Internal control
A system of policies, procedures, and mechanisms that organizations put in place to ensure they achieve their objectives efficiently and effectively while preventing risks and fraud.
Internal control
A process effected by the board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of business objectives.
Internal control is not just a set of rules but an ______ that helps an organization reach its goals while minimizing risks.
Active system
Internal control is a process
Internal control is not a one-time action but an ongoing cycle of monitoring, evaluating, and improving controls. It involves planning, implementation, evaluation, and adjustment to ensure business objectives are met.
Internal control as a process
A retail company continuously reviews its cash handling procedures to prevent theft or errors. This is an example of
Internal control must be put into effect
Having policies on paper is useless unless they are properly implemented and followed. Management must train employees, enforce policies, and monitor compliance to ensure controls work effectively.
Internal control must be put into effect
A company with strict approval procedures for large purchases must ensure that employees actually follow the process. This is an example of
Internal control is not an end in itself
The goal of internal control is not just to have controls in place, but to help achieve business objectives such as profitability, efficiency, and compliance. Over-controlling can slow down business operations, while too little control can lead to fraud and inefficiency.
Internal control is not an end in itself
A company that implements excessive approval processes for small expenses may slow down operations instead of improving them. This is an example of
Reduces risk
Ensures compliance
Improves decision-making
Protects assets
Why is the COSO framework necessary?
Reduces risk
Identifies and minimizes financial fraud, errors, and security breaches.
Ensures compliance
Helps businesses follow laws and industry regulations.
Improves decision-making
Provides accurate and reliable financial and operational data.
Protects assets
Prevents misuse, fraud, and loss of company resources.
Control environment
Risk assessment
Control activities
Information and communication
Components of internal control
Control environment
The foundation of an organization’s internal control system. It represents the overall culture, ethical values, and commitment to integrity set by management. It ensures that employees understand their roles, adhere to ethical standards, and follow established policies. This component includes leadership oversight, organizational structure, employee competence, and disciplinary measures for non-compliance.
Control environment
When management demonstrates a strong stance against fraud by conducting regular ethics training and enforcing disciplinary actions, employees are less likely to engage in fraudulent activities. This is an example of
Risk assessment
Involves identifying, analyzing, and responding to potential risks that could prevent an organization from achieving its objectives. Companies must continuously evaluate both internal and external risks, such as financial fraud, operational inefficiencies, cybersecurity threats, and regulatory non-compliance. Once risks are identified, businesses determine their likelihood and impact, allowing them to develop strategies to mitigate them.
Risk assessment
A financial institution assessing risks related to cyberattacks may implement stronger encryption methods and employee training programs to minimize data breaches. This is an example of
Control activities
Specific policies and procedures implemented to ensure that risks are managed effectively. These activities include preventive measures such as segregation of duties, requiring multiple levels of authorization for transactions, and implementing automated systems to detect anomalies. Detective controls, such as reconciliations and internal audits, help identify errors and fraudulent activities after they occur. Corrective actions, like process improvements and disciplinary measures, help prevent issues from recurring.
Control activities
A company requiring two employees to verify large financial transactions reduces the risk of unauthorized payments. This is an example of
Information and communication
Ensures that employees, management, and stakeholders receive accurate and timely data to make informed decisions. Internally, employees should have access to policies, procedures, and reporting mechanisms to fulfill their responsibilities effectively. Externally, businesses must maintain transparent communication with investors, regulators, and customers. Organizations with clear communication channels, such as internal reports, employee training sessions, and whistleblower hotlines, can detect and address issues before they escalate.
Information and communication
A company with an anonymous reporting system allows employees to report unethical behavior without fear of retaliation, promoting accountability and integrity. This is an example of
Possibility of collusion
Management override
Human factors
Cost-benefit consideration
Limitations of internal control
Possibility of collusion
Even if there is segregation of incompatible duties, fraud or irregularity may still occur because of collusion or connivance.
Management override
Happens when, even in the presence of internal control procedures, people in positions of power intervene and break those policies.
Human factors
Even when it appears that the internal control or accounting system is properly functioning, unreliable financial statements or incorrect records may still happen because of human error.
Cost-benefit consideration
The cost of establishing and implementing internal control should not exceed the benefits that could be derived by the company.
Entity-level controls
They shape how an organization functions by promoting honesty, compliance with laws, and effective risk management. These controls set the tone for how employees behave and ensure that all departments work towards the company’s goals in a structured and ethical way. When these controls are strong, they create a solid foundation.
Board oversight
Responsible for overseeing the company’s financial health, performance, and risk management strategies.
Whistleblower hotline
A confidential system where employees can report unethical activities, such as fraud, harassment, or bribery, without fear of retaliation.
Corporate governance policies
These are rules that define the roles, responsibilities, and ethical expectations of company executives, managers, and employees.
Risk assessment framework
A structured process to identify, assess, and reduce potential risks that could harm the company.
Transaction-level controls
Specific procedures applied to individual business transactions to ensure accuracy, legitimacy, and efficiency. These controls help prevent errors, fraud, and unauthorized actions by verifying that each transaction follows the correct process from start to finish. Unlike entity-level controls, which shape overall company policies and culture, transaction-level controls focus on specific actions within financial and operational processes.
Authorization and approvals
Before purchasing materials, a requisition slip confirms the need for the items. A purchase order (PO) is then reviewed and signed by an authorized officer to approve the purchase.
Disbursement controls
Before issuing payment, a check voucher is prepared and signed by the disbursement officer to confirm legitimacy. Supporting documents (PO, receiving report, invoice) must match before payment is processed.
Hard controls
Physical security measures that protect company assets, prevent unauthorized access, and ensure operational safety. These controls create tangible barriers that safeguard an organization’s resources.
Soft controls
Focus on policies, ethics, and governance, influencing how employees behave and make decisions within an organization. These controls help create a culture of compliance and accountability.
Preventive process
Are measures designed to stop errors, fraud, or noncompliance before they occur. These controls act as proactive safeguards, ensuring that only authorized and legitimate transactions take place.
Authorization and approval process
Significant financial transactions, such as large purchases or contract agreements, require management approval to prevent unauthorized actions and ensure compliance with company policies.
Detective controls
Help identify and uncover errors, fraud, or noncompliance after they have occurred. These controls act as monitoring tools to detect irregularities early and take necessary corrective actions.
Bank Reconciliation
The company regularly compares its financial records with bank statements to identify discrepancies, such as missing deposits, unauthorized withdrawals, or accounting errors. This process ensures the accuracy of cash balances.
Corrective controls
Are implemented after an error or fraud has been detected to fix the issue and prevent it from happening again. These controls ensure that mistakes are properly addressed to maintain financial accuracy and compliance.
Adjustment of financial records
If a bank reconciliation identifies an error in cash balances, the company corrects the mistake in the accounting system and updates financial records accordingly to reflect the correct amounts.
Automated controls
Internal control mechanisms embedded within computer systems and software to ensure security, accuracy, and efficiency in business operations. These controls automatically detect and address issues in real-time, reducing the risk of human error and improving process reliability. Unlike manual controls, automated controls are essential for handling large volumes of transactions and complex operations, making them crucial for large organizations where manual procedures may be inefficient.
Access control system
Systems like biometric scanners, passwords, and multi-factor authentication restrict unauthorized access to sensitive data, ensuring that only authorized personnel can access critical systems.
Automated transaction processing
Financial transactions, such as payroll processing, online banking, and supplier payments, are automatically validated and executed through software, reducing the risk of errors or fraudulent transactions.
Data backup and recovery systems
Automated backup systems regularly store copies of important business data, ensuring that information can be quickly restored in case of system failures, cyberattacks, or data corruption.
Prenumbered use of official receipts
Ensures that all cash transactions are documented sequentially to prevent missing or duplicate records.
Daily deposit of collections
Requires cash received to be deposited into the bank daily to reduce the risk of theft or misuse.
Separation of duties between cashier and accounting personnel
Prevents fraud by ensuring that no single person handles both cash collection and recording.
Proper authorization of investment transactions
Requires approval before making investment decisions to prevent unauthorized or risky transactions.
Bonding (insurance) of the investment custodian
Ensures that the person managing investments is insured to protect the company against fraud or mismanagement.
Periodic appraisal of investments
Regular evaluation of investments to assess their value and financial impact on the company.
Credit approval before delivery
Requires customers to pass a credit evaluation before receiving products on credit.
Use of prenumbered sales orders
Ensures that all sales are recorded sequentially, preventing loss or duplication of sales transactions.
Periodic confirmation of customer balances
Verifies accounts receivable records with customers to ensure accuracy and identify discrepancies.
Periodic inventory counts
Physical inventory is checked at regular intervals to match recorded stock levels.
Use of perpetual inventory records
Ensures real-time tracking of inventory to prevent shortages or overstocking.
Control over inventory purchases
Requires authorization before purchasing inventory to prevent unnecessary or fraudulent purchases.
Use of detailed property records
Keeps track of company-owned assets with detailed information for monitoring and accountability.
Physical safeguards over assets
Implements security measures to prevent loss, theft, or damage to fixed assets.
Control over disposal of fixed assets
Ensures proper procedures are followed when selling or retiring assets to prevent unauthorized disposals.
Effective hiring procedures
Ensures that only qualified and verified employees are added to the payroll system.
Review of payroll calculations
Checks salary computations to ensure accuracy in employee payments and tax deductions.
Periodic audit of payroll
Conducts reviews of payroll records to identify errors or fraudulent activities.
Independence of A/P from purchasing function
Separates purchasing and payment responsibilities to prevent unauthorized transactions.
Periodic reconciliation of A/P subsidiary records with the A/P control account
Regularly matches detailed records with overall accounts payable balances for accuracy.
Review of vendor's invoices
Ensures that invoices match purchase orders and received goods before processing payments.
Fraud
An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.
Fraudulent financial reporting
Misappropriation of assets
Corruption
Categories of fraud
Fraudulent financial reporting
It results in manipulated financial statements and misleading accounting reports and records.
Misappropriation of assets
It involves theft of company assets, funds, or resources.
Corruption
It involves irregularities that result in illegal kickbacks, under-the-table schemes, bribery, and the like.
Fraud triangle
A model developed by Donald Cressey to explain the reason behind an individual’s decision to commit fraud. A framework for spotting high-risk fraud situations.
Pressure
Opportunities
Rationalization
Elements of fraud triangle
Pressures to commit fraud
Motivation or incentive to commit fraud.
Opportunities
Ability to carry out misappropriation of cash or organizational assets.
Rationalization
Justification of dishonest actions.
Control deficiencies
A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Deficiency to design
A critical control is designed and does not meet the control objective, or is simply ineffective.
Deficiency to Operations
A critical control is designed properly but does not perform in the intended manner and is unable to address the identified risk.
Internal Auditing
It is an independent and objective assurance function that provides service to the company in the areas of operations, reporting, compliance, and finance.
Operational Audits
These are examinations intended to ascertain whether management has conducted business operations effectively and efficiently.
Compliance Audits
These are examinations intended to determine whether the company or any of its departments is able to adhere to prevailing laws and regulations.
Financial Audits
These are examinations focused on determining whether the company’s finance function as well as financial reports are accurate or reliable.
External Auditing
An independent examination of an organization’s financial statements to ensure that the financial reports provide a true and fair view of the company’s financial position.
Segregation of duties
Ensuring access to systems is restricted to appropriate levels (to negate the possibility of individuals processing transactions all the way through the payments process).
Reconciliations
Ensuring feeder systems are effectively reconciled to other systems (e.g., general ledger); using third-party information (suppliers’ statements) and reconciling with payment systems.
System documentation
System documentation should be maintained which details key controls to be carried out by staff to prevent fraud or error.
Monitoring
Scrutiny monitoring should be at a level that would allow managers to identify anomalous payments at an early stage.
Counter-fraud arrangements
Refresh and promote the counter-fraud policy with staff.