
Internal Control Refresher

What is a process
• A process is:
► A series of actions, changes or functions that transforms inputs
into outputs.
► Business processes are the structure by which the organization does
what is necessary to produce value for its customers.
► The process owner is the person responsible for the process.
Example: identifying the process
Where could risks appear in a process?
What are the risks in the process?
What is Internal Control
• An action taken to mitigate or manage risk and increase the
probability that the business/process will achieve its goals and
objectives.
► Examples of objectives:
► Effectiveness and efficiency of operations
► Reliability of financial reporting
► Compliance with applicable laws and regulations
► A control is in place to prevent an error from occurring or to minimize the
impact if it does occur.
► The significance of a control relates back to the significance of the risk
it is mitigating.
► The same control may mitigate multiple risks. Multiple controls may
be required to mitigate one risk.
Why do we test controls?
How to write a control
• For an internal control to be properly designed, it needs to have an
appropriate answer to each of the following qualitative questions:
► The “What”, “Who” and “When” should be addressed within the first
sentence of the control:
► “What” control is being performed (control type)
► “Who” performs the control (control owner)
► “When” is the control performed (control frequency)
► The “Where” and “How” should be addressed within the second sentence
of the control:
► “Where” is the control evidenced (control evidence)
► “How” is the control performed (control procedures)
Key Elements of a Control Description
• Identify WHO is performing the control activity
• Clearly state WHAT the purpose of the control is / WHY it is being performed
• e.g., to verify completeness and accuracy: of what? To reconcile: which balances/systems?
• Make sure the activity explicitly addresses what risk the control is preventing/detecting, and that this is the right
risk (relevance)
• Make sure the control is performed at the appropriate level of precision, keeping in mind materiality (i.e. a
threshold is defined)
• WHEN does the control occur (frequency)
• HOW is operation of the control evidenced
• Complete yet concise: a key control description should be “standalone” and should not require the reader to
review a narrative/flowchart to understand the full control procedure

• Example
• Original Control Description
The Staff Accountant prepares the cash reconciliation and the VP
Accounting reviews for completeness and accuracy.
• Revised Control Description
Monthly, the VP Accounting reviews the bank account reconciliation
prepared by the Staff Accountant to verify that: the GL balance reconciles
to the bank statement; the opening/ending balances are accurate; and that
reconciling items/variances above the established threshold of $100 were
appropriately identified and investigated/resolved. The VP Accounting
evidences the review via email to the preparer.
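The revised control description above can be expressed as a check with a defined level of precision. The following is an added example, not part of the original slides: the balances, the reconciling items, their classification as deposits in transit or outstanding checks, and the review memo format are constructed assumptions; only the $100 threshold comes from the control description. Anything above the threshold that was not investigated, or an unexplained variance above the threshold, is an exception that blocks the reviewer's sign-off.

```python
"""Bank reconciliation as a detective control with a defined precision threshold.

Added example, not from the original slides. Balances, reconciling items and the
memo format are constructed sample data; the $100 threshold is the one named in
the slide's control description.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List

THRESHOLD = Decimal("100.00")   # materiality threshold named in the control


@dataclass
class ReconcilingItem:
    description: str
    amount: Decimal                 # always positive; `kind` gives the direction
    kind: str                       # "deposit_in_transit" or "outstanding_check"
    investigated: bool = False      # preparer documented follow-up / resolution


@dataclass
class ReconciliationResult:
    gl_balance: Decimal
    bank_balance: Decimal
    adjusted_bank_balance: Decimal
    unexplained_variance: Decimal   # GL balance minus adjusted bank balance
    exceptions: List[str] = field(default_factory=list)

    @property
    def ties(self) -> bool:
        """True when the reviewer can sign off: no exceptions at the set precision."""
        return not self.exceptions


def reconcile(gl_balance: Decimal, bank_balance: Decimal,
              items: List[ReconcilingItem],
              threshold: Decimal = THRESHOLD) -> ReconciliationResult:
    """Adjust the bank balance for timing items, compare it with the GL, and flag
    anything above the threshold that lacks documented investigation."""
    adjusted = bank_balance
    exceptions: List[str] = []
    for item in items:
        if item.kind == "deposit_in_transit":
            adjusted += item.amount       # in the GL, not yet credited by the bank
        elif item.kind == "outstanding_check":
            adjusted -= item.amount       # in the GL, not yet cleared by the bank
        else:
            exceptions.append(f"unknown reconciling item kind {item.kind!r}: {item.description}")
            continue
        # Precision: an item above the threshold must carry evidence of investigation.
        if item.amount > threshold and not item.investigated:
            exceptions.append(
                f"item above threshold not investigated: {item.description} ({item.amount})")
    variance = gl_balance - adjusted
    if abs(variance) > threshold:
        exceptions.append(f"unexplained variance {variance} exceeds threshold {threshold}")
    return ReconciliationResult(gl_balance, bank_balance, adjusted, variance, exceptions)


def review_memo(result: ReconciliationResult, reviewer: str, preparer: str, period: str) -> str:
    """The reviewer's sign-off (the control evidence) as text to e-mail to the preparer."""
    status = "TIES - approved" if result.ties else "EXCEPTIONS - returned to preparer"
    lines = [
        f"{period} bank reconciliation reviewed by {reviewer} (prepared by {preparer}): {status}",
        f"GL {result.gl_balance} vs adjusted bank {result.adjusted_bank_balance}, "
        f"variance {result.unexplained_variance}",
    ]
    lines += [f"- {e}" for e in result.exceptions]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: bank shows 10,250.00, GL shows 10,000.00, explained by two timing items.
    items = [
        ReconcilingItem("Deposit 05/30 in transit", Decimal("500.00"), "deposit_in_transit", investigated=True),
        ReconcilingItem("Check #1042 outstanding", Decimal("750.00"), "outstanding_check", investigated=True),
    ]
    print(review_memo(reconcile(Decimal("10000.00"), Decimal("10250.00"), items),
                      "VP Accounting", "Staff Accountant", "May 2024"))
```

The threshold is what makes the control's precision testable: a reconciliation whose only open items are below $100 ties, while a $120 outstanding check with no documented follow-up is an exception even if the preparer believes it is legitimate, because the evidence the reviewer relies on is missing.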
Example Control Description – Breaking Down the Control
Preventive vs. Detective Controls
• To have an effective system of internal control, companies should have a mix of
preventive and detective controls.
Preventive Controls
• Preventive controls are designed to prevent/stop errors/irregularities before they occur
• Preventive controls are PROACTIVE
• Examples include:
  ◦ Approvals/authorizations
  ◦ Verifications
  ◦ Segregation of duties
  ◦ Physical security
Detective Controls
• Detective controls are designed to detect/identify errors/irregularities
that already exist
• Detective controls are REACTIVE
• Examples include:
  ◦ Reconciliations
  ◦ Audits
  ◦ Business performance reviews/analytics
Automated vs. Manual Controls
Controls can be automated, manual, or a mix of both.
Automated Controls
• A control that is executed by a system with no human interaction
• For automated controls to be relied upon, IT General Controls (ITGCs) over
the system performing the control should be in place and operating effectively
• Examples include:
  ◦ Input controls (e.g. the system will only accept inputs that meet defined criteria)
  ◦ Systematic checks on data or data transmissions (e.g. record compares, control
totals, etc.)
Manual Controls
• A control that is performed manually by a person
• Examples include:
  ◦ Approvals/authorizations (e.g. manual signature)
  ◦ Reconciliations where a person manually compares two sources (e.g.
tick and tie)
  ◦ Secondary reviews
IT Dependent Manual (semi-automated)
• A control that is performed manually, but reliance is placed on system-generated
information (e.g. a key report or an end-user computing (EUC) spreadsheet)
• To rely on system-generated information, the completeness and accuracy of the
report, or the effectiveness of the relevant system functionality, must be validated in addition to
testing a sample of the manual activity
• There should also be ITGCs in place over the systems that are relied upon in the
execution of the control
• Examples include:
  ◦ Follow-up on exceptions identified via a system reconciliation/automated data validation
checks
  ◦ Review of a report produced by a system
  ◦ Approval governed by a systematic workflow
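The automated controls listed earlier (input controls, record compares, control totals) and the completeness-and-accuracy validation that an IT-dependent manual control requires are the same small set of checks applied at different points. The following is an added example, not from the original slides: the BATCH/DTL/TRL file layout, the 10-digit account rule, the permitted-currency list and all sample data are constructed assumptions. It runs the input controls over each detail record of a batch transmission, compares the recomputed record count and hash total against the sender's trailer, and then checks a system-generated report against its source data the way a reviewer relying on that report would need it checked.

```python
"""Automated input controls and control totals over a batch transmission, and a
completeness-and-accuracy check on a system-generated report.

Added example, not from the original slides. The file layout (BATCH/DTL/TRL
lines), the account-number rule, the currency list and the sample data are all
constructed assumptions.
"""
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

ACCOUNT_RE = re.compile(r"^\d{10}$")        # assumed criterion: 10-digit account number
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}  # assumed criterion


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Input control: return the reasons a record fails the acceptance criteria
    (an empty list means the system accepts it)."""
    errors: List[str] = []
    if not ACCOUNT_RE.match(rec["account"]):
        errors.append("account must be exactly 10 digits")
    try:
        amount = Decimal(rec["amount"])
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount must be positive with at most two decimals")
    except InvalidOperation:
        errors.append("amount is not numeric")
    if rec["currency"] not in ALLOWED_CURRENCIES:
        errors.append("currency not permitted")
    return errors


def process_batch(text: str) -> dict:
    """Apply input controls to every detail record and compare the recomputed
    record count and hash total of amounts with the sender's trailer.
    Totals are computed over all detail records received, valid or not, so a
    record dropped or duplicated in transmission is caught even when every
    surviving record is individually acceptable."""
    accepted: List[Dict[str, str]] = []
    rejected: List[Tuple[int, List[str]]] = []
    received_count, received_total = 0, Decimal("0")
    declared_count, declared_total = None, None
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.strip().split(",")
        if not line.strip() or fields[0] == "BATCH":
            continue                                  # header carries no control data here
        if fields[0] == "TRL":                        # TRL,<record count>,<hash total of amounts>
            declared_count, declared_total = int(fields[1]), Decimal(fields[2])
            continue
        received_count += 1
        if fields[0] != "DTL" or len(fields) != 4:
            rejected.append((lineno, ["malformed detail record"]))
            continue
        rec = {"account": fields[1], "amount": fields[2], "currency": fields[3]}
        try:
            received_total += Decimal(rec["amount"])
        except InvalidOperation:
            pass                                      # reported by validate_record below
        errors = validate_record(rec)
        if errors:
            rejected.append((lineno, errors))
        else:
            accepted.append(rec)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "count_ok": declared_count == received_count,   # False if the trailer is missing
        "total_ok": declared_total == received_total,
    }


def report_exceptions(source_rows: List[Dict[str, str]], report_rows: List[Dict[str, str]],
                      key: str = "account") -> List[str]:
    """Completeness and accuracy of a system-generated report that an IT-dependent
    manual control relies on: every source row is present (completeness) with the
    same amount (accuracy), and nothing extra appears. Keys are assumed unique."""
    src = {r[key]: Decimal(r["amount"]) for r in source_rows}
    rpt = {r[key]: Decimal(r["amount"]) for r in report_rows}
    exceptions = [f"missing from report: {k}" for k in src.keys() - rpt.keys()]
    exceptions += [f"not in source: {k}" for k in rpt.keys() - src.keys()]
    exceptions += [f"amount differs for {k}: source {src[k]}, report {rpt[k]}"
                   for k in src.keys() & rpt.keys() if src[k] != rpt[k]]
    return sorted(exceptions)


# Constructed sample batch: five detail records; trailer declares count 5, hash total 297.49.
SAMPLE_BATCH = """BATCH,2024-05-31-001
DTL,1234567890,150.00,USD
DTL,2345678901,99.99,EUR
DTL,23456789,42.00,USD
DTL,3456789012,-5.00,USD
DTL,4567890123,10.50,JPY
TRL,5,297.49
"""

# Same trailer, but one valid record lost in transit: the control totals must fail.
TRUNCATED_BATCH = SAMPLE_BATCH.replace("DTL,2345678901,99.99,EUR\n", "")

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH)
    print(len(result["accepted"]), "accepted,", len(result["rejected"]), "rejected,",
          "count_ok", result["count_ok"], "total_ok", result["total_ok"])
```

Two points the slides make become concrete here. First, the per-record input control and the batch-level control totals catch different failures: in the truncated batch every remaining record passes validation, and only the count and hash-total compare reveals that a record was lost. Second, `report_exceptions` is the kind of test that "validating the completeness and accuracy of a report" means in practice; it does not replace the ITGCs (change management and access) over the system that produces the report, which are what let you trust that the report logic itself has not been altered.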
Information Processing Objectives