Internal Control Essentials

Control processes are designed to manage risk and help ensure objectives are achieved. They include establishing standards, measuring performance against standards, examining deviations, taking corrective actions, and reappraising standards based on experience. Internal controls provide reasonable assurance regarding effective and efficient operations, reliable financial reporting, compliance with laws and regulations, and safeguarding of assets. The COSO framework helps organizations design and implement internal controls to address changing business environments.

Uploaded by Mairene Castro
© All Rights Reserved
Control Process

What is control?
Control
Any action taken by management, the board and other parties to manage risk and increase
the likelihood that established objectives and goals will be achieved.
• Directly responsible – guidance, direction, and oversight
• Frontline personnel – minimum of what is expected
• Auditor – evaluate and monitor

Internal Control
A process effected by an entity’s board of directors, management and other personnel, designed
to provide reasonable assurance of the achievement of objectives in the following categories
(the objectives of internal control):
• Effectiveness & efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
• Safeguarding of assets.
• Adherence to managerial policies.

COSO Internal Control – Integrated Framework 2013
• Published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
for determining what constitutes effective internal control.
• Helps organizations design and implement internal control in light of many changes in
business and operating environments, broadens the application of internal control in
addressing operations and reporting objectives, and clarifies the requirements.

Control Process
The policies, procedures and activities that are part of a control framework, designed and
operated to ensure that risks are contained within the level that an organization is willing to
accept (its risk appetite). (COSO Internal Control – Integrated Framework 2013)

Steps in the control process:
1. Establishing standards for the operation to be controlled
2. Measuring performance against the standards
3. Examining and analyzing deviations
4. Taking corrective action
5. Reappraising the standard based on experience

Benefits of Control
• It can HELP:
  – achieve performance & profitability targets
  – prevent loss of resources
  – ensure reliable financial reporting
  – ensure compliance with laws
  – prevent errors and irregularities and, if they occur, help ensure timely detection
  – an entity get to where it wants to go
• It encourages adherence to prescribed policies and procedures
• It can protect employees:
  – by clearly outlining tasks and responsibilities,
  – by providing checks and balances, and
  – from being accused of misappropriations, errors or irregularities.

Limitations of Control
• Reasonable, not absolute
• Affects speed
• Different levels of assurance to objectives
• Human element/weakness
• Collusion/management override
• Cost-benefit Principle
• Uncertain future

Classifications of Control
A. Primary Control
1. Preventive Control
• deter the occurrence of unwanted events
• designed to reduce likelihood
Example
• Storing petty cash in a locked safe and segregating duties
• Authorization credit limit checks
• Restricting user access to IT systems
• Firewall
2. Detective Control
• alert the proper people after an unwanted event; effective when detection
occurs before material harm occurs
• designed to reduce likelihood
Example
• Burglar alarm
• Review of exception reports
3. Corrective Control
• correct the negative effect of unwanted events
• designed to reduce impact
Example
• Disciplinary action
• Bank reconciliation
4. Directive Control
• cause or encourage the occurrence of a desirable event
• designed to reduce both likelihood and impact
Example
• Policies and procedures
• Training sessions
• Job descriptions
B. Secondary Control
1. Compensatory Control
• may reduce risk when the primary controls are ineffective, but do not reduce risk
to an acceptable level
Example
• Supervision
• Monitoring
2. Complementary Control
• work with other controls to reduce risk to an acceptable level
Example
• Segregation of duties between accounting and custody of cash is complemented by
obtaining deposit slips validated by the bank

C. Time-Based Classification
1. Feedback Control (Detective/Corrective Control)
• report information about completed activities; corrective action occurs after
the fact
Example
• Inspection of completed goods
2. Concurrent Control (Preventive Control)
• adjust ongoing processes; real-time controls monitor activities in the present to
prevent them from deviating too far from standards
Example
• Close supervision of production-line workers
3. Feedforward Control (Directive Control)
• anticipate and prevent problems; long-term perspective
Example
• Policies and procedures
D. IT-Based Classification
1. Manual Control
• performed outside of a system
Example:
• Review and sign-off of a cheque
• Bank reconciliation
2. Application Control
• performed automatically by the system
• ensure the completeness and accuracy of transaction processing,
authorization and validity
• configuration settings in a system that can prevent or detect problems
Example:
• Two-factor authentication login on Facebook
• Locking out a user who enters an incorrect password three times
3. IT Dependent Manual Controls
• performed by individuals outside of a system; they rely on a manual process but
differ in that a portion of the control requires system involvement
Example:
• System-generated report listing users that have not accessed a system within
the past 90 days
4. IT General Controls
• refer to the overall information-processing environment
• comprise policy management, logical access, change management,
and physical security
Example:
• Access rights on system resources
• Tracking and documenting that changes are authorized, tested, approved, and
implemented into production
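The two IT-based examples above (an application control that locks an account after three failed attempts, and an IT-dependent manual control built on a system-generated list of users inactive for 90 days) are worked through here as an added illustration. This is example code written for these notes, not code from the original slides; the account store, the sample users and the "as of" date are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 3  # lock-out threshold given in the notes
DORMANT_DAYS = 90        # inactivity window given in the notes


@dataclass
class Account:
    username: str
    password_hash: str            # constructed demo store; a real system uses a slow salted hash
    failed_attempts: int = 0
    locked: bool = False
    last_login: Optional[date] = None


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


class LoginService:
    """Application control: the system itself counts failures and enforces the lock-out."""

    def __init__(self, accounts: List[Account]):
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}

    def attempt(self, username: str, password: str, today: date) -> str:
        acct = self.accounts[username]
        if acct.locked:
            return "locked"                        # no further attempts are evaluated
        if hmac.compare_digest(acct.password_hash, _digest(password)):
            acct.failed_attempts = 0               # a good login resets the counter
            acct.last_login = today
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True                     # third consecutive failure locks the account
            return "locked"
        return "failed"


def dormant_user_report(accounts: List[Account], as_of: date) -> List[str]:
    """IT-dependent manual control: the system produces the list, a reviewer acts on it.
    A user whose last login is exactly 90 days old is still inside the window."""
    cutoff = as_of - timedelta(days=DORMANT_DAYS)
    return sorted(a.username for a in accounts
                  if a.last_login is None or a.last_login < cutoff)


def demo():
    """Constructed scenario: three wrong passwords lock alice; the report flags bob and carol."""
    today = date(2024, 6, 30)
    accounts = [
        Account("alice", _digest("correct-horse"), last_login=date(2024, 6, 1)),
        Account("bob", _digest("battery"), last_login=date(2024, 1, 15)),
        Account("carol", _digest("staple")),       # never logged in
    ]
    svc = LoginService(accounts)
    outcomes = [svc.attempt("alice", "guess", today) for _ in range(3)]
    outcomes.append(svc.attempt("alice", "correct-horse", today))  # right password, still locked
    return outcomes, dormant_user_report(accounts, today)


if __name__ == "__main__":
    print(demo())
```

The difference between the two control types is visible in the code: the lock-out needs no human involvement, whereas the dormant-user list is only a control once someone reviews it and disables or re-certifies the accounts it names.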

Roles and Responsibilities

Board’s Role
• Strategic direction and oversight of Internal Control System
Management’s Role
• Determine the need for controls
• Design suitable controls
• Implement these controls
• Check that these controls are being applied correctly
• Maintain and update the controls

Auditor/Consultant’s Role
• Evaluation of the adequacy and effectiveness of controls in responding to risks within the
organization’s governance, operations, and information systems.
• Assessing those areas that are most at risk in terms of key control objectives.
• Defining and undertaking a program for reviewing high-profile systems that attract the most
risk.
• Reviewing each of these systems by examining and evaluating their associated internal
control system (ICS) to determine the extent to which the five key control objectives are
being met.
• Advising management whether or not controls are operating adequately and effectively
so as to promote the achievement of the system’s/control objectives.
• Recommending any necessary improvements to strengthen controls where appropriate,
while making clear the risks involved in failing to effect these recommended changes.
• Following up audit work so as to discover whether management has actioned agreed
audit recommendations.

Practice Questions
The actions taken to manage risk and increase the likelihood that established objectives and goals
will be achieved are best described as
A. Quality assurance
B. Compliance
C. Control
D. Supervision

Which of the following are most directly designed to ensure that risks are contained?
A. Risk management processes
B. Internal audit activities
C. Control processes
D. Governance processes

Controls should be designed to provide reasonable assurance that
A. Management’s plans have not been circumvented by worker collusion.
B. Organizational objectives will be achieved economically and efficiently.
C. The internal audit activity’s guidance and oversight of management’s performance is
accomplished economically and efficiently.
D. Management’s planning, organizing, and directing processes are properly evaluated

Controls that are designed to provide management with assurance of the realization of specified
minimum gross margins on sales are
A. Preventive controls
B. Detective controls
C. Output controls
D. Directive controls

The requirement that purchases be made from suppliers on an approved vendor list is an example
of a
A. Preventive control
B. Detective control
C. Corrective control
D. Monitoring control

The use of financial statement analysis, quality control procedures, and employee performance
evaluations are all examples of
A. Feedback controls
B. Preliminary controls
C. Concurrent controls
D. Feedforward controls
TOOLS ON EVALUATING CONTROLS
Controls Definition
Any action taken by management, the board, and other parties to manage risk and
increase the likelihood that established objectives and goals will be achieved.

Controls must be:
A. Adequate
• Planned
• Organized
• Designed
B. Effective
• Directing
• Executing
• Implementing
C. Efficient
• Less cost and effort
• May mitigate multiple risks

Heat Map
• A visualization tool to help organize, define, and quickly communicate key risks.
• An indispensable tool in any risk management toolbox that can help cut through the
complexity.
• Risk heat maps are a common part of an ERM approach to risk management.
• COSO promotes the use of a risk matrix or heat map to focus management’s attention
on the most important threats and opportunities and to lay the groundwork for risk
responses.
• A two-dimensional representation of data in which values are typically represented by
colors (often red, green, and yellow); heat maps can range in complexity from simple (for
example, showing qualitative risks only) to more complex (including qualitative and
quantitative risks).
• In the risk assessment process, visualization of risks using a heat map presents a concise,
big-picture view of the full risk landscape to discuss while making decisions about the
likelihood and impact of risks within the company.
According to Norman Marks, risk expert:
• “a heat map can be an important tool to communicate risk within an organization.”
• “A heat map is very effective in communicating which risks rate highest when you
consider their potential impact and the likelihood of that impact.”

Heat Map Illustration

It’s important for the organization to create a common language around discussions of risk.
Terms like “potential impact” and “likelihood” need to be defined and used throughout
the organization and in the design of the heat map so that everyone is on the same page
in discussions of risk.
It also requires a common understanding of the risk appetite of the organization.
Organizations use a variety of ways to identify entity-wide risks, including:
• Surveys
• Workshops
• Interviews
• Risk factors in financial reports
A typical risk heat map will show risks plotted on a graph with:
• “potential impact” on the vertical axis at left. It contains a minimum of three categories,
as follows:
a. High
b. Medium
c. Low
• “likelihood” plotted on the horizontal axis along the bottom. It contains a minimum of
three categories, as follows:
a. Low
b. Moderate
c. High

Eight Steps in Creating a Risk Heat Map

1. Define the scope
• Decide on the scope of the map you want to create.
• It can be a simple 3×3 matrix with three colors for high, medium, and low, or it can
be a complex affair with layers based on types of risk, several categories on each
axis, multiple shades depending on risk scores, lines that follow how risks have
changed over time, and more.
2. Create a common language
• Terms like “likelihood,” “impact,” and “onset speed” need to be defined and used
in the same way throughout the organization.
• It’s also a good idea to give the rankings along the axes quantitative ranks, such as
percentage ranges or scale ratings, such as 1 out of 5 for “low.”
3. Gather the necessary data
• A risk heat map should be built after a solid risk assessment process is completed,
so the data should be there already.
• You may be consolidating data from several departments or functions, in which
case you need to ensure that the assessments were done in the same way and
that duplication is eliminated.
4. Score the risks
• Score on likelihood, impact, and other factors you want on the map, according to
the agreed scope.
• It’s important that process owners and those that “own the risk” drive the risk
scoring process, since they are closest to it, with help from the second and third
lines of defense.
5. Plot the points and create the map
• The actual mapping of risks is fairly easy, once the data is gathered and consensus
is achieved on scores.
• Use a simple application, such as Excel, at first and for simple maps.
6. Assess the relative placement of individual risks
• Check whether a risk that is clearly more severe in terms of impact and has a higher
likelihood has somehow landed in a “safer” quadrant than a far more benign risk.
7. Gather feedback
• The feedback and consensus process starts again with the whole map in view, and
adjustments are made to fix outliers and errors and in light of the relative scores of
each risk.
8. Refine and update the map
• Use the feedback to make adjustments to the map, and then create the process
for updating the map and ensuring that it is a living document.
• It can be an annual process to coincide with the risk assessment that is completed as
part of the audit planning stage.
• It can also be updated on a quarterly, monthly, or more frequent basis.
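Steps 1 through 6 above can be carried out on a small, concrete data set, which is what the following added example does; it is written for these notes and is not part of the original slides. The quantitative bands behind each axis label (step 2), the 3×3 colour rule (step 1) and the four sample risks (step 3) are all constructed assumptions; an organization would define its own. The step 6 check is generalised slightly: rather than eyeballing one pair of risks, the code verifies that the whole rating rule never places a cell that is at least as bad on both axes in a "safer" colour than a more benign cell.

```python
from typing import Dict, List, Tuple

# Step 2, common language: constructed quantitative bands behind each axis label.
# Likelihood is the probability of the event within one year; impact is the estimated
# loss in currency units. Bands are [lo, hi); the top band also accepts its upper edge.
LIKELIHOOD_BANDS = [("Low", 0.0, 0.2), ("Moderate", 0.2, 0.6), ("High", 0.6, 1.0)]
IMPACT_BANDS = [("Low", 0, 50_000), ("Medium", 50_000, 500_000), ("High", 500_000, float("inf"))]

LIKELIHOOD_ORDER = ["Low", "Moderate", "High"]   # horizontal axis, left to right (as in the notes)
IMPACT_ORDER = ["Low", "Medium", "High"]         # vertical axis, bottom to top (as in the notes)
COLOUR_RANK = {"green": 0, "yellow": 1, "red": 2}

# Step 1, scope: a simple 3x3 map with three colours. RATING[impact][likelihood] is a
# constructed rating rule.
RATING = {
    "High":   {"Low": "yellow", "Moderate": "red",    "High": "red"},
    "Medium": {"Low": "green",  "Moderate": "yellow", "High": "red"},
    "Low":    {"Low": "green",  "Moderate": "green",  "High": "yellow"},
}

# Step 3: constructed output of a risk assessment (name, annual probability, loss estimate).
SAMPLE_RISKS = [
    ("Ransomware on file servers", 0.35, 800_000),
    ("Expense claim fraud", 0.70, 20_000),
    ("Flooding of the office", 0.05, 300_000),
    ("Duplicate vendor invoice paid", 0.25, 30_000),
]


def band_label(value: float, bands) -> str:
    """Map a number onto its axis category using the agreed bands."""
    for label, lo, hi in bands:
        if lo <= value < hi:
            return label
    label, _, hi = bands[-1]
    if value == hi:                      # e.g. a probability of exactly 1.0
        return label
    raise ValueError(f"{value} is outside the defined bands")


def score_risk(probability: float, loss: float) -> Tuple[str, str, str]:
    """Step 4: score likelihood and impact, then look up the cell colour."""
    likelihood = band_label(probability, LIKELIHOOD_BANDS)
    impact = band_label(loss, IMPACT_BANDS)
    return likelihood, impact, RATING[impact][likelihood]


def build_heat_map(risks) -> Dict[Tuple[str, str], List[str]]:
    """Step 5: plot every risk into its (impact, likelihood) cell."""
    cells = {(i, l): [] for i in IMPACT_ORDER for l in LIKELIHOOD_ORDER}
    for name, probability, loss in risks:
        likelihood, impact, _ = score_risk(probability, loss)
        cells[(impact, likelihood)].append(name)
    return cells


def check_rating_monotone(rating) -> List[Tuple[Tuple[str, str], Tuple[str, str]]]:
    """Step 6 check: a cell at least as severe on both axes must never be rated safer than a
    more benign cell. Returns the offending (worse, safer) cell pairs; empty means consistent."""
    cells = [(i, l) for i in IMPACT_ORDER for l in LIKELIHOOD_ORDER]
    violations = []
    for worse in cells:
        for benign in cells:
            if worse == benign:
                continue
            dominates = (IMPACT_ORDER.index(worse[0]) >= IMPACT_ORDER.index(benign[0])
                         and LIKELIHOOD_ORDER.index(worse[1]) >= LIKELIHOOD_ORDER.index(benign[1]))
            if dominates and COLOUR_RANK[rating[worse[0]][worse[1]]] < COLOUR_RANK[rating[benign[0]][benign[1]]]:
                violations.append((worse, benign))
    return violations


def with_cell(rating, impact: str, likelihood: str, colour: str):
    """Copy of a rating table with one cell changed (used to show the step 6 check firing)."""
    copy = {i: dict(row) for i, row in rating.items()}
    copy[impact][likelihood] = colour
    return copy


def render(cells) -> str:
    """Text rendering: impact rows top to bottom, likelihood columns left to right."""
    lines = []
    for impact in reversed(IMPACT_ORDER):
        row = [f"{RATING[impact][l]:6}({len(cells[(impact, l)])})" for l in LIKELIHOOD_ORDER]
        lines.append(f"{impact:6} | " + "  ".join(row))
    lines.append("         " + "  ".join(f"{l:9}" for l in LIKELIHOOD_ORDER))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_heat_map(SAMPLE_RISKS)))
    print("rating rule violations:", check_rating_monotone(RATING))
```

Keeping the bands and the colour rule as data rather than hard-coding them in the scoring function is what makes the "common language" of step 2 enforceable: every department that feeds risks into the map is scored by the same thresholds, and steps 7 and 8 become edits to those tables rather than to the scoring logic.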

Risk and Control Matrix

• A powerful tool that can help an organization identify, rank, and implement control measures
to mitigate risks.
• A repository of risks that pose a threat to an organization’s operations, as well as the controls
in place to mitigate those risks.
• The RACM serves as a snapshot of an organization’s risk profile, measuring the organization’s
risks against the formalized actions taken to prevent negative events from occurring.
• A tool for matching risks and controls:
  – Assessing likelihood and impact of risks
  – Assessing adequacy of controls (Test of Design)
  – Specifying controls that have to be tested (Test of Control)
Use of the Control Matrix
Controls do not necessarily match risks one to one: certain controls may address more than
one risk, and more than one control may be needed to adequately address a single risk.
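The many-to-many point just made, together with the three uses of the matrix (matching risks to controls, recording the test of design, and selecting controls for the test of control), is shown below as an added example written for these notes; it is not code from the original slides. The risk register, the control list, their ratings and the test-of-design outcomes are all constructed, and the rule used to pick controls for testing (adequately designed controls that map to a red or yellow risk) is an assumption, not a rule stated on the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    rating: str             # heat map colour from the risk assessment: red / yellow / green


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    control_type: str       # preventive / detective / corrective / directive, as classified above
    design_adequate: bool   # outcome of the test of design


# Constructed register and matrix. Each RACM row links one risk to one control, so a
# control that mitigates several risks appears on several rows, and so does a risk that
# needs several controls.
RISKS = [
    Risk("R1", "Unauthorised payments to fictitious vendors", "red"),
    Risk("R2", "Duplicate payment of a vendor invoice", "yellow"),
    Risk("R3", "Loss of petty cash", "green"),
    Risk("R4", "Unsupported journal entries", "yellow"),
]
CONTROLS = [
    Control("C1", "Approved vendor list enforced in the purchasing system", "preventive", True),
    Control("C2", "Monthly bank reconciliation reviewed by the controller", "detective", True),
    Control("C3", "Petty cash kept in a locked safe", "preventive", True),
    Control("C4", "Exception report of duplicate invoice numbers", "detective", False),
]
RACM = [("R1", "C1"), ("R1", "C2"), ("R2", "C4"), ("R3", "C3"), ("R4", "C2")]


def controls_for_risks(racm) -> Dict[str, List[str]]:
    """risk id -> control ids (one risk, possibly several controls)."""
    mapping = defaultdict(list)
    for risk_id, control_id in racm:
        mapping[risk_id].append(control_id)
    return dict(mapping)


def risks_for_controls(racm) -> Dict[str, List[str]]:
    """control id -> risk ids (one control, possibly several risks)."""
    mapping = defaultdict(list)
    for risk_id, control_id in racm:
        mapping[control_id].append(risk_id)
    return dict(mapping)


def unmitigated_risks(risks, controls, racm) -> List[str]:
    """Test of design view: risks with no control, or whose only controls failed the test of design."""
    adequate = {c.control_id for c in controls if c.design_adequate}
    cover = controls_for_risks(racm)
    return [r.risk_id for r in risks
            if not any(c in adequate for c in cover.get(r.risk_id, []))]


def controls_to_test(risks, controls, racm, ratings=("red", "yellow")) -> List[str]:
    """Test of control scope (assumed rule): adequately designed controls that map to at
    least one risk rated in `ratings`. Controls that failed the design test are not tested
    for operating effectiveness, since a badly designed control cannot be relied on."""
    key_risks = {r.risk_id for r in risks if r.rating in ratings}
    by_control = risks_for_controls(racm)
    return sorted(c.control_id for c in controls
                  if c.design_adequate and key_risks & set(by_control.get(c.control_id, [])))


def shared_controls(racm) -> Dict[str, List[str]]:
    """Controls that address more than one risk (the many-to-one case from the notes)."""
    return {c: r for c, r in risks_for_controls(racm).items() if len(r) > 1}


if __name__ == "__main__":
    print("risks without an adequately designed control:", unmitigated_risks(RISKS, CONTROLS, RACM))
    print("controls selected for the test of control:", controls_to_test(RISKS, CONTROLS, RACM))
    print("controls covering several risks:", shared_controls(RACM))
```

In the constructed data, R2 is the interesting row: it has a control on paper, but because that control failed the test of design the matrix still reports the risk as unmitigated, which is exactly the gap a snapshot of "risks against formalized actions" is meant to expose.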
