Chapter 2 Components of Internal Control - 2023
Uploaded by Lê Thanh Nga

CHAPTER 2

Components of
Internal Control

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 2: Internal Control

LEARNING OBJECTIVES

◼ Overview of the internal control framework.
◼ Describe the five components of internal control.
◼ Evaluating the system of internal controls.

1.1. Overview of Internal Control

DEFINITION OF INTERNAL CONTROL

COSO broadly defines internal control as:
. . . a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

1.1. Overview of Internal Control

THE OBJECTIVES, COMPONENTS,


AND PRINCIPLES OF INTERNAL CONTROL

COSO explains, “A direct relationship exists between objectives, which are what an entity strives to achieve, components [and principles], which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube.”*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of
Sponsoring Organizations of the Treadway Commission, 2013), 5.

1.1. Overview of Internal Control

THE PRINCIPLES OF
INTERNAL CONTROL

In addition to the five integrated components, COSO also defines 17 supporting principles representing the fundamental concepts associated with each component of internal control.

1.1. Overview of Internal Control

INTERNAL CONTROL COMPONENTS

COSO indicates, “Supporting the organization in its efforts to achieve objectives are five components of internal control:
 Control Environment
 Risk Assessment
 Control Activities
 Information and Communication
 Monitoring Activities

These components are relevant to an entire entity and to the entity level, its subsidiaries, divisions, or any of its individual operating units, functions, or other subsets of the entity.”*
* Internal Control – Integrated Framework (Jersey City, NJ: Committee of Sponsoring Organizations of the Treadway Commission, 2013), 5.

1.2. Control Environment

DEFINITION

The Control Environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
The control environment has five underlying principles:
◼ Integrity and ethical values
◼ Board of director or audit committee participation
◼ Organizational structure
◼ Commitment to competence
◼ Accountability
The control environment sets the tone of an organization, influencing the control consciousness of its people.
1.2. Control Environment

INTEGRITY AND ETHICAL VALUES

Integrity and ethical values are the product of the entity’s ethical and behavioral standards, as well as how they are communicated and reinforced in practice. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct.
1.2. Control Environment

BOARD OF DIRECTOR OR AUDIT COMMITTEE PARTICIPATION

◼ The board of directors is essential for effective corporate governance because it has ultimate responsibility to make sure management implements proper internal control. An effective board of directors is independent of management, and its members stay involved in and scrutinize management’s activities.
◼ Although the board delegates responsibility for internal control to
management, the board must exercise oversight of the design and
performance of controls. In addition, an active and objective board can
reduce the likelihood that management overrides existing controls.
◼ To assist the board in its oversight, the board creates an audit
committee that is charged with oversight responsibility for financial
reporting. The audit committee is also responsible for maintaining
ongoing communication with both external and internal auditors. This
allows the auditors and directors to discuss matters that might relate to
such things as management integrity or the appropriateness of actions
taken by management.
1.2. Control Environment

ORGANIZATIONAL STRUCTURE

◼ The entity’s organizational structure defines the existing lines of responsibility and authority. As shown in the COSO cube, the organizational structure can consist of the entity level, divisions, operating units, and functions within those units, and controls operate at each of these levels.
Illustration: organizational structure (chart reconstructed as an outline)
- Owners
- Board of Directors, with an Audit Committee
- Chief Executive Officer (CEO) and Board of Management; Internal Audit
- Reporting to the CEO: Business Unit Managers, V.P. Human Resources, V.P. Information Services, Chief Financial Officer (CFO), V.P. Ethics
- Under the CFO: Controller and Treasurer
- At the operating-unit level: Plant Managers and Plant Accountants
1.2. Control Environment

COMMITMENT TO COMPETENCE

◼ Competence is the knowledge and skills necessary to accomplish tasks that define an individual’s job. Commitment to competence includes management’s consideration of the competence levels for specific jobs and how those levels translate into requisite skills and knowledge. If employees are competent and trustworthy, other controls can be absent, and reliable financial statements will still result. Incompetent or dishonest people can reduce the system to a shambles, even if there are numerous controls in place. Honest, efficient people are able to perform at a high level even when there are few other controls to support them. However, even competent and trustworthy people can have shortcomings.
1.2. Control Environment

ACCOUNTABILITY

◼ Management and the board of directors are responsible for communicating expectations and holding individuals accountable for internal control duties.
◼ The effectiveness of this process depends on the other subcomponents.
1.3. Risk assessment

DEFINITION

◼ A process for identifying and analyzing risks that may prevent the organization from achieving its objectives.

Illustration: entity’s risk assessment process
1.3. Risk assessment

RISK ASSESSMENT PROCESS


◼ Objective Setting
Objectives should always be in line with the mission and vision of an organization. COSO-ERM distinguishes four categories of objectives: strategic objectives, operations objectives, reporting objectives, and compliance objectives. For certain objectives these categories can overlap, and different officers may be responsible for their realization.
◼ Event Identification
Risks can be defined as the probability that a critical event occurs and negatively affects the achievement of objectives. Therefore, for appropriate risk assessment, critical events need to be identified. Such events may be caused by external factors (e.g. economic, political, social, or technological) or by internal factors (e.g. organizational structuring, processes, personnel, or systems).


1.3. Risk assessment

RISK ASSESSMENT PROCESS

◼ Risk Assessment
Risk assessment involves estimation of the likelihood of a critical event occurring and the impact of the occurrence of that event.
1.3. Risk assessment
• Inherent Risk, Controllable Risk, Residual Risk
• Inherent Risk is typically defined as the level of risk in place in order to achieve an entity’s objectives and before actions are taken to alter the risk’s impact or likelihood.
• Residual Risk is the remaining level of risk following the development and implementation of the entity’s response.
• Inherent vs. Residual Risk: The difference between the inherent and residual risk may be imagined or visualized as water flowing through a filter. Inherent risk is above the filter, which constitutes management controls. A smaller pool of residual risk remains.
1.3. Risk assessment

INHERENT RISK, CONTROLLABLE RISK, AND RESIDUAL RISK

◼ Inherent risk is established only after the entity’s key objectives have
been defined, and steps have been taken to identify what could go
wrong to prevent the entity from achieving those objectives. In addition
to impact and likelihood, management considers the nature of the risk,
whether the risk results from fraud, natural events such as storms, or
complex or unusual business transactions. The origin and character of
the risk contributes to understanding its potential impact and likelihood
of occurrence.

1.3. Risk assessment

The risks included in the initial risk identification process are usually referred to as a “risk universe”: a listing of the risks that the entity faces.
These risks are typically organized by standard risk categories such as strategic, financial, operational, and compliance, but may also be divided into sub-categories based on function, division, section, etc.
1.3. Risk assessment
◼ The steps between the assessment of inherent risk and the final evaluation of residual risk may vary somewhat from entity to entity. They typically include much of the core process of enterprise risk management, and will typically involve the following steps:
1.3. Risk assessment

• Risk Response – Management designs risk responses at various levels based on the analysis of the risk (impact and likelihood) and on the defined level of risk tolerance. The response typically includes the categories of acceptance, avoidance, reduction, and sharing.
• Establishment of Controls – Controls are typically established in those operational areas that are essential, where acceptance is too risky and avoidance and sharing are not possible or practical. A control is any activity which mitigates or reduces risk, but typically it involves an additional activity to ensure that a process occurs as it should. Cost versus benefit is always considered in the establishment of controls.
1.3. Risk assessment

• Testing and Assessment of Internal Controls – To ensure that controls are operating effectively, testing is usually necessary, particularly in automated processes. The testing provides confidence that controls have reduced risk to a tolerable level.
• Corrective Action – Corrective action is warranted when a control is weak, not in place, or not functioning properly. These actions are documented and added to the entity’s risk assessment plan with a timeline for action. Testing can be time-consuming and not always possible; an alternative is to combine ongoing monitoring with a regular review of control design to provide assurance that activities are being carried out in a timely and accurate manner.
1.3. Risk assessment

◼ The Revised COSO Enterprise Risk Guidance (Aligning Risk with Strategy and Performance, June 2016) identified a new principle: the organization identifies “risk in execution” that impacts the achievement of business objectives. This requirement highlights the importance of identifying new, emerging, and changing risk. Examples would include a change in business objectives, a change in business context, and a change that was previously unknown or previously unidentified. The new COSO guidance also cautions against bias in assessment, in which one’s personal point of view plays a disproportionate role in the evaluation of risk.
1.3. Risk assessment

RISK ASSESSMENT PROCESS

Risk Response

Acceptance. No action is taken to decrease risk impact or likelihood. The organization is willing to accept the risk at the current level rather than spend valuable resources deploying one of the other risk response options.

Avoidance. A decision is made to exit or divest of the activities giving rise to the risk. Risk avoidance may involve, for example, exiting a product line, deciding not to expand to a new geographical market, or selling a division.

Pursuit. Exploit the risk if taking such a risk is advantageous to the organization or is necessary to achieve a particular business objective.

Reduction. Action is taken to reduce the risk impact, likelihood, or both. This involves a myriad of everyday business decisions, such as implementing controls.

Sharing. The risk impact or likelihood is reduced by transferring or otherwise sharing a portion of the risk. Common techniques include purchasing insurance.

1.4. Control Activities

DEFINITION AND TYPES OF CONTROLS


◼ The policies and procedures that help ensure that necessary actions are taken to address the risks to the achievement of the entity’s objectives.
◼ There are many types of controls that are used by an organization to increase the likelihood that objectives will be met:
 Entity-level, Process-level, and Transaction-level Controls
 Key Controls and Secondary Controls
 Compensating Controls
 Preventive and Detective Controls
 Information Systems (Technology) Controls
1.4. Control Activities
ENTITY-LEVEL, PROCESS-LEVEL, AND TRANSACTION-LEVEL CONTROLS

Entity-level controls: A control that operates across an entire entity and, as such, is not bound by, or associated with, individual processes.

Process-level controls: An activity that operates within a specific process for the purpose of achieving process-level objectives.

Transaction-level controls: An activity that reduces risk relative to a group or variety of operational-level tasks or transactions within an organization.
1.4. Control Activities

TYPES OF CONTROL


Key control: An activity designed to reduce risk associated with a critical business objective.

Secondary control: An activity designed to either reduce risk associated with business objectives that are not critical to the organization’s survival or success, or serve as a backup to a key control.

Compensating control: An activity that, if key controls do not fully operate effectively, may help to reduce the related risk. A compensating control will not, by itself, reduce risk to an acceptable level.
1.4. Control Activities

TYPES OF CONTROL


Preventive control is designed to deter unintended events
from occurring in the first place.

Detective control is designed to discover undesirable
events that have already occurred. A detective control must
occur timely (before the undesirable event has had an
unacceptably negative impact on the organization) to be
considered effective.

1.4. Control Activities

TYPES OF CONTROL ACTIVITIES

Control activities generally fall into the following five types:
1. Adequate separation of duties
2. Proper authorization of transactions and activities (establishment of responsibility)
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance (independent internal verification)
1.4. Control Activities

SEGREGATION OF DUTIES
 Different individuals should be responsible for related activities.
Example: The responsibility for record-keeping for an asset should be separate from the physical custody of that asset.
1.4. Control Activities

ADEQUATE SEPARATION OF DUTIES

There are four general guidelines for adequate separation of duties to prevent both fraud and errors:
◼ Separation of the custody of assets from accounting
◼ Separation of the authorization of transactions from the custody of related assets
◼ Separation of operational responsibility from record-keeping responsibility
◼ Separation of IT duties from the user departments
1.4. Control Activities

PROPER AUTHORIZATION OF
TRANSACTIONS AND ACTIVITIES
◼ Every transaction must be properly authorized if controls are to be satisfactory. If any person in an organization could acquire or expend assets at will, complete chaos would result.
◼ Authorization can be either general or specific. Under general authorization, management establishes policies and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy. General authorization decisions include the issuance of fixed price lists for the sale of products, credit limits for customers, and fixed reorder points for making acquisitions.
◼ Specific authorization applies to individual transactions. For certain transactions, management prefers to authorize each transaction individually.
1.4. Control Activities

ADEQUATE DOCUMENTS AND RECORDS
◼ Prenumbered consecutively
◼ Prepared at the time a transaction takes place
◼ Designed for multiple use
◼ Constructed to encourage correct preparation
ANATOMY OF A FRAUD

To support their reimbursement requests for travel costs incurred, employees at Mod Fashions Corporation’s design center were required to submit receipts. The receipts could include the detailed bill provided for a meal, or the credit card receipt provided when the credit card payment is made, or a copy of the employee’s monthly credit card bill that listed the item. A number of the designers who frequently traveled together came up with a fraud scheme: they submitted claims for the same expenses. For example, if they had a meal together that cost $200, one person submitted the detailed meal bill, another submitted the credit card receipt, and a third submitted a monthly credit card bill showing the meal as a line item. Thus, all three received a $200 reimbursement.

Total take: $75,000

The Missing Control


Documentation procedures. Mod Fashions should require the original, detailed receipt. It should not accept photocopies, and it should not accept credit card statements. In addition, documentation procedures could be further improved by requiring the use of a corporate credit card (rather than a personal credit card) for all business expenses.
PHYSICAL CONTROLS OVER ASSETS & RECORDS

ANATOMY OF A FRAUD

At Centerstone Health, a large insurance company, the mailroom each day received insurance applications from prospective customers. Mailroom employees scanned the applications into electronic documents before the applications were processed. Once the applications are scanned they can be accessed online by authorized employees. Insurance agents at Centerstone Health earn commissions based upon successful applications. The sales agent’s name is listed on the application. However, roughly 15% of the applications are from customers who did not work with a sales agent. Two friends—Alex, an employee in record keeping, and Parviz, a sales agent—thought up a way to perpetrate a fraud. Alex identified scanned applications that did not list a sales agent. After business hours, he entered the mailroom and found the hardcopy applications that did not show a sales agent. He wrote in Parviz’s name as the sales agent and then rescanned the application for processing. Parviz received the commission, which the friends then split.

Total take: $240,000

The Missing Control


Physical controls. Centerstone Health lacked two basic physical controls that
could have prevented this fraud. First, the mailroom should have been locked
during nonbusiness hours, and access during business hours should have been
tightly controlled. Second, the scanned applications supposedly could be
accessed only by authorized employees using their passwords. However, the
password for each employee was the same as the employee’s user ID. Since
employee user-ID numbers were available to all other employees, all
employees knew all other employees’ passwords. Unauthorized employees
could access the scanned applications. Thus, Alex could enter the system using
another employee’s password and access the scanned applications.

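The two controls the Centerstone Health case was missing, written as code. This is an added example and not part of the textbook or the case: the business-hours window, the role names, the user IDs, the twelve-character minimum and the rule that a password may not contain or reverse the user ID (the case only describes passwords equal to the user ID) are all assumptions.

```python
"""Access controls for a scanned-application store (added example, not from the textbook).

Models the physical control (mailroom badge reader limited to mailroom staff
during business hours) and the logical controls (password policy plus role
check) the Centerstone Health case lacked. All names, roles and records are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BUSINESS_HOURS = range(8, 18)                              # 08:00-17:59, assumed policy
MAILROOM_ROLES = {"mailroom"}                              # who may badge into the mailroom
APPLICATION_READERS = {"underwriter", "records_manager"}   # who may open scanned applications


@dataclass
class User:
    user_id: str
    role: str


@dataclass
class AccessLog:
    """Append-only record of every allow/deny decision, kept for independent review."""
    entries: list[tuple[str, str, str]] = field(default_factory=list)

    def record(self, user_id: str, action: str, decision: str) -> None:
        self.entries.append((user_id, action, decision))


def password_derived_from_user_id(user_id: str, password: str) -> bool:
    """True when the password equals, contains, or reverses the user ID (case-insensitive).

    A password identical to the user ID was the weakness in the case; a password
    that merely contains or reverses it is guessed just as easily, so it is
    rejected too (assumed rule).
    """
    uid, pw = user_id.lower(), password.lower()
    if len(uid) < 3:                      # too short for a meaningful substring test
        return pw == uid
    return uid in pw or uid[::-1] in pw


def password_policy_violations(user_id: str, password: str, min_len: int = 12) -> list[str]:
    """Return the policy rules a proposed password breaks; an empty list means accepted."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password_derived_from_user_id(user_id, password):
        problems.append("derived from the user ID")
    return problems


def mailroom_badge_access(user: User, hour: int, log: AccessLog) -> bool:
    """Physical control: the mailroom opens only to mailroom staff during business hours."""
    allowed = user.role in MAILROOM_ROLES and hour in BUSINESS_HOURS
    log.record(user.user_id, f"mailroom@{hour:02d}:00", "ALLOW" if allowed else "DENY")
    return allowed


def open_application(user: User, application_id: str, log: AccessLog) -> bool:
    """Logical control: only authorized roles may read a scanned application."""
    allowed = user.role in APPLICATION_READERS
    log.record(user.user_id, f"open:{application_id}", "ALLOW" if allowed else "DENY")
    return allowed


if __name__ == "__main__":
    log = AccessLog()
    alex = User("E1042", "records_clerk")        # constructed: the record-keeping employee
    # The password used in the case (same as the user ID) fails the policy at onboarding.
    print(password_policy_violations("E1042", "E1042"))
    # After hours the badge reader refuses him, and the document system refuses his role.
    print(mailroom_badge_access(alex, 21, log), open_application(alex, "APP-7781", log))
    for entry in log.entries:
        print(entry)
```

The log is the piece an auditor cares about: every denied badge swipe after hours and every denied read attempt is evidence for the independent checks described later in this chapter, which a password rule alone does not provide.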
INDEPENDENT CHECKS ON PERFORMANCE

 Records periodically verified by an employee who is independent.
 Discrepancies reported to management.

Illustration: comparison of the segregation of duties principle with the independent internal verification principle.
ANATOMY OF A FRAUD

Bobbi Jean Donnelly, the office manager for Mod Fashions Corporation’s design center, was responsible for preparing the design center budget and reviewing expense reports submitted by design center employees. Her desire to upgrade her wardrobe got the better of her, and she carried out a fraud that involved filing expense-reimbursement requests for her own personal clothing purchases. She was able to conceal the fraud because she was responsible for reviewing all expense reports, including her own. In addition, she sometimes was given ultimate responsibility for signing off on the expense reports when her boss was “too busy.” Also, because she controlled the budget, when she submitted her expenses, she coded them to budget items that she knew were running under budget, so that they would not catch anyone’s attention.
Total take: $275,000
The Missing Control
Independent internal verification. Bobbi Jean’s boss should have verified her expense reports. When asked what he thought her expenses were, the boss said about $10,000. At $115,000 per year, her actual expenses were more than ten times what would have been expected. However, because he was “too busy” to verify her expense reports or to review the budget, he never noticed.
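The general and specific authorization rules from the “Proper authorization” section, the documentation control from the first Mod Fashions case, and the separation-of-duties and independent-verification controls from the Bobbi Jean case, combined into one added example that is not part of the textbook. The $500 general authorization limit, the CFO as the only specific approver, the manager relationships, the claim records and the “expected spending” figures are all constructed.

```python
"""Controls over expense reimbursements (added example, not from the textbook).

Preventive checks: a general authorization limit with specific authorization
above it, original receipts only, and no self-approval. Detective checks: the
same expense claimed by several employees, and an independent comparison of
each employee's total against the budgeted expectation. All names, limits and
records are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

GENERAL_AUTH_LIMIT = 500.00   # assumed policy: at or below this, the line manager may approve
SPECIFIC_APPROVERS = {"cfo"}  # assumed policy: above it, a named officer must approve


@dataclass(frozen=True)
class Claim:
    claim_id: str
    employee: str
    approver: str
    date: str        # ISO date
    merchant: str
    amount: float
    receipt: str     # "original", "copy" or "statement"


def authorization_problems(claim: Claim, manager_of: dict[str, str]) -> list[str]:
    """Preventive controls applied before a claim is paid; an empty list means payable."""
    problems = []
    if claim.approver == claim.employee:
        problems.append("self-approval")
    if claim.receipt != "original":
        problems.append(f"{claim.receipt} receipt not accepted")
    if claim.amount > GENERAL_AUTH_LIMIT:
        if claim.approver not in SPECIFIC_APPROVERS:
            problems.append("amount above general authorization limit needs specific approval")
    elif claim.approver != manager_of.get(claim.employee) and claim.approver not in SPECIFIC_APPROVERS:
        problems.append("approver is not the employee's manager")
    return problems


def duplicate_claims(claims: list[Claim]) -> list[list[Claim]]:
    """Detective control: the same date, merchant and amount claimed by different employees."""
    groups: dict[tuple, list[Claim]] = defaultdict(list)
    for c in claims:
        groups[(c.date, c.merchant, round(c.amount, 2))].append(c)
    return [g for g in groups.values() if len({c.employee for c in g}) > 1]


def spending_outliers(claims: list[Claim], expected: dict[str, float], factor: float = 1.5) -> dict[str, float]:
    """Independent verification: employees whose total exceeds `factor` times the
    budgeted expectation. An employee with no budget line is always reported."""
    totals: dict[str, float] = defaultdict(float)
    for c in claims:
        totals[c.employee] += c.amount
    return {e: round(t, 2) for e, t in totals.items() if t > factor * expected.get(e, 0.0)}


def review(claims, manager_of, expected):
    """Run every control; return (findings keyed by claim ID, spending outliers by employee)."""
    findings: dict[str, list[str]] = {}
    for c in claims:
        for p in authorization_problems(c, manager_of):
            findings.setdefault(c.claim_id, []).append(p)
    for group in duplicate_claims(claims):
        ids = ",".join(c.claim_id for c in group)
        for c in group:
            findings.setdefault(c.claim_id, []).append(f"duplicate of {ids}")
    return findings, spending_outliers(claims, expected)


# Constructed data: three designers claim one $200 meal three ways, and the office
# manager approves her own clothing purchase, mirroring the cases above.
MANAGER_OF = {"bobbi": "hal", "dana": "bobbi", "eve": "bobbi", "finn": "bobbi"}
CLAIMS = [
    Claim("C1", "dana", "bobbi", "2023-03-04", "Bistro 44", 200.00, "original"),
    Claim("C2", "eve", "bobbi", "2023-03-04", "Bistro 44", 200.00, "copy"),
    Claim("C3", "finn", "bobbi", "2023-03-04", "Bistro 44", 200.00, "statement"),
    Claim("C4", "bobbi", "bobbi", "2023-03-10", "Atelier Mode", 1450.00, "original"),
    Claim("C5", "dana", "bobbi", "2023-03-12", "Rail Co", 85.50, "original"),
]
EXPECTED_PERIOD = {"bobbi": 800.00, "dana": 330.00, "eve": 330.00, "finn": 330.00}

if __name__ == "__main__":
    findings, outliers = review(CLAIMS, MANAGER_OF, EXPECTED_PERIOD)
    for claim_id, problems in sorted(findings.items()):
        print(claim_id, problems)
    print("over budget:", outliers)
```

The preventive checks stop C2, C3 and C4 before payment; the duplicate check catches C1 as well, even though on its own it is a perfectly formed claim, which is why the detective control has to run across employees rather than per report. The outlier check is the boss’s “about $10,000” question made routine: it only works if the expected figures come from someone other than the person being checked.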
1.5. Information & Communication

INFORMATION AND COMMUNICATION
◼ Information and communication are necessary to facilitate
control. This internal control component relates to recording
transactions, matching internal with external documents,
confirmations from/to third parties, communication of
procedures and tasks, accountability and formal management
reports. Information should meet certain quality criteria to
facilitate proper control.
◼ Relevant, accurate, and timely information must be available to
individuals at all levels of an organization who need such
information to run the business effectively. Information must be
provided to specific personnel as appropriate to support
achievement of their operating, reporting, and compliance
responsibilities.
1.5. Information & Communication

INFORMATION AND COMMUNICATION
◼ The purpose of an entity’s accounting information and
communication system is to initiate, record, process, and
report the entity’s transactions and to maintain accountability
for the related assets. The underlying principles related to
information and communication stress the importance of using
relevant, quality information that is communicated both
internally and externally as necessary to support the proper
functioning of internal controls.
◼ Communications with external parties also are important and
can provide critical information on the functioning of controls.
These parties include, but are not limited to, customers,
suppliers, service providers, regulators, external auditors, and
shareholders.
1.5. Information & Communication

INFORMATION AND COMMUNICATION

◼ There are many ways organizations can choose to communicate.

Hardcopy forms of communication include manuals,
memoranda, and bulletin boards located in areas where
individuals congregate.

Communication also can take place in face-to-face meetings or
electronically through emails, intranet sites, video
conferencing, or electronic bulletin boards.

1.6. Monitoring

DEFINITION

As COSO indicates:
◼ Monitoring activities consist of ongoing evaluations built into
business processes at different levels of the entity [that]
provide timely information. Separate evaluations, conducted
periodically, will vary in scope and frequency depending on
assessment of risks, effectiveness of ongoing evaluations, and
other management considerations.
◼ Findings are evaluated against criteria established by
regulators, standard-setting bodies or management and the
board of directors, and deficiencies are communicated to
management and the board of directors as appropriate.
1.5. Monitoring
◼ Monitoring activities are performed concurrently with those operations on an ongoing basis. The more robust and comprehensive the supervisory and verification procedures, the more confidence management can place in the effectiveness of those procedures to ensure consistent and reliable ongoing operations. With effective ongoing monitoring activities, coupled with accurate and dependable risk assessments, the frequency of separate evaluations may be reduced.
1.5. Monitoring
EFFECTIVENESS OF MONITORING
◼ The first layer includes the everyday activities performed by management of
a given area as described above.
◼ The second layer is a separate (nonindependent) evaluation of the area’s
internal controls performed by management on a regular basis to ensure
that any deficiencies that exist are identified and resolved timely.
◼ The third layer is an independent assessment by an outside area or function,
frequently the internal audit function, performed to validate the results
(accuracy and reliability) of management’s self-assessment of the
effectiveness of controls in their area. While the internal audit function
provides a valuable form of assurance, as described above, most
organizations have other groups that also provide some form of assurance.
These groups may provide assurance directly to the board, or communicate
to members of management who provide the assurance to the board. This
layered approach provides the organization with a higher level of confidence
that the system of internal controls remains effective and helps ensure
internal control deficiencies are identified and addressed timely.
1.5. Monitoring
EFFECTIVENESS OF MONITORING
◼ Embedding monitoring activities into processes performed during day-to-day business operations allows monitoring activities to occur regularly, catching problems before they become unmanageable. Separate evaluations lack this advantage due to the timing of their performance, which is later in the process, and because they are performed less frequently. Separate evaluations provide for a supplemental look at the system of internal controls, catch problems that might have been missed during ongoing monitoring activities, and evaluate the effectiveness of the ongoing monitoring activities embedded in the day-to-day activities of the area. Despite the various advantages of the two different methods for monitoring, both are needed for a robust monitoring process to exist.
1.5. Monitoring
EFFECTIVENESS OF MONITORING
◼ Management has primary responsibility for the effectiveness of the organization’s system of internal controls, including monitoring activities. As responsibility for performing certain controls rises in the organization to higher levels of management, traditional supervisory monitoring becomes more challenging.
◼ Monitoring activities performed by subordinates in an organization are
much less effective than those performed by superiors. In those
situations in which senior management performs controls, it might be
appropriate for other members of senior management to monitor those
controls. In cases that carry the risk of management override, board-
level monitoring might be necessary.
◼ Ultimately, the board of directors is responsible for overseeing whether management has implemented an effective system of internal controls. This responsibility is fulfilled by the board through an understanding of the risks to the organization and by understanding how management mitigates those risks to an acceptable level.
DEFICIENCY OF INTERNAL CONTROL
◼ Definition:
“A condition within an internal control system worthy of attention that may represent a perceived, potential, or real shortcoming, or opportunity to strengthen the internal control system to provide a greater likelihood that the entity’s objectives will be achieved.”
(COSO 2013)
◼ Deficiencies in an organization’s system of internal controls
might be identified during the performance of either
ongoing monitoring activities or separate evaluations.
COSO broadly defines a deficiency as “a shortcoming in a
component and relevant principle that reduces the
likelihood that the entity can achieve its objectives.”
DEFICIENCY OF INTERNAL CONTROL
◼ Deficiencies identified as a result of ongoing monitoring activities and separate evaluations must be reported timely to the appropriate parties within the organization.
◼ Depending on the impact a specific deficiency has on the
potential effectiveness of the system of internal controls, it
should be reported to business unit management, senior
management, and/or the board of directors. Reported
deficiencies are important considerations in the evaluation
of the system of internal controls.
MONITORING
EVALUATING THE SYSTEM OF INTERNAL CONTROLS
◼ Management is responsible for putting in place adequately designed and effectively operating entity-level and activity-level controls to mitigate risks associated with the achievement of business objectives in each of the three COSO-defined categories: operations, reporting, and compliance.
◼ Internal auditors play a significant role in the verification that management has met its responsibility. Initially, management performs the primary assessment of internal controls using a formalized process developed for that purpose. The internal audit function then independently validates management’s results.
◼ A report is typically submitted to the audit committee by either senior management or the CAE outlining the results of management’s assessment regarding the design adequacy and operating effectiveness of the organization’s system of internal controls.
DISCUSSION
Chapter 2: Internal Control
EXERCISE 1
◼ An organization has a goal to prevent the ordering of inventory
quantities in excess of its needs. One individual in the
organization wants to design a control that requires a review of
all purchase requisitions by a supervisor in the user
department prior to submitting them to the purchasing
department. Another individual wants to institute a policy
requiring agreement of the receiving report and packing slip
before storage of new inventory receipts. Which of these
controls is (are) relevant in achieving the stated goal? Explain
your answer.
Chapter 2: Internal Control
EXERCISE 1
Answer:
◼ The control requiring a review of all purchase requisitions by a
supervisor in the user department prior to submitting them to
the purchasing department is superior because it is a means of
control over the number of items ordered. Conversely, the
control requiring agreement of the receiving report and
packing slip would be more appropriate for the risk of receiving
an amount other than that ordered.
MC QUESTIONS
Chapter 2: Internal Control
QUESTION 1
◼ Which of the following best exemplifies a control activity referred to as independent verification?
a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions.
b. Identification badges and security codes used to restrict entry to the production facility.
c. Accounting records and documents that provide a trail of sales and cash receipt transactions.
d. Separating the physical custody of inventory from inventory accounting.
Chapter 2: Internal Control
QUESTION 2
◼ Reasonable assurance, as it pertains to internal control, means that:
a. The objectives of internal control vary depending on the
method of data processing used.
b. A well-designed system of internal controls will prevent or
detect all errors and fraud.
c. Inherent limitations of internal control preclude a system
of internal control from providing absolute assurance that
objectives will be achieved.
d. Management cannot override controls, and employees
cannot circumvent controls through collusion.
Chapter 2: Internal Control
QUESTION 3
◼ Who has primary responsibility for the monitoring component
of internal control?
a. The organization’s independent outside auditor.
b. The organization’s internal audit function.
c. The organization’s management.
d. The organization’s board of directors.
Chapter 2: Internal Control
QUESTION 4
◼ The requirement that purchases be made from suppliers on an
approved vendor list is an example of a:
a. Preventive control.
b. Detective control.
c. Compensating control.
d. Monitoring control.
CASE STUDY
CASE STUDY # 1
Breezy Company
(This case was prepared by Elizabeth Morris, Lehigh University, Memorial Drive West, Bethlehem, PA 18015 USA)
Breezy Company of Bethlehem, Pennsylvania, is a small wholesale distributor of heating and cooling fans. The company deals with
retailing firms that buy small to medium quantities of fans. The
president, Chuck Breezy, was very pleased with the marked increase in
sales over the past couple of years. Recently, however, the accountant
informed Chuck that although net income has increased, the percentage
of uncollectibles has tripled. Because of the small size of the business,
Chuck fears he may not be able to sustain these increased losses in the
future. He asked his accountant to analyze the situation.
CASE STUDY # 1
Breezy Company (Cont.)
Background
In 1998, the sales manager, John Breezy, moved to Alaska,
and Chuck hired a young college graduate to fill the position. The
company had always been a family business and, therefore,
measurements of individual performance had never been a large
consideration. The sales levels had been relatively constant because
John had been content to sell to certain customers with whom he had
been dealing for years. Chuck was leery about hiring outside the family
for this position. To try to keep sales levels up, he established a
reward incentive based on net sales. The new sales manager, Bob
Sellmore, was eager to set his career in motion and decided he
would attempt to increase the sales levels.
CASE STUDY # 1
Breezy Company (Cont.)
To do this, he recruited new customers while keeping the old clientele. After one year, Bob had proved himself to Chuck, who decided to introduce an advertising program to further increase sales. This brought in orders from a number of new customers, many of whom Breezy had never done business with before. The influx of orders excited Chuck so much that he instructed Jane Breezy, the finance manager, to raise the initial credit level for new customers. This induced some customers to purchase more.
CASE STUDY # 1
Breezy Company (Cont.)
Existing System
The accountant prepared a comparative income statement to show
changes in revenues and expenses over the last three years, shown in
Exhibit A.
CASE STUDY # 1
Exhibit A: Comparative income statement (figure not included in the text extraction)
CASE STUDY # 1
Breezy Company (Cont.)
Currently, Bob is receiving a commission of 2 percent of net sales.
Breezy Company uses credit terms of net 30 days. At the end of
previous years, bad debt expense amounted to approximately 2 percent
of net sales. As the finance manager, Jane performs credit checks. In
previous years, Jane had been familiar with most clients and approved
credit on the basis of past behavior. When dealing with new customers,
Jane usually approved a low credit amount and increased it after the
customer exhibited reliability. With the large increase in sales, Chuck
thought that the current policy was restricting a further rise in sales
levels. He decided to increase credit limits to eliminate this restriction.
This policy, combined with the new advertising program, should attract
many new customers.
CASE STUDY # 1
Future
The new level of sales impresses Chuck and he wishes to expand, but he also wants to keep uncollectibles to a minimum. He believes the amount of uncollectibles should remain relatively constant as a percentage of sales. Chuck is thinking of expanding his production line, but wants to see uncollectibles drop and sales stabilize before he proceeds with this plan.
Required
Define the risks, analyze the weaknesses in internal control, and suggest improvements.
END OF CHAPTER 2