Programs and Training

Fraud Program

Fraud Prevention Training and Resources

Some relevant fraud resources for the internal audit function.

Canadian Anti-Fraud Centre
Alberta Public Sector Whistleblower Protection
ACFE Fraud Resources

Internal Control Program

Internal Controls

As per the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control is defined as "a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives in operations, reporting and compliance."

COSO Framework

An effective internal control system is supported by these five integrated components

  • The organization demonstrates a commitment to integrity and ethical values.
  • The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  • The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  • The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  • The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  • The organization identifies and assesses changes that could significantly affect the system of internal control.
  • The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • The organization selects and develops general control activities over technology to support the achievement of objectives.
  • The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
  • The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  • The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  • The organization communicates with external parties regarding matters affecting the functioning of internal control.
    • The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
    • The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

    Types of Controls

    Controls can be either preventive or detective, both types of controls are essential to an effective internal control system.

    • Preventive controls: Are designed to deter or prevent errors or irregularities from occurring. They are proactive controls that help to ensure departmental or unit objectives are being met. Examples of preventive controls include segregation of duties and pre-approval of transactions.
    • Detective Controls: Are designed to detect errors or irregularities which have already occurred and that they be corrected/addressed. Examples of detective controls include reconciliations and reviews of exception reports.