Principles of Internal Control Components

00:00

in this presentation we will take a look

00:01

at principles of internal control

00:04

components we're going to list out our

00:06

five components of the internal controls

00:08

and then we'll list out principles

00:10

related to them those five components

00:12

being the control environment or risk

00:14

assessment control activities

00:16

information and communication and

00:19

monitoring activities we're going to

00:21

start off with the control environment

00:23

listing the principles related to

00:25

control environment first principle

00:27

business shows a commitment to integrity

00:30

and ethical value so we're looking at

00:33

this in terms of the controls of the

00:34

organization in terms of the

00:36

organization as a whole that the

00:38

business shows a commitment to integrity

00:39

and ethical values note these things

00:42

aren't always the easiest things for us

00:44

to write down and communicate but you

00:45

could think about how can we get a feel

00:47

for that we're going to be of course

00:48

talking to people inquiring about it and

00:51

writing down our impressions of the

00:54

control environment in terms of business

00:57

shows commitment to integrity and

00:58

ethical value principle number two board

01:01

of directors shows independence from

01:03

management and exercises oversight of

01:06

the development and performance of

01:08

internal control you'll recall that the

01:10

board of directors are represented and

01:12

voted on by the owners the shareholders

01:14

so therefore they should be able to

01:16

provide some oversight over management

01:18

which in essence are the people that

01:19

they hire in order to act as agents of

01:22

the shareholders so the board of

01:24

directors should show independence from

01:26

management the more independence from

01:28

management then the more you would think

01:30

the board of directors would have good

01:32

oversight over management whereas if

01:34

there's less independence from

01:36

management it would be a more difficult

01:38

situation you would think the oversight

01:40

wouldn't be as good over the performance

01:42

of the management third principle

01:45

management sets up with board oversight

01:48

structures reporting lines and

01:50

authorities and responsibilities in the

01:52

pursuit of objectives so we have the set

01:55

up and the board of directors being

01:57

involved in this with the structure the

01:59

reporting liance we have the business

02:01

hierarchy the reporting lines within it

02:03

and authorities and responsibilities in

02:05

the pursuit of the objectives what are

02:08

the authorities and responsibilities

02:09

this is going to be really important

02:10

because of course people need to

02:12

understand

02:13

there are specific roles and

02:15

responsibilities it seems like a basic

02:17

thing but oftentimes people don't have a

02:19

good idea of what their responsibilities

02:21

are things fall down you know in the

02:24

middle between the responsibilities of

02:26

two individuals possibly and we don't

02:28

know exactly who to hold accountable

02:30

because it was never well defined in the

02:32

first place

02:32

principle for business shows a

02:35

commitment to attract develop and retain

02:37

competent employees in alignment with

02:39

objectives so we're looking at the types

02:42

of employees that are being brought into

02:43

the organization and we might also

02:45

consider the overturn of employees are

02:47

they bringing up the employees that seem

02:49

to be performing well the best top

02:51

performance of the employ of the

02:53

organization are they basically

02:55

retaining employees that are well

02:57

performing employees is there a high

02:59

turnover of employees of employees and

03:03

what's going to be basically the feeling

03:05

of employees which can be indicated in

03:08

whether there's a high turnover or not

03:10

or whether they're basically able to

03:12

develop employees within the

03:13

organization number five business holds

03:17

individuals accountable for their

03:18

internal control responsibilities in the

03:21

pursuit of objectives this of course

03:23

lines out with first determining what

03:25

the responsibilities are for different

03:27

individuals and then determining whether

03:29

or not the individuals have follow

03:32

through with their responsibilities and

03:34

the people that aren't following through

03:35

we know who to hold accountable and we

03:38

want to be able to see that the people

03:40

responsible for for certain conditions

03:42

or first certain objectives are the ones

03:44

being held accountable if those

03:46

objectives are not met next we'll take a

03:48

look at risk risk assessment principles

03:50

or principles related to a risk

03:52

assessment principle number one business

03:55

specifies objectives with enough clarity

03:57

to enable the identification and

03:59

assessment of risks related to

04:02

objectives so when we're thinking about

04:03

the risks we need to know exactly what

04:05

the objectives are so that that's gonna

04:07

help us to identify what the risks are

04:10

we need to be clear about that at the

04:11

more clear we are about that the more

04:13

clearly we can basically assess what

04:16

those risks are and take action with

04:17

regards to them principle number two

04:19

business identifies risks to the

04:22

achievement of its objectives across the

04:24

entity and analyzes risks as a basis

04:27

for determining how the risks are to be

04:29

managed once we understand what the

04:31

risks are we want to see them across the

04:33

organization and then we can come up

04:35

with a plan of course to see how we want

04:37

to deal with those risks how can we

04:39

mitigate those risks principle three

04:42

business considers the potential for

04:44

fraud in assessing risks to the

04:46

achievement of objectives so we want to

04:48

consider fraud and we'll talk a little

04:50

bit more about the fraud factors that

04:52

can be put together on what's gonna

04:54

increase the likelihood of fraud we want

04:57

to basically set up an environment

04:58

within the organization to lessen the

05:00

likelihood of fraud as part of the

05:02

components of our internal control so

05:04

first we have to say what are the risks

05:06

of fraud some of those risks are going

05:08

to be things that we can apply to any

05:10

type of organization some might be

05:12

specific to the type of organization

05:14

that we are in we want to see where the

05:16

fraud risks are highest and put in

05:19

policies and principles in order to

05:20

mitigate them principle number four

05:22

business entities and assesses changes

05:25

that could significantly impact the

05:27

system of internal controls so we're

05:30

gonna identify and assess any changes

05:32

anytime we have a significant change we

05:34

should have in our mind what is the

05:36

internal control what are going to be

05:38

the risks related to any significant

05:40

changes and we should basically map out

05:42

what are gonna be the risks related to

05:44

the significant change make adjustments

05:46

as necessary based on those changes in

05:49

those adjusted risks next we'll take a

05:51

look at the principles related to

05:52

control activities principle number one

05:55

principle selects and develops control

05:57

activities that contribute to the

06:00

mitigation of risks to achievement of

06:02

objectives to acceptable levels so now

06:05

we're on basically the ground floor

06:06

we're talking about the control

06:08

activities the actual implementation and

06:10

development and implementation of those

06:13

control activities that are going to be

06:15

put in place in order to contribute to

06:17

the mitigation the lessening of the

06:19

risks to the achievement of objectives

06:21

to acceptable levels we're going to be

06:24

thinking about things then including

06:26

performance reviews as our control

06:28

activities physical controls as our

06:31

perform as our control activities the

06:33

segregation of duties this probably

06:35

being the one that you want to think

06:36

about first when you think about

06:37

internal controls in general one

06:40

the first thing that probably comes into

06:42

mind should be the segregation of duties

06:43

you probably think of things like

06:45

performance review or people when they

06:48

first think about internal controls are

06:49

probably thinking about some type of

06:51

performance reviews we've consider an

06:53

audit and setting up the audit

06:55

procedures and someone asks you about

06:56

internal controls the first thing that

06:58

should come in your mind is really the

06:59

separation of duties is one of the major

07:01

functions and factions or areas of

07:03

internal controls then we have the

07:05

information processing controls

07:06

principle number two business selects

07:09

and develops general control activities

07:11

over technology to support the

07:13

achievement of objectives so once we

07:16

have these set up once we have the

07:18

control activities we will set them up

07:20

and we're probably going to need

07:21

technology in order to do this we're

07:24

gonna have some type of database program

07:26

as part of our internal controls

07:27

oftentimes we're gonna that's gonna

07:29

allow us to do things like the

07:32

separation of duties that like having

07:33

the performance reviews through the

07:36

interaction and the setting up of that

07:38

database and of course we need IT

07:40

professionals to help us with that that

07:42

part of it so we set up the internal

07:44

controls work with IT then to help us to

07:47

implement those by restricting or

07:49

manipulating the database to give

07:50

certain restrictions and assignments to

07:52

different individuals principle number

07:54

three business sets up control

07:56

activities through policies that

07:57

establish what is expected and

08:00

procedures that put policies into play

08:03

so obviously once we implement this

08:05

information we're going to actually put

08:06

into play the policies and the

08:08

procedures as we as we set the set and

08:11

thing out so we're imagining of course

08:13

we set up the controls now we're gonna

08:15

end up ah in the part of the control

08:17

system where we have to actually

08:18

implement and put those controls into

08:20

place which involves of setting up the

08:22

policies and procedures and implementing

08:25

those policies and procedures next we

08:27

have information and communication

08:30

principle principle number one business

08:32

obtains makes and uses relevant quality

08:35

information to support the functioning

08:37

of internal controls

08:39

this could include identify and record

08:42

valid transactions classify transactions

08:45

correctly measure the value of

08:47

transactions correctly record

08:50

transactions in the correct period

08:51

correctly present transact

08:54

and disclosures principle number two

08:56

business communicates information

08:58

internally communication includes

09:01

objectives and responsibilities for

09:03

internal controls and needed to support

09:05

the functioning of the internal controls

09:07

obviously when we set up the internal

09:09

controls we then need to have the good

09:11

communication in order for people to

09:12

understand those internal controls in

09:14

terms of what is expected of them as

09:16

well as what the reason is to some

09:19

degree because that will give them some

09:20

incentive to follow through and make

09:22

sure that they are implementing the

09:23

internal controls and possibly the

09:25

feeling of well-being and self-worth as

09:27

they go through the internal controls

09:29

some processes which can seem like

09:31

they're going to be something that's not

09:32

contributing to the performance but

09:34

actually is when you think about it out

09:36

on the bigger picture level so principle

09:38

number three business communications

09:40

with external parties regarding issues

09:42

affecting the functioning of internal

09:46

controls next we're gonna take a look at

09:48

monitoring activities principles related

09:50

to a principle number one business

09:52

selects develops and performs ongoing

09:54

and or separate evaluations to determine

09:57

whether the components of internal

09:59

controls are installed and functioning

10:01

so you'll of course we're thinking about

10:03

the internal controls here in terms of

10:04

what are the risks we come up with a

10:06

plan for internal controls we then

10:08

implement that plan with their control

10:10

activities we communicate that

10:12

information and then of course we

10:14

monitor that information to see if this

10:17

the internal control processes are set

10:19

up well if they're implemented well if

10:21

they're doing what we would expect them

10:23

to do principle number two business

10:26

evaluates and communicates internal

10:28

control problems in a timely manner to

10:29

parties responsible for taking

10:31

corrective action there's problems

10:33

internal internal controls in terms of

10:35

either the way the internal control is

10:36

set up not well designed or in the way

10:39

it's being implemented not being

10:40

implemented or followed through with

10:41

then we go to the appropriate level of

10:44

management and discuss the the

10:46

implementation and/or design at that at

10:49

that point parties include senior

10:51

management and the board of directors as

10:53

appropriate obviously if it's if it's to

10:55

the point where we can discuss this with

10:57

senior management and and take care of

10:59

it then that would be it if it's

11:01

something that's going to be a serious

11:02

flaw in the internal controls and have

11:04

substantial risk then of course we would

11:06

want to include the

11:07

directors as well audit risk model

11:10

you'll recall that the audit risk model

11:12

represents in a formula type format

11:14

audit risk equals the inherent risk the

11:17

inherent risk within basically inherent

11:20

in the organization of a type of

11:21

business that were in line with the

11:24

control risk controlled risk what we are

11:26

talking about now and then we have the

11:28

detection risk this is the auditors

11:30

basically whether the audit will pick up

11:32

pick up any problems within the auditing

11:35

process these two of recall are kind of

11:38

on the business side of things what

11:40

industry they're in what's inherently

11:41

risky about the business ventures that

11:43

they are in that's their decision to be

11:45

in that business and take on those

11:47

inherent risks the control risk is what

11:49

they are designing in their bureaucratic

11:52

system as they set up their their

11:54

business model and that of course is

11:56

with the component that we're focusing

11:59

on here when we consider the overall

12:01

audit risk model