INTERNAL CONTROLS 101
Office of the Provincial
Controller Division
Lets start the day with a quick refresh
 Today we have some great speakers who are internal control experts
to provide presentations and answer your questions on Internal
Controls
 Lets get the day started with some general concepts and terminology
to remind ourselves of the basics we already know and use everyday.
 As public sector managers and employees we are accountable for the
resources entrusted to us and for ensuring our programs and services
are administered effectively and efficiently.
 A significant component in fulfilling this responsibility is ensuring that
an adequate system of internal control exists and work
Office of the Provincial
Controller Division
1
The COSO* Definition of Internal Control
 Internal control is a process, effected by an entity’s board
of directors, management, and other personnel, designed
to provide reasonable assurance regarding the
achievement of objectives in the following categories:



Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
* Committee Of Sponsoring Organizations of the Treadway Commission
Office of the Provincial
Controller Division
2
Simple Definition
 Internal control is what we do to see that the
things we want to happen will happen …
 And the things we don’t want to happen won’t
happen.
Office of the Provincial
Controller Division
3
Internal Controls Are Common Sense
 What do you worry about going wrong?
 What steps have been taken to assure it doesn’t?
 How do you know things are under control?
Office of the Provincial
Controller Division
4
Internal Controls are everywhere:
You exercise internal control principles in your personal life
when you:
 Lock your house when you leave
 Keep copies of important papers in your safety deposit
box
 Balance your checkbook
 Keep your ATM/debit card PIN number separate from your
card
 Make travel plans
Office of the Provincial
Controller Division
5
Objectives of Internal Controls
 Strategic – high-level goals and objectives,
aligned with and supporting the mission.
 Operational – effective and efficient use of
resources.
 Reporting – integrity and reliability of
reporting.
 Compliance – compliance with applicable laws
and regulations.
 Stewardship – protection and conservation of
assets.
Office of the Provincial
Controller Division
6
Business analysis, program design or …
think C.A.R.E.S.
 Compliance with applicable laws and regulations.
 Accomplishment of the entity’s mission (objectives and
goals).
 Relevant and reliable financial reporting.
 Effective and efficient operations.
 Safeguarding of assets.

Can anyone think of anything in the Public Service that is not
impacted by internal controls?
Office of the Provincial
Controller Division
7
The big picture
 Internal controls are a key component to Enterprise Risk Management
(ERM)
“a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within
its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives.”
 The Provincial government has embraced a risk based approach through
all aspects of it’s operations





Results based plans
Transfer Payment Accountability Directive
Quarterly risk reporting
Certificate of Assurance and Audit
Accountability and Transparency (Accountability Directive FAA, FTAA etc.)
Office of the Provincial
Controller Division
8
Weak Internal Controls Increase Risk
Through…






Business Interruption - system breakdowns or catastrophes, excessive
re-work to correct for errors.
Erroneous Management Decisions - based on erroneous, inadequate
or misleading information.
Fraud, Embezzlement and Theft -by management, employees,
customers, vendors, or the public-at-large.
Statutory Sanctions- penalties arising from failure to comply with
regulatory requirements, as well as overt violations.
Excessive Costs/Deficient Revenues - expenses which could have
been avoided, as well as loss of revenues to which the organization is
entitled.
Loss, Misuse or Destruction of Assets -unintentional loss of physical
assets such as cash, inventory, and equipment.
Office of the Provincial
Controller Division
9
But too much of a good thing….
When looking at controls
 More is not necessarily better
 Controls that do not work together leaving holes
 Cost of duplicated or inefficient controls.
 Controls that do not align with the importance of the risks
 Complex and poorly implemented controls
 Not understood or followed
 Inconsistently applied
 Control effectiveness can degrade over time
 No value for money
 Controls cost money
 Duplication of ineffective controls do not provide benefits
Office of the Provincial
Controller Division
10
COSO’S Internal Control Framework…
Five Inter-Related Standards:
Monitoring
Risk
Assessment
Control
Environment
Information &
Communication
Control
Activities
Office of the Provincial
Controller Division
11
1. Control Environment




Foundation for all other standards of internal control.
Pervasive influence on all the decisions and activities of an
organization.
Effective organizations set a positive “tone at the top”.
Factors include the integrity, ethical values and
competence of employees, and, management’s philosophy
& operating style.
Examples of soft controls:
 Management philosophy
 Organizational structure
 Communication
 Competency of employees
Office of the Provincial
Controller Division
12
Public Service of Ontario Act (PSOA)
The following are the purposes of this Act:
1. To ensure that the public service of Ontario is effective in serving the public, the
government and the Legislature.
2. To ensure that the public service of Ontario is non-partisan, professional, ethical and
competent.
3. To set out roles and responsibilities in the administration of the public service of
Ontario.
4. To provide a framework in law for the leadership and management of the public service
of Ontario.
5. To set out rights and duties of public servants concerning ethical conduct.
6. To set out rights and duties of public servants concerning political activity.
7. To establish procedures for the disclosure and investigation of wrongdoing in the public
service of Ontario and to protect public servants who disclose wrongdoing from
reprisals.
Office of the Provincial
Controller Division
13
2. Risk Assessment


Risks are internal & external events (economic conditions,
staffing changes, new systems, regulatory changes,
natural disasters, etc.) that threaten the accomplishment
of objectives.
Risk assessment is the process of identifying, evaluating,
and deciding how to manage these events… What is the
likelihood of the event occurring? What would be the
impact if it were to occur? What can we do to prevent or
reduce the risk?
Have any of you been through a risk assessment with Internal Audit or an
outside party?
Office of the Provincial
Controller Division
14
3. Control Activities





Tools - policies, procedures, processes -designed and
implemented to help ensure that management directives
are carried out.
Help prevent or reduce the risks that can impede the
accomplishment of objectives.
Occur throughout the organization, at all levels, and in all
functions.
Includes training, approvals, authorizations, verifications,
reconciliations, security of assets, reviews of operating
performance, and segregation of duties.
Types of Controls


Preventative
Detective
Office of the Provincial
Controller Division
15
4. Communication and Information


Pertinent information must be captured, identified and
communicated on a timely basis.
Effective information and communication systems enable
the organization’s people to exchange the information
needed to conduct, manage, and control its operations.
Office of the Provincial
Controller Division
16
5. Monitoring


Internal control systems must be monitored to assess
their effectiveness… Are they operating as intended?
Ongoing monitoring is necessary to react dynamically to
changing conditions…Have controls become outdated,
redundant, or obsolete?
Monitoring occurs in the course of everyday operations, it
includes regular management & supervisory activities and
other actions personnel take in performing their duties.
 Periodic testing can be done by the process owner,
internal audit and external audit.

Office of the Provincial
Controller Division
17
Benefits from Strong Internal Controls





Reducing and preventing errors in a costeffective manner.
Ensuring priority issues are identified and
addressed.
Protecting employees & resources.
Providing appropriate checks and balances.
Having more efficient audits, resulting in shorter
timelines, less testing, and fewer demands on
staff.
Office of the Provincial
Controller Division
18
Effective Internal Controls…

Make sense within each organization’s unique
operating environment.

Benefit rather than encumber management.

Are not stand-alone practices; they are woven
into day-to-day responsibilities.

Are cost-effective.
Office of the Provincial
Controller Division
19
Important Concepts…

Internal control is a process;



it is a means to an end, not an end itself.
Internal control is effected by people; it’s not
merely policy manuals and forms but people at
every level of an organization.
Internal control can be expected to only provide
reasonable assurance, not absolute assurance.
Office of the Provincial
Controller Division
20
Five Key Internal Control Activities…
Office of the Provincial
Controller Division
21
1. Separation of Duties


Divide responsibilities between different
employees so one individual doesn’t control all
aspects of a transaction.
Reduce the opportunity for an employee to
commit and conceal errors (intentional or
unintentional) or perpetrate fraud.
Office of the Provincial
Controller Division
22
2. Documentation
Document & preserve evidence to substantiate:
 Critical decisions and significant events...typically
involving the use, commitment, or transfer of
resources.
 Transactions…enables a transaction to be traced
from its inception to completion.
 Policies & Procedures…documents which set forth
the fundamental principles and methods that
employees rely on to do their jobs.
Office of the Provincial
Controller Division
23
3. Authorization & Approvals



Management documents and communicates
which activities require approval, and by whom,
based on the level of risk to the organization.
Ensure that transactions are approved and
executed only by employees acting within the
scope of their authority granted by management.
DOA
Office of the Provincial
Controller Division
24
4. Security of Assets



Secure and restrict access to equipment, cash,
inventory, confidential information, etc. to reduce
the risk of loss or unauthorized use.
Perform periodic physical inventories to verify
existence, quantities, location, condition, and
utilization.
Base the level of security on the vulnerability of
items being secured, the likelihood of loss, and
the potential impact should a loss occur.
Office of the Provincial
Controller Division
25
5. Reconciliation & Review



Examine transactions, information, and events to
verify accuracy, completeness, appropriateness,
and compliance.
Base level of review on materiality, risk, and
overall importance to organization’s objectives.
Ensure frequency is adequate enough to detect
and act upon questionable activities in a timely
manner.
Timing of reconciliations and monitoring
Office of the Provincial
Controller Division
26
Today, tomorrow and the next day
 Think about C.A.R.E.S. when ever you are
providing analysis or developing policies or
implementing programs
 Beware of the pitfalls – more is not always better,
controls must be maintainable
 Think about the things that worry you in your job
and try to think of how internal controls could help
elevate your worry.
Office of the Provincial
Controller Division
27