2. Let's start the day with a quick refresh
Today we have some great speakers who are internal
control experts to provide presentations and answer
your questions on Internal Controls
Let's get the day started with some general concepts
and terminology to remind ourselves of the basics we
already know and use every day.
As public sector managers and employees we are
accountable for the resources entrusted to us and for
ensuring our programs and services are administered
effectively and efficiently
A significant component in fulfilling this responsibility
is ensuring that an adequate system of internal
control exists and work
3. The COSO* Definition of Internal
Internal control is a process, effected by an entity’s
board of directors, management, and other
personnel, designed to provide reasonable
assurance regarding the achievement of objectives
in the following categories:
Effectiveness and efficiency of
Reliability of financial
Compliance with applicable
laws and regulations
4. Simple Definition
• Internal control is what we do
to see that the things we want
to happen will happen …
• And the things we don’t want
to happen won’t happen.
5. Internal Controls Are Common
What do you worry about going
What steps have been
taken to assure it doesn’t?
How do you know things
are under control?
6. Internal Controls are everywhere:
You exercise internal control principles
in your personal life when you:
1. Lock your house when
2. Keep copies of important
papers in your safety deposit box
3. Balance your checkbook
4. Keep your ATM/debit card PIN
number separate from your card
5. Make travel plans
7. • high-level goals
• effective and
8. Business analysis, program design or …
Compliance with applicable laws and
Accomplishment of the entity’s mission
(objectives and goals).
Relevant and reliable financial reporting.
Effective and efficient operations.
Safeguarding of assets.
Can anyone think of
anything in the Public
Service that is not impacted
by internal controls?
9. The big picture
• Internal controls are a key component to Enterprise Risk
“a process, effected by an entity’s board of directors,
management and other personnel, applied in strategy
setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.”
• The Provincial government has embraced a risk based
approach through all aspects of its operations
– Results based plans
– Transfer Payment Accountability Directive
– Quarterly risk reporting
– Certificate of Assurance and Audit
– Accountability and Transparency (Accountability
Directive FAA, FTAA etc.)
10. Weak Internal
Business Interruption - system
breakdowns or catastrophes, excessive
re-work to correct for errors.
Erroneous Management Decisions - based
on erroneous, inadequate or misleading
Fraud, Embezzlement and Theft - by
management, employees, customers,
vendors, or the public-at-large.
Statutory Sanctions - penalties arising
from failure to comply with regulatory
requirements, as well as overt violations.
Excessive Costs/Deficient Revenues -
expenses which could have been avoided,
as well as loss of revenues to which the
organization is entitled.
Loss, Misuse or Destruction of Assets -
unintentional loss of physical assets such
as cash, inventory, and equipment.
11. But too much of a good thing….
When looking at controls
• More is not necessarily better
– Controls that do not work together leaving holes
– Cost of duplicated or inefficient controls.
– Controls that do not align with the importance of the risks
• Complex and poorly implemented
– Not understood or followed
– Inconsistently applied
– Control effectiveness can degrade over time
• No value for money
– Controls cost money
– Duplication of ineffective controls does not provide benefits
12. COSO’S Internal Control Framework…
Five Inter-Related Standards:
13. 1. Control Environment
Foundation for all other standards of
Pervasive influence on all the decisions
and activities of an organization.
Effective organizations set a positive
“tone at the top”.
Factors include the integrity, ethical values
and competence of employees, and,
management’s philosophy & operating
14. Public Service of Ontario Act (PSOA)
The following are the purposes of this Act:
To ensure that the public service of Ontario is effective in serving the public,
the government and the Legislature.
To ensure that the public service of Ontario is non-partisan, professional,
ethical and competent.
To set out roles and responsibilities in the administration of the public
service of Ontario.
To provide a framework in law for the leadership and management of the
public service of Ontario.
To set out rights and duties of public servants concerning ethical conduct.
To set out rights and duties of public servants concerning political activity.
To establish procedures for the disclosure and investigation of wrongdoing in
the public service of Ontario and to protect public servants who disclose
wrongdoing from reprisals.
15. 2. Risk Assessment
Have any of you been
through a risk
assessment with Internal
Audit or an outside
Risks are internal & external
events (economic conditions,
staffing changes, new systems,
regulatory changes, natural
disasters, etc.) that threaten the
accomplishment of objectives.
Risk assessment is the process of
identifying, evaluating, and
deciding how to manage these
events… What is the likelihood of
the event occurring? What would
be the impact if it were to occur?
What can we do to prevent or
reduce the risk?
16. 3. Control Activities
Tools - policies, procedures, processes - designed
and implemented to help ensure that
management directives are carried out.
Help prevent or reduce the risks that can impede
the accomplishment of objectives.
Occur throughout the organization, at all levels,
and in all functions.
Includes training, approvals, authorizations,
verifications, reconciliations, security of assets,
reviews of operating performance, and
segregation of duties.
Types of Controls
17. 4. Communication and Information
Pertinent information must
be captured, identified and
communicated on a timely
Effective information and
communication systems enable
the organization’s people to
exchange the information
needed to conduct, manage, and
control its operations.
18. 5. Monitoring
Internal control systems must be monitored to
assess their effectiveness… Are they operating
Ongoing monitoring is necessary to react
dynamically to changing conditions… Have
controls become outdated, redundant, or
Monitoring occurs in the course of everyday
operations; it includes regular management &
supervisory activities and other actions
personnel take in performing their duties.
Periodic testing can be done by the process
owner, internal audit and external audit
20. Make sense within
Benefit rather than
Are not stand-alone
practices; they are
woven into day-to-
23. 1. Separation of Duties
employees so one
individual doesn’t control all
aspects of a transaction.
Reduce the opportunity for an
employee to commit and conceal
errors (intentional or
unintentional) or perpetrate
24. 2. Documentation
Document & preserve evidence to substantiate:
Critical decisions and significant events...typically
involving the use, commitment, or transfer of resources.
Transactions…enables a transaction to be traced from
its inception to completion.
Policies & Procedures…documents which set forth the
fundamental principles and methods that employees rely
on to do their jobs.