Internal controls

The purpose of this article is to provide an overview of internal control, with particular emphasis
on topics relevant to Part C of the F1/FAB syllabus. The article will focus on the following
learning objectives, as set out in section C6 of the study guide:

a) Explain internal control and internal check

b) Explain the importance of internal financial controls in an organisation
c) Describe the responsibilities of management for internal financial control.

The article will also describe the roles of internal audit and internal audit testing, relevant to
section C2(e) and (f) of the study guide.

DEFINITION AND PURPOSES OF INTERNAL CONTROL

The Turnbull Report, first published in 1999, defined internal control and its scope as follows:

‘The policies, processes, tasks, behaviours and other aspects of an organisation that taken
together:

Facilitate effective operation by enabling it to respond in an appropriate manner to significant

business, operational, financial, compliance and other risks to achieve its objectives. This
includes safeguarding of assets and ensuring that liabilities are identified and managed.

Ensure the quality of internal and external reporting, which in turn requires the maintenance of
proper records and processes that generate a flow of timely, relevant and reliable information
from both internal and external sources.

Ensure compliance with applicable laws and regulations and also with internal policies.’

Turnbull’s explanation focuses on the positive role that internal control has to play in an
organisation. Facilitating efficient operations implies improvement, and, properly applied,
internal control processes add value to an organisation by considering outcomes against original
plans and then proposing ways in which they might be addressed.

At the same time, Turnbull also conceded that there is no such thing as a perfect internal control
system, as all organisations operate in a dynamic environment: just as some risks recede into
insignificance, new risks will emerge, some of which will be difficult or impossible to anticipate.
The purpose of any control system should therefore be to provide reasonable assurance that the
organisation can meet its objectives.
OBJECTIVES OF INTERNAL CONTROL

Internal control should have the following objectives:

Efficient conduct of business:

Controls should be in place to ensure that processes flow smoothly and operations are free from
disruptions. This mitigates against the risk of inefficiencies and threats to the creation of value in
the organisation.

Safeguarding assets:
Controls should be in place to ensure that assets are deployed for their proper purposes, and are
not vulnerable to misuse or theft. A comprehensive approach to his objective should consider all
assets, including both tangible and intangible assets.

Preventing and detecting fraud and other unlawful acts:

Even small businesses with simple organisation structures may fall victim to these violations, but
as organisations increase in size and complexity, the nature of fraudulent practices becomes more
diverse, and controls must be capable of addressing these.

Completeness and accuracy of financial records:

An organisation cannot produce accurate financial statements if its financial records are
unreliable. Systems should be capable of recording transactions so that the nature of business
transacted is properly reflected in the financial accounts.

Timely preparation of financial statements:

Organisations should be able to fulfil their legal obligations to submit their account, accurately
and on time. They also have a duty to their shareholders to produce meaningful statements.
Internal controls may also be applied to management accounting processes, which are necessary
for effective strategic planning, decision taking and monitoring of organisational performance.

RESPONSIBILITIES FOR INTERNAL CONTROL

In many smaller, unincorporated businesses such as sole traders and unlimited partnerships, the
responsibility for internal controls often lies with the owners themselves. In most cases, the
owners are fully engaged in the business itself, and if employees are engaged, it is usually within
the capability of the owners to remain fully aware of transactions and the overall state of the
business.

As organisations grow, the need for internal controls increases, as the degree of specialisation
increases and it becomes impossible to remain fully aware of what is going on in every part of
the business.

In a limited company, the board of directors is responsible for ensuring that appropriate internal
controls are in place. Their accountability is to the shareholders, as the directors act as their
agents. In turn, the directors may consider it prudent to establish a dedicated internal control
function. The point at which this decision is taken will depend on the extent to which the benefits
of function will outweigh the costs.

The directors must pay due attention to the control environment. If internal controls are to be
effective, it is necessary to create an appropriate culture and embed a commitment to robust
controls throughout the organisation.

GENERIC CONTROL CATEGORIES

Controls and be categorised in many different ways. Figure 1 described five categories that are
often used.

Figure 1: Categories of controls

Internal controls can be:

Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of circumstances. These are
widely used to prevent breached of laws or policy, as well as to minimise risks relating to health
and safety. Voluntary controls are applied according to the judgement of the organisation and its
managers.

Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or judgement of risks in
given circumstances. Non-discretionary controls must be applied.
Manual or automated:
Manual controls are applied by the individual employee whereas automated controls are
programmed into the systems of the organisation. Some systems combine the two: for example,
when deciding on whether a customer should be permitted days on hand for payment, there could
be automated ‘accept’ above a specified credit rating or ‘decline’ or below a specified credit
rating, and an intermediate range in which a manager may be able to override the automated
system.

General controls or application controls:

This classification of controls applies specifically to information systems. General controls help
to ensure the reliability of data generated by systems, helping to ascertain whether systems
operate as intended and output is reliable. Application controls are automated and designed to
ensure the complete and accurate recording of data from input to output.

COMMON CONTROL PROCEDURES

Physical controls:
These controls include restrictions on access to buildings, specified office or factory areas or
equipment, such as turnstiles at the entrance to the premises, swipe cards and passwords. They
also include physical restraints, such as fixing non-current assets to prevent removal.

Authorisation and approval limits:

Many employees must adhere to authorisation limits, and these will usually be specified in the
terms of employment. For example, a junior manager may be permitted to book business flights
up to the value of $500, but for tickets costing more than this, the purchase may have to be
approved by someone more senior.

Segregation of duties:
To minimise the risk of errors and fraud, duties associated with cash handling are often
segregated. For example, in the post room of a company that received cash by post, the employee
recording the cash will be a different person to the one who opens the post. Segregation is also
relevant to other functions. At executive level, it is now best practice to segregate the roles of
chairman and chief executive officer, and as an independent assurance function, internal audit
should be totally segregated from the finance department, with a reporting line direct to the board
of directors or the audit committee.

Management controls:
These controls are operated by managers themselves. An example is variance analysis, through
which a manager may be required as part of their job to consider differences between planned
outcomes and actual performance. Performance management of subordinates is also an integral
part of many managerial positions. Further down the chain of command, supervision controls
are exercised in respect of day-to-day transactions. Organisation controls operate according to
the configuration of the organisation chart and line/staff responsibilities.
Arithmetic and accounting controls:
These controls are in place to ensure accurate recording and processing of transactions.
Procedures here include reconciliations and trial balances.

Human resources controls:

Controls are implemented for all aspects of human resources management. Examples include
qualifications verification, references and criminal record checks on recruits, checks on staff who
have to be attested for competence and training effectiveness.

INTERNAL CHECK

Internal check is a system through which the accounting procedures of an organisation are so laid
out that the accounts procedures are not under the absolute and independent control of any
person. The work of one employee is complementary of that of another, enabling a continuous
audit of the business to be made.

The essential elements of an internal check are:

 checks are implemented on day-to-day transactions

 checks operate continuously as a part of the system
 the work of each person is complementary to the work of another.

By allocating duties in this way, no one person has exclusive control over any transaction.

INTERNAL AUDIT

Definition and purposes of internal audit:

Internal audit may be defined as an independent appraisal function established within an
organisation to examine and evaluate its activities as a service to the organisation.

Internal audit supports management in the effective discharge of their responsibilities. To this
end, internal audit furnishes management with analyses, appraisals, recommendations, counsel
and information concerning the activities reviewed.

OBJECTIVES OF INTERNAL AUDIT

The formal objectives of internal audit may include some or all of the following:

 review of accounting and internal control systems

 examination of financial and operating information
 review of the ‘three E’s (economy, efficiency and effectiveness)
 review of compliance with laws and regulations
 review of arrangements for the safeguarding of assets
 review of implementation of corporate goals and objectives
  identification of significant risks to the organisation, and monitoring risk management
policy and risk management strategies
 special investigations as required.

WHY IS INTERNAL AUDIT NECESSARY?

The importance of internal audit was highlighted by the Turnbull Report. It states that listed
public companies that do not have an internal audit function should review the need to have such
a function at least annually. Turnbull goes on to state that listed public companies that do have an
internal audit function should review the scope, authority and resources of this function at least
annually.

Turnbull suggests that the need for the internal audit function will depend on several factors.
These include:

 the scale, diversity and complexity of the organisation’s activities

 the number of employees – the need for an internal audit function increases as the
number of employees increases, or if employee interrelationships become more complex
 where the benefits of such a function will outweigh the costs of implementation and
operation
 when changes occur over time in the organisation’s structures, reporting processes or
underlying information systems
 the nature of risks, changes to risks and emerging risks
 problems and issues arising with internal control systems, both actual and perceived
 the occurrence of an increasing number of unexplained or unacceptable events.

INTERNAL AUDIT AND INTERNAL CONTROL

Internal audit is an internal but independent assurance function. While internal auditors are
usually employees of the organisation, they should operate independently of management so that
their analyses, judgements and reports are free from bias or undue influence. The head of internal
audit should report to the board of directors, or to the audit committee. Some organisations
reinforce independence by outsourcing the internal audit function to professional external firms.

Internal audit testing is the internal assessment of internal controls and as such is a
management control to ensure compliance and conformity of internal controls to pre-determined
standards.

Key risks:
Internal audit reviews and reports on internal controls in relation to key risks affecting the
organisation. The objective here should be to test the extent to which the controls will control the
risk if it crystallises. The conclusions of these reports should enable management to reconsider
the controls and modify or redesign them if appropriate.
Financial and operating information:
Internal audit may examine this information in order to ensure it is accurate, fit for purpose and
timely. Tests may be applied to determine whether information is correctly measured and
therefore suitable as a basis for informing management and external stakeholders.

Compliance:
Increasingly, organisations have to implement performance standards in relation to compliance.
This may be to satisfy the demands of external regulators, or to operate to pre-determined
internal standards. Internal audit should review operations for compliance with such standards. In
this respect, the work of internal auditors in broadening, as organisations increasingly pursue
compliance not only with industry standards for products and service provision, but also with
criteria relevant to environmental standards.

TYPES OF AUDIT

In the course of their duties, internal auditors may carry out various types of audit. These include
the following:

Operational audits may be concerned with the efficiency of the organisation’s activities. They
consider performance relative to pre-determined criteria.

Systems audits are used to test and evaluate controls as described in the last section. They test
whether the controls can be relied upon to ensure that resources are allocated and managed
effectively. They also test whether the information provided by the organisation’s systems is
accurate. Compliance tests verify whether internal controls are being applied in a proper
manner. Substantive tests verify the accuracy of figures, and can be used to identify errors and
omissions.

A transactions or probity audit is concerned with detecting fraud and other types of criminal or
unlawful behaviour. However, it can also be extended to matters relating to fairness of dealings,
impartiality, accountability and transparency, sometimes considered to be within the scope of
social audit. Generally, social audit may be concerned with any matters relating to governance.