3.6 Governance Business Ethics Risk MGMT and Internal Control

Uploaded by feverfew143
Copyright © All Rights Reserved

Chapter 6: Concept of Internal Control
Learning objectives:

At the end of the chapter, the students will be able to:

a. define internal control;
b. explain the COSO Internal Control - Integrated Framework;
c. articulate the three (3) categories of internal control objectives;
d. identify the five (5) components of internal control;
e. identify the inherent limitations of internal control; and,
f. explain how specific control activities are selected.
Lesson Key Concepts and Examples
COSO Definition of Internal Control

• Internal control - process effected by the board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of business objectives.

• From the COSO Internal Control - Integrated Framework

Internal control is a process

• It is not an isolated procedure.

• It is comprised of an interrelated set of policies, procedures, and activities that work together for the achievement of business objectives.

• Under the COSO Framework, internal control is comprised of five interrelated components.
Internal control must be effected for the achievement of business objectives

• Internal control must be put into effect by people from all levels within the company.

• Internal control is not a mere checklist of dos and don'ts.

• Internal control is not an end in itself; rather, it is a means toward achieving the objectives of the company.
COSO Internal Control

3 business objectives:
• Effective and efficient operations
• Reliability of financial and nonfinancial reporting
• Compliance with laws and regulations

5 components:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO requirements to conclude that internal control is effective

1. Each of the five components must be present and functioning.
• “Present” - the five components exist in the system of internal control
• “Functioning” - the components are being implemented over time

2. The five components must “operate together” in an integrated manner.
• The components of internal control are not to be treated in isolation; rather, they need to operate in an integrated manner.
Control environment

• Control environment - foundation of internal control and reflects the “tone at the top” of the organization

• Reflects the attitudes, awareness, and actions of senior management and BOD regarding the importance of internal control

• Without an effective control environment, the structure of control will collapse.

What are included in the control environment?

a. Integrity and ethical values;
b. Management’s philosophy and operating style;
c. Organizational structure;
d. Commitment to competence;
e. Human resource policies and procedures; and
f. Functioning of the board of directors.
Risk assessment

• Risk assessment - process for identifying and assessing those risks that may prevent the achievement of business objectives

Steps:
• Objective setting
• Risk identification
• Risk analysis (likelihood, impact)
• Risk response

Control activities

Control activities - specific actions established through policies and procedures

• Performance reviews
• Information processing
• Physical controls
• Segregation of duties
Information and communication

• Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives.

• Management obtains, generates, and uses relevant and quality information from both internal and external sources to support the functioning of internal control.

• Communication - the continual, iterative process of providing, sharing, and obtaining necessary information

• Internal communication - the means by which information is disseminated throughout the organization, flowing up, down, and across the company

• External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.
Monitoring

• Monitoring of internal control is essential because internal control that is effective today may no longer be effective months or a year from now.

• In addition, internal control is subject to obsolescence.

• Monitoring is done through:
  • Ongoing routine monitoring
  • Separate evaluations

Limitations of internal control

• Internal control provides reasonable assurance that the business objectives will be achieved.

• Limitations of internal control:
  • Collusion
  • Management override
  • Human factors (e.g., fatigue, misinterpretation of facts, errors in judgment)
  • Cost-benefit considerations
Lesson Activities and/or Practice Exercises

Activity 1: Surveying an actual establishment’s controls

Select a small business in your locality. With the owner’s permission, attempt to identify control policies and procedures that the business implements. Map these specific control policies and procedures to the five (5) components of internal control. Use the following format:

Policy/Procedure | Component/s
Example: 1. The business hires only competent staff. | Control environment
2. The internal auditor reports audit findings and recommendations to the owner on a periodic basis. | Monitoring; Information and communication
3. |
4. |
5. |
6. |

Activity 2: Identifying internal controls in a business

Identify internal controls that are being implemented in the following business establishments:

1. Department store (Image from: Pexels, public domain.)
2. Bank (Image from: Pexels, public domain.)
3. Convenience store (Image from: Pexels, public domain.)
4. Supermarket (Image from: Pexels, public domain.)

Activity 3. Group work: Demonstrate how the internal control components “operate together.”

Requirement:

Demonstrate to the class how the five (5) components of internal control operate together under the COSO Framework.

Use a hypothetical business situation and give specific examples.

Conclusion:

• The internal control system is not an isolated procedure; rather, it is a set of interrelated policies, procedures, and activities that work together to achieve the objectives of the business.

• Under the COSO Framework, there are five (5) components of internal control, namely: control environment, risk assessment, information and communication, control activities, and monitoring.

• Under the COSO Framework, the components must operate together in an integrated manner to reduce to an acceptably low level the risk of not achieving a business objective.

• Internal control provides only a reasonable assurance that business objectives will be achieved because there is no perfect control system.

• There are inherent limitations on internal control, namely: collusion, possibility of management override of controls, cost-benefit considerations, human factors, among others.

References:

Meneses, Jesse Rey L. and Villaceran, Eugene V. 2022. Governance, Business Ethics, Risk Management and Internal Control. Quezon City: Rex Book Store, Inc.

The Committee of Sponsoring Organizations of the Treadway Commission. 1992. Internal Control - Integrated Framework.

Chapter 7: Internal Control in Action
Learning objectives:

At the end of the chapter, the students will be able to:

a. differentiate between entity-level and transaction-level controls;
b. differentiate between hard and soft controls;
c. differentiate between preventive, detective, and corrective controls;
d. identify specific internal control procedures in the major accounts;
e. define the concept of control deficiency; and,
f. identify the types of control deficiencies.

Lesson Key Concepts and Examples
Entity-level controls
• Entity-level controls - controls that are applied broadly at the company level and affect the functioning of transaction-level controls.

Examples:
• Functioning of the board of directors
• Code of conduct in the workplace
• Controls under the risk assessment component
• Monitoring process
• Code of corporate governance

Transaction-level controls

• Transaction-level controls - internal control procedures deployed and implemented for every major transaction and accounts of the company

• When compared to entity-level controls, transaction-level controls are more specific and applicable to specific business processes or transactions such as revenue and collections, expenditures and disbursements, production process, payroll, and the like.

Types of controls

As to lines of defense, internal controls are classified into:

• Preventive controls - first line of defense

• Detective controls - controls aimed at identifying discrepancies, errors, or fraud that may have taken place

• Corrective controls - intended to rectify the errors, discrepancies, or fraud detected by controls

Examples of controls for Cash

• Use of pre-numbered official receipts
• Daily deposit of collections
• Bonding (through an insurance company) of cash custodians
• Authorization for the opening of bank accounts
• Comparison of deposit slips with cash book
• Separation of duties between cashier personnel and accounting personnel
• Use of cash registers
• Preparation of daily cash collection reports
• Use of cash vaults and locks
• Access to cash vaults only given to authorized cash personnel
• Preparation of monthly bank reconciliations

Examples of controls for Sales and A/R

• Credit approval before making deliveries of products to customer
• Use of credit limits for customers
• Use of pre-numbered sales order
• Independence or separation between credit and sales department
• Pre-numbering of shipping documents
• Control over returned goods
• Control over scrap sales
• Periodic reconciliation of A/R subsidiaries with A/R control account
• Periodic confirmation of customers’ A/R balances

Examples of controls for Inventories

• Periodic inventory counts
• Use of perpetual inventory records
• Periodic comparison of general ledger (GL) and perpetual inventory records
• Periodic comparison of inventory records against physical count
• Investigation of discrepancies in case of inventory short or overage
• Use of pre-numbered receiving reports
• Separation of inventory custodian from inventory accounting/record keeping function
• Adequacy of insurance on inventories
• Physical safeguards on inventory against fire and other catastrophes
• Physical safeguards against theft of inventories

Examples of controls for Fixed Assets

• Use of detailed property records
• Periodic comparison of property records with physical assets
• Periodic counts of fixed assets
• Policy on capitalization of expenditures
• Physical safeguards over assets (e.g., machines, equipment, facilities)
• Use of property identification numbers (for specific identification of assets)
• Adequacy of insurance over fixed assets
• Fixing of the accountability of fixed asset custodians

Examples of controls for Payroll

• Effective hiring procedures
• Maintenance of personnel data records (201 files)
• Use of time clock or biometric device
• Supervisor review of time cards
• Review of payroll calculations (gross salaries, withholding tax, SSS premiums, net pay)
• Procedures in distributing payroll checks
• Control over unclaimed wages
• Transmittal to the bank of official roster of employees for ATM payroll arrangements
• Periodic head count of all company personnel

Definition of Fraud

• Fraud – an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage

• Types of fraud:
  • Fraudulent financial reporting
  • Misappropriation of assets
  • Corruption

Elements of the Fraud Triangle

• Incentives or pressures to commit fraud

• Perceived opportunities

• Rationalizations

Control deficiency

• A control deficiency is (a) a missing control, or (b) an existing control that is not designed properly, or is properly designed but is not operating effectively.

Two types of control deficiency:

• Deficiency in Design - A critical control is not properly designed.

• Deficiency in Operation - A critical control is designed properly but does not perform in the intended manner.

Internal audit

• Internal audit - an independent and objective assurance that provides service to the company in the areas of operations, reporting, compliance, and finance

• Traditionally, internal auditors are employees of the company.

• Because of changes in organizational trends, internal audit service is now typically outsourced to outside accounting and audit firms.

Scope of internal audit work

• Operational audits - intended to ascertain whether management has conducted business operations effectively and efficiently

• Compliance audits - intended to determine whether the company or any of its departments is able to adhere to prevailing laws and regulations

• Financial audits - focused on determining whether the company’s finance function as well as financial reports are accurate or reliable

Lesson Activities and/or Practice Exercises

Activity 1: Hard and soft controls

Go to your favorite grocery or supermarket. List at least 10 internal controls that the grocery or supermarket is implementing. Classify the controls into hard controls and soft controls. Use the following template:

Internal control | Hard or soft control?
1. |
2. |
3. |
4. |
5. |
6. |
7. |
8. |
9. |
10. |

Activity 2. Classifying controls into preventive, detective or corrective

Classify internal controls 1 through 10 into preventive, detective, or corrective controls.

Internal control | Preventive, detective, or corrective?
1. Segregation of incompatible duties |
2. Reconciliation procedures |
3. Making adjustment entries in the records |
4. Uninterruptible power supply (UPS) |
5. Approval or authorization controls |
6. Cash vaults and locks |
7. Vendor accreditation process |
8. Implementation of internal auditor’s recommendation on the improvement of processes |
9. Conducting surprise cash counts |
10. Confirmation of accounts receivable balances |

Activity 3: Fraud risks classified as to fraud triangle elements

Give at least five (5) examples of fraud risks categorized into pressures, opportunities, and rationalizations. Use the following template:

Pressures | Opportunities | Rationalizations
1. | 1. | 1.
2. | 2. | 2.
3. | 3. | 3.
4. | 4. | 4.
5. | 5. | 5.

Conclusion:

• The business should apply a mix of controls, both entity-level controls and specific transaction-level controls.

• Specific control activities are further categorized into preventive, detective, and corrective controls.

• For documentation and reference purposes, the business must have an internal control manual of procedures.

• Fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.

• Fraud is categorized into fraudulent financial reporting, asset misappropriation, and corruption.

• To understand fraud, one must consider the elements of the fraud triangle, which are incentives or pressures, perceived opportunities, and rationalizations.

• Internal audit, as an independent and objective assurance service, provides improvements in the company’s operational, reporting, and compliance aspects.

• To add value to the company, internal auditors perform operational audits, financial audits, and compliance audits.

References:

Meneses, Jesse Rey L. and Villaceran, Eugene V. 2022. Governance, Business Ethics, Risk Management and Internal Control. Quezon City: Rex Book Store, Inc.

The Committee of Sponsoring Organizations of the Treadway Commission. 1992. Internal Control - Integrated Framework.
