Internal control systems

Learning outcomes
2.1 Internal controls
Learners need to understand:
2.1.1 the purpose of internal controls:
– facilitate operations
– safeguard assets
– prevent and detect fraud
– ensure quality of internal and external reporting
– compliance
2.1.2 the types of internal controls used in different parts of the accounting function:
– segregation of duties
– organisational controls
– authorisation and approval
– physical controls
– supervision
– personnel
– arithmetical and accounting
– management
2.1.3 how different types of internal controls suit different types of organisations:
– size (small, medium, large)
– nature (cash-based, credit based, online).
Learners need to be able to:
2.1.4 assess how a strong system of internal controls can minimise the risk of loss to an
organisation
2.1.5 assess how a strong system of internal controls can ensure ethical standards in an
organisation.

2.2 Prevent and detect fraud and systemic weaknesses

Learners need to understand:
2.2.1 the common types of fraud within a business:
– misappropriation of funds (monetary, inventory)
– misstatement of financial statements (singularity, over time)
2.2.2 systemic weaknesses and their causes:
– lack of controls
– poor implementation controls
– lack of monitoring
– lack of leadership

TT2022

BPP Tutor Toolkit copy

 2.2.3 implications for an organisation if fraud occurs:
– financial
– non-financial
2.2.4 the role of internal controls in:
– preventing fraud and errors
– detecting fraud and errors.
Learners need to be able to:
2.2.5 identify the circumstances when fraud may occur
2.2.6 evaluate the impact of fraud on an organisation:
– financial
– non-financial
2.2.7 assess how internal controls can be used in preventing and detecting fraud
2.2.8 make suggestions for internal controls to prevent and detect fraud
2.2.9 assess the cause of systemic weaknesses in internal control systems.

Assessment/Chapter context
The topics covered in this chapter will be included within a number of tasks in the Internal
Accounting Systems and Controls unit assessment.

Qualification context
The operation of the bookkeeping controls discussed in this chapter is covered at both Level 2 and
Level 3.

Business context
The system of internal controls is designed to ensure the company does not fall prey to fraud,
error or misstatement of its financial statements. This ensures that the company can operate
effectively. The different types of controls within an organisation are identified and explanations
as to why they would be important for an accounting system. These are then reviewed in terms of
the sales, purchases (including non-current assets) and payroll systems, with activity practice
using the CCC scenario.

TT2022

32
BPP Tutor Toolkit copy
 Chapter overview
Internal control systems
Control Type of control
environment activities
 SPAMSOAP
 IT controls
Ethical behaviour  Misappropriation
 Misstatement of
Preventing fraud Detecting fraud
 Sales system  Fraud matrix
 Purchases system  Key performance
 Payroll system indicators
 Ratios
Financial
TT2022
BPP Tutor Toolkit copy
Fraud System of
internal controls
What is fraud?  Internal controls
 Control environment
 Types of control
of assets activities
– SPAMSOAP
financial  Security of the
statements accounting system
– limiting access
– preventing errors
Impact of fraud  Internal control systems
for different types of
organisatinos
– company size
– cash or credit-based
– online
 Ethical behaviour within
an organisation
– fundamental
Non-financial principles of
professional ethics
– ethical risks to the
system
 Fraud
– misappropriation of
assets
– misstatement of
financial statements
 Impact of faud
– financial
– reputation
– employee morale
 Controls to prevent
fraud and systemic
weaknesses
– sales system fraud
– purchases system
fraud
 Detecting fraud
2: Internal control systems 33
 Introduction
In this chapter we look at the purpose and type of internal controls commonly found in an
organisation.
A strong system of internal controls minimises financial loss within an organisation and can
ensure that ethical standards are maintained.
Weak controls are one of the reasons that fraud may occur within an organisation. We will look at
the common types of fraud and the implications of fraud within an organisation.
Organisations need to have good internal controls to prevent fraud taking place, with particular
focus on the importance of the segregation of duties within the accounting function.
Accounting systems are at risk of specific frauds, namely payroll fraud, payables ledger fraud
and receivables ledger fraud. We will look at the controls that should be in place to prevent these.

1 Internal controls
Internal controls are policies and procedures that address the risk that the aims and objectives
of the company will not be met.
The purpose of internal controls is to:
 facilitate operations
 safeguard assets
 prevent and detect fraud
 ensure quality of internal and external reporting
 compliance
Internal controls work alongside the control environment to create the overall control framework.
This is known as the system of internal controls and is the combination of:
 the control environment;
 the entity’s risk assessment process;
 the entity’s process to monitor the system of internal control;
 the information system and communication; and
 control activities.
Robust systems of internal controls:
 Reduce systemic weaknesses in the accounting system, including the scope for errors
 Reduce the risk of loss or fraud
 Ensure that the accounting system operates appropriately
 Ensure the accounting system can change in line with the environment and organisational
requirements
 Ensure that ethical standards are met within an organisation

2 The control environment

The control environment is formed by the attitudes, awareness and actions of management and
those responsible for ensuring that the internal controls within the company meet that company's
needs.
The control environment is part of the system of internal controls, alongside the internal controls
themselves.
The owners or management of a company must ensure that these control activities are regularly
monitored to ensure that nothing goes wrong. If the controls are not followed and management
do nothing in response, the system of internal controls will not operate effectively, eg if a
manager knowingly authorises a fraudulent expense claim by a subordinate, then the internal
control requiring expenses to be authorised by management is undermined by the weak control
environment.

TT2022

34
BPP Tutor Toolkit copy
 Management must regularly assess the existing system and identify any new risks which may
affect how robust the control system currently is. Without this monitoring, there is unlikely to be a
strong control environment.
Indications of a good control environment include the following:
(a) Management communicate and enforce integrity and ethical behaviour.
(b) Management and staff are well trained and competent.
(c) Management operates in a way that promotes control, eg regularly monitoring whether the
controls are working and adhered to in practice.
(d) The company and accounting function is structured in a way that promotes control.
(e) Authority and responsibility for controls is assigned to separate people ie segregation of
duties is commonplace.
(f) Human resources policies promote controls.
(g) Management regularly review and reassess any new or potential risks to assess whether
the controls in place are robust enough to ensure a strong control environment.

3 Types of control activities

KEY
Control activities are the policies and procedures that help ensure that objectives are carried
TERM
out.

The types of control activity that should be used in an accounting system to address systemic
weaknesses can be remembered using the mnemonic SPAMSOAP:
(a) Segregation of duties – making sure that a number of people are involved in different parts
of each process to minimise the opportunity for fraud and error eg different members of
staff should (1) open the post, (2) record cheques received and (3) bank cheques received.
These can be built into integrated computer systems, eg an invoice is raised by one user,
but a manager must log in to approve them. Others may be manual, such as proof of
authorisation by a signature on a hard copy report.
(b) Physical controls – controls over the physical security of accounting records and assets
such as cash and inventory, eg lock cash receipts in a safe until they are banked; require
codes to unlock the cash tills; lock the stores where inventory is kept.
(c) Authorisation and approval of transactions by supervisors and managers – this shows the
person processing the transaction that it is valid, eg overtime should be approved by
departmental heads.
Authorisation controls ensure that only authorised personnel can make changes, such as
to standing data or to authorise a bank payment.
(d) Management controls – managers should review whether activity controls are being
carried out within the accounting system, eg comparing budget to actual performance in a
budgetary control report, and comparing performance and position from one period to the
next using ratio analysis.
(e) Supervision controls – there should be close oversight of people performing accounting
tasks day to day.

KEY
Reviews are performed by supervisors or managers by looking at summaries and reports of
TERM
transactions, eg to ensure they are reasonable.

(f) Organisation – the way tasks and the business as a whole are organised should support
internal control eg clear lines of responsibility, delegation and reporting, and adequate
resources being available for the accounting system.

TT2022

2: Internal control systems 35

BPP Tutor Toolkit copy
 (g) Arithmetic and accounting controls - checks on whether transactions have been processed
accurately and completely eg reconciliations such as a bank statement and a cash book,
or a payables ledger account and a statement from the supplier, can also highlight if errors
have occurred

Other accounting controls can be highlighted by a trial balance being out of balance or a
computer system not allowing a journal to be posted where the debits do not equal the
credits. By using control accounts and trial balances, these can help to identify mistakes in
the accounting records.

KEY
Reconciliations are checks where staff ensure that two different sources of information agree
TERM
or that any differences are understood, eg bank reconciliations verifying the bank statement
to the bank account on the nominal ledger.

(h) Personnel controls – appropriately recruited, selected and trained accounting staff should
be employed

Activity 1: The control environment

Consider the following scenario at CCC which occurred in September 20X2:

Stefan was the first to arrive at work on Monday morning. He opened the post, and began
logging cheques received into the day book when the telephone rang. It was Margaret to say that
she had an emergency dental appointment for that morning, so she would be late for work.
Stefan went back to his task of processing the mail; without noticing he had dropped a cheque
behind the desk, before he had written it into the day book. Stefan put the day book, with the
cheques inside, onto his desk whilst he went to discuss the morning's deliveries with the
warehouse manager.
Paula Cookridge popped into the office before she joined her husband, John, for lunch. As she
was short on cash and did not have time to go to the bank, she helped herself to £40 from the
petty cash tin, and told Stefan that John would replace it this afternoon when he returned from
their lunch date.
Paul Collins asked when Pritpal, one of the fitters, would be at work as he needed some rolls of
vinyl to be moved into the warehouse from the pallet delivery outside. Pritpal is certified in
counter-balance forklift truck operation. In Pritpal's absence Jake Brew offered to move the vinyl
as he has been shown how to use the forklift by Pritpal on a number of occasions. Paul accepts
his offer as Pritpal is delayed in traffic.
John was concerned that some customers were becoming increasingly slow in making payments
on their credit accounts. He asked Stefan to prepare a schedule of receivables, but Stefan was
busy drawing up the sales invoices (he uses his Word template and manually inputs details from
the sales team) and asked if this could be done next month. Stefan had not chased up late
payments recently because he was too busy. Constructing a receivables ledger from the word
document invoices took at least two to three hours, and there was a lot of post still to be
processed that morning.
Sonja, who had been on holiday, was approached by Ron Sellers, one of the sales team. He had
been expecting commission totalling £800 in his wages, but Margaret (who had covered for Sonja
last month) had not processed this and had only prepared his wages based on Ron’s basic hours
worked. Ron told Sonja that he really needed this money, but Sonja, knowing she could do
nothing until the next wages run, told Ron he would have to wait seven days.
Ron was so upset by this news that Sonja was consumed with guilt, and she told Ron that she
would borrow the money out of the petty cash tin and replace it when she made his wages up
next week.
Margaret keeps the company cheque book in her drawer, but as she only works part time, the
drawer is often left unlocked.

TT2022

36
BPP Tutor Toolkit copy
 Required
Highlight areas of weakness from the extract above relating to CCC.
Solution

4 Security of the accounting system

The accounting system must be secure so that it can perform its function. This can be done in a
number of ways, for instance preventing initial access to the system with a physical barrier (locks
on the doors) or using passwords to prevent unauthorised access to the software.

KEY
Physical controls ensure assets such as inventory and cash are safe.
TERM

4.1 Limiting access

All users of a computerised accounting system should have a password that gives them access to
the parts of the system they are authorised to use. This ensures staff cannot complete operations
that are not related to their role eg access to payroll systems will be strictly limited to HR staff.
Management should guard against malicious or fraudulent access using a variety of security
controls, such as physical barriers (locks on doors and cabinets), deterrents (alarm system or
security), IT controls (passwords, firewalls and ensuring adequate disaster recovery processes are
in place, such as backups of data) and monitoring of controls (management reviews,
authorisation requirements etc).
Such controls in the accounting system include implementing integrity controls, to verify and
validate input data, the processing of data and the production of reports.
There should be information processing controls over standing data to ensure only authorised
changes are made; for example, new suppliers can only be entered onto a system by an
authorised person, or payroll data only accessible by payroll staff.
Ensuring strict segregation of duties by reducing the number of people involved in different parts
of each process and minimising the opportunity for fraud and error will help to ensure the
integrity of standing data and ensuring only authorised transactions are made.

KEY
Integrity of data ensures that data is complete, secure and accurate.
TERM

4.2 Preventing errors

The accounting system should have robust integrity controls to verify and validate input data, the
processing of data and the production of reports.
These should include input controls on completeness of data input to the system (eg batch
processing, total checks, not allowing journals to be posted which do not balance). There can also
be programme controls ensuring the accuracy of data input to the system, such as an automatic
check on the calculation of VAT. Some controls, such as integrity controls, check the consistency
and validity of the data being entered eg the correct format of figures are used (eg allowing
invoice numbers in the correct format, AA12345) and checking the calculation of VAT. They are
rules in the system which allow only certain types of data to be inserted.

TT2022

2: Internal control systems 37

BPP Tutor Toolkit copy
 Processing controls verify the data validation and editing procedures. They can also ensure that
forms are not closed without being saved or can only be altered by one user at a time. They also
used for ensuring arithmetical accuracy or completeness of data. One example of this is 'batch
invoice processing' whereby the total value of the invoices is independently calculated and then
the total of the invoices entered onto the system is verified against this total.

Activity 2: Security and IT at CCC

Below is an extract from the CCC IT policy currently in place.

All computers can only be accessed by staff who have been authorised by management to
use CCC's computers. All computers must be password protected.
Computers must only be loaded with licensed software owned by the company. No changes
to software are permitted without the consent of CCC's directors. No member of staff is
allowed to load any software onto computers without prior permission from the management.
No unauthorised devices are to be used for saving, uploading or downloading work (eg discs,
memory sticks, external hard drives or other devices) other than those purchased and
approved by the company.
Computers should only be used for company business and must not be used to access any
social networking sites.

Using the information available in the pre-seen information on CCC, comment on the following:
Required
(a) What rules should be put in place regarding the use of and control of passwords at
CCC?
(b) Why are these important?
(c) Note any other issues regarding the current security of the accounting system and IT
practice at CCC.
Solution

5 Internal control systems for different types of

organisations
As regulation and reporting requirements become more complex, the underlying system of
internal controls must also be reviewed and assessed for suitability by management.
The level of complexity and size of the system of internal controls will depend on the size and
nature of the organisation.
Large companies produce significant amounts of data which is usually recorded electronically.
Therefore, large companies usually need a mixture of controls over electronic data as well as
some manual internal controls. Large companies usually have lots of staff which makes
segregation of duties easier.

TT2022

38
BPP Tutor Toolkit copy
 A small or medium-sized company may have fewer staff members to perform controls and
therefore they are less able to implement segregation of duty. These companies might use simpler
accounting systems with more manual controls.
Businesses that are cash-based but have good physical controls over cash and regular
reconciliations to ensure that the cash balances are correct, for example reconciling the cash
register balance at the end of the day. A cash-based business is usually considered to be riskier
than a business that operates on credit.
Credit-based businesses tend to have a lot more documentation at each stage of their
transaction cycles. This paper (or electronic) documentation makes it easier to establish an audit
trail to implement internal controls and monitor whether they have been adhered to.
Online businesses will need different controls to physical businesses. As well as strong controls
over the IT systems, there will need to be good physical controls over any inventory, especially as
these businesses often have higher levels of returns.

6 Ethical behaviour within an organisation

In previous chapters, we discussed the impact of the organisation’s size, culture and type on its
accounting function. Here we consider how ethical principles should guide the practices and
controls within an accounting system. In the Level 3 unit Business Awareness you learned the five
fundamental principles of professional ethics within the AAT Code of Professional Ethics (the
AAT Code).

KEY
Integrity is being straightforward and honest in all professional and business relationships.
TERM
Objectivity is not allowing bias, conflict of interest or undue influence of others to override
professional or business relationships.
Professional competence and due care is having the right level of current professional
knowledge and skill to give competent professional service, and acting diligently and in
accordance with applicable and professional standards.
Confidentiality is not disclosing confidential information except in appropriate circumstances,
and not profiting from confidential information.
Professional behaviour is complying with relevant laws and regulations and not bringing
disrepute on the accounting profession.
(AAT, 2017)

Management should ensure that these principles are embedded within the organisation’s
accounting system.

Assessment focus point

Ensure you have a thorough understanding of the five fundamental principles of professional
ethics. If you need to revisit these areas, review your Level 3 Business Awareness Course Book
for more details.

6.1 Fundamental principles of professional ethics

KEY
Ethics is a set of generally accepted principles that guide behaviour.
TERM

Ethical values are assumptions and beliefs about what constitutes 'right' and 'wrong' behaviour.
Individuals hold ethical values, often reflecting the beliefs of the families, cultures and educational
environments in which they grew up.
Companies should also have ethical values, based on the norms and standards of behaviour that
their leaders believe will best help them express their identity and achieve their objectives. The
values of the company are usually set out in its mission statement.

TT2022

2: Internal control systems 39

BPP Tutor Toolkit copy
 Companies, just like individuals, are members of society and are therefore responsible for their
actions, and can be held accountable for the effects of those actions eg companies can be
convicted of crimes such as manslaughter, just like people.
Therefore, companies should behave ethically towards their stakeholders.

6.2 Ensuring ethical practice within the system

Management and directors need to ensure that ethical practice is maintained within their
organisation. Often there will be an organisational policy or mission statement, or a code of
conduct that employees are expected to follow.

Activity 3: Ensuring ethical behaviour at work

CCC has recently revised its website, adding information regarding its mission statement (see
Chapter 1, Activity 10). Stefan, the Accounts Receivable Clerk, has suggested that the five ethical
principles as set out by the AAT Code of Professional Ethics be added to the website. The directors
have agreed and intend to show how CCC’s accounting function (and all other staff) achieves
these principles in order to demonstrate what an ethical organisation it is in practice.
Required
Using the table below, identify how CCC can ensure its accounting function (and all other
staff) uphold the ethical standards demanded by the AAT Code of Professional Ethics.
Solution

Fundamental ethical Explain how CCC may demonstrate these

principle principles in practice
Integrity

Objectivity

Professional competence and

due care

Confidentiality

Professional behaviour

6.3 Ethical risks to the system

The accounting function (Chapter 1) plays an important role in establishing and maintaining the
ethical culture within an organisation. Risks to ethical behaviour may come in a variety of forms:
 Criminal behaviour (bribery, money laundering, theft)
 Non-compliance with organisational policy or regulations (data protection, AAT Code)
 Bullying or intimidating behaviour
 Poor decision making (short-term decision making, reputational risks, environmental
hazards)
Let us consider some ethical issues concerning CCC's accounting function in line with these
fundamental principles.

TT2022

40
BPP Tutor Toolkit copy
 Activity 4: Ethics conflict at CCC

Consider the following scenarios:

(a) Stefan is asked to produce an aged receivables listing for John Cookridge as at 30 April
20X3. However, he does not have up to date figures because cash received has not yet
been allocated to customers, and Stefan knows that the aged receivables report will look
worse than the underlying situation. Sonja suggests that to get the report done in time he
should use averages for the missing figures.
(b) Margaret has opened a letter from an estate agent requesting financial information about
one of CCC's customers, who is applying to rent a property. The information is needed as
soon as possible, by email, in order to secure approval for the rent agreement.
(c) A friend tells Stefan on a night out that she expects to inherit money from a recently
deceased uncle. She asks him how she will be affected by inheritance tax, capital gains tax
and other matters.
(d) A supplier is so pleased with how promptly Stefan paid her that she offers him a free
weekend break in a luxury hotel, just as a 'thank you'.
Required
Identify the ethical issues at risk in the scenarios and recommend a course of action to be
taken by Stefan or Margaret in each case.
Solution

7 What is fraud?
You were introduced to the concept of fraud and the regulations surrounding it during the Level 3
Business Awareness module. It is useful to review the key points before attempting the activities in
this section.

KEY
Fraud is a crime in which the criminal intentionally makes a gain or causes a loss to another
TERM
person by depriving them of assets.

Legally, there are three types of fraud (Fraud Act 2006: s.1):
 False representation
 Failure to disclose information
 Abuse of position
With respect to the accounting system, the types of fraud which are important are:
 Misappropriation of assets which is theft, teeming and lading, payment of false
employees or suppliers.
 Misstatement of the financial statements which is the overstatement of assets or profit,
or the understatement of profit, losses or liabilities.
An accounting system is more open to fraud if it contains systemic weaknesses, making it easy to
misappropriate assets, or misstate financial information.

TT2022

2: Internal control systems 41

BPP Tutor Toolkit copy
 Examples of fraud include, but are not restricted to:
 Falsifying financial statements or documents, such as invoices
 Incorrect accounting to purposely hide debts or overstate profits
 False claims about the products being sold by the company (for example, Silicon Valley
start-up Theranos)
 Payment fraud, including teeming and lading (misallocation of cash payments)
 Tax evasion, such as understatement of VAT, PAYE or corporate tax.
 Money laundering
 Insider trading
 Embezzlement (fraud by employees in positions of power or trust within a business), such
as by creating fictitious suppliers or employees
Activity 5: Potential frauds at CCC

Using the information obtained about CCC from the pre-seen information and any existing
knowledge about CCC, consider the key areas where fraud may occur within the business.
Required
Identify the possible frauds that could occur within CCC – even if the controls currently in
place make such a fraud unlikely.
Solution

Potential fraud
Purchases and inventory system

Payroll system

Bank and cash system

TT2022

42
BPP Tutor Toolkit copy
 Potential fraud
Sales and aged receivables system

8 Impact of fraud
Fraud has the following types of impact on a company:
(a) Financial – loss of funds or other assets. This in turn affects the company's profitability
and the owner's investment in it. It can also affect the company's share price.
(b) Reputation – exposure to fraud can affect the company's reputation in the eyes of internal
and external stakeholders. This in turn could lead to a loss of business.
(c) Employee morale – the trust of existing employees could be damaged. Future recruitment
and retention of staff might also be affected.
Real life example
The following examples illustrate the financial and reputational impacts upon companies which
have been fined for financial misstatement, or not having sufficient fraud prevention controls in
place:
Example 1 – Tesco Stores
In March 2017, Tesco Stores was fined £129 million by the Serious Fraud Office (SFO) and ordered
to set up an £85 million compensatory scheme for shareholders and bondholders who bought
shares between the results announcement and the accounting misstatement being made public.
Tesco settled out of court regarding charges of false accounting and misstatement of profits.
The impact on the company was a £214 million cash outflow, not including legal costs, with Tesco
recording an exceptional charge of £235 million for the 2016/2017 accounting year end.
(Reuters, 2017)

Example 2 – Rolls-Royce PLC

Rolls-Royce PLC was fined £497.5 million by the SFO in January 2017 in respect of 12 counts of
conspiracy to corrupt, false accounting and failure to prevent bribery over a period of 30 years.
In addition, the company was fined $170 million by to the US Department of Justice and $25
million by the Brazilian authorities.
(SFO, 2017)

Example 3 – Standard Chartered Bank

The Financial Conduct Authority (FCA) fined the bank £102.2 million for failing to maintain
adequate anti-money laundering controls between November 2010 and January 2013.
(FCA, 2019)

TT2022

2: Internal control systems 43

BPP Tutor Toolkit copy
 9 Controls to prevent fraud and systemic
weaknesses
In this section, we look specifically at the types of fraud which can occur within the business and,
using the scenario of CCC, identify potential issues and consider the impact on CCC.
The management of a company have a duty to put in place adequate controls to safeguard the
company and its assets. You have seen many of the safeguarding controls in the Level 3 Business
Awareness module and have also covered them earlier in this chapter (SPAMSOAP).
The main types of controls which can help prevent fraud include controls for the accounting
system can be grouped into the following categories:
 Staff controls – segregation of duties
 Management controls – review of controls and regular checks on control activities
 Physical controls – locking away confidential files and ensuring office security
 Information processing and general IT controls – password protection, access limitations
and integration of systems
Fraud controls are internal controls specifically against fraud in the areas of staff controls,
management controls, physical controls and IT controls.

9.1 Sales system fraud

Fraud within the sales system is possible because the system involves the receipt of money, and
this risk is more severe where this is in the form of cash, such as a shop.

Activity 6: Sales system fraud

The following is some further information given about an event in January 20X3 at CCC. Use this
additional information and any existing knowledge about CCC to formulate your answer.

Stefan was tidying up in the office one evening and was surprised to discover two cheques
behind a desk. One was dated August 20X2, and one November 20X2. He put them in the in-
tray intending to bank them the next day.
John Cookridge asked for a copy of the aged receivables report, as he hadn't seen one for
nearly four months. He was annoyed when he discovered that one of the credit accounts,
opened for B. Braithwaite, had made no payments against credit given at all so far. This
customer had bought £1,000 worth of goods and paid an initial deposit in July 20X2 but had
made no payment since then. He asked Stefan to track back through the account and Stefan
realised that no credit reference agency had been used to vet the customer before accepting
their initial order, so he decided to contact the agency to check on this customer, only to find
that he had a very poor credit score.
Meanwhile John continued to review the aged receivables report and discovered that not only
had debts been written off without his knowledge but also that over 50% of the invoices over
60 days old had no payments allocated against them. Unallocated cash amounted to £5,645.
Stefan advised that there had been a large debt of £2,300 written off the previous month, as it
dated back to the previous October. Stefan said that although he had tried to chase the debt,
the telephone number rang out, and the customer had taken the flooring with him (so no
delivery address had been logged by the sales staff).
When John came to lock up the business at the end of Thursday, he discovered that the tills
on the shop floor had not been emptied or reconciled to the day's takings.

TT2022

44
BPP Tutor Toolkit copy
 Required
(a) Identify the types of fraud which could occur in the sales system at CCC based on
the information you have been given in this extract. Also explain why you think this
fraud risk has arisen.
Solution

Fraud which could occur at CCC Why this risk has arisen

(b) Consider the financial and non-financial impacts these frauds could have on CCC.
Solution

9.2 Purchases system fraud

Fraud within the purchases system is possible because the system includes the ability to order
goods from suppliers and then to make payments.
One of the general controls in place to prevent such examples of fraud is segregation of duties:
the same member of the accounting team should not be allowed to place orders with suppliers,
book in goods received, and then process payments to them.

Activity 7: Purchases system fraud

The following events happened at CCC during March 20X3:

Margaret needed to place a stationery order for CCC. She asked the staff what they needed
and placed the order, including some additional paper for her nephew who is studying at
university.

TT2022

2: Internal control systems 45

BPP Tutor Toolkit copy
 CarPet Suppliers, one of CCC's major suppliers, has requested urgent payment of an invoice
that has been outstanding for 60 days. This invoice is for £15,000 and, though this would
normally have been paid, there were not enough funds in the bank to cover this amount.
When Margaret informed John of this, he was very surprised at the size of the invoice and
asked her to review all the GRNs for October to see what carpets had been ordered to cause
such a large invoice. Margaret spent a day completing this reconciliation and found that there
was an error and they had been charged for 1,000 metres of twisted Wilton instead of 100,
this having a wholesale price of £15.00 per metre including VAT.
When John was checking the invoice, he asked Margaret to produce a report of outstanding
invoices and discovered some new suppliers with long outstanding debts which he did not
recognise.

Required
Identify the risks from the control weaknesses in the above extract and make any
recommendations to improve the controls.
Ensure your answer is specific to the scenario.
Solution

10 Detecting fraud
Internal controls within the accounting system should be designed not only to address
weaknesses and prevent fraud and errors, but also to help detect when they have occurred.
The key controls that detect whether fraud or errors have occurred are:
(a) Spot checks on whether control activities have taken place
(b) Performance reviews and comparisons, using:
(i) The budgetary control report: compare actual results to budgeted results
(ii) Ratio analysis: compare this period to the previous period, and evaluate the
relationships between figures in the financial statements (eg level of receivables
compared with level of sales)
(c) Reconciliation of information produced by the accounting system with external evidence,
such as bank statements and supplier statements
(d) Control account reconciliations where transactions are recorded in individual accounts
and in total (eg receivables and payables)
Management can use financial information to analyse and review the controls of an organisation.
Financial information can highlight issues such as potential inefficiencies as well as possible
fraudulent behaviour, eg decreases in profit margin may suggest that costs are being poorly
managed, or may highlight an issue such as theft of inventory.

TT2022

46
BPP Tutor Toolkit copy
 10.1 Management accounts
Management reports can be structured to ensure that the most useful information is available to
the user of the report. The information may be summarised into a form of profit or loss statement,
or include additional information such as variance analysis, aged receivables analysis or capital
expenditure review for the period.
Ideally, these reports should be consistently prepared and monitored on a regular basis, eg
monthly, so as to highlight any significant issues arising, and to prompt investigations and
corrective action where required.

Activity 8: Detecting fraud using financial information

The following are some extracts from the management accounts which were completed at the
year end for CCC.
Use these and the financial statements in the pre-seen scenario for this activity.
CCC completes quarterly management accounts only.
Extracts from the management accounts for CCC Ltd as at 31 December 20X2

20X2 20X1
Carpets Vinyl Carpets Vinyl
£000 £000 £000 £000
Revenue 379 727 425 505
Cost of sales (287) (416) (282) (351)

Gross margin 92 311 143 154

All products All products

£000 £000 £000 £000

Rent and rates 30 30

Salaries: administration and

87 87
management

Salaries: sales 105 60

Salaries: directors 120 110

Motor expenses 19 10

Irrecoverable debts 22 8

Finance costs 5 6

Other costs 13 10

Total costs 401 321

Net profit/(loss) 2 (24)

TT2022

2: Internal control systems 47

BPP Tutor Toolkit copy
 Required
Using the knowledge you have obtained from the earlier activities, review the management
accounts above and highlight areas which present potential issues for the company, making
any recommendations you believe are appropriate.
Note. There is no requirement to calculate ratios.
Solution

TT2022

48
BPP Tutor Toolkit copy
 Chapter summary

 Internal controls in the accounting system aim: to protect it from systemic weaknesses; avoid
fraudulent activities and human error; ensure compliance with applicable laws and regulations;
and ensure the company is working to meet its objectives.
 The system of internal controls consists of an effective control environment; the entity’s risk
assessment process; the entity's process to monitor the system of internal control; the information
system and communication; and control activities.
 Control activities in an accounting system address systemic weaknesses and control risks.
 Control activities consist of segregation of duties; physical controls; authorisation and approval
of transactions; management controls; supervision controls; organisational controls; arithmetic
and accounting controls; and personnel controls. The SPAMSOAP mnemonic may help you
remember these.
 Information processing controls affect transactions and consist of input controls, accuracy
controls, authorisation checks, processing controls and controls over standing data.
 General IT controls protect the general computer environment.
 The limitations of controls include people making mistakes, where controls may not be operated
effectively or where people may deliberately circumvent controls.
 For each control objective within a system, the risks controlled and control activities need to be
identified.
 Within any of the systems, segregation of duties – as far as it is possible given the size of the
accounting function and the number of its staff – is a vital control.
 In the credit sales system, control objectives etc are identified for: taking orders and extending
credit; dispatching and invoicing goods; recording and accounting for sales and returns; and
receiving payment.
 In the purchases system, control objectives etc are identified for: ordering; receipt of goods and
services; accounting; and payments.
 In the payroll system, control objectives etc are identified for: setting wages and salaries;
recording; payments; and deductions.

TT2022

2: Internal control systems 49

BPP Tutor Toolkit copy
 Keywords
 Accounting controls: Control accounts and trial balances which help to identify mistakes
in the accounting records
 Authorisation and approval controls: A key control activity, indicating to accounting staff
that the transaction in question is valid
 Authorisation of transactions: These ensure that only authorised personnel can make
changes, such as to standing data or to authorise a bank payment
 Control activities: The policies and procedures that help ensure objectives are carried out
 Control environment: The attitudes, awareness and actions of management and those
responsible for ensuring that the internal controls within the company meet that
company's needs
 Internal controls: Procedures that address the risk that the aims and objectives of the
company will not be met
 Systems of internal controls: The control environment, the entity’s risk assessment
process, the entity’s processes to monitor the system of internal control, the information
system and communication and control activities

TT2022

50
BPP Tutor Toolkit copy
 Test your learning
1 What type of control activity is each of the following actions?

Action Type of control activity

Person A matches dispatch notes to
invoices. Person B creates invoice to
customer.

Control account reconciliation

Petty cash box kept locked
Adequate resourcing of accounting
function

Review of budgetary control report

2 Identify whether each of the following control activities is an integrity, system or

physical access security control.

Activities Type of security control

Validation of input data 
Passwords 
Archiving 

Picklist:
Integrity control
Physical access control
System control
3 Complete the following statement:

Management should regularly ensure that staff perform  of the

receivables ledger to ensure accuracy and completeness of the data.
Picklist:
assessments
inspections
reconciliations
teeming and lading
4 Complete the following statement:
Control objectives in relation to taking orders and extending credit are part of the
 system of the accounting system.
Picklist:
payroll
purchases
sales

TT2022

2: Internal control systems 51

BPP Tutor Toolkit copy
 5 Complete the following statement:
Completion of GRNs is a control activity related to the control objective of
.
Picklist:
ensuring goods and services received are used for the company's purposes
only accepting goods and services that have been ordered and appropriately authorised
only accepting goods received that are of a sufficient quantity for the purposes of the
organisation
recording all money received
6 Complete the following statement:
Allocating one customer's payment to another customer's account in order to balance the
books and detract from a shortfall is called .
Picklist:
identity fraud
inflation
reconciliation and review
teeming and lading

TT2022

52
BPP Tutor Toolkit copy