The document provides an overview of internal control and control self-assessment. It defines internal control and control self-assessment and discusses the rationale, goals, benefits and case study of control self-assessment. It outlines the COSO internal control framework components of control environment, risk assessment, control activities, monitoring and traditional auditing vs control self-assessment. The presentation also discusses control types, principles of internal control and evaluating controls objectives. It provides a sample control self-assessment template and case study.
2. Disclaimer
• All the contents of the presentation constitute the opinion of
the speaker, and the speaker alone; they do not represent the
views and opinions of the speaker’s employers, supervisors,
nor do they represent the view of organizations, businesses or
institutions the speaker is, or has been a part of.
2
4. Definitions
Internal Auditing definition states the fundamental purpose, nature, and
scope of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes
4
Internal control is defined by COSO (www.coso.org) as follows:
Internal control is a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting, and
compliance.
5. Internal Control
On paraphrasing definition of Internal control, we get:
1. Geared to the achievement of objectives in one or more separate but
overlapping categories
2. A process consisting of ongoing tasks and activities—it is a means to an
end, not an end in itself.
3. Effected by people - it is not merely about policy and procedure manuals,
systems, and forms, but about people and the actions they take at every
level of an organization to effect internal control.
4. Able to provide reasonable assurance, not absolute assurance, to an
entity’s senior management and board of directors.
5. Adaptable to the entity structure - flexible in application for the entire
entity or for a particular subsidiary, division, operating unit, or business
process
5
6. COSO Internal Control Framework
• Objectives of Internal Control
– Operational Objectives - Effectiveness and efficiency of operations
– Reporting Objective - Reliability of reporting
– Compliance Objectives - Compliance with applicable laws and regulations
• Process
– Policies (Management Statement what should be done)
– Procedures (Actions that implement policies)
• Process is managed through Planning, Executing (doing), Checking,
amending (Planning Do Check Act)
6
PDCA 5 Components of Internal Control
Plan Control Environment
Risk Assessment
Do Control Activities
Check Information &Communication
Act Monitoring Activities
8. Principles of Internal Controls-1
Components Principles
Control
environment
1. The organization demonstrates a commitment to integrity and ethical
values.
2. The board of directors demonstrates independence of management
and exercises oversight for the development and performance of
internal control
3. Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit of
objectives.
4. The Organization demonstrates a commitment to attract, develop, and
retain competent individual in alignment with objectives.
5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
8
9. Principles of Internal Controls-2
Components Principles
Risk
Assessment
6. The organization specifies objectives with sufficient clarity to enable
identification and assessment of risks relating to objectives
7. The organization identifies risks to achievement of its objectives across
the entity and analyses risks as a basis for determining how the risks
should be managed.
8. The organization considers the potential of fraud in assessing risks to
achievement of objectives.
9. The organization identifies and assesses changes that could significantly
impact the system of internal control.
Control
Activities
10.Select and develops control activities that contribute to the mitigation
of risks to the achievement of objectives to acceptable levels.
11.Select and develops general control activities over technology to
support the achievement of objectives.
12.Deploy control activities as manifested in policies that establish what is
expected and in relevant procedures to effect the policies.
9
10. Principles of Internal Controls-3
Components Principles
Information and
Communication
13.The organization obtains or generates and uses relevant, quality
information to support the functioning of other components of
internal control
14.The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to
support the functioning of other component of internal control.
15.The organization communicates to external parties regarding
matters affecting the functioning of other components of internal
control
Monitoring
Activities
16.The organization selects, develops and performs ongoing and/or
separate evaluations to ascertain whether the components of
internal controls are present and functioning.
17.The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for
taking corrective action, including senior management and the board
of directors, as appropriate.
10
11. Principle Evaluation Template..1
11
Principle Evaluation Template — Control Environnent
Control Environment Principles Summary of
Controls
Deficiencies/Notes/Other
Considerations
(also record deficiencies in log
below)
1. Demonstrates Commitment to Integrity and Ethical Values—The organization demonstrates a commitment to integrity and ethical values.
Sets the Tone at the Top—How do the board of directors and management at all levels
of the entity demonstrate through their directives, actions, and behavior the importance
of integrity and ethical values to support the functioning of the system of internal
control?
Establishes Standards of Conduct—How are the expectations of the board of directors
and senior management concerning integrity and ethical values defined in the entity’s
standards of conduct and understood at all levels of the organization and by outsourced
service providers and business partners?
Evaluates Adherence to Standards of Conduct— What processes are in place to evaluate
the performance of individuals and teams against the entity’s expected standards of
conduct?
Addresses Deviations in a Timely Manner—How are deviations of the entity’s expected
standards of conduct identified and remedied in a timely and consistent manner?
(Other entity specific points of focus, if any)
12. Principle Evaluation Template..2
12
Principle Evaluation Template — Control Environnent
Deficiencies Applicable to the Principle
Identificat
ion No.
Internal control deficiency
description
Possible Impact on
Principle
Evaluate preliminary deficiency
severity:
(Consider whether other controls to
effect this principle compensate for the
internal control deficiency.)
List internal control
deficiencies related to
another principle that
may impact this
internal
control deficiency
Present?
(Y/N)
Functionin
g?
(Y/N)
Preliminary
Severity—
Is internal control
deficiency a major
deficiency? (Y/N)
Comments/
Compensating
Controls
Evaluate deficiencies within the principle:*
Evaluate if any internal control deficiencies or
combination of internal control deficiencies,
when considered within the principle,
represent a major deficiency.**
<Update Summary of Deficiencies Template as
required>
<Explanation>
Evaluate the principle using judgment.** Y/N Explanation/Conclusion
Is the principle present?
Is the principle functioning?
* Note: Record deficiencies in Summary of Deficiencies Template.
** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning
and the overall system of internal control is not effective.
13. Controls Objectives
Objectives Input Process Output
Authorization Is the source authorized? Are the procedures approved? What was approved?
Recording Is it accurate and
complete?
Is it timely?
Is it documented?
Who does it?
When?
Are procedures followed?
Is it recoverable?
Is management review adequate?
Is it accurate and complete?
Is there an audit trail?
Is management review adequate?
Does it balance?
Safeguarding/
Security
Who should control?
Are duties separated?
Who can access it?
Are duties separated?
Is it confidential?
Who should have it?
Verification Are sources proper? Are procedures followed complete?
Are investigation and review of
differences adequate?
Are differences properly
resolved?
Is management review adequate?
Existence/
Placement
Do policies and
procedures define the
adequate level of
controls?
Are there procedures to create a
control?
Are controls adequate?
Are controls placed in the most
efficient part of the process?
Is the residual risk acceptable
according to the company's risk
tolerance?
13
14. Controls Objectives-Payroll - 1
Objectives Input Questions to be asked
Authorization Is the source authorized? Is the persons sending the inputs for payroll are authorized
Recording Is it accurate and
complete?
Is person sends the correct and Complete Inputs?
Is it timely? Is inputs are send in a timely manner to ensure processing happens as per
plan?
Is it documented? Is there is evidence that inputs have been actually received from person
specified?
Safeguarding/
Security
Who should control? Who should receive the inputs?
Are duties separated? Is the person receiving the inputs is the person who process the payroll?
Verification Are sources proper? How does we know that the person has actually taken information from
correct source?
Existence/
Placement
Do policies and
procedures define the
adequate level of
controls?
Does all this is documented? Does the responsibility has been
documented?
14
15. Controls Objectives – Payroll -2
Objectives Process Question to be asked
Authorization Are the procedures approved? Is the process / method to process payroll is approved?
Recording Who does it? Does it can be established who has actually performed which job?
When? Is there any audit trail which can establish that procedures are actually
followed?
Are procedures followed?
Is it recoverable?
Is it repeatable?
Is management review adequate? Does some one has review the processing and is there an evidence
which can confirm that review has been actually been performed?
Safeguarding/
Security
Who can access it? Who can access the location/ system/ office processing the
information?
Are duties separated? Is there SOD in place?
Verification Are procedures followed
complete?
Who verify that the process has been actually been followed?
Are investigation and review of
differences adequate?
In case of any exception has been observed , then whether the same
has been taken to its logical conclusion and the same is documented.
Existence/
Placement
Are there procedures to create a
control?
Is someone is responsible to ensure that process has been actually
completed as specified?
Are controls adequate? Is any controls have been put in place to ensure that process is
happening as specified?
Are these adequate?
Are controls placed in the most
efficient part of the process?
Is control has been put in place to ensure optimum cost and benefit?
15
16. Controls Objectives – Payroll - 3
Objectives Output Question to be asked
Authorization What was approved? Is there an evidence that output of the process is authorized and
accountability of person authorizing can be established?
Recording Is it accurate and
complete?
How is it ensures that output is accurate and complete?
Is there an audit trail? Is there an audit trail of process of ensuring the completeness of output?
Is management review
adequate?
Is there adequate management review?
Does it balance? Does output matches with input to ensure that output is proper?
Safeguarding/
Security
Is it confidential?
Who should have it?
Is there any guideline defined regarding who should have access the
output and to what extent?
Verification Are differences properly
resolved?
Is management review
adequate?
In case of any differences observed in management review or a question
raised in review, the same has been resolved properly with audit trail?
Existence/
Placement
Is the residual risk
acceptable according to
the company's risk
tolerance?
What is the risk observed and not (insured/controlled) and is that
acceptable to company? Is there any document evidencing acceptance?
16
17. Control Types
• Preventative Controls: are installed to stop
undesirable outcomes before they can occur. These
types of controls are typically the most cost-effective
controls because they avoid the cost of
correction. E.g.
• Detective Controls: are necessary to measure the
effectiveness of the preventive controls. While some
errors cannot be effectively controlled through
preventative controls, they must be detected as they
occur. E.g.
• Corrective Controls: are necessary, for they correct
the identified deficiency and therefore deter it from
occurring again. Documentation and reporting
systems are developed to identify undesirable
outcomes and keep problems under management’s
purview until they can be solved or the defect can be
corrected.
17
• Segregation of duties to prevent
intentional wrongdoing,
• Proper authorization to prevent
improper use of organizational
resources,
• Adequate documentation and
records to deter improper
transactions,
• Physical control over assets to
prevent their improper
conversion or use.
• Reviews and comparisons of
records,
• Independent check on
performance,
• Bank reconciliations,
confirmation of bank
balances, cash counts,
• Computerized techniques
such as transaction limits and
passwords.
Ref: Marks on Governance (http://normanmarks.wordpress.com/)
http://www.theiia.org/blogs/marks/index.cfm?postid=396
18. What is CSA?
Control Self Assessment
• A set of techniques used to assess risk, control strength,
and control weaknesses utilizing a control framework.
The 'self' refers to the involvement of management and staff
in the assessment process often facilitated by internal
auditors
• to analyze, within a chosen control framework, the obstacles
and strengths which affect their ability to achieve their key
business objectives, and
• to decide upon appropriate action.
18
19. CSA Rationale
• Responsibility for controlling risk belongs to management and
all employees
• People are the most important control factor
• Most employees are honest, competent, and want their
organization to succeed
• People are far more likely to embrace needed changes if they
are involved
in the assessment process
• Helps employees understand control
19
20. When do you want to use CSA?
• New work processes/projects
• New organizations
– to identify the risk exposures and required controls
• Reorganizations
• Management / Employee turnover
– to identify where risks are
– to create understanding for business objectives
– to assess how risks are changing
– to put emphasis on highest priority
risks and controls
• Processes that cross over into other work groups
– to get to the root cause of problems
– helps bring groups together
– participants learn how their activities interrelate
– collaborative problem solving
20
21. CSA - GOALS & OBJECTIVES
• Provide a forum for participants (stakeholders) to:
– Conduct an assessment of risks and controls.
– Develop recommendations for improvement.
– Enhance their ability to achieve objectives.
– Increase communication with the Unit.
– Improve the efficiency and effectiveness of operations.
21
22. Benefits of CSA
• Honest feedback on control environment communication and
monitoring
• Ability to discuss and explore areas of concern to determine
reasons and root causes of concern
• Ability to obtain an understanding of the degree of concern
among participants
• Development of recommendations by employees in the Unit
• Buy-in/Ownership of Recommendations
22
23. COSO Framework - Control Components
23
CONTROL ENVIRONMENT
RISK ASSESSMENT
CONTROL ACTIVITIES
MONITORING
Traditional
Auditing/Testing
CSA
24. Case Study
• Multinational Organisation
• Control Catalogue (from Risk Register)
• Control Categories
• Use of Excel Template
24
25. Case Study
25
The following are guidelines to help complete the self assessment:
Is control relevant? There may be situations where a control is not relevant to a business unit. If this is the
case, answer no and provide explanation in the comment field.
Is control Implemented? Answer Yes if the control is in place and operational.
Is control under
implementation?
Answer Yes if the control is under implementation but not yet fully operational.
Is a plan for
implementation prepared?
Answer Yes if implementation is not yet commenced but a plan has been developed for
implementation.
Is the design of the control
documented?
Answer Yes if you have a description of the control in place (written procedure, process
flowchart, etc). The description needs to be sufficiently detailed to continue operating the
control if you need to change resources.
Is evidence retained? Answer Yes if you retain evidence that control has been performed.
The following boxes should be completed if the Maturity level for the control is not 5:
Gap Analysis / Comment Document the gap analysis (e.g. determining and documenting the variance between the
control requirements and current control in place)
Implementation Plan Document what actions need to be taken to close the gap identified as part of the gap
analysis (e.g. what needs to be done to obtain a level 5 maturity)
Deadline When the control is expected to be at a level 5 maturity
The following box should be completed if the Maturity level for the control is 5:
Assurance What monitoring processes are in place to give management confidence that the control
has been implemented? Is the monitoring process documented? What is done if non-
compliance is found?
27. My Blogs and Posts
1. Audit Client Categories
2. Role of Internal Audit
3. Value addition by internal audit
4. Revenue Assurance
5. Companies Act 2013 and Control Catalogues
6. Internal Controls in eCommerce Companies
7. How to create Internal Control Framework for your company
8. Creating An Internal Audit Plan
9. Governance for Approval Matrix
10. Right to Audit
11. Have you included vendor audit as part of your audit plan?
Manoj Agarwal
manojbagarwal@gmail.com
9820392252
Linkedin: https://in.linkedin.com/in/manojbagarwal