Internal Control and
Control Self Assessment
Presented by CA Manoj Agarwal
May 18, 2016, IIA Bombay Chapter
Disclaimer
• All the contents of the presentation constitute the opinion of
the speaker, and the speaker alone; they do not represent the
views and opinions of the speaker’s employers, supervisors,
nor do they represent the view of organizations, businesses or
institutions the speaker is, or has been a part of.
Agenda
• Internal Control
• Control Self Assessment
• Case Study
• Q&A
Definitions
The definition of internal auditing states the fundamental purpose, nature, and
scope of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.
Internal control is defined by COSO (www.coso.org) as follows:
Internal control is a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting, and
compliance.
Internal Control
Paraphrasing the definition, internal control is:
1. Geared to the achievement of objectives in one or more separate but
overlapping categories.
2. A process consisting of ongoing tasks and activities - it is a means to an
end, not an end in itself.
3. Effected by people - it is not merely about policy and procedure manuals,
systems, and forms, but about people and the actions they take at every
level of an organization to effect internal control.
4. Able to provide reasonable assurance, not absolute assurance, to an
entity’s senior management and board of directors.
5. Adaptable to the entity structure - flexible in application for the entire
entity or for a particular subsidiary, division, operating unit, or business
process.
COSO Internal Control Framework
• Objectives of Internal Control
– Operational Objectives - Effectiveness and efficiency of operations
– Reporting Objective - Reliability of reporting
– Compliance Objectives - Compliance with applicable laws and regulations
• Process
– Policies (management's statement of what should be done)
– Procedures (actions that implement policies)
• The process is managed through planning, executing (doing), checking and
amending (Plan, Do, Check, Act)
Principles of Internal Controls

| PDCA | 5 Components of Internal Control |
|---|---|
| Plan | Control Environment; Risk Assessment |
| Do | Control Activities |
| Check | Information & Communication |
| Act | Monitoring Activities |
Principles of Internal Controls-1
Component: Control Environment
Principles:
1. The organization demonstrates a commitment to integrity and ethical
values.
2. The board of directors demonstrates independence of management
and exercises oversight for the development and performance of
internal control.
3. Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit of
objectives.
4. The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
Principles of Internal Controls-2
Component: Risk Assessment
Principles:
6. The organization specifies objectives with sufficient clarity to enable
identification and assessment of risks relating to objectives.
7. The organization identifies risks to achievement of its objectives across
the entity and analyses risks as a basis for determining how the risks
should be managed.
8. The organization considers the potential of fraud in assessing risks to
achievement of objectives.
9. The organization identifies and assesses changes that could significantly
impact the system of internal control.
Component: Control Activities
Principles:
10. Selects and develops control activities that contribute to the mitigation
of risks to the achievement of objectives to acceptable levels.
11. Selects and develops general control activities over technology to
support the achievement of objectives.
12. Deploys control activities as manifested in policies that establish what is
expected and in relevant procedures to effect the policies.
Principles of Internal Controls-3
Component: Information and Communication
Principles:
13. The organization obtains or generates and uses relevant, quality
information to support the functioning of other components of
internal control.
14. The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to
support the functioning of other components of internal control.
15. The organization communicates to external parties regarding
matters affecting the functioning of other components of internal
control.
Component: Monitoring Activities
Principles:
16. The organization selects, develops and performs ongoing and/or
separate evaluations to ascertain whether the components of
internal controls are present and functioning.
17. The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for
taking corrective action, including senior management and the board
of directors, as appropriate.
Principle Evaluation Template - 1
Principle Evaluation Template: Control Environment
Columns: Control Environment Principles | Summary of Controls | Deficiencies/Notes/Other Considerations (also record deficiencies in log below)
1. Demonstrates Commitment to Integrity and Ethical Values: The organization demonstrates a commitment to integrity and ethical values.
• Sets the Tone at the Top: How do the board of directors and management at all levels
of the entity demonstrate through their directives, actions, and behavior the importance
of integrity and ethical values to support the functioning of the system of internal
control?
• Establishes Standards of Conduct: How are the expectations of the board of directors
and senior management concerning integrity and ethical values defined in the entity’s
standards of conduct and understood at all levels of the organization and by outsourced
service providers and business partners?
• Evaluates Adherence to Standards of Conduct: What processes are in place to evaluate
the performance of individuals and teams against the entity’s expected standards of
conduct?
• Addresses Deviations in a Timely Manner: How are deviations of the entity’s expected
standards of conduct identified and remedied in a timely and consistent manner?
• (Other entity-specific points of focus, if any)
Principle Evaluation Template - 2
Principle Evaluation Template: Control Environment
Deficiencies Applicable to the Principle
Column headings:
• Identification No.
• Internal control deficiency description
• Possible Impact on Principle
• Evaluate preliminary deficiency severity (consider whether other controls to effect this principle compensate for the internal control deficiency)
• List internal control deficiencies related to another principle that may impact this internal control deficiency
• Present? (Y/N)
• Functioning? (Y/N)
• Preliminary Severity: Is internal control deficiency a major deficiency? (Y/N)
• Comments/Compensating Controls
Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or
combination of internal control deficiencies, when considered within the principle,
represent a major deficiency.**
<Update Summary of Deficiencies Template as required>
<Explanation>

| Evaluate the principle using judgment.** | Y/N | Explanation/Conclusion |
|---|---|---|
| Is the principle present? | | |
| Is the principle functioning? | | |

* Note: Record deficiencies in Summary of Deficiencies Template.
** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning
and the overall system of internal control is not effective.
Controls Objectives

| Objectives | Input | Process | Output |
|---|---|---|---|
| Authorization | Is the source authorized? | Are the procedures approved? | What was approved? |
| Recording | Is it accurate and complete? Is it timely? Is it documented? | Who does it? When? Are procedures followed? Is it recoverable? Is management review adequate? | Is it accurate and complete? Is there an audit trail? Is management review adequate? Does it balance? |
| Safeguarding/Security | Who should control? Are duties separated? | Who can access it? Are duties separated? | Is it confidential? Who should have it? |
| Verification | Are sources proper? | Are procedures followed complete? Are investigation and review of differences adequate? | Are differences properly resolved? Is management review adequate? |
| Existence/Placement | Do policies and procedures define the adequate level of controls? | Are there procedures to create a control? Are controls adequate? Are controls placed in the most efficient part of the process? | Is the residual risk acceptable according to the company's risk tolerance? |
Controls Objectives-Payroll - 1
| Objectives | Input | Questions to be asked |
|---|---|---|
| Authorization | Is the source authorized? | Are the persons sending the inputs for payroll authorized? |
| Recording | Is it accurate and complete? | Does the person send correct and complete inputs? |
| | Is it timely? | Are inputs sent in a timely manner to ensure processing happens as per plan? |
| | Is it documented? | Is there evidence that inputs have actually been received from the person specified? |
| Safeguarding/Security | Who should control? | Who should receive the inputs? |
| | Are duties separated? | Is the person receiving the inputs the person who processes the payroll? |
| Verification | Are sources proper? | How do we know that the person has actually taken information from the correct source? |
| Existence/Placement | Do policies and procedures define the adequate level of controls? | Is all this documented? Has the responsibility been documented? |
Controls Objectives – Payroll -2
| Objectives | Process | Question to be asked |
|---|---|---|
| Authorization | Are the procedures approved? | Is the process/method to process payroll approved? |
| Recording | Who does it? | Can it be established who has actually performed which job? |
| | When? Are procedures followed? Is it recoverable? Is it repeatable? | Is there any audit trail which can establish that procedures are actually followed? |
| | Is management review adequate? | Has someone reviewed the processing, and is there evidence which can confirm that the review has actually been performed? |
| Safeguarding/Security | Who can access it? | Who can access the location/system/office processing the information? |
| | Are duties separated? | Is there SOD in place? |
| Verification | Are procedures followed complete? | Who verifies that the process has actually been followed? |
| | Are investigation and review of differences adequate? | If any exception has been observed, has it been taken to its logical conclusion, and is that documented? |
| Existence/Placement | Are there procedures to create a control? | Is someone responsible for ensuring that the process has actually been completed as specified? |
| | Are controls adequate? | Have any controls been put in place to ensure that the process is happening as specified? Are these adequate? |
| | Are controls placed in the most efficient part of the process? | Has the control been put in place to ensure optimum cost and benefit? |
Controls Objectives – Payroll - 3
| Objectives | Output | Question to be asked |
|---|---|---|
| Authorization | What was approved? | Is there evidence that the output of the process is authorized and that accountability of the person authorizing can be established? |
| Recording | Is it accurate and complete? | How is it ensured that the output is accurate and complete? |
| | Is there an audit trail? | Is there an audit trail of the process of ensuring the completeness of output? |
| | Is management review adequate? | Is there adequate management review? |
| | Does it balance? | Does the output match the input to ensure that the output is proper? |
| Safeguarding/Security | Is it confidential? Who should have it? | Is there any guideline defined regarding who should have access to the output and to what extent? |
| Verification | Are differences properly resolved? Is management review adequate? | Where differences are observed in management review, or a question is raised in review, have they been resolved properly with an audit trail? |
| Existence/Placement | Is the residual risk acceptable according to the company's risk tolerance? | What risk is observed and not insured/controlled, and is that acceptable to the company? Is there any document evidencing acceptance? |
Control Types
• Preventative Controls are installed to stop undesirable outcomes before they
can occur. These types of controls are typically the most cost-effective
controls because they avoid the cost of correction. E.g.:
– Segregation of duties to prevent intentional wrongdoing,
– Proper authorization to prevent improper use of organizational resources,
– Adequate documentation and records to deter improper transactions,
– Physical control over assets to prevent their improper conversion or use.
• Detective Controls are necessary to measure the effectiveness of the
preventive controls. While some errors cannot be effectively controlled through
preventative controls, they must be detected as they occur. E.g.:
– Reviews and comparisons of records,
– Independent check on performance,
– Bank reconciliations, confirmation of bank balances, cash counts,
– Computerized techniques such as transaction limits and passwords.
• Corrective Controls are necessary, for they correct the identified deficiency
and therefore deter it from occurring again. Documentation and reporting
systems are developed to identify undesirable outcomes and keep problems under
management’s purview until they can be solved or the defect can be corrected.
Ref: Marks on Governance (http://normanmarks.wordpress.com/)
http://www.theiia.org/blogs/marks/index.cfm?postid=396
What is CSA?
Control Self Assessment
• A set of techniques used to assess risk, control strength,
and control weaknesses utilizing a control framework.
The 'self' refers to the involvement of management and staff
in the assessment process, often facilitated by internal
auditors:
• to analyze, within a chosen control framework, the obstacles
and strengths which affect their ability to achieve their key
business objectives, and
• to decide upon appropriate action.
CSA Rationale
• Responsibility for controlling risk belongs to management and
all employees
• People are the most important control factor
• Most employees are honest, competent, and want their
organization to succeed
• People are far more likely to embrace needed changes if they
are involved
in the assessment process
• Helps employees understand control
When do you want to use CSA?
• New work processes/projects
• New organizations
– to identify the risk exposures and required controls
• Reorganizations
• Management / Employee turnover
– to identify where risks are
– to create understanding for business objectives
– to assess how risks are changing
– to put emphasis on highest priority
risks and controls
• Processes that cross over into other work groups
– to get to the root cause of problems
– helps bring groups together
– participants learn how their activities interrelate
– collaborative problem solving
CSA - GOALS & OBJECTIVES
• Provide a forum for participants (stakeholders) to:
– Conduct an assessment of risks and controls.
– Develop recommendations for improvement.
– Enhance their ability to achieve objectives.
– Increase communication with the Unit.
– Improve the efficiency and effectiveness of operations.
Benefits of CSA
• Honest feedback on control environment communication and
monitoring
• Ability to discuss and explore areas of concern to determine
reasons and root causes of concern
• Ability to obtain an understanding of the degree of concern
among participants
• Development of recommendations by employees in the Unit
• Buy-in/Ownership of Recommendations
COSO Framework - Control Components
[Figure: COSO control components (Control Environment, Risk Assessment, Control Activities, Monitoring), with the labels "Traditional Auditing/Testing" and "CSA".]
Case Study
• Multinational Organisation
• Control Catalogue (from Risk Register)
• Control Categories
• Use of Excel Template
The following are guidelines to help complete the self assessment:

| Field | Guidance |
|---|---|
| Is control relevant? | There may be situations where a control is not relevant to a business unit. If this is the case, answer No and provide an explanation in the comment field. |
| Is control implemented? | Answer Yes if the control is in place and operational. |
| Is control under implementation? | Answer Yes if the control is under implementation but not yet fully operational. |
| Is a plan for implementation prepared? | Answer Yes if implementation is not yet commenced but a plan has been developed for implementation. |
| Is the design of the control documented? | Answer Yes if you have a description of the control in place (written procedure, process flowchart, etc). The description needs to be sufficiently detailed to continue operating the control if you need to change resources. |
| Is evidence retained? | Answer Yes if you retain evidence that the control has been performed. |

The following boxes should be completed if the Maturity level for the control is not 5:

| Field | Guidance |
|---|---|
| Gap Analysis / Comment | Document the gap analysis (e.g. determining and documenting the variance between the control requirements and current control in place) |
| Implementation Plan | Document what actions need to be taken to close the gap identified as part of the gap analysis (e.g. what needs to be done to obtain a level 5 maturity) |
| Deadline | When the control is expected to be at a level 5 maturity |

The following box should be completed if the Maturity level for the control is 5:

| Field | Guidance |
|---|---|
| Assurance | What monitoring processes are in place to give management confidence that the control has been implemented? Is the monitoring process documented? What is done if non-compliance is found? |
My Blogs and Posts
1. Audit Client Categories
2. Role of Internal Audit
3. Value addition by internal audit
4. Revenue Assurance
5. Companies Act 2013 and Control Catalogues
6. Internal Controls in eCommerce Companies
7. How to create Internal Control Framework for your company
8. Creating An Internal Audit Plan
9. Governance for Approval Matrix
10. Right to Audit
11. Have you included vendor audit as part of your audit plan?
Manoj Agarwal
manojbagarwal@gmail.com
9820392252
Linkedin: https://in.linkedin.com/in/manojbagarwal

Internal auditing for “one & all” (second edition)
 
Internal control system
Internal control systemInternal control system
Internal control system
 
Internal control system
Internal control systemInternal control system
Internal control system
 
COSO Update DTF
COSO Update DTFCOSO Update DTF
COSO Update DTF
 
COSO.pptx
COSO.pptxCOSO.pptx
COSO.pptx
 
Internal Controls Topic 2.ppt
Internal Controls Topic 2.pptInternal Controls Topic 2.ppt
Internal Controls Topic 2.ppt
 
Frequently asked questions on auditing in dubai
Frequently asked questions on auditing in dubaiFrequently asked questions on auditing in dubai
Frequently asked questions on auditing in dubai
 
Performance audit adding value
Performance audit adding valuePerformance audit adding value
Performance audit adding value
 
Audits and Regulatory Compliance
Audits and Regulatory ComplianceAudits and Regulatory Compliance
Audits and Regulatory Compliance
 
Advanced auditing Chapter Five.Internal control pptx
Advanced auditing Chapter Five.Internal control pptxAdvanced auditing Chapter Five.Internal control pptx
Advanced auditing Chapter Five.Internal control pptx
 

Dernier

India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportMintel Group
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncrdollysharma2066
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 

Dernier (20)

India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample Report
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 

Internal control and Control Self Assessment

  • 1. Internal Control and Control Self Assessment Presented by CA Manoj Agarwal May 18, 2016, IIA Bombay Chapter
  • 2. Disclaimer
    • All the contents of the presentation constitute the opinion of the speaker, and the speaker alone; they do not represent the views and opinions of the speaker’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the speaker is, or has been a part of.
  • 3. Agenda
    • Internal Control
    • Control Self Assessment
    • Case Study
    • Q&A
  • 4. Definitions
    The definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.
    Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
    Internal control is defined by COSO (www.coso.org) as follows:
    Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
  • 5. Internal Control
    Paraphrasing the definition of internal control, we get:
    1. Geared to the achievement of objectives in one or more separate but overlapping categories.
    2. A process consisting of ongoing tasks and activities—it is a means to an end, not an end in itself.
    3. Effected by people - it is not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.
    4. Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board of directors.
    5. Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.
  • 6. COSO Internal Control Framework
    • Objectives of Internal Control
      – Operational Objectives - Effectiveness and efficiency of operations
      – Reporting Objective - Reliability of reporting
      – Compliance Objectives - Compliance with applicable laws and regulations
    • Process
      – Policies (management statement of what should be done)
      – Procedures (actions that implement policies)
    • Process is managed through Planning, Executing (doing), Checking, Amending (Plan Do Check Act)
    PDCA and the 5 Components of Internal Control
      – Plan: Control Environment, Risk Assessment
      – Do: Control Activities
      – Check: Information & Communication
      – Act: Monitoring Activities
  • 8. Principles of Internal Controls-1
    Component: Control Environment
    1. The organization demonstrates a commitment to integrity and ethical values.
    2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
    3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
    4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
    5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  • 9. Principles of Internal Controls-2
    Component: Risk Assessment
    6. The organization specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objectives.
    7. The organization identifies risks to achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
    8. The organization considers the potential of fraud in assessing risks to achievement of objectives.
    9. The organization identifies and assesses changes that could significantly impact the system of internal control.
    Component: Control Activities
    10. Selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
    11. Selects and develops general control activities over technology to support the achievement of objectives.
    12. Deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
  • 10. Principles of Internal Controls-3
    Component: Information and Communication
    13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
    14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
    15. The organization communicates to external parties regarding matters affecting the functioning of other components of internal control.
    Component: Monitoring Activities
    16. The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal controls are present and functioning.
    17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
  • 11. Principle Evaluation Template..1
    Principle Evaluation Template — Control Environment
    Columns: Control Environment Principles; Summary of Controls; Deficiencies/Notes/Other Considerations (also record deficiencies in log below)
    1. Demonstrates Commitment to Integrity and Ethical Values—The organization demonstrates a commitment to integrity and ethical values.
      – Sets the Tone at the Top—How do the board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control?
      – Establishes Standards of Conduct—How are the expectations of the board of directors and senior management concerning integrity and ethical values defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners?
      – Evaluates Adherence to Standards of Conduct—What processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct?
      – Addresses Deviations in a Timely Manner—How are deviations of the entity’s expected standards of conduct identified and remedied in a timely and consistent manner?
      – (Other entity specific points of focus, if any)
  • 12. Principle Evaluation Template..2
    Principle Evaluation Template — Control Environment
    Deficiencies Applicable to the Principle
      – Identification No.
      – Internal control deficiency description
      – Possible Impact on Principle
      – Evaluate preliminary deficiency severity: (Consider whether other controls to effect this principle compensate for the internal control deficiency.)
      – List internal control deficiencies related to another principle that may impact this internal control deficiency
      – Present? (Y/N)
      – Functioning? (Y/N)
      – Preliminary Severity—Is internal control deficiency a major deficiency? (Y/N)
      – Comments/Compensating Controls
    Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered within the principle, represent a major deficiency.** <Update Summary of Deficiencies Template as required> <Explanation>
    Evaluate the principle using judgment.** (Y/N, Explanation/Conclusion)
      – Is the principle present?
      – Is the principle functioning?
    * Note: Record deficiencies in Summary of Deficiencies Template.
    ** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning and the overall system of internal control is not effective.
  • 13. Controls Objectives
    Authorization
      – Input: Is the source authorized?
      – Process: Are the procedures approved?
      – Output: What was approved?
    Recording
      – Input: Is it accurate and complete? Is it timely? Is it documented?
      – Process: Who does it? When? Are procedures followed? Is it recoverable? Is management review adequate?
      – Output: Is it accurate and complete? Is there an audit trail? Is management review adequate? Does it balance?
    Safeguarding/Security
      – Input: Who should control? Are duties separated?
      – Process: Who can access it? Are duties separated?
      – Output: Is it confidential? Who should have it?
    Verification
      – Input: Are sources proper?
      – Process: Are procedures followed complete? Are investigation and review of differences adequate?
      – Output: Are differences properly resolved? Is management review adequate?
    Existence/Placement
      – Input: Do policies and procedures define the adequate level of controls?
      – Process: Are there procedures to create a control? Are controls adequate? Are controls placed in the most efficient part of the process?
      – Output: Is the residual risk acceptable according to the company's risk tolerance?
  • 14. Controls Objectives-Payroll - 1
    Authorization
      – Input: Is the source authorized?
      – Questions to be asked: Are the persons sending the inputs for payroll authorized?
    Recording
      – Input: Is it accurate and complete? Is it timely? Is it documented?
      – Questions to be asked: Does the person send correct and complete inputs? Are inputs sent in a timely manner to ensure processing happens as per plan? Is there evidence that inputs have actually been received from the person specified?
    Safeguarding/Security
      – Input: Who should control? Are duties separated?
      – Questions to be asked: Who should receive the inputs? Is the person receiving the inputs the person who processes the payroll?
    Verification
      – Input: Are sources proper?
      – Questions to be asked: How do we know that the person has actually taken information from the correct source?
    Existence/Placement
      – Input: Do policies and procedures define the adequate level of controls?
      – Questions to be asked: Is all this documented? Has the responsibility been documented?
  • 15. Controls Objectives – Payroll -2
    Authorization
      – Process: Are the procedures approved?
      – Questions to be asked: Is the process / method to process payroll approved?
    Recording
      – Process: Who does it? When? Are procedures followed? Is it recoverable? Is management review adequate?
      – Questions to be asked: Can it be established who has actually performed which job? Is there any audit trail which can establish that procedures are actually followed? Is it repeatable? Has someone reviewed the processing, and is there evidence which can confirm that the review has actually been performed?
    Safeguarding/Security
      – Process: Who can access it? Are duties separated?
      – Questions to be asked: Who can access the location / system / office processing the information? Is there SOD in place?
    Verification
      – Process: Are procedures followed complete? Are investigation and review of differences adequate?
      – Questions to be asked: Who verifies that the process has actually been followed? In case any exception has been observed, has it been taken to its logical conclusion, and is that documented?
    Existence/Placement
      – Process: Are there procedures to create a control? Are controls adequate? Are controls placed in the most efficient part of the process?
      – Questions to be asked: Is someone responsible for ensuring that the process has actually been completed as specified? Have any controls been put in place to ensure that the process is happening as specified? Are these adequate? Has the control been put in place to ensure optimum cost and benefit?
  • 16. Controls Objectives – Payroll - 3
    Authorization
      – Output: What was approved?
      – Questions to be asked: Is there evidence that the output of the process is authorized, and can the accountability of the person authorizing be established?
    Recording
      – Output: Is it accurate and complete? Is there an audit trail? Is management review adequate? Does it balance?
      – Questions to be asked: How is it ensured that the output is accurate and complete? Is there an audit trail of the process of ensuring the completeness of the output? Is there adequate management review? Does the output match the input, to ensure that the output is proper?
    Safeguarding/Security
      – Output: Is it confidential? Who should have it?
      – Questions to be asked: Is there any guideline defined regarding who should have access to the output and to what extent?
    Verification
      – Output: Are differences properly resolved? Is management review adequate?
      – Questions to be asked: In case any differences are observed in management review, or a question is raised in review, has it been resolved properly with an audit trail?
    Existence/Placement
      – Output: Is the residual risk acceptable according to the company's risk tolerance?
      – Questions to be asked: What is the risk observed and not (insured/controlled), and is that acceptable to the company? Is there any document evidencing acceptance?
  • 17. Control Types
    • Preventative Controls: are installed to stop undesirable outcomes before they can occur. These types of controls are typically the most cost-effective controls because they avoid the cost of correction. E.g.
      – Segregation of duties to prevent intentional wrongdoing,
      – Proper authorization to prevent improper use of organizational resources,
      – Adequate documentation and records to deter improper transactions,
      – Physical control over assets to prevent their improper conversion or use.
    • Detective Controls: are necessary to measure the effectiveness of the preventive controls. While some errors cannot be effectively controlled through preventative controls, they must be detected as they occur. E.g.
      – Reviews and comparisons of records,
      – Independent check on performance,
      – Bank reconciliations, confirmation of bank balances, cash counts,
      – Computerized techniques such as transaction limits and passwords.
    • Corrective Controls: are necessary, for they correct the identified deficiency and therefore deter it from occurring again. Documentation and reporting systems are developed to identify undesirable outcomes and keep problems under management’s purview until they can be solved or the defect can be corrected.
    Ref: Marks on Governance (http://normanmarks.wordpress.com/) http://www.theiia.org/blogs/marks/index.cfm?postid=396
  • 18. What is CSA?
    Control Self Assessment
    • A set of techniques used to assess risk, control strength, and control weaknesses utilizing a control framework. The 'self' refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors
    • to analyze, within a chosen control framework, the obstacles and strengths which affect their ability to achieve their key business objectives, and
    • to decide upon appropriate action.
  • 19. CSA Rationale
    • Responsibility for controlling risk belongs to management and all employees
    • People are the most important control factor
    • Most employees are honest, competent, and want their organization to succeed
    • People are far more likely to embrace needed changes if they are involved in the assessment process
    • Helps employees understand control
  • 20. When do you want to use CSA?
    • New work processes/projects
    • New organizations
      – to identify the risk exposures and required controls
    • Reorganizations
    • Management / Employee turnover
      – to identify where risks are
      – to create understanding for business objectives
      – to assess how risks are changing
      – to put emphasis on highest priority risks and controls
    • Processes that cross over into other work groups
      – to get to the root cause of problems
      – helps bring groups together
      – participants learn how their activities interrelate
      – collaborative problem solving
  • 21. CSA - GOALS & OBJECTIVES
    • Provide a forum for participants (stakeholders) to:
      – Conduct an assessment of risks and controls.
      – Develop recommendations for improvement.
      – Enhance their ability to achieve objectives.
      – Increase communication with the Unit.
      – Improve the efficiency and effectiveness of operations.
  • 22. Benefits of CSA
    • Honest feedback on control environment communication and monitoring
    • Ability to discuss and explore areas of concern to determine reasons and root causes of concern
    • Ability to obtain an understanding of the degree of concern among participants
    • Development of recommendations by employees in the Unit
    • Buy-in/Ownership of Recommendations
  • 23. COSO Framework - Control Components
    [Figure labels: CONTROL ENVIRONMENT, RISK ASSESSMENT, CONTROL ACTIVITIES, MONITORING; Traditional Auditing/Testing; CSA]
  • 24. Case Study
    • Multinational Organisation
    • Control Catalogue (from Risk Register)
    • Control Categories
    • Use of Excel Template
  • 25. Case Study
    The following are guidelines to help complete the self assessment:
    • Is control relevant? There may be situations where a control is not relevant to a business unit. If this is the case, answer no and provide explanation in the comment field.
    • Is control Implemented? Answer Yes if the control is in place and operational.
    • Is control under implementation? Answer Yes if the control is under implementation but not yet fully operational.
    • Is a plan for implementation prepared? Answer Yes if implementation is not yet commenced but a plan has been developed for implementation.
    • Is the design of the control documented? Answer Yes if you have a description of the control in place (written procedure, process flowchart, etc). The description needs to be sufficiently detailed to continue operating the control if you need to change resources.
    • Is evidence retained? Answer Yes if you retain evidence that control has been performed.
    The following boxes should be completed if the Maturity level for the control is not 5:
    • Gap Analysis / Comment: Document the gap analysis (e.g. determining and documenting the variance between the control requirements and current control in place)
    • Implementation Plan: Document what actions need to be taken to close the gap identified as part of the gap analysis (e.g. what needs to be done to obtain a level 5 maturity)
    • Deadline: When the control is expected to be at a level 5 maturity
    The following box should be completed if the Maturity level for the control is 5:
    • Assurance: What monitoring processes are in place to give management confidence that the control has been implemented? Is the monitoring process documented? What is done if non-compliance is found?
  • 27. My Blogs and Posts
    1. Audit Client Categories
    2. Role of Internal Audit
    3. Value addition by internal audit
    4. Revenue Assurance
    5. Companies Act 2013 and Control Catalogues
    6. Internal Controls in eCommerce Companies
    7. How to create Internal Control Framework for your company
    8. Creating An Internal Audit Plan
    9. Governance for Approval Matrix
    10. Right to Audit
    11. Have you included vendor audit as part of your audit plan?
    Manoj Agarwal
    manojbagarwal@gmail.com
    9820392252
    Linkedin: https://in.linkedin.com/in/manojbagarwal