Internal Control

The presentation by Yumaira Panganiban covers the classification and evaluation of internal controls, emphasizing the importance of the COSO 2017 Internal Control Framework. It outlines the objectives of internal controls related to operations, reporting, and compliance, while also discussing limitations and various types of controls, including preventive, detective, and corrective measures. Additionally, it highlights the significance of internal controls in computer information systems and provides a framework for assessing risks and implementing effective control activities.

Uploaded by

Joanna Sardido

Internal Control

Presentation by Yumaira Panganiban

GERMIC1 | 2025
Overview

A. Classification of Controls
B. COSO 2017 Internal Control Framework
C. Evaluating the Effectiveness of Internal Control
D. Internal Controls in Computer Information Systems
CONTROL
Control is defined as any action taken by management, the board, and
other parties to manage risk and increase the likelihood that
established objectives and goals will be achieved.
Internal Control
It is a process effected by an entity’s board of directors, management,
and other personnel, designed to provide reasonable assurance about
the achievement of an entity’s objectives relating to operations,
reporting, and compliance.
Fundamental Concepts
Internal Control is:
• Geared to the achievement of objectives in one or more categories –
operations, reporting, and compliance
• A process consisting of ongoing tasks and activities
• Effected by people – not merely about policy and procedure manuals,
systems, and forms, but about people and the actions they take
• Able to provide reasonable assurance
Objectives
Operations Objectives – related to the effectiveness and efficiency of
the entity’s operations including operational and financial performance
goals, and safeguarding assets against loss.

Reporting Objectives – related to internal and external financial and
non-financial reporting to stakeholders, which would encompass
reliability, timeliness, and transparency.

Compliance Objectives – related to adhering to laws and regulations
that the entity must follow.
Limitations
Limitations may result from the:
• Suitability of objectives established as a precondition to internal control
• Human judgment in decision making, which can be faulty and subject to bias
• Breakdowns that can occur because of human failures
• Ability of management to override internal control
• Ability of management, other personnel, and/or third parties to
circumvent controls through collusion
Erroneous Judgment
Management may make erroneous judgments in designing the nature
and extent of the controls it chooses to implement, and the employee
assigned to review an exception report may not understand the purpose of
the report or may fail to take appropriate action.
Cost/Benefit
A company will not design and implement a control if its cost exceeds
the expected benefit: the control may not be considered worth
the reduction in risk that it achieves.
Classification - Scope
• Entity-level controls
• Process level controls
• Transaction-level controls
Entity-level
Apply to the entire organization and are designed both to ensure that
organizational objectives are achieved and to mitigate risks that
threaten the organization as a whole. These include:
• Governance controls – these establish the control culture, clarify
organizational expectations, and include organization-wide policies.
• Management oversight controls – set at the business unit or line
management level to address achievement of business unit objectives and
mitigation of business unit risk.
Process level
These are established by a process owner to ensure that the objectives
of the process are achieved and that process-level risks are addressed.
• Supervision
• Monitoring
• Oversight
• Process-level risk assessment
• Performance evaluation
• Key account reconciliation
• Inventory counts
Transaction level
These are controls specific to individual transactions. They exist to
ensure that the objectives of the transactions are achieved, and
transaction-specific risks are addressed.

• Documentation requirements
• Segregation of duties
• Authorizations
• IT application controls (input, processing, output)
Classification - Importance
Key controls (primary controls) – are those that must operate
effectively to reduce a significant risk to an acceptable level. If omitted,
they would make it very difficult to achieve the desired outcome or
business objective.

Secondary controls – help a process run smoothly but are not essential.
These exist either to mitigate risks that are not considered significant
or as redundant controls for risks already addressed by a key control.
Classification - Function
Preventive controls – are proactive controls that deter undesirable
events from occurring. Examples are as follows:
• Storing petty cash in a locked safe and segregating duties
• Procedures which ensure that safety features are built into new
products, enough time is spent for testing and a project/product is
not signed off until all the weaknesses identified during testing
have been addressed.
• Checking invoices from suppliers against goods-received notes
before paying the invoices.
• Signing of goods-received notes, credit notes, overtime records
Classification - Function
Detective controls – are reactive and detect undesirable events that
have occurred.

Corrective controls – are reactive and designed to allow manual or
automated correction of errors or irregularities discovered by detective
controls.
Classification - Function
Directive controls – are proactive controls that cause or encourage a
desirable event to occur.

Compensating controls – compensate for the lack of an
expected control.
COSO’s Internal Control
The Framework is a system used as a roadmap and guide to establish
internal controls to be integrated into business processes.
Components of COSO IC
CRIMC

• Control Environment
• The entity’s Risk assessment process
• The Information system and communication
• Control activities relevant to the audit
• Monitoring of controls
Control Environment
The control environment is the set of standards, processes, and
structures that provide the basis for carrying out internal control across
the organization. The board of directors and senior management
establish the tone at the top regarding the importance of internal
control including expected standards of conduct.
Risk Assessment
Risk assessment involves a dynamic and iterative process for
identifying and assessing risks to the achievement of objectives. Risks
to the achievement of these objectives from across the entity are
considered relative to established risk tolerances. Thus, risk
assessment forms the basis for determining how risks will be managed.
Control Activities
Control activities are the actions established through policies and
procedures that help ensure that management’s directives to mitigate
risks to the achievement of objectives are carried out. Control activities
are performed at all levels of the entity, at various stages within
business processes, and over the technology environment.
Types of Control Activities
1. Authorizations and Approvals
An authorization affirms that a transaction is valid (i.e., it represents an
actual economic event). An authorization typically takes the form of an
approval by a higher level of management, or of a verification and
determination that the transaction is valid.
Types of Control Activities
2. Verifications
Verifications compare two or more items with each other or compare an
item with a policy and perform a follow-up action when the two items
do not match, or the item is not consistent with policy. Verifications
generally address the completeness, accuracy, or validity of processing
transactions.
Types of Control Activities
3. Physical Controls
Limiting physical access to assets and records. Only authorized
personnel should have access to certain assets. For instance,
equipment, inventories, securities, cash, and other assets are secured
physically and are periodically counted and compared with amounts
shown on control records.
Types of Control Activities
4. Controls over Standing Data

Standing data, such as the price master file, is often used to support the
processing of transactions within a business process. Control activities
over the processes to populate, update, and maintain the accuracy,
completeness, and validity of this data are put in place by the
organization.
Types of Control Activities
5. Reconciliations
Reconciliations compare two or more data elements and, if differences
are identified, action is taken to bring the data into agreement. For
example, a reconciliation is performed over daily cash flows with net
positions reported centrally for overnight transfer and investment.
Types of Control Activities
6. Supervisory Controls
Supervisory controls assess whether other transaction control activities
(i.e., verifications, reconciliations, authorizations and approvals, controls
over standing data, and physical control activities) are being performed
completely, accurately, and according to policy and procedures.
Types of Control Activities
7. Performance reviews
These control activities include:
• Reviews and analysis of actual performance vs budgets and forecasts
• Relating different sets of data to one another, together with analysis
of the relationships and investigation of corrective actions
• Comparing internal data with external sources of information; and
• Review of function or activity performance
Types of Control Activities
8. Segregation of duties
This is intended to reduce the opportunities to allow any person to be
in a position to both perpetrate and conceal errors or fraud in the
normal course of the person’s duties.

Functions that should be segregated:
• Authorizing a transaction
• Recording that transaction in the records, preparing documents, and
maintaining journals
• Keeping physical custody of the related assets that arise from the
transaction. For example, receiving checks in the mail.
• The periodic reconciliation of the physical assets to the recorded
amounts for those assets.
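In an IT system the four functions listed above are granted through roles, so the segregation-of-duties rule becomes a check on which duties one user's roles combine. The following is an added example, not code from the slides: it models the four duties as a set of mutually incompatible tags, reviews an existing user-to-role export for conflicts (a detective control), and refuses a new role grant that would create one (a preventive control). The role names, the role-to-duty mapping, and the user assignments are constructed for the example.

```python
# Added example (not from the slides): checking a role-to-duty model for
# segregation-of-duties conflicts. The four duties are the functions listed
# above; the role definitions and user assignments are constructed for this
# example and are not taken from any real system.
from itertools import combinations

# Duties the slide says must not sit with one person. Any pair held by the
# same user is a conflict.
INCOMPATIBLE_DUTIES = frozenset({"authorize", "record", "custody", "reconcile"})

# Constructed role definitions: role name -> duties the role grants.
ROLE_DUTIES = {
    "ap_clerk":        {"record"},
    "ap_clerk_backup": {"record"},       # same duty as ap_clerk, adds no new conflict
    "ap_manager":      {"authorize"},
    "cashier":         {"custody"},
    "gl_accountant":   {"reconcile"},
    "erp_superuser":   {"authorize", "record", "custody", "reconcile"},
}

# Constructed user -> roles assignment, as exported from an IAM system.
SAMPLE_ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager", "cashier"},   # can approve a payment and handle the cash
    "carol": {"erp_superuser"},            # holds every duty at once
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by a set of roles."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(roles, role_duties=ROLE_DUTIES):
    """Sorted list of incompatible duty pairs that one user's roles combine."""
    held = duties_for(roles, role_duties) & INCOMPATIBLE_DUTIES
    return sorted(tuple(sorted(pair)) for pair in combinations(held, 2))


def review_assignments(assignments, role_duties=ROLE_DUTIES):
    """Detective control: periodic review of all users, returning only
    those with at least one conflict and the conflicting pairs."""
    report = {}
    for user, roles in assignments.items():
        conflicts = sod_conflicts(roles, role_duties)
        if conflicts:
            report[user] = conflicts
    return report


def grant_role(assignments, user, role, role_duties=ROLE_DUTIES):
    """Preventive control: refuse a role grant that would create a conflict.
    Mutates `assignments` only when the grant is clean; returns the new role set."""
    if role not in role_duties:
        raise KeyError(f"unknown role {role!r}")
    proposed = set(assignments.get(user, ())) | {role}
    conflicts = sod_conflicts(proposed, role_duties)
    if conflicts:
        raise PermissionError(f"{user}: granting {role} would create SoD conflicts {conflicts}")
    assignments[user] = proposed
    return proposed


if __name__ == "__main__":
    for user, pairs in review_assignments(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {pairs}")
```

Running the review reports bob (authorize plus custody) and carol (all six pairs) and leaves alice out. The point a practitioner should take from the preventive path is that it evaluates the union of duties across all of a user's roles, not the new role in isolation: a role that is harmless on its own becomes a conflict when added to what the user already holds.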
Information and Communication
Information is necessary for the entity to carry out internal control
responsibilities to support the achievement of its objectives.
Management obtains or generates and uses relevant and quality
information from both internal and external sources to support the
functioning of other components of internal control.
Monitoring
Monitoring activities deal with ongoing or periodic assessment of the
quality of internal control by management to determine that controls
are operating as intended and that they are modified as appropriate for
changes in conditions.

For many companies, especially larger ones, an internal audit
department is essential for effective monitoring of the operating
performance of internal controls.
Evaluating the Effectiveness
When we test the operating effectiveness of a control, we obtain
evidence about whether it is operating as designed. The evaluation
follows a structured, logical, and organized series of steps and
procedures.
Internal Controls in CIS Environment
Characteristics of Computer Information Systems:
• Result in transaction trails that exist for a short period of time or only
in computer-readable form
• Include program errors that cause uniform mishandling of
transactions—clerical errors become much less frequent
• Include computer controls that need to be tested in addition to the
segregation of functions
• Involve increased difficulty in detecting unauthorized access
• Allow increased management supervisory potential resulting from
more timely reports
• Include less documentation of initiation and execution of transactions
• Include computer controls that affect the effectiveness of related
manual control activities that use computer output
General Controls
Are those that control the design, security, and use of computer
programs and the security of data files in general throughout the
organization. General controls apply to all computerized applications
and consist of a combination of system software and manual procedures
that create an overall control environment.
• Control activities over the technology infrastructure
• Security management, and
• Technology acquisition, development, and maintenance.
General Controls
Implementation Controls - audit the systems development process at
various points to ensure that the process is properly controlled and
managed.

Software Controls - monitor the use of system software and prevent
unauthorized access to software programs, system software, and
computer programs.
General Controls
Hardware Controls - ensure that computer hardware is physically
secure and check for equipment malfunction.

Computer Operations Controls - apply to the work of the computer
department and help ensure that programmed procedures are
consistently and correctly applied to the storage and processing of data.
General Controls
Data Security Controls - ensure that valuable business data files are not
subject to unauthorized access, change, or destruction.

Administrative Controls - formalized standards, rules, procedures, and
control disciplines to ensure that the organization's general and
application controls are properly executed and enforced.
Application Controls
Are specific controls unique to each computerized application, such as
payroll, accounts receivable, and order processing. They consist of both
controls applied from the user functional area of a particular system and
from programmed procedures.

Application controls fall into three categories:
• Input
• Processing
• Output
Input Controls
Input controls are designed to ensure that the information entered into
the computer is authorized, accurate, and complete. They are critical
because a large portion of errors in IT systems result from data entry
errors and, of course, regardless of the quality of information
processing, input errors result in output errors.
Input Controls
Common examples are:
• Reasonableness check – to be accepted, the data must fall within
certain limits set in advance or they will be rejected
• Format check – characteristics of the contents (letter/digit), length,
and sign of individual data fields are checked by the system
• Existence check – the computer compares input reference data to
tables or master files to make sure that valid codes are being used
• Financial total – summary total of field amounts for all records in a
batch that represents a meaningful total such as dollars or amounts
• Hash total – summary total of codes from all records in a batch that
does not represent a meaningful total
• Record count – summary total of physical records in a batch
Processing Controls
Establish that data are complete and accurate during updating. The
major processing controls are run control totals, computer matching,
and programmed edit checks.
• Computer Matching – processing control that matches input data with
information held on master files
• Run Control Totals – procedures for controlling completeness of
computer updating by generating control totals that reconcile totals
before and after processing
Output Controls
These are controls that focus on detecting errors after processing is
completed, rather than on preventing errors.
• Reconcile computer-produced output to manual control totals
• Compare the number of units processed to the number of units
submitted for processing
• Compare a sample of transaction output to input source documents
• Verify dates and times of processing to identify any out-of-sequence
processing
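The input, processing and output controls described in the three preceding sections fit together as one pipeline over a batch, and the following added example (not code from the slides) shows that pipeline end to end on a constructed batch of supplier invoices. On receipt, the record count, financial total and hash total are recomputed and compared with the submitter's batch header; each record then passes the reasonableness, format and existence checks; accepted records are posted against a supplier master file with run control totals taken before and after; and finally the count of posted plus rejected records is reconciled to the count submitted. The record layout, supplier master file, amount limit and invoice-number pattern are assumptions made for this example.

```python
# Added example (not from the slides): the input, processing and output
# controls above applied to a constructed batch of supplier invoices. The
# record layout, supplier master file, amount limit and invoice-number
# format are assumptions made for this example.
import re
from decimal import Decimal

# Constructed supplier master file: the reference data for the existence check.
SUPPLIER_MASTER = {"1001": "Acme Ltd", "1002": "Beta Corp", "1003": "Gamma GmbH"}
AMOUNT_LIMIT = Decimal("50000.00")         # reasonableness ceiling (assumed)
INVOICE_RE = re.compile(r"^INV-\d{6}$")    # format check: INV- and six digits
SUPPLIER_RE = re.compile(r"^\d{4}$")       # format check: four-digit supplier code

# Constructed batch of five records plus the control totals the submitter
# computed over it. Three records are deliberately defective.
SAMPLE_BATCH = [
    {"supplier": "1001", "invoice": "INV-000101", "amount": "1250.00"},
    {"supplier": "1002", "invoice": "INV-000102", "amount": "99000.00"},  # above limit
    {"supplier": "1009", "invoice": "INV-000103", "amount": "400.00"},    # unknown supplier
    {"supplier": "1003", "invoice": "INV000104",  "amount": "75.50"},     # bad invoice format
    {"supplier": "1003", "invoice": "INV-000105", "amount": "300.25"},
]
SAMPLE_HEADER = {"record_count": 5, "financial_total": Decimal("101025.75"), "hash_total": 5018}


def _amount(value):
    """Parse an amount field; anything unparseable counts as zero so that a
    corrupted field still shows up as a control-total mismatch."""
    try:
        return Decimal(value)
    except (TypeError, ArithmeticError):   # Decimal raises InvalidOperation, an ArithmeticError
        return Decimal("0")


def batch_totals(records):
    """Record count, financial total (meaningful: sum of amounts) and hash
    total (not meaningful: sum of supplier codes), recomputed on receipt."""
    return {
        "record_count": len(records),
        "financial_total": sum((_amount(r.get("amount")) for r in records), Decimal("0")),
        "hash_total": sum(int(r["supplier"]) for r in records if str(r.get("supplier", "")).isdigit()),
    }


def edit_checks(rec):
    """Programmed edit checks on one record: returns the failed checks
    (an empty list means the record is accepted)."""
    errors = []
    supplier = str(rec.get("supplier", ""))
    if not SUPPLIER_RE.match(supplier):
        errors.append("format:supplier")
    elif supplier not in SUPPLIER_MASTER:            # existence check against master file
        errors.append("existence:supplier")
    if not INVOICE_RE.match(str(rec.get("invoice", ""))):
        errors.append("format:invoice")
    try:
        amount = Decimal(rec["amount"])
    except (KeyError, TypeError, ArithmeticError):
        errors.append("format:amount")
    else:
        if not (Decimal("0") < amount <= AMOUNT_LIMIT):  # reasonableness check
            errors.append("reasonableness:amount")
    return errors


def make_ledger():
    """Fresh supplier ledger (master file balances), all zero."""
    return {code: Decimal("0") for code in SUPPLIER_MASTER}


def process_batch(header, records, ledger):
    """Run one batch through input, processing and output controls.
    Raises ValueError when a batch-level control fails; returns a summary."""
    # Input control (completeness): totals recomputed on receipt must equal the
    # header, so a dropped, duplicated or altered record rejects the whole batch.
    recomputed = batch_totals(records)
    if recomputed != header:
        raise ValueError(f"batch rejected: header {header} != recomputed {recomputed}")
    # Input control (validity and accuracy): per-record edit checks.
    accepted, rejected = [], []
    for rec in records:
        errors = edit_checks(rec)
        if errors:
            rejected.append((rec.get("invoice"), errors))
        else:
            accepted.append(rec)
    # Processing control: post accepted records (computer matching against the
    # master file) and prove completeness with run control totals.
    before = sum(ledger.values(), Decimal("0"))
    posted_total = Decimal("0")
    for rec in accepted:
        amount = Decimal(rec["amount"])
        ledger[rec["supplier"]] = ledger.get(rec["supplier"], Decimal("0")) + amount
        posted_total += amount
    after = sum(ledger.values(), Decimal("0"))
    if after - before != posted_total:
        raise ValueError("run control totals do not reconcile")
    # Output control: units out (posted + rejected) must equal units submitted.
    if len(accepted) + len(rejected) != header["record_count"]:
        raise ValueError("output record count does not match submitted count")
    return {"posted": len(accepted), "posted_total": posted_total, "rejected": rejected,
            "ledger_before": before, "ledger_after": after}
```

On the sample batch, two records post (1250.00 and 300.25, giving a posted total of 1550.25) and three are rejected with their failed checks listed, while submitting the same header with one record removed fails the batch-level comparison before any record is examined. The hash total is the check that catches a substituted supplier code whose amount is unchanged; the financial total alone would not.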
THANK YOU
FINALS (By Group)
Group 1 – Food / Restaurants
Group 2 – Beauty, Fashion and Wellness
Group 3 – E-commerce (Online Shops)
Group 4 – Healthcare (Pharmacy / Hospital)
Group 5 – Supermarket / Convenience Stores
Group 6 – Construction / Hardware shops

Due on: May 30, 2025 (Friday)

Choose a company/business in line with your assigned industry and design an
enterprise risk management framework:
1. Make a SWOT analysis of your chosen company
2. Identify the risks within the company and their industry and classify them
according to their risk drivers
3. Out of the risks identified, choose the top 5 risks that need to be prioritized
by the company, with justification using risk assessment
4. For the top 5 risks to be prioritized, identify the best risk response
strategy with justification and an action plan