Internal control is a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the following categories:
effectiveness and efficiency of operations;
reliability of internal and external reporting;
compliance with applicable laws and regulations and internal policies.
Reasonable Assurance
The cost of the entity’s internal control should not exceed the expected benefits.
Limitations exist in any entity’s internal control.
Key Components of Management's Assessment of Internal Control
Management must evaluate the design of internal control over financial reporting.
Management must test the operating effectiveness of those controls.
WHY INTERNAL CONTROL?
Ensure Reliability
Promote Compliance
Prevent & Detect Fraud
Safeguard Assets
Optimize Resources
OBJECTIVES OF INTERNAL CONTROL
Internal Control objectives are desired goals or conditions for a specific event cycle which,
if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation
will occur.
For a control objective to be effective, compliance with it must be measurable and
observable.
It includes:
Proper Authorization of Transactions- approved by responsible personnel before they are
recorded.
Completeness
Accuracy
Validity
Physical Safeguards & Security
Error Handling
Segregation of Duties
Independent Checks on Performance- Personnel are likely to forget or intentionally fail
to follow procedures, or they may become careless unless someone observes and
evaluates their performance.
Types of internal control
Directive- encourage good behavior; it's the right thing to do.
Preventive- prevent an undesirable event from happening.
Detective- detect and correct undesirable events after they occur.
Corrective- designed to correct errors and abnormalities that have occurred.
Manual- performed by individuals outside of a system.
Limitations of Internal Control
Judgement.
Breakdowns.
Management override.
Collusion.
Costs Versus Benefits.
What Can Internal Control Do?
It can help achieve performance & profitability targets.
help prevent loss of resources.
help ensure reliable financial reporting.
help ensure compliance with laws.
What Can Internal Control Not Do?
It cannot:
ensure success.
ensure the reliability of financial reporting.
ensure compliance with laws and regulations.
What’s More Important?
Segregation of duties or ethical employees?
Well written and thorough policy and procedures manuals or competent employees?
Clear delineation of roles and responsibilities or a group of employees dedicated to
accomplishing the organization’s mission?
COSO- Committee of Sponsoring Organizations of the Treadway Commission
MISSION- The COSO mission is to provide thought leadership through the development of
comprehensive framework and guidance on enterprise risk management, internal control and fraud
deterrence designed to improve organizational performance and governance and to reduce the
extent of fraud in organizations.
VISION- COSO’s vision is to be a recognized thought leader in the global marketplace on the
development of guidance in the areas of risk and control which enable good organizational
governance and reduction of fraud.
GOAL- COSO’s goal is to provide thought leadership dealing with three interrelated subjects:
enterprise risk management, internal control and fraud deterrence.
HISTORY- It was organized in 1985 to sponsor the National Commission on Fraudulent Financial
Reporting (NCFFR).
MAJOR PROFESSIONAL ASSOCIATIONS
American Accounting Association
AICPA
IMA
IIA
Financial Executives International
CHAIRMAN OF COSO
• First chairman – James C. Treadway Jr.
• Current chairman – Robert Hirth
COSO FRAMEWORK OBJECTIVES
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
INTERNAL CONTROL COMPONENTS AND PRINCIPLES
Control Environment- is the set of standards, processes, and structures that provide the basis for
carrying out internal control across the organization. The board of directors and senior
management establish the tone at the top regarding the importance of internal control including
expected standards of conduct.
PRINCIPLES:
Demonstrates commitment to integrity and ethical values.
Exercises oversight responsibility
Establishes structure, authority and responsibility
Demonstrates commitment to competence
Enforces accountability
Risk Assessment- involves a dynamic and iterative process for identifying and assessing risks to
the achievement of objectives.
- is a term used to describe the overall process or method where you:
Identify hazards and risk factors that have the potential to cause harm
(hazard identification).
Analyze and evaluate the risk associated with that hazard (risk analysis,
and risk evaluation).
Determine appropriate ways to eliminate the hazard, or control the risk
when the hazard cannot be eliminated (risk control).
PRINCIPLES:
Principle 6- The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to objectives:
Operational
External Financial Reporting
External Non-Financial Reporting
Internal Reporting
Compliance
Principle 7- The organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis for determining how the
risks should be managed.
Principle 8- The organization considers the potential for fraud in assessing
risks to the achievement of objectives.
Principle 9- The organization identifies and assesses changes that could
significantly impact the system of internal controls.
Control Activities- are the policies and procedures implemented to help ensure that management
directives are carried out.
Examples:
Review of financial reports
Information processing
Physical controls
Segregation of duties
PRINCIPLES:
Principle 10- The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of objectives to
acceptable levels.
Principle 11- The organization selects and develops general control
activities over technology to support the achievement of objectives.
Principle 12- The organization deploys control activities through policies
that establish what is expected and procedures that put policies into action.
Information and Communication:
Information is necessary for the entity to carry out internal control responsibilities to support the
achievement of its objectives.
Communication is the continual, iterative process of providing, sharing, and obtaining necessary
information.
Internal communication
External communication
PRINCIPLES:
Principle 13- The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
Principle 14- The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support the
functioning of internal control.
Principle 15- The organization communicates with external parties regarding
matters affecting the functioning of internal control.
Monitoring Activities- Ongoing evaluations, separate evaluations, or some combination of the
two are used to ascertain whether each of the five components of internal control, including
controls to affect the principles within each component, is present and functioning.
PRINCIPLES:
Principle 16- The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal control are
present and functioning.
Principle 17- The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking corrective
action, including senior management and the Board of Directors, as appropriate.
COBIT FRAMEWORK (Control Objectives for Information and Related Technologies)
COBIT- It was designed as an IT governance model, initially with an audit focus, that gives
you control objectives and control practices describing how each IT process should behave.
Purpose: To provide an IT governance model that helps in delivering value from IT and in
understanding and managing its risks.
Why does IT need a control framework?
To ensure that the needs of management are brought under IT control.
Who needs it?
Board and Executives- to ensure directions are implemented
Management- make IT investment decisions
Users- to obtain assurance on security and control
Auditors- to advise on the minimum necessary IT controls.
Difference of COBIT from COSO
COSO is focused on processes and controls for financial reporting.
COBIT is focused on IT.
COBIT FRAMEWORK- To provide the information that the organization needs to achieve its
objectives, IT resources need to be managed by a set of naturally grouped processes.
As a control and governance framework for IT, COBIT focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related
resources that need to be managed by IT processes
COBIT Cube: IT Domains
1. Plan and Organize (PO)
► Objectives:
Formulating strategy and tactics
Identifying how IT can best contribute to achieving business objectives
Planning, communicating and managing the realization of the strategic
vision
Implementing organizational and technological infrastructure
2. Acquire and Implement (AI)
Objectives:
Identifying, developing or acquiring, implementing, and integrating IT
solutions
Changes in and maintenance of existing systems
3. Deliver and Support (DS)
Objectives:
The actual delivery of required services, including service delivery
The management of security, continuity, data and operational facilities
Service support for users
4. Monitor and Evaluate (ME)
Objectives:
Performance management
Monitoring of internal control
Regulatory compliance
Governance
Business Requirements/Info. Criteria
Effectiveness- relevant, timely, correct, consistent, and usable
Efficiency- optimal use of resources (productive and economical)
Confidentiality- protection of sensitive information
Integrity- accurate, complete, and valid
Availability- safeguarding of resources
Compliance- complying with laws and regulations
Reliability- appropriate information
IT Resources
Applications- software that processes information
Information- the data, once processed, that is used by the business
Infrastructure- facilities and hardware components of the technology
People- those who plan, organize, acquire, implement, deliver, support, monitor and evaluate.
COBIT 5 PRINCIPLES:
1. Meeting stakeholder needs- Enterprises have many stakeholders
- Governance is about:
Negotiating & deciding among different stakeholders’ value interests.
Considering all stakeholders when making benefit, resource & risk
assessment decisions
- Enterprises exist to create value for their stakeholders
- Value Creation: realizing benefits at an optimal resource cost while optimizing
risk.
Management Fraud- involves falsifying financial information for the benefit of the person
committing the crime. This includes false transactions and accounting entries, bogus trades, and
self-dealing by corporate insiders. Fraud negatively impacts organizations in many ways including
financial, reputation, psychological and social implications.
There are three common characteristics of most frauds:
Pressure or incentive — the need the fraudster is trying to satisfy by committing the fraud.
Opportunity — the fraudster’s ability to commit the fraud.
Rationalization — the fraudster’s ability to justify the fraud in his or her mind.
An effective fraud management program includes:
Company ethics policy- “tone at the top” from senior management.
Fraud awareness- understanding the nature, causes, and characteristics of fraud.
Fraud risk assessment- evaluating the risk of various types of fraud.
Ongoing reviews- an internal audit activity that considers fraud risk in every audit and
performs appropriate procedures based on fraud risk.
Prevention and detection- efforts taken to reduce opportunities for fraud to occur and
persuading individuals not to commit fraud because of the likelihood of detection and
punishment.
Investigation- procedures and resources to fully investigate and report a suspected fraud
event.
TYPES OF FRAUDS
1) Misstatements Arising from Misappropriation of Assets
Asset misappropriation- occurs when a perpetrator steals or misuses an organization’s assets.
2) Misstatements Arising from Fraudulent Financial Reporting- The intentional manipulation of
reported financial results to misstate the economic condition of the organization.
Three common ways in which fraudulent financial reporting can take place include:
Manipulation, falsification, or alteration of accounting records or supporting documents
Misrepresentation or omission of events, transactions, or other significant information
Intentional misapplication of accounting principles
3) Bribery and corruption- This includes schemes such as cuts, kickbacks or commissions,
bid rigging, gifts or gratuities, and manipulation of contracts.
Revenue Cycle is a recurring set of business activities and related information processing
operations associated with providing goods and services to customers and collecting cash in
payment for those sales.
REVENUE CYCLE SUBSYSTEM
1. Order Entry/ Sales Process
ORDER ENTRY/ SALES PROCESS – interacting structure of people, equipment, methods,
and controls that is designed to achieve certain goals. It supports the repetitive work routines of
the sales order department, credit department and shipping department.
a. Presales activities
b. Sales order processing
c. Picking and packing of goods
d. Shipping
2. Billing/ Accounts Receivable/ Cash Receipts Process
Customer Relationship Management (CRM) Systems
CRM is designed to manage all the data related to customers, such as marketing, field
service, and contact management data. It allows the organization to cultivate customer relationships
by prospecting, acquiring, servicing, and retaining customers.
Picking ticket – authorizes the warehouse to “pick” the goods from the shelf and send
them to shipping.
Customer acknowledgement – sent to the customer to notify him of the order’s
acceptance and the expected shipment date.
Sales order notification – sent to the billing department to notify them of a pending
shipment
Bill of lading – contract between the shipper and the carrier in which the carrier agrees to
transport the goods to the shipper’s customer.
Packing slip – is attached to the outside of the package and identifies the customer and
the contents of the package.
RECOMMENDED CONTROL PLANS
Customer credit check
Compare picking ticket to picked goods
Independent shipping authorization
Compare shipment to sales order and picking ticket
Independent customer master data maintenance
Review file of open sales orders
A. BILLING/ ACCOUNTS RECEIVABLE/ CASH RECEIPTS PROCESS - interacting
structure of people, equipment, methods, and controls that is designed to create
information flows and records that accomplish repetitive work routines of the credit
department, cashier, and the accounts receivable department.
1. Billing customers
2. Managing customer accounts
3. Securing payment for goods sold or services rendered
MANUAL CASH RECEIPTS PROCESS
Customer checks and remittance advices are received in the Mail Room.
Cash Receipts:
A/R posts from the remittance advices to the accounts receivable subsidiary ledger.
G/L department:
The Controller reconciles the bank accounts.
Authorization Controls
Proper authorization of transactions (documentation) should occur so that only valid
transactions get processed.
Within the revenue cycle, authorization should take place when:
o a sale is made on credit (authorization)
o a cash refund is requested (authorization)
o posting a cash payment received to a customer’s account (cash pre-list)
Invoice– business document used to notify the customer of an obligation to pay the seller for the
merchandise (or service) ordered and shipped (or provided, if a service).
Remittance advice (RA)– business document used by the payer to notify the payee of the items
being paid.
RECOMMENDED CONTROL PLANS
Review shipped not billed sales orders
Compare shipping notice input to sales order master data
Independent billing authorization
Check for authorized process, terms, freight, and discounts
Independent pricing data
Confirm customer accounts regularly
Immediately endorse incoming checks
Immediately separate checks and remittance advices
Reconcile bank account regularly to confirm the validity and accuracy of the recorded
cash receipts
Monitor open accounts receivable
REVENUE CYCLE—MAJOR THREATS & CONTROL
(1) Sales to customers with poor credit—(uncollectable sales and losses due to bad debts).
Prevention—independent credit approval function and good customer accounting.
(2) Shipping errors—wrong quantities, items, or address: mad customers. Prevention—
reconcile shipping notices and picking tickets, bar code scanners, data entry controls.
(3) Theft of inventory—loss of assets ----> inaccurate records. Prevention—Secure inventory
and document transfers, good accountability for picking and shipping, and frequently
reconcile records with physical count.
(4) Failure to bill customers—loss of inventory, and erroneous data about: sales, inventory, and
receivables. Prevention—Separate shipping and billing. Prenumbering of shipping
documents and reconciliation of all sales documents.
(5) Billing errors—pricing mistakes, overbilling for items not shipped or back ordered—loss of
assets and mad customers. Prevention—reconciliation of picking tickets and bills of lading
with sales orders, data entry edit controls, and price lists.
(6) Theft of cash—loss of assets and overstated A/R. Prevention—separation of duties:
handling cash and posting to customer accounts; handling cash and authorizing credit
memos & adjustments; issuing credit memos and maintaining customer accounts. Use
lockboxes and EFT. Mail customer statements monthly. Use cash registers in retail.
Deposit cash intact daily in the bank. Bank reconciliation done by a noncash handler.
(7) A/R incorrectly posted—mad customers, incorrect records, and poor decisions. Prevention—
reconcile subsidiary A/R ledgers with the general ledger, monthly statements to customers, and
edit and batch totals.
(8) Loss of data—loss of confidential info., and poor decision making. Prevention—regular on-
site & off-site backup, logical and physical access controls to prevent leakage to
competitors.
(9) Poor performance—inefficient and ineffective operations. Prevention—sales and
profitability analysis, A/R aging, and cash budgets to track operations.
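An added example, not from these notes, that runs three of the control plans above over constructed documents: comparing a shipping notice to its sales order and picking ticket, reviewing shipped-not-billed orders, and checking invoiced quantities against shipments (the document layout, order numbers and item codes are assumptions):

```python
"""Revenue-cycle reconciliation checks over constructed sample documents."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    order_id: str
    customer: str
    lines: dict  # item code -> quantity


# Constructed sample data: one dict per document type, keyed by sales order.
SALES_ORDERS = {
    "SO-101": Doc("SO-101", "C-7", {"WIDGET": 10, "GEAR": 4}),
    "SO-102": Doc("SO-102", "C-9", {"WIDGET": 5}),
    "SO-103": Doc("SO-103", "C-7", {"GEAR": 2}),
}
PICKING_TICKETS = {
    "SO-101": Doc("SO-101", "C-7", {"WIDGET": 10, "GEAR": 4}),
    "SO-102": Doc("SO-102", "C-9", {"WIDGET": 5}),
    "SO-103": Doc("SO-103", "C-7", {"GEAR": 2}),
}
SHIPPING_NOTICES = {
    "SO-101": Doc("SO-101", "C-7", {"WIDGET": 10, "GEAR": 4}),
    "SO-102": Doc("SO-102", "C-9", {"WIDGET": 8}),  # more than ordered and picked
    "SO-103": Doc("SO-103", "C-7", {"GEAR": 2}),    # shipped, never invoiced
    "SO-104": Doc("SO-104", "C-1", {"BOLT": 50}),   # no sales order exists
}
INVOICES = {
    "SO-101": Doc("SO-101", "C-7", {"WIDGET": 10, "GEAR": 4}),
    "SO-102": Doc("SO-102", "C-9", {"WIDGET": 9}),  # billed more than shipped
}


def compare_shipment(order_id, orders=SALES_ORDERS, picks=PICKING_TICKETS,
                     ships=SHIPPING_NOTICES):
    """Independent shipping check: the notice must agree with the sales order
    and the picking ticket line by line. Returns a list of exception texts."""
    notice = ships[order_id]
    order = orders.get(order_id)
    pick = picks.get(order_id)
    if order is None:
        return [f"{order_id}: shipment has no matching sales order"]
    issues = []
    if notice.customer != order.customer:
        issues.append(f"{order_id}: customer {notice.customer} != {order.customer}")
    for item, qty in notice.lines.items():
        ordered = order.lines.get(item, 0)
        picked = pick.lines.get(item, 0) if pick else 0
        if qty > ordered:
            issues.append(f"{order_id}: {item} shipped {qty} > ordered {ordered}")
        if qty != picked:
            issues.append(f"{order_id}: {item} shipped {qty} != picked {picked}")
    return issues


def shipped_not_billed(ships=SHIPPING_NOTICES, invoices=INVOICES):
    """Review of shipped-not-billed orders (threat 4): every notice needs an invoice."""
    return sorted(oid for oid in ships if oid not in invoices)


def overbilled_lines(ships=SHIPPING_NOTICES, invoices=INVOICES):
    """Billing check (threat 5): invoiced quantity must not exceed shipped quantity."""
    found = []
    for oid, inv in invoices.items():
        shipped = ships[oid].lines if oid in ships else {}
        for item, qty in inv.lines.items():
            if qty > shipped.get(item, 0):
                found.append((oid, item, qty, shipped.get(item, 0)))
    return found
```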
Segregation of Functions
Sales Order Processing
o credit authorization separate from SO processing
o inventory control separate from warehouse
o accounts receivable sub-ledger separate from general ledger control account
Cash Receipts Processing
o cash receipts separate from accounting records
o accounts receivable sub-ledger separate from general ledger
Accounting Records
With a properly maintained audit trail, it is possible to track transactions through the systems
and to find where and when errors were made:
o pre-numbered source documents
o special journals
o subsidiary ledgers
o general ledger
o files
Segregation of Functions: Three Rules
1. Transaction authorization should be separate from transaction processing.
2. Asset custody should be separate from asset recordkeeping.
3. The organization should be so structured that the perpetration of a fraud requires collusion
between two or more individuals.
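An added check, not from these notes, that applies the incompatible duties listed under Segregation of Functions and the three rules above to a constructed set of role assignments; the function names, duty kinds and people are assumptions:

```python
"""Segregation-of-duties check over constructed role assignments."""
from collections import defaultdict
from itertools import combinations

# Each function is tagged with the kind of duty it represents (assumed mapping),
# so rules 1 and 2 can be applied generically.
DUTY_KIND = {
    "credit_authorization": "authorization",
    "credit_memo_approval": "authorization",
    "sales_order_processing": "recording",
    "inventory_control": "recording",
    "accounts_receivable": "recording",
    "general_ledger": "recording",
    "warehouse": "custody",
    "cash_receipts": "custody",
}

# Pairs the notes name as incompatible (order does not matter).
INCOMPATIBLE = {
    frozenset({"credit_authorization", "sales_order_processing"}),
    frozenset({"inventory_control", "warehouse"}),
    frozenset({"accounts_receivable", "general_ledger"}),
    frozenset({"cash_receipts", "accounts_receivable"}),
    frozenset({"cash_receipts", "general_ledger"}),
    frozenset({"cash_receipts", "credit_memo_approval"}),
    frozenset({"credit_memo_approval", "accounts_receivable"}),
}


def conflicts_for(functions):
    """Return the incompatible pairs among one person's assigned functions."""
    found = set()
    for a, b in combinations(sorted(functions), 2):
        pair = frozenset({a, b})
        kinds = {DUTY_KIND[a], DUTY_KIND[b]}
        # Rule 1: authorization vs. processing; rule 2: custody vs. recordkeeping.
        generic = kinds in ({"authorization", "recording"}, {"custody", "recording"})
        if pair in INCOMPATIBLE or generic:
            found.add(pair)
    return found


def check_assignments(assignments):
    """Map each person holding an incompatible pair to those pairs; empty is clean."""
    return {p: c for p, f in assignments.items() if (c := conflicts_for(f))}


def collusion_map(assignments):
    """Rule 3 view: for each listed pair split across people, who would have to
    collude. Pairs held by a single person are reported by check_assignments."""
    holders = defaultdict(set)
    for person, functions in assignments.items():
        for f in functions:
            holders[f].add(person)
    out = {}
    for pair in INCOMPATIBLE:
        a, b = sorted(pair)
        pairs = {(x, y) for x in holders[a] for y in holders[b] if x != y}
        if pairs:
            out[(a, b)] = sorted(pairs)
    return out


# Constructed sample: carol and dave each hold an incompatible pair.
ASSIGNMENTS = {
    "alice": {"credit_authorization", "cash_receipts"},
    "bob": {"sales_order_processing", "inventory_control"},
    "carol": {"cash_receipts", "accounts_receivable"},
    "dave": {"credit_memo_approval", "accounts_receivable"},
}
```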
Independent Verification
Physical procedures as well as record-keeping should be independently reviewed at various
points in the system to check for accuracy and completeness:
o shipping verifies the goods sent from the warehouse are correct in type and quantity
o warehouse reconciles the stock release document (picking slip) and packing slip
o billing reconciles the shipping notice with the sales invoice
o general ledger reconciles journal vouchers from billing, inventory control, cash receipts,
and accounts receivable
Supervision
o Often used when unable to enact appropriate segregation of duties.
o Supervision of employees serves as a deterrent to dishonest acts and is particularly
important in the mailroom.
Access Controls
o Access to assets and information (accounting records) should be limited.
o Within the revenue cycle, the assets to protect are cash and inventories and access to
records such as the accounts receivable subsidiary ledger and cash journal should be
restricted.
THE EXPENDITURE CYCLE
DEFINITION:
An expenditure cycle is a set of purchasing decisions and actions. It's the repetitive process
of creating purchase orders and ordering goods and services, receiving these items,
approving the invoices for these items and services, and paying the invoices.
EXPENDITURE CYCLE SUBSYSTEMS
1. The Purchases Processing System
A. MONITOR INVENTORY RECORDS
B. PREPARE PURCHASE ORDER
C. RECEIVE GOODS
D. UPDATE INVENTORY RECORDS
E. SET UP ACCOUNTS PAYABLE
F. POST TO GENERAL LEDGER
2. The Cash Disbursements Processing System
A. IDENTIFY LIABILITIES DUE
B. PREPARE CASH DISBURSEMENT
C. UPDATE AP RECORD
D. POST TO GENERAL LEDGER
DOCUMENTS PERTAINING TO THE EXPENDITURE CYCLE
1. Purchase Requisition
2. Purchase Order
3. Receiving Report
4. Supplier’s (Vendor’s) Invoice
5. Disbursement Voucher
6. Disbursement Check
7. Debit Memorandum
8. New Supplier Form
9. Request for Proposal
EXPENDITURE CYCLE BUSINESS ACTIVITIES
Order materials, supplies, and services
Receive materials, supplies, and services
Approve supplier (vendor) invoice
Cash disbursement
1. Order Goods
Threat 1—Stock-outs or Excess Inventory
Controls: Accurate inventory control and sales forecasting; use of perpetual inventory method;
supplier performance reports; recording of inventory changes in real time; bar-coding inventory;
and periodic physical counts.
Threat 2—Ordering Unnecessary Items
Controls: Integrate databases of various divisions and produce reports that link item descriptions
to part numbers to allow consolidation of orders.
Threat 3—Purchasing Goods at Inflated Prices.
Controls: Price lists for frequently-purchased items; use of catalogs for low-cost items; solicitation
of bids for high-cost and specialized products; review of purchase orders; budgetary controls and
responsibility accounting; and performance review.
Threat 4—Purchasing Goods of Inferior Quality
Controls: Use of approved supplier list; review of purchase orders; tracking of supplier
performance; purchasing accountability for rework and scrap.
Threat 5—Purchasing from Unauthorized Suppliers
Controls: Review of purchase orders; restriction of access to supplier list; periodic review of
supplier list; and coordination with procurement card providers to restrict acceptance of cards.
Threat 6—Kickbacks
Controls: “No gift” policy for buyers; employee training on gift handling; job rotation and
mandatory vacation; audits of buyers; review of conflict of interest statements; vendor audits.