
Components of Internal Control

1) Internal control is a process designed to provide reasonable assurance that an entity achieves its objectives. It involves people at all levels and components including control environment, risk assessment, control activities, information and communication, and monitoring activities.
2) The control environment is the foundation for internal control as it provides the discipline and structure. It includes factors such as integrity and ethical values, management's commitment to competence, the board's oversight activities, and organizational structure.
3) Key elements of the control environment are communication of ethical values, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource standards. The control environment influences the control consciousness of employees.

Uploaded by

Gamers Hub

Internal

Business processes, which are conducted within or across organization units or functions, are
managed

them. Objectives may be set for an entity as a whole, or be targeted to specific activities
within the entity. Though many objectives are specific to a particular entity, some are widely
shared. For example, objectives common to virtually all entities are achieving and
maintaining a positive reputation within the business and consumer communities, providing
reliable financial statement to stakeholders,

Control Involves People

Internal control is effected by a board of directors, management and other personnel in an
entity. It is accomplished by the people of an organization, by what they do and say. People establish
the entity’s objectives and put control mechanisms in place. Similarly, internal control affects people’s
actions. Internal control recognizes that people do not always understand, communicate or perform
consistently. Each individual brings to the workplace a unique background and technical ability, and has
different needs and priorities.

to reliability of financial reporting, effectiveness and efficiency of operations, and compliance
with laws and regulations. Clearly, internal control is designed and implemented to address identified
business risks that threaten the achievement of any of these objectives.

Committee of Sponsoring Organizations of the Treadway Commission

Internal control is defined by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) as follows:

“Internal control is a process, effected by an entity’s board of directors, management
and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories: Effectiveness and efficiency of
operations, reliability of financial reporting, and compliance with applicable laws and
regulations.”

Internal Control is a Process

of an entity to assist in achieving management’s objective of
ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to
management policies, the safeguarding of assets, the prevention and detection of fraud and error, the
accuracy and completeness of the accounting records, and the timely preparation of reliable financial
information. The internal control system extends beyond these matters which relate directly to the
functions of the accounting system.
The internal control system and its components are discussed in the sections that follow.

Components of Internal Control


Internal control consists of five interrelated components. These are derived from the way
management runs a business, and are integrated with the management process. Although the

The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control,
providing discipline and structure. The control environment includes the governance and
management functions and the attitudes, awareness, and actions of those charged with governance
and management concerning the entity’s internal control and its importance in the entity. The control
environment sets the tone of an organization, influencing the control consciousness of its people. It
is the foundation for effective internal control, providing discipline and structure.

The primary responsibility for the prevention and detection of fraud and error rests with
both those charged with governance and the management of an entity. Similarly, the responsibility
for establishing a strong control environment rests with both those charged with governance and
the management of the entity.

Effectively controlled entities strive to have competent people, instill an enterprise-wide
attitude of integrity and control consciousness, and set a positive “tone at the top.” They establish
appropriate policies and procedures, often including a written code of conduct, which foster shared
values and teamwork in pursuit of the entity’s objectives.

Elements of the Control Environment

The control environment encompasses factors discussed below. Although all are important,
the extent to which each is addressed will vary with the entity.

1. Communication and enforcement of integrity and ethical values


Integrity is a prerequisite for ethical behavior in all aspects of an enterprise’s activities.
Establishing ethical values often is difficult because of the need to consider the concerns of
several parties. Managers of well-run enterprises have increasingly accepted the view that
“ethics pays” – that ethical behavior is good business. Integrity and ethical values are
expressed through:

a. Existence and implementation of codes of conduct and other policies regarding
acceptable business practice, conflicts of interest, or expected standards of ethical
and moral behavior.
b. Dealings with employees, suppliers, customers, investors, creditors, insurers,
competitors, and auditors (e.g., whether management conducts business on a high
ethical plane, and insists that others do so, or pays little attention to ethical issues).
c. Pressure to meet unrealistic performance targets – particularly for short-term
results – and extent to which compensation is based on achieving those
performance targets.

2. Commitment to Competence

Competence should reflect the knowledge and skills needed to accomplish tasks that define
the individual’s job. How well these tasks need to be accomplished generally is a management
decision which should be made considering the entity’s objectives and management’s strategies and
plans for achievement of the objectives. There often is a trade-off between competence and cost – it
is not necessary, for instance, to hire an

components apply to all entities, small and mid-size
companies may implement them differently than large ones. The controls of small and mid-size
companies may be less formal and less structured, yet they can still have effective internal control.
PSA 315 enumerates the following components of internal control:
A. Control Environment
BASIC CONCEPTS INTERNAL CONTROL

Internal control is the process designed and effected by those charged with governance,
management, and other personnel to provide reasonable assurance about the achievement of the
entity’s objectives with regard

B. The Control Environment


expertise coupled with the necessary stature and mind set so that it can adequately
perform the necessary governance, guidance and oversight responsibilities – is critical to
effective internal control. Controls involving the Board of Directors or Audit Committee
include:

may control operations largely by face-to-face contact with key managers. Controls
involving management’s philosophy and operating style include:

a. Nature of business risks accepted, e.g., whether management often enters into
particularly high-risk ventures, or is extremely conservative in accepting risks.
b. Frequency of interaction between senior management and operating
management, particularly when operating from geographically removed
locations.
c. Attitudes and actions toward financial reporting, including disputes over
application of accounting treatments (e.g., selection of conservative versus
liberal accounting policies, whether accounting principles have been misapplied,
important financial information not disclosed, or records manipulated or
falsified).

2. Organizational Structure
An entity’s organizational structure provides the framework within which its activities
for achieving entity-wide objectives are planned, executed, controlled and monitored.
Activities may relate to what is sometimes referred to as the value chain: inbound
(receiving) activities, operation or production, outbound (shipping), marketing, sales
and service. There may be support functions, relating to administration, human
resources or technology development. Controls involving organizational structure are
expressed through:
a. Appropriateness of the entity’s organization structure, and its ability to provide
the necessary information flow to manage its activities.

b. Adequacy of definition of key managers’ responsibilities, and their
understanding of these responsibilities.

c. Adequacy of knowledge and experience of key managers in light of
responsibilities.

3. Assignment of Authority and Responsibility


This element pertains to how an organization assigns
authority and responsibility for operating activities, and how
reporting relationships and authorization hierarchies are
established. It also includes policies relating to appropriate
business practices, knowledge and experience of key
personnel, and resources provided for carrying out duties. In

a. Independence from management, such that necessary, even if difficult and
probing, questions are raised.

b. Frequency and timeliness with which meetings are held with chief financial and/or
accounting officers, internal auditors and external auditors.
c. Sufficiency and timeliness with which information is provided to board or
committee members, to allow monitoring of management’s objectives and
strategies, the entity’s financial position and operating results, and terms of
significant agreements.
d. Sufficiency and timeliness with which the board or audit committee is apprised of
sensitive information, investigations and improper acts of officers.

4. Management’s Philosophy and Operating Style


This factor affects the way the enterprise is managed, including the kinds of business
risks accepted. An entity that has been successful taking significant risks may have a
different outlook on internal control than one that has faced harsh economic or
regulatory consequences as a result of venturing into dangerous territory. An informally
managed company

ethical behavior, demonstrate an entity’s commitment to competent
and trustworthy people. Training policies that communicate prospective roles and
responsibilities and include practices such as training schools and seminars, simulated
case studies and role-play exercises, illustrate expected levels of performance and
behavior. Controls involving human resources policies and practices include:
a. The extent to which policies and procedures for hiring, training, promoting and
compensating employees are in place.
b. Appropriateness of remedial action taken in response to departures from
approved policies and procedures.
c. Adequacy of employee candidate background checks, particularly with regard to
prior actions or activities considered to be unacceptable by the entity.
d. Adequacy of employee retention and promotion criteria and information-
gathering techniques (e.g., performance evaluations) and relation to the code of
conduct or other behavioral guidelines.

C. The Entity’s Risk Assessment Process

Every entity faces a variety of risks from external and internal sources that must be
assessed. A precondition to risk assessment is establishment of objectives, linked at different
levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to
achievement of the objectives, forming a basis for determining how the risks should be managed.
Because economic, industry, regulatory and operating conditions will continue to change,
mechanisms are needed to identify and deal with the special risks associated with change.

All entities, regardless of size, structure, nature or industry, encounter risks at all levels
within their organizations. Risks affect each entity’s ability to survive; successfully compete within
its industry; maintain its financial strength and positive public image; and maintain the overall
quality of its products, services and people. There is no practical way to reduce risk to zero. Indeed,
the decision to be in business creates risk. Management must determine how much risk is to be
prudently accepted, and strive to maintain risks within these levels.
The goal of internal control in this area focuses primarily on: developing consistency of
objectives and goals throughout the organization, identifying key success factors and timely
reporting to management of performance and expectations. Although success cannot be ensured,
management should have reasonable assurance of being alerted when objectives are in danger of
not being achieved.
An entity’s risk assessment process is its process for identifying and responding to
business risks and the results thereof. (Note that the risk assessment process refers to the client’s
process for assessing risk. This is different from the risk assessment being performed by an auditor
for inherent and control risk.) The process of identifying and analyzing risk is an ongoing iterative
process and is a critical component of an effective internal control system. Management must focus
carefully on risks at all levels of the entity and take the necessary actions to manage them.

Risk Identification

An entity’s performance can be at risk due to internal or external factors. These factors, in
turn, can affect either stated or implied objectives. Risk rises as objectives increasingly differ from
past performance. It is important that risk identification be comprehensive. It should consider all
significant interactions – of goods, services and information – between an entity and relevant
external parties. These external parties include potential and current suppliers, investors, creditors,
shareholders, employees, customers, as well as public bodies and news media. Risk identification is
an iterative process and often is integrated with the planning process. It also is useful to consider
risk from a “clean sheet of paper” approach, and not merely relate the risk to the previous review.

Figure 4-6: Risks at the entity-wide level can arise from external or internal factors.

External factors

1. Technological developments can affect the nature and timing of research and development, or lead to changes in procurement.
2. Changing customer needs or expectations can affect product development, production process, customer service, pricing or warranties.
3. New legislation and regulation can force changes in operating policies and strategies.
4. Natural catastrophes can lead to changes in operations or information systems and highlight the need for contingency planning.
5. Economic changes can have an impact on decisions related to financing, capital expenditures and expansion.

Internal factors

1. A disruption in information systems processing can adversely affect the entity’s operations.
2. The quality of personnel hired and methods of training and motivation can influence the level of control consciousness within the entity.
3. A change in management responsibilities can affect the way certain controls are effected.
4. The nature of the entity’s activities, and employee accessibility to assets, can contribute to misappropriation of resources.
5. An unassertive or ineffective board or audit committee can provide opportunities for indiscretion.

Risk Analysis

After the entity has identified entity-wide and activity risks, a risk analysis needs to be
performed. The methodology for analyzing risks can vary, largely because many risks are difficult to
quantify. Nonetheless, the process – which may be more or less formal – usually includes:
• Estimating the significance of a risk;
• Assessing the likelihood (or frequency) of the risk occurring;
• Considering how the risk should be managed – that is, an assessment of what
actions need to be taken.

A risk that does not have a significant effect on the entity and that has a low likelihood of
occurrence generally does not warrant serious concern. There are numerous methods for estimating
the cost of a loss from an identified risk. Management should be aware of them and apply them as
appropriate. However, many risks are indeterminate in size. At best they can be described as
“large,” “moderate,” or “small.”
Once the significance and likelihood of risk have been assessed, management needs to
consider how the risk should be managed. This involves judgment based on assumptions about the
risk, and reasonable analysis of costs associated with reducing the level of risk. Before installing
additional procedures, management, however, should consider carefully whether existing ones may
be suitable for addressing identified risks. Because procedures may satisfy multiple objectives,
management may discover that additional actions are not warranted; existing procedures may be
sufficient or may need to be performed better.

Risk analysis is not a theoretical exercise. It is often critical to the entity’s success. It is most
effective when it includes identification of all key business processes where potential exposures of
some consequence exist. It might involve process analysis, such as identification of key
dependencies and significant control nodes, and establishing clear responsibility and accountability.
Effective process analysis directs special attention to cross-organizational dependencies, identifying,
for example: where data originate, where they are stored, how they are converted to useful
information and who uses the information. Large organizations usually need to be particularly
vigilant in addressing intra-company and inter-company transactions and key dependencies.
Unfortunately, the importance of risk analysis is sometimes recognized too late, as in the case of a
major financial services firm where a senior executive offered what amounted to a wistful epitaph:
“We just did not think we faced so much risk.”

D. Information System and Communication

An information system consists of infrastructure (physical and hardware components),
software, people, procedures, and data. Infrastructure and software will be absent, or have less
significance, in systems that are exclusively or primarily manual. Many information systems make
extensive use of information technology (IT).

The information system relevant to financial reporting objectives, which includes the financial
reporting system, consists of the procedures and records established to initiate, record, process, and
report entity transactions (as well as events and conditions) and to maintain accountability for the
related assets, liabilities, and equity. Transactions may be initiated manually or automatically by
programmed procedures. Recording includes identifying and capturing the relevant information for
transactions or events. Processing includes functions such as edit and validation, calculation,
measurement, valuation, summarization, and reconciliation, whether performed by automated or
manual procedures. Reporting relates to the preparation of financial reports as well as other
information, in electronic or printed format, that the entity uses in measuring and reviewing the
entity’s financial performance and in other functions. The quality of system-generated information
affects management’s ability to make appropriate decisions in managing and controlling the entity’s
activities and to prepare reliable financial reports.
Accordingly, an information system encompasses methods and records that:
• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording their
proper monetary value in the financial statements.
• Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
• Present properly the transactions and related disclosures in the financial
statements.

Every enterprise must capture pertinent information – financial and non-financial, relating to
external as well as internal events and activities. The information must be identified by management
as relevant to managing the business. It must be delivered to people who need it in a form and
timeframe that enables them to carry out their control and other responsibilities.

Information

Information is needed at all levels of an organization to run the business, and move toward
achievement of the entity’s objectives in all categories – operations, financial reporting and
compliance. An array of information is used. Financial information, for instance, is used not only in
developing financial statements for external dissemination. It is also used for operating decisions,
such as monitoring performance and allocating resources. Management reporting of monetary and
related measurements enables monitoring, for example, of brand profitability, receivables
performance by customer type, market share, customer complaint trends and accident statistics.
Reliable internal financial measurements also are essential to planning, budgeting, pricing,
evaluating vendor performance, and evaluating joint ventures and other alliances.

Similarly, operating information is essential for developing financial statements. This
includes the routine – purchases, sales and other transactions – as well as information on
competitors’ product releases or economic conditions, which can affect inventory and receivables
valuations. Operating information such as airborne particle emissions or personnel data may be
needed to achieve both compliance and financial reporting objectives. As such, information
developed from internal and external sources, both financial and non-financial, is relevant to all
objectives categories.
Information systems sometimes operate in a monitoring mode, routinely capturing specific
data. In other cases, special actions are taken to obtain needed information. Consider, for
example, systems capturing information on customers’ satisfaction with the entity’s products.
Information systems might regularly identify and report sales by product and location, customer
gains and losses, returns and requests for allowances, application of product warranty provisions
and direct feedback in the form of complaints or other comments. On the other hand, special efforts
may be made from time to time to obtain information on evolving market requirements regarding
technical product specifications, or customer delivery or service needs. This information may be
obtained through questionnaires, interviews, broad-based market demand studies or targeted focus
groups.
Information systems can be formal or informal. Conversations with customers, suppliers,
regulators and employees often provide some of the most critical information needed to identify risks
and opportunities. Similarly, attendance at professional or industry seminars and memberships in
trade and other associations can provide valuable information.

Information Quality

The quality of system-generated information affects management’s ability to make
appropriate decisions in managing and controlling the entity’s activities. Modern systems often
provide on-line query ability, so that the freshest information is available on request.
It is critical that reports contain enough appropriate data to support effective control. The
quality of information includes ascertaining whether:

• Content is appropriate – Is the needed information there?
• Information is timely – Is it there when required?
• Information is current – Is it the latest available?
• Information is accurate – Are the data correct?
• Information is accessible – Can it be obtained easily by appropriate parties?
All of these questions must be addressed by the system design. If not, it is probable that
the system will not provide the information that management and other personnel require.
Because having the right information, on time, at the right place is essential to effecting control,
information systems, while themselves a component of an internal control system, also must be
controlled.

Communication

Communication involves providing an understanding of individual roles and responsibilities
pertaining to internal control over financial reporting. It includes the extent to which personnel
understand how their activities in the financial reporting information system relate to the work of
others and the means of reporting exceptions to an appropriate higher level within the entity. Open
communication channels help ensure that exceptions are reported and acted on.
Communication takes such forms as policy manuals, accounting and financial reporting
manuals, and memoranda. Communication also can be made electronically, orally, and through the
actions of management.

Means of Communication

Communication takes such forms as policy manuals, memoranda, bulletin board notices and
videotaped messages. Where messages are transmitted orally – in large groups, smaller meetings or
one-on-one sessions – tone of voice and body language serve to emphasize what is being said.
Another powerful communications medium is the action taken by management in dealing
with subordinates. Managers should remind themselves, “Actions speak louder than words.” Their
actions are, in turn, influenced by the history and culture of the entity, drawing on past observations
of how their superiors dealt with similar situations.

An entity with a long and rich history of operating with integrity, and whose culture is well
understood by people throughout the organization, will likely find little difficulty in communicating its
message. An entity without such a tradition will likely need to put more effort into the way messages
are communicated.

E. Control Activities

Control activities are the policies and procedures that help ensure management directives
are carried out. They help ensure that necessary actions are taken to address risks to achievement
of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all
functions. They include a range of activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets and segregation of duties.
Control activities are policies and procedures, which are the actions of people to implement
the policies, to help ensure that management directives identified as necessary to address risks are
carried out. Control activities can be divided into three categories, based on the nature of the entity’s
objectives to which they relate: operations, financial reporting, or compliance. Although some
controls relate solely to one area, there is often overlap. Operations controls, for example, can help
ensure reliable financial reporting, financial reporting controls can serve to effect compliance, and so
on.

Types of Control Activities

Many different descriptions of types of control activities have been put forth, including
preventive controls, detective controls, manual controls, computer controls and management
controls. Control activities can be typed by specified control objectives, such as ensuring
completeness and accuracy of data processing.
Following are certain control activities commonly performed by personnel at various levels in
organizations:
1. Performance reviews.
These control activities include reviews and analyses of actual performance versus
budgets, forecasts, and prior period performance; relating different sets of data – operating
or financial – to one another, together with analyses of the relationships and investigative
and corrective actions; comparing internal data with external sources of
information; and review of functional or activity performance, such as a bank’s consumer
loan manager’s review of reports by branch, region, and loan type for loan approvals and
collections.

2. Information processing.
A variety of controls are performed to check accuracy, completeness, and authorization of
transactions. The two broad groupings of information systems control activities are
application controls and general IT-controls. Application controls apply to the processing of
individual applications. These controls help ensure that transactions occurred, are
authorized, and are completely and accurately recorded and processed. Examples of
application controls include checking the arithmetical accuracy of records, maintaining and
reviewing accounts and trial balances, automated controls such as edit checks of input data
and numerical sequence checks, and manual follow-up of exception reports. General IT-
controls are policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper
operation of information systems. General IT-controls commonly include controls over data
center and network operations; system software acquisition, change and maintenance;
access security; and application system acquisition, development, and maintenance. These
controls apply to mainframe, miniframe, and end-user environments. Examples of such
general IT-controls are program change controls, controls that restrict access to programs
or data, controls over the implementation of new releases of packaged software
applications, and controls over system software that restrict access to or monitor the use of
system utilities that could change financial data or records without leaving an audit trail.

3. Physical controls.
These activities encompass the physical security of assets, including adequate safeguards
such as secured facilities over access to assets and records; authorization for access to
computer programs and data files; and periodic counting and comparison with amounts
shown on control records (for example comparing the results of cash, security and inventory
counts with accounting records). The extent to which physical controls intended to prevent
theft of assets are relevant to the reliability of financial statement preparation, and
therefore the audit, depends on circumstances such as when assets are highly susceptible to
misappropriation. For example, these controls would ordinarily not be relevant when any
inventory losses would be detected pursuant to periodic physical inspection and recorded in
the financial statements. However, if for financial reporting purposes management relies
solely on perpetual inventory records, the physical security controls would be relevant to the
audit.

4. Segregation of duties.
Assigning different people the responsibilities of authorizing transactions, recording
transactions, and maintaining custody of assets is intended to reduce the opportunities to
allow any person to be in a position to both perpetrate and conceal errors or fraud in the
normal course of the person’s duties. Examples of segregation of duties include reporting,
reviewing and approving reconciliations, and approval and control of documents.
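An added example, not part of the original document: a Python sketch of testing the segregation-of-duties rule above in two ways, preventively against access assignments and detectively against a transaction log. The user names, transaction ids and data layout are constructed assumptions.

```python
from collections import defaultdict

# The three duties the passage says should be assigned to different people.
DUTIES = {"authorize", "record", "custody"}

# Constructed sample data: who is entitled to perform which duty.
ENTITLEMENTS = {
    "alice": {"authorize"}, "bob": {"record"}, "carol": {"custody"},
    "dave": {"authorize", "record"},  # incompatible duties granted to one person
}

# Constructed sample log: (transaction id, duty performed, user).
EVENTS = [
    ("PO-1001", "authorize", "alice"), ("PO-1001", "record", "bob"),
    ("PO-1001", "custody", "carol"),
    ("PO-1002", "authorize", "dave"), ("PO-1002", "record", "dave"),
    ("PO-1002", "custody", "carol"),
    ("PO-1003", "authorize", "alice"), ("PO-1003", "record", "bob"),
    ("PO-1003", "custody", "alice"),  # performed without a matching entitlement
]

def entitlement_conflicts(entitlements):
    """Preventive check: users whose access spans more than one duty."""
    return {user: sorted(granted & DUTIES)
            for user, granted in entitlements.items()
            if len(granted & DUTIES) > 1}

def transaction_conflicts(events):
    """Detective check: transactions where one person performed several duties."""
    duties_by_txn = defaultdict(lambda: defaultdict(set))
    for txn, duty, user in events:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r} on {txn}")
        duties_by_txn[txn][user].add(duty)
    return [(txn, user, tuple(sorted(duties)))
            for txn in sorted(duties_by_txn)
            for user, duties in sorted(duties_by_txn[txn].items())
            if len(duties) > 1]

def unentitled_actions(events, entitlements):
    """Events where a user performed a duty that was never assigned to them."""
    return [(txn, user, duty) for txn, duty, user in events
            if duty not in entitlements.get(user, set())]

if __name__ == "__main__":
    print("Entitlement conflicts:", entitlement_conflicts(ENTITLEMENTS))
    print("Transaction conflicts:", transaction_conflicts(EVENTS))
    print("Unentitled actions:", unentitled_actions(EVENTS, ENTITLEMENTS))
```

PO-1003 is the case an access review alone would miss: alice's entitlements are clean, yet the log shows her both authorizing the transaction and taking custody.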

Certain control activities may depend on the existence of appropriate higher level policies
established by management or those charged with governance. For example, authorization controls
may be delegated under established guidelines, such as investment criteria set by those charged
with governance; alternatively, non-routine transactions such as major acquisitions or divestments
may require specific high level approval, including in some cases that of shareholders.

Policies and Procedures

Control activities usually involve two elements: a policy establishing what should be done
and, serving as a basis for the second element, procedures to effect the policy. A policy, for example,
might call for review of customer trading activities by a securities dealer retail branch manager. The
procedure is the review itself, performed in a timely manner and with attention
given to factors set forth in the policy, such as the nature and volume of securities traded, and their
relation to customer net worth and age.

Many times, policies are communicated orally. Unwritten policies can be effective where
the policy is a long-standing and well-understood practice, and in smaller organizations where
communications channels involve only limited management layers and close interaction and
supervision of personnel. But regardless of whether a policy is written, it must be implemented
thoughtfully, conscientiously and consistently. A procedure will not be useful if performed
mechanically without a sharp continuing focus on conditions to which the policy is directed.

Evaluation of Control Activities

Control activities must be evaluated in the context of management directives to address risks
associated with established objectives for each significant activity. An evaluator therefore will
consider whether control activities relate to the risk-assessment process and whether they are
appropriate to ensure that management’s directives are carried out. This will be done for each
significant business activity, including general controls over computerized information systems. An
evaluator (e.g., internal auditor or external auditor) will consider not only whether established
control activities are relevant to the risk-assessment process, but also whether they are being
applied properly.

F. Monitoring Controls

Monitoring of controls is a process to assess the quality of internal control performance
over time. It involves assessing the design and operation of controls on a timely basis and taking
necessary corrective actions. Monitoring is done to ensure that controls continue to operate
effectively. For example, if the timeliness and accuracy of bank reconciliations are not monitored,
personnel are likely to stop preparing them. Monitoring of controls is accomplished through ongoing
monitoring activities, separate evaluations, or a combination of the two.

Internal control systems need to be monitored – a process that assesses the quality of the
system’s performance over time. This is accomplished through ongoing monitoring activities,
separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of
operations. It includes regular management and supervisory activities, and other actions personnel
take in performing their duties. The scope and frequency of separate evaluations will depend
primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal control deficiencies should be reported upstream, with serious matters reported to top
management and the board.

Internal control systems change over time. The way controls are applied may evolve.
Once-effective procedures can become less effective, or perhaps are no longer performed. This can be due
to the arrival of new personnel, the varying effectiveness of training and supervision, time and
resource constraints or additional pressures. Furthermore, circumstances for which the internal
control system originally was designed also may change, causing it to be less able to warn of the
risks brought by new conditions. Accordingly, management needs to determine whether the
internal control system continues to be relevant and able to address new risks.

Monitoring ensures that internal control continues to operate effectively. This process
involves assessment by appropriate personnel of the design and operation of controls on a suitably
timely basis, and the taking of necessary actions. It applies to all activities within an organization,
and sometimes to outside contractors as well.

Monitoring can be done in two ways: through ongoing activities or separate evaluations.
Internal control systems usually will be structured to monitor themselves on an ongoing basis to
some degree. The greater the degree and effectiveness of ongoing monitoring, the less need for
separate evaluations. The frequency of separate evaluations necessary for management to have
reasonable assurance about the effectiveness of the internal control system is a matter of
management’s judgment. In making that determination, consideration should be given to the
following: the nature and degree of changes occurring and their associated risks, the competence
and experience of the people implementing the controls, as well as the results of the ongoing
monitoring.

Activities that serve to monitor the effectiveness of internal control in the ordinary course of
operations are manifold. They include regular management and supervisory activities, comparisons,
reconciliation and other routine actions.

Examples of ongoing monitoring activities include the following:
(a) In carrying out its regular management activities, operating management obtains
evidence that the system of internal control continues to function. When operating
reports are integrated or reconciled with the financial reporting system and used to
manage operations on an ongoing basis, significant inaccuracies or exceptions to
anticipated results are likely to be spotted quickly. For example, managers of sales,
purchasing and production at divisional, subsidiary and corporate levels are in touch
with operations and question reports that differ significantly from their knowledge of
operations. The effectiveness of the internal control system is enhanced by timely and
complete reporting and resolution of these exceptions.
(b) Communications from external parties corroborate internally generated information or
indicate problems. Customers implicitly corroborate billing data by paying their
invoices. Conversely, customer complaints about billings could indicate system
deficiencies in the processing of sales transactions. Similarly, reports from investment
managers on securities gains, losses and income can corroborate or signal problems
with the entity’s records.

(c) Appropriate organizational structure and supervisory activities provide oversight of
control functions and identification of deficiencies. For example, clerical activities serving
as a control over the accuracy and completeness of transaction processing are routinely
supervised. Also, duties of individuals are divided so that different people serve as a
check on each other. This is also a deterrent to employee fraud since it inhibits the
ability of an individual to conceal his or her suspect activities.
(d) Training seminars, planning sessions and other meetings provide important feedback to
management on whether controls are effective. In addition to particular problems that
may indicate control issues, participants’ control consciousness often becomes apparent.

Information generated by employees in conducting regular operating activities usually is
reported through normal channels to their immediate superior. He or she may in turn communicate
upstream or laterally in the organization so that the information ends up with people who can and
should act on it.

Findings of internal control deficiencies usually should be reported not only to the individual
responsible for the function or activity involved, who is in the position to take corrective action, but
also to at least one level of management above the directly responsible person. This process enables
that individual to provide needed support or oversight for taking corrective action, and to
communicate with others in the organization whose activities may be affected. Where findings cut
across organizational boundaries, the reporting should cross over as well and be directed to a
sufficiently high level to ensure appropriate action.

In considering the extent to which the continued effectiveness of internal control is
monitored, both ongoing monitoring activities and separate evaluations of the internal control
system, or portions thereof, should be considered. Listed below are issues one might consider.
The list is not all-inclusive, nor will every item apply to every entity; it may, however, serve as a
starting point.

Ongoing Monitoring
• Extent to which personnel, in carrying out their regular activities, obtain evidence
as to whether the system of internal control continues to function.
• Extent to which communications from external parties corroborate internally
generated information, or indicate problems.
• Periodic comparison of amounts recorded by the accounting system with physical
assets.
• Responsiveness to internal and external auditor recommendations on means to
strengthen internal controls.
• Whether personnel are asked periodically to state whether they understand and
comply with the entity’s code of conduct and regularly perform critical control
activities.
• Effectiveness of internal audit activities.

Separate Evaluations
• Scope and frequency of separate evaluations of the internal control system.
• Appropriateness of the evaluation process.
• Whether the methodology for evaluating a system is logical and appropriate.
• Appropriateness of the level of documentation.

Reporting Deficiencies
• Existence of mechanism for capturing and reporting identified internal control
deficiencies.
• Appropriateness of reporting protocols and of follow-up actions.
