provided by the board of
directors
20. Auditors consider the control environment as the most
important component of the internal control structure.
The effect of weakening this component is that
auditors will assess the overall internal control
structure as less reliable.
Principle 1, related to the control environment of internal
control, provides that “the organization should demonstrate a
commitment to integrity and ethical values.” Discuss
this principle under the following points:
Sets the Tone at the Top; Establishes Standards of
Conduct; Evaluates Adherence to Standards of
Conduct and Addresses Deviations in a Timely Manner
21. 2. Risk Assessment
Every entity faces a variety of risks from external and
internal sources.
Risk is defined as the possibility that an event will
occur and adversely affect the achievement of
objectives.
The entity must, therefore, be aware of and deal with its
risks effectively.
It must establish mechanisms to identify, analyze and
manage the related risks.
There is no practical way to reduce risk to zero.
22. Risk Assessment continued
Risk assessment is the identification and analysis of
relevant risks to achievement of the objectives.
This forms a basis for determining how the risks
should be managed.
23. 3. Control Activities
Control activities are the policies and procedures that
help to ensure that management directives are carried
out effectively.
They help ensure that necessary actions are taken to
reduce risks in order to achieve the entity’s objectives.
Control activities are the responsibility of all levels of
the entity.
They can be preventive or detective, automated
through the use of technology or manual and
include identifying and segregating incompatible
functions to reduce to an acceptable level the risk
24. 4. Information and Communication
Important information must be identified and
communicated in a form and timeframe that enable
people to carry out their responsibilities effectively.
Information systems produce reports containing
operational, financial and compliance-related
information that makes it possible to run and control the
business.
They deal not only with internally generated data, but
also information about external events, activities and
conditions necessary to business decision-making and
external reporting.
25. All personnel must receive a clear message from
top management that control responsibilities.
The message must be taken effectively.
Personnel must understand their own responsibility in
the internal control system.
There also needs to be an effective communication
with external parties, such as customers, suppliers,
regulators and shareholders.
26. 5. Monitoring Activities
Internal control systems need to be monitored.
This involves assessing the effectiveness of controls
on a timely basis and taking effective remedial
actions.
This is done through ongoing monitoring activities,
separate evaluations or a combination of the two.
All components of the internal control framework
require continuous monitoring - either as ongoing
evaluations, separate evaluations or a combination of
the two.
27. Monitoring Activities Continued
Assessments can be conducted by the persons
performing the control (self-assessments) or by
independent internal or external third parties.
Ongoing monitoring occurs in the course of
operations.
It includes regular management and supervisory
activities, and other actions personnel take in
performing their duties.
Management’s monitoring activities may include
using information from external parties, such as
customer complaints, that may indicate weaknesses
or highlight areas in need of improvement.