Chapter 6 Internal Control.

Chapter 6 Outline

- Frameworks of Internal Control
- Definitions of Internal Control
- Components of Internal Control
- Roles and Responsibilities in Control Inside the Organization
- Internal Audit Function
- Limitations of Internal Controls
- Types of Controls
- Application of Controls
- Overview of Evaluating Controls (CH 12-15)

Every organization has business objectives that it intends to achieve, and every organization has risks that threaten the achievement of those objectives. In this chapter, we will discuss the various components of the system of internal controls that organizations develop to mitigate and manage those risks. Specifically:

Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A.

Exhibit 6-1

2100 – Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
- 2110 Governance (CH 3)
- 2120 Risk Management (CH 4)
- 2130 Control (CH 6)

2130 – Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
- Achievement of the organization’s strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.

I. Internal Control Frameworks
A framework is a body of guiding principles that form a template against which organizations can evaluate a multitude of business practices: a blueprint of knowledge and guidance. Specific to the practice of internal auditing, various frameworks are used to assess the design and operating effectiveness of internal controls.

Exhibit 6-2

ERM and these IC frameworks: both deal with risk mitigation and internal control, BUT those that focus on internal control alone are:
- More narrowly defined
- Less strategic in nature
We focus on IC frameworks in this chapter.


Internal Control Frameworks
There are currently only 3 comprehensive internal control frameworks recognized globally by management, independent outside accountants/auditors, and internal audit professionals:
- Internal Control – Integrated Framework, issued by COSO in 1992
- Guidance on Control (CoCo), published in 1995 by the Canadian Institute of Chartered Accountants
- Internal Control: Revised Guide for Directors on the Combined Code (Turnbull Report), published by the Financial Reporting Council in 1999 and updated in 2005

A fourth framework, COBIT 4.1 (now COBIT 5, 2012), the IT internal control framework issued by the IT Governance Institute in 2007, provides guidance but is not comprehensive.

Exhibit 6-3
Similarities between the 3 IC frameworks:
- Define internal control
- Three categories of objectives: effectiveness and efficiency of operations; reliability of reporting; compliance
- Agree on responsibility for control (BOD, senior management, IA and all individuals)
- Similar 5 components (COSO): Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring


SOX Act of 2002
In the US, the SOX Act of 2002 put responsibility for the design, maintenance, and effective operation of internal control squarely on the shoulders of senior management, specifically the CEO and CFO. To comply with this legislation, the SEC requires the CEO and CFO of publicly traded companies to produce an opinion on the adequate design and effective operation of internal control over financial reporting (ICFR) as part of the annual filing of financial statements with the SEC, and to report any substantial changes in ICFR on a quarterly basis. The SEC recommends that companies use the COSO framework in their evaluation. This is known as Section 404 of SOX.

Summary of Section 404
Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures. The registered accounting firm shall, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting.

Exhibit 6-4

II. What is Internal Control?
COSO definition: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations

Control
Control has long been a component of the “unique” franchise of internal auditing. The emergence of broad management control frameworks such as COSO and CoCo has elevated the internal auditor’s focus from financial and compliance-oriented controls to management controls and governance processes that address broad organizational risks.

III. Components of Internal Control: ERM Cube (2004); COSO Pyramid (1992)
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring

Exhibit 6-6

Exhibit 6-7

The 20 (now 17) basic principles of the COSO framework are listed in Exhibit 6-6 (6-10) and correspond to the five components of the COSO framework (Exhibit 6-7). We will discuss them as we talk about each component of control.

Exhibit 6-10

1. Control Environment

Control Environment
Control Environment: sets the tone of an organization, influencing the control consciousness of its people.
Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
The control environment permeates all areas of the organization and influences the way individuals approach internal control.

Control Environment
Effectively controlled entities establish appropriate policies and procedures, often including a written code of conduct, which foster shared values and teamwork in the pursuit of the entity’s objectives.

2. Risk Assessment

Risk Assessment
Risk Assessment: the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed.
There must first be objectives, established in a strategy-setting environment, before management can identify risks (event identification) that might impede the achievement of the objectives and take necessary actions to manage those risks (risk response).

Risk Assessment
Objective setting is not an internal control, but it is a prerequisite to and enabler of internal control.
By setting objectives at the entity and activity (process) levels, an entity can identify critical success factors – key things that must go right if goals are to be attained.

Risk Assessment
There are three broad categories of objectives:
- Operations objectives – these pertain to effectiveness and efficiency of operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management’s choices about structure and performance.
- Financial reporting objectives – these pertain to the preparation of reliable published financial statements, including prevention of fraudulent public financial reporting. They are driven primarily by external requirements.
- Compliance objectives – these pertain to adherence to laws and regulations to which the entity is subject. They tend to be similar across all entities in some cases and across an industry in others.

3. Control Activities

Control Activities
Control Activities: occur throughout the organization, at all levels and in all functions.
They can be divided into 3 categories based on the nature of the entity’s objectives to which they relate: operations, financial reporting, or compliance. Although some controls relate solely to one area, there is often overlap. Thus, operations controls also can help ensure reliable financial reporting, financial reporting controls can serve to effect compliance, and so on. The particular category in which a control is placed is not as important as the role it plays in achieving a particular activity’s objectives.

4. Information and Communication, and 5. Monitoring

Information and Communication
Information and Communication: Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication must occur in a broader sense, flowing down, across, and up the organization. All personnel must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream.

Information and Communication
There also needs to be effective communication with external parties such as customers, suppliers, regulators and shareholders. Information is only useful when communicated appropriately. This interdependency is why COSO combines information and communication into one component. Communication takes the form of policy manuals, memos, bulletin board notices, and videotaped messages. Tone of voice and body language also convey information.

Monitoring
Monitoring: A process that assesses the quality of the system’s performance over time. This is accomplished through:
- ongoing monitoring activities
- separate (periodic) evaluations
- or a combination of the two

Monitoring
Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board of directors.
Exhibit 6-9 – Deficiency (also called audit observation) is defined as a condition within an internal control system worthy of attention.

IV. Internal Control Roles and Responsibilities: Management
The CEO is ultimately responsible and should assume ownership of the system. More than any other individual, the CEO sets the tone at the top that affects integrity and ethics and other factors of a positive control environment. In a large company, the CEO fulfills this duty by providing leadership and direction to senior managers and reviewing the way they’re controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit’s functions.

Internal Control Roles and Responsibilities: Board of Directors
Effective board members are objective, capable, and inquisitive. They have knowledge of the entity’s activities and environment and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management that intentionally misrepresents results to cover its tracks. A strong, active board is best able to identify and correct such a problem.

Internal Control Roles and Responsibilities: Internal Auditors
Internal auditors play a significant role in verifying that management has an adequate system of internal controls. Management performs the primary assessment, testing and certification of the system of internal controls, and then IA independently validates management’s results.

Internal Control Roles and Responsibilities: Other Personnel
Internal control is, to some degree, the responsibility of everyone in an organization and should be an explicit or implicit part of everyone’s job description. External auditors contribute directly through the financial statement audit and indirectly by providing information useful to management and the board in carrying out their responsibilities. In many cases, outside vendors are used to perform elements of the internal control system. In these cases, ownership or accountability for the outsourced elements remains with internal management.

Limitations of Internal Controls
Internal controls can provide only reasonable assurance to management and the BOD regarding achievement of an entity’s objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems, including:
- faulty human judgment in decision-making and human errors such as simple mistakes

Limitations of Internal Controls
- Controls can be circumvented by the collusion of two or more people, and management has the ability to override the control system.
- Another limiting factor is the need to consider controls’ relative costs and benefits.

Risk
A key to understanding the concepts of inherent limitations and reasonable assurance lies in understanding the linkage and interdependency of the business objectives and the risks that directly or indirectly affect an organization’s ability to achieve its business objectives. An organization’s ability to achieve established business objectives is affected by both internal and external risk factors. The combination of internal and external risk factors in their pure, uncontrolled state is referred to as inherent risk.

Risk
After the entity has identified entitywide and activity risks, a risk analysis needs to be performed:
- Estimating the significance of a risk (severity or impact)
- Assessing the likelihood (or frequency) of the risk occurring (probability)
- Considering how the risk should be managed – that is, an assessment of what actions need to be taken (control activities)

Risk
A risk that does not have a significant effect and has a low likelihood of occurrence generally does not warrant serious concern. A significant risk with a high likelihood of occurrence usually demands considerable attention. Circumstances in between require difficult judgments; thus, it is important that the analysis be rational and careful.

Risk
The specific action management chooses to take to reduce the significance or likelihood of a risk depends largely on the risk appetite established by an organization’s management and BOD. COSO’s ERM Integrated Framework defines risk appetite as “the broad-based amount of risk a company is willing to accept in pursuit of its mission or vision”. A company needs to ensure it has neither excessive risk nor excessive control. Exhibit 6-10

Risk
Controllable risk is that portion of inherent risk specifically related to risk factors internal to an organization. Said another way, controllable risk is the risk that management can directly influence and that can be reduced or managed through day-to-day business operations.

Risk
The portion of inherent risk that remains after mitigating controllable risk is defined as residual risk. If residual risk is less than the established risk appetite, then the system of internal controls is operating at an acceptable level and within an organization’s defined risk appetite.

Risk
If residual risk exceeds the organization’s established risk appetite, it is necessary to re-evaluate the system of internal controls to determine if additional cost-effective control activities can be implemented to further reduce residual risk to an acceptable level. If not, management must consider other options such as sharing or transferring a portion of the uncontrolled risk to a willing independent third party through insurance or outsourcing. If the uncontrolled risk cannot be transferred or shared, management can either accept the higher level of risk and adjust their risk appetite accordingly or discontinue the activity.
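The risk analysis and response sequence in the Risk slides above (inherent risk, controllable and residual risk, comparison with risk appetite, then additional controls, transfer, accept or discontinue), as an added worked example that is not code from the textbook or these slides. The 1..5 scoring scales, the control effectiveness figures and the three sample risks are constructed assumptions for illustration.

```python
"""Risk analysis and response decision from the Risk slides, as a small model.
Inherent risk = significance x likelihood; controls mitigate the controllable
portion; residual risk is compared with the risk appetite; the response follows
the order given on the slides. All scales and sample values are constructed."""

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float      # share of the remaining controllable risk it removes (assumed)
    implemented: bool = True  # False = a candidate control not yet in place


@dataclass
class Risk:
    name: str
    significance: int          # severity / impact, 1 (low) .. 5 (high); assumed scale
    likelihood: int            # probability / frequency, 1 (rare) .. 5 (likely); assumed scale
    controllable_share: float  # portion of inherent risk driven by internal factors
    controls: list = field(default_factory=list)
    transferable: bool = False  # could a third party (insurer, outsourcer) carry the rest?

    def inherent(self) -> float:
        """Inherent risk: internal and external factors in their uncontrolled state."""
        return float(self.significance * self.likelihood)

    def controllable(self) -> float:
        """Controllable risk: the portion management can reduce through daily operations."""
        return self.inherent() * self.controllable_share

    def residual(self, assume_implemented=()) -> float:
        """Residual risk: inherent risk left after the implemented controls (plus any
        candidates listed in assume_implemented) mitigate controllable risk. Each
        control removes its share of whatever the previous controls left."""
        remaining = self.controllable()
        for c in self.controls:
            if c.implemented or c in assume_implemented:
                remaining *= 1.0 - c.effectiveness
        uncontrollable = self.inherent() - self.controllable()
        return uncontrollable + remaining


def attention_level(risk: Risk) -> str:
    """Triage from the slides: low significance and low likelihood warrant no serious
    concern, high and high demand considerable attention, in between needs judgement.
    Treating >= 4 as high and <= 2 as low on the 1..5 scale is an assumption."""
    if risk.significance >= 4 and risk.likelihood >= 4:
        return "considerable attention"
    if risk.significance <= 2 and risk.likelihood <= 2:
        return "no serious concern"
    return "judgement required"


def respond(risk: Risk, appetite: float) -> str:
    """Decision sequence from the slides once residual risk is compared to appetite."""
    if risk.residual() <= appetite:
        return "within appetite: system of internal controls acceptable"
    # Residual exceeds appetite: look for an additional cost-effective control first.
    for candidate in (c for c in risk.controls if not c.implemented):
        if risk.residual(assume_implemented=(candidate,)) <= appetite:
            return f"implement additional control: {candidate.name}"
    if risk.transferable:
        return "share or transfer the uncontrolled risk (insurance or outsourcing)"
    return "accept the higher risk (adjust appetite) or discontinue the activity"


# Constructed sample risks for a payments process; values are illustrative only.
PAYMENT_FRAUD = Risk(
    name="unauthorized payment release",
    significance=5, likelihood=4, controllable_share=0.75,
    controls=[
        Control("segregation of duties: preparer vs approver", effectiveness=0.5),
        Control("dual approval above threshold", effectiveness=0.75, implemented=False),
    ],
)
DATA_CENTRE_FLOOD = Risk(
    name="data centre flood", significance=5, likelihood=2, controllable_share=0.25,
    transferable=True,
)
STATIONERY_SHORTAGE = Risk(
    name="stationery shortage", significance=1, likelihood=2, controllable_share=1.0,
)


def risk_register(risks, appetite: float):
    """One row per risk: the scores and the response the decision sequence yields."""
    return [
        {
            "risk": r.name,
            "inherent": r.inherent(),
            "residual": r.residual(),
            "attention": attention_level(r),
            "response": respond(r, appetite),
        }
        for r in risks
    ]


if __name__ == "__main__":
    for row in risk_register([PAYMENT_FRAUD, DATA_CENTRE_FLOOD, STATIONERY_SHORTAGE], 7.0):
        print(row)
```

With an appetite of 7.0 the register shows all three branches: the fraud risk is brought within appetite by the candidate control, the flood risk cannot be controlled further and is transferred, and the low/low risk needs no action.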

Viewing Internal Control From Different Perspectives Management: views internal control from the broad perspective of the entire organization. Its responsibility is to develop the entity’s objectives and strategies, and to direct its human and material resources to achieve the objectives. Internal Auditors: examine and evaluate the planning, organizing, and directing processes to determine whether reasonable assurance exists that goals and objectives will be achieved. All of an entity’s systems, processes, operations, functions and activities are included within this view of internal control.

Viewing Internal Control From Different Perspectives Independent Auditors: focus on those aspects of control that support or affect the entity’s external financial reporting. Other External Parties: include legislators and regulatory agencies. Their view of control generally relates to the types of activities monitored and may encompass achievement of the entity’s goals and objectives, reporting requirements, use of resources in compliance with laws and regulations, and safeguarding resources against waste, loss and misuse.

Types of Control Activities: Many commonly recognized control activities that are present in a well-designed system of internal controls include: segregation of duties; performance reviews and follow-up; authorization (approvals); IT access control activities; documentation (rigorous and comprehensive); physical access control activities; IT application (input, processing, output) control activities; independent verifications and reconciliations.

Entitywide and Process-level Control Activities All control activities are designed to mitigate risk either at the enterprise level or at the operational level within an organization. Entitywide control activities are very broadly focused and often deal with the organizational environment or atmosphere. Process-level control activities are more detailed in their focus than entitywide control activities and reduce risk relative to a group of operational-level activities (tasks).

Key Control Activities and Secondary Control Activities: A key control activity is a control activity designed to reduce risk associated with a critical business objective. Failure to implement adequately designed and effectively operating key controls can result in the failure of the organization not only to achieve critical business objectives but to survive. A secondary control activity is one that is designed to either reduce risk associated with business objectives that are not critical to the organization’s survival or success, or serve as a backup to a key control. Secondary control activities are typically a subset of compensating or complementary control activities.

Key Control Activities and Secondary Control Activities: Compensating control activities are redundant controls designed to supplement key controls that are either ineffective or cannot fully mitigate a risk by themselves to an acceptable level within the risk appetite. A complementary control is not directly related to the risk it mitigates and is not enough to fully mitigate the risk by itself, but when taken together with other control activities that are in place, it does contribute to the overall effective mitigation of risk.

Key Control Activities and Secondary Control Activities: A detective control is one that is designed to discover undesirable events that have already occurred. A preventive control is a control designed to deter unintended events from occurring in the first place. It is much more difficult and costly to design a preventive control activity that is both economical and efficient. As a result, most organizations use a combination of preventive and detective controls. A directive control is a control that gives explicit direction regarding what actions need to take place to cause or encourage a desirable event to occur. A corrective control is one in which detected omissions and errors are corrected.

Information Systems Control Activities: Two broad groupings of information systems control activities can be used. General computing controls (a type of entitywide control) apply to many if not all application systems and help ensure their continued, proper operation. Application controls include computerized steps within the application software and related manual procedures to control the processing of various types of transactions.
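An added example (not from the IIA text) showing what the application controls above and the preventive/detective distinction on the previous slide look like in code: input controls on a purchase order (approved vendor list, segregation of duties, authorization limit) run before processing, and a reconciliation of receiving reports to packing slips run afterwards. The vendor ids, roles, dollar limits and documents are constructed sample data.

```python
"""Added example, not from the IIA text: application controls for a purchase-
order process, each labelled as preventive (input) or detective (after the fact).
All vendor ids, roles, limits and documents below are constructed sample data."""
from dataclasses import dataclass

# Constructed sample master data: approved vendor list and authorization
# limits by role (hypothetical; a real system would load these from a
# controlled master file, itself subject to general computing controls).
APPROVED_VENDORS = {"V100", "V200"}
AUTH_LIMITS = {"clerk": 1_000, "supervisor": 10_000, "director": 100_000}


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    amount: float
    initiator: str      # user who entered the order
    approver: str       # user who approved it
    approver_role: str  # role used to look up the authorization limit


def preventive_input_controls(po: PurchaseOrder) -> list[str]:
    """Input controls run before the order is processed. An empty list means
    the order may proceed; otherwise it is rejected with the reasons given."""
    failures = []
    if po.amount <= 0:
        failures.append("invalid amount")
    if po.vendor_id not in APPROVED_VENDORS:
        failures.append("vendor not on approved vendor list")
    if po.initiator == po.approver:
        failures.append("segregation of duties: initiator cannot approve own order")
    limit = AUTH_LIMITS.get(po.approver_role)
    if limit is None or po.amount > limit:
        failures.append("authorization: amount exceeds approver's limit")
    return failures


def detective_receiving_reconciliation(receiving: dict[str, int],
                                       packing_slips: dict[str, int]) -> list[tuple[str, str]]:
    """Detective control run after goods arrive: agree quantities on the
    receiving report to the supplier's packing slip, per purchase order."""
    discrepancies = []
    for po_id, received in receiving.items():
        shipped = packing_slips.get(po_id)
        if shipped is None:
            discrepancies.append((po_id, "received with no packing slip"))
        elif shipped != received:
            discrepancies.append((po_id, f"packing slip {shipped} vs received {received}"))
    for po_id in packing_slips.keys() - receiving.keys():
        discrepancies.append((po_id, "packing slip with no receiving report"))
    return sorted(discrepancies)


if __name__ == "__main__":
    ok = PurchaseOrder("PO-1", "V100", 500.0, "alice", "bob", "clerk")
    bad = PurchaseOrder("PO-2", "V999", 25_000.0, "carol", "carol", "supervisor")
    print(ok.po_id, preventive_input_controls(ok))     # []
    print(bad.po_id, preventive_input_controls(bad))   # three control failures
    print(detective_receiving_reconciliation({"PO-1": 10, "PO-3": 4},
                                             {"PO-1": 12, "PO-4": 1}))
```

The preventive checks stop a bad order from entering processing at all; the reconciliation only reports what has already gone wrong, which is why the slide says organizations need both.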

Evaluating the System of Internal Controls: Three key considerations in reaching an evaluation of the overall effectiveness of the organization’s risk management and control activities are: (1) Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered? (2) If so, were corrections or improvements made after the discoveries? (3) Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk (or operating effectiveness)?

VIII. Evaluating the System of Internal Controls: A control maturity model is a tool that an organization uses to assess the sophistication of its system of internal controls.

DQs

What is residual risk? a. Impact of risk b. Risk that is under control c. Risk that is not managed d. Underlying risk in the environment

Appropriate internal control for a multinational corporation’s branch office that has a department responsible for the transfer of money requires that: a. The individual who initiates wire transfers does not reconcile the bank statement. b. The branch manager receives all wire transfers. c. Foreign currency rates be computed separately by two different employees. d. Corporate management approves the hiring of monetary transfer unit employees.

All of the following are entitywide control activities EXCEPT: a. assignment of authority and responsibility b. consistent policies and procedures c. transaction approval d. management’s risk assessment process

The requirement that purchases be made from suppliers on an approved vendor list is an example of a: a. preventive control b. detective control c. corrective control d. monitoring control

Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing risk management, control, and governance processes? a. to help determine the nature, timing, and extent of tests necessary to achieve engagement objectives b. to ensure that weaknesses in the internal control system are corrected c. to provide reasonable assurance that the processes will enable the organization’s objectives and goals to be met efficiently and economically d. to determine whether the processes ensure that the accounting records are correct and the financial statements are fairly presented

Discussion Question 1 (pg. 6-31): An audit report contains the following observations: A service department’s location is not well suited to allow adequate service to other units. Employees hired for sensitive positions are not subjected to background checks. Managers do not have access to reports that profile overall performance in relation to other benchmarked organizations. Management has not taken corrective action to resolve past engagement observations related to inventory controls. Which two of these observations are most likely to indicate the existence of control weaknesses over safeguarding of assets? Why?

Discussion Question 2 (page 6-31) To meet waste discharge standards, a factory implements a control system designed to prevent the release of wastewater that does not meet those standards. One of the controls requires chemical analysis of the water, prior to discharge, for components specified in the permit. Is this an appropriate control? Why or why not?

Discussion Question 3 An organization has a goal to prevent the ordering of inventory quantities in excess of its needs. One individual in the organization wants to design a control that requires a review of all purchase requisitions by a supervisor in the user department prior to submitting them to the purchasing department. Another individual wants to institute a policy requiring agreement of the receiving report and packing slip before storage of new inventory receipts. Which of these controls is (are) relevant in achieving the stated goal?

WB 3.14 COSO Components of Internal Control Exercise: For each control issue described below, select the component or components of the COSO framework that best characterize the issue. Control Issue #1: Within a contracting process, levels of authorization are not defined for contracts at specified dollar values. ___ Control Environment ___ Risk Assessment ___ Control Activities ___ Information & Communication ___ Monitoring Control Issue #2: Employees providing customer support for a new product are not sure how to handle certain transactions. ___ Control Environment ___ Risk Assessment ___ Control Activities ___ Information & Communication ___ Monitoring

WB 3.14 COSO Components of Internal Control Exercise: Control Issue #3: Management encourages employees who are staffing a customer “help” line to describe certain calls in a particular way even when the calls do not fit that description. ___ Control Environment ___ Risk Assessment ___ Control Activities ___ Information & Communication ___ Monitoring Control Issue #4: A particular system is essential to operations, but data from that system is not covered by the disaster-recovery plan for the organization. Control Issue #5: Reports on the volume of certain types of transactions are not reviewed by the appropriate level of management.

Exhibit CS2-4 Compliance and Ethics Program Maturity Attributes

Maturity Levels with Maturity Attributes World Class The compliance and ethics program is considered “world class,” based on benchmarking and continuous improvement; many aspects of the program are highly automated and self-updating, thus creating a competitive advantage; extensive use of real-time monitoring and executive dashboards.

Maturity Levels with Maturity Attributes Mature KPIs and monitoring techniques are employed to measure success; greater reliance on prevention versus detection of compliance violations and ethical misconduct; strong self-assessment of operating effectiveness; assignments of responsibilities and accountabilities exist and are well understood.

Maturity Levels with Maturity Attributes Defined Compliance and ethics requirements are well defined and documented, thus there is consistency even in times of change; overall compliance and ethics awareness exists; gaps are detected and remediated in a timely manner; performance monitoring is informal, placing great reliance on the diligence of people and independent audits.

Maturity Levels with Maturity Attributes Repeatable Compliance and ethics practices are established with some policy structure; formal requirements are still lacking; some clarity on roles, responsibilities, and authorities, but not on accountability; increased discipline and guidelines support repeatability; high reliance on existing personnel creates exposure to change.

Maturity Levels with Maturity Attributes Initial Compliance and ethics practices are fragmented and ad hoc; generally managed in silos and reactive; lack of formal policies and procedures; dependent on the “heroics” of individuals to ensure compliance and sound ethical conduct; greater potential for violations; higher costs due to inefficiencies; not sustainable.

The PCAOB (Public Company Accounting Oversight Board) was created to establish guidelines that independent outside auditors must adhere to in order to comply with SOX reporting requirements. In 2007, the PCAOB issued Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements.

From IIA’s Tone at the Top newsletter, November 2003
MYTH: Internal control starts with a strong set of policies and procedures. FACT: Internal control starts with a strong control environment.
MYTH: Internal control – that’s why we have internal auditors. FACT: Management is the owner of internal control.
MYTH: Internal control is a finance thing. We do what the controller’s office tells us to do. FACT: Internal control is integral to every aspect of the business.
MYTH: Internal controls are essentially negative, like a list of “thou shalt nots”. FACT: Internal control makes the right things happen the first time, and every time.
MYTH: Internal controls are a necessary evil. They take time away from our core activities – making products, making sales, and serving customers. FACT: Internal controls should be built into, not onto, business processes.
MYTH: With downsizing and empowerment, we have to give up a certain amount of control. FACT: With downsizing and empowerment, we need different forms of control.
MYTH: If controls are strong enough, we can be sure there will be no fraud, and financial statements will be accurate. FACT: Internal controls provide reasonable, but not absolute, assurance that the organization’s objectives will be achieved.

Exhibit 6-5

Exhibit 6-8

Exhibit 6-9

Exhibit 6-11

Exhibit 6-12 10 OPPORTUNITIES FOR THE INTERNAL AUDIT DEPARTMENT TO PROVIDE INSIGHT ON EFFECTIVE INTERNAL CONTROL
1. Help the organization develop a comprehensive framework for assessing the adequate design and effective operation of internal control.
2. Help management establish a logical structure for analyzing, documenting, and assessing the organization’s design and operation of internal control.
3. Help the organization develop a process for identifying, evaluating, and remediating internal control deficiencies.
4. Provide independent assurance on the adequate design and effective operation of internal control.
5. Act decisively when potentially significant or material internal control changes or deficiencies are identified.
6. Assist in postmortem analysis when internal control deficiencies occur.
7. Inform management of potential breakdowns in internal control that present increased risk to the organization.
8. Assist management in developing a culture of ethical behavior (“tone at the top”) and low tolerance of ineffective internal control.
9. Stay abreast of, and inform management about, emerging issues, regulations, and laws related to the effectiveness of internal control.
10. Provide internal control awareness training throughout the organization.
