INTERNAL CONTROLS

INTRODUCTION
 Since resources in the public sector generally
embody public money, the significance of
safeguarding them needs to be stressed.
 The role of internal control as a litmus test for
efficiency and effectiveness cannot be over
emphasised.
 Definition
Internal control is an integral process that is effected
by an entity’s management and personnel.
Designed to address risks and to provide reasonable
assurance that in pursuit of the entity’s mission, the
following general objectives are being achieved:
executing orderly, ethical, economical, efficient
and effective operations;
fulfilling accountability obligations;
complying with applicable laws and regulations;
safeguarding resources against loss, misuse and
damage.
 Why Internal Controls?

 Internal controls are put in place to keep the

organisation on course towards achievement of its
mission, and to minimize surprises along the way.
 They enable management to deal with rapidly
changing economic and competitive environments,
shifting customer/clients demands and priorities,
and restructuring for future growth.

 Internal controls promote efficiency, reduce
risks, and help ensure the reliability of
financial statements and compliance with laws
and regulations.
 Because internal control serves many
important purposes, there are increasing calls
for better internal control systems. Internal
control is looked upon as a solution to a variety
of potential problems.
 Cont…
 Therefore, safeguarding resources was
judged to be an important internal control
objective.
 Prevention and detection of fraud and
corruption in the public sector has become
more.
Internal Controls and; Legislators
and regulators
 Legislation can provide a common
understanding of the internal control
definition and objectives to be achieved.
 It can also prescribe the policies that
internal and external stakeholders are to
follow in carrying out their respective roles
and responsibilities for internal control.
 An integral process
 Internal control is a dynamic integral process that
should be continuously adapting to the changes an
organisation is facing.
 Internal control is not one event or circumstance,
but a series of actions that permeate an entity's
activities.
 These actions occur throughout an entity’s
operations on an ongoing basis.
 They are pervasive and inherent in the way
management runs the organisation.
 The internal control system is intertwined with
an entity's activities and is most effective when
it is built into the entity's infrastructure and is
an integral part of the essence of the
organisation.
 Internal control should be built in rather than
built on. By building in internal control, it
becomes part of and integrated with the basic
management processes of planning, executing
and monitoring.
 Built in internal control also has important
implications for cost containment. Adding new
control procedures that are separate from existing
procedures adds costs.
 By focusing on existing operations and their
contribution to effective internal control, and by
integrating controls into basic operating activities,
an organisation often can avoid unnecessary
procedures and costs.
 Effected by management and
other personnel
 People are what make internal control work. It
is accomplished by individuals within an
organisation, by what they do and say.
 Consequently, internal control is effected by
people. People must know their roles and
responsibilities, and limits of authority.
 Although management primarily provides
oversight, it also sets the entity's objectives and
has overall responsibility for the internal
control system.
 The management will put internal control
activities in place and monitor and evaluate
them.
 The implementation of internal control
requires significant management initiative
and intensive communication by
management with other personnel.
Therefore internal control is a tool used by
management and directly related to the
entity’s objectives.
 As such, management is an important
element of internal control. However, all
personnel in the organisation play important
roles in making it happen.
 Similarly, internal control is affected by human
nature. Internal control guidelines recognize
that people do not always understand,
communicate or perform consistently.
 Each individual brings to the workplace a
unique background and technical ability, and
has different needs and priorities.
 These realities affect, and are affected by,
internal control.
 Categories….
 Controls can be categorised as:
1. Detective – These controls identify undesirable
outcomes that have occurred. They are suitable
when it is possible to accept the loss and damaged
occurred.

2. Directive – These controls direct an activity

towards a desired outcome.
 Continued..
3. Preventive – These limit or stop the
possibility of an undesirable event happening.
eg separation of duties , authorisation of
transactions.

4. Corrective – They correct undesirable

outcomes after they have happened.
 COMPONENTS OF
INTERNAL CONTROL
 Components of Internal
Control
Internal control consists of five interrelated
components:

control environment

risk assessment

control activities
information and
communication
monitoring
 1. Control Environment
 The control environment sets the tone of an
organisation, influencing the control
consciousness of its staff.
 It is the foundation for all other components of
internal control, providing discipline and
structure.
 Elements of the control environment are:
(1) the personal and professional integrity and ethical
values of management and staff, including a supportive
attitude toward internal control at all times throughout
the organisation;
(2) commitment to competence;
(3) the “tone at the top” (i.e. management’s philosophy
and operating style);
(4) organisational structure;
(5) human resource policies and practices.
 2. Risk Assessment
Risk assessment is the process of identifying and analysing
relevant risks to the achievement of the entity’s objectives
and determining the appropriate response. It implies:
(1) risk identification:
 related to the objectives of the entity;
comprehensive;
includes risks due to external and internal factors, at both
the entity and the activity levels;
(2) risk evaluation:
estimating the significance of a risk;
assessing the likelihood of the risk occurrence;
(3) assessment of the risk appetite of the
organisation;
(4) development of responses:
four types of responses to risk must be
considered: transfer, tolerance, treatment or
termination; of these, risk treatment is the most
relevant to these guidelines because effective
internal control is the major mechanism to treat
risk;
 the appropriate controls involved can be either
detective or preventive. As governmental,
economic, industry, regulatory and operating
conditions are in constant change, risk
assessment should be an ongoing iterative
process.
 It implies identifying and analysing altered
conditions and opportunities and risks (risk
assessment cycle) and modifying internal
control to address changing risk.
 3. Control Activities

 Control activities are the policies and

procedures established to address risks and to
achieve the entity’s objectives.
 To be effective, control activities must be
appropriate, function consistently according to
plan throughout the period, and be cost
effective, comprehensive, reasonable and
directly relate to the control objectives.
 Control activities occur throughout the
organisation, at all levels and in all functions.
They include a range of detective and preventive control
activities as diverse, for example, as:
(1) authorization and approval procedures;
(2) segregation of duties (authorizing, processing, recording,
reviewing);
(3) controls over access to resources and records;
(4) verifications;
(5) reconciliations;
(6) reviews of operating performance;
(7) reviews of operations, processes and activities;
(8) supervision (assigning, reviewing and approving, guidance
and training).
Entities should reach an adequate balance
between detective and preventive control
activities. Corrective actions are a necessary
complement to control activities in order to
achieve the objectives.
 4. Information Technology
Control Activities
Information systems imply specific types of control activities. Therefore
information technology controls consist of two broad groupings:
(1) General Controls
General controls are the structure, policies and procedures that apply to all or a
large segment of an entity’s information systems and help ensure their proper
operation. They create the environment in which application systems and
controls operate. The major categories of general controls are
entity-wide security program planning and management,
access controls,
controls on the development, maintenance and change of the application
software,
system software controls,
segregation of duties, and
 service continuity.
 Cont…
(2) Application Controls
Application controls are the structure, policies, and procedures that
apply to separate, individual application systems, and are directly
related to individual computerized applications. These controls are
generally designed to prevent, detect, and correct errors and
irregularities as information flows through information systems.
General and application controls are interrelated and both are needed
to help ensure complete and accurate information processing.
Because information technology changes rapidly, the associated
controls must evolve constantly to remain effective.
 Information and Communication
Information and communication are essential to realising all
internal control objectives.
Information
A precondition for reliable and relevant information is the
prompt recording and proper classification of transactions and
events.
Pertinent information should be identified, captured and
communicated in a form and timeframe that enables staff to
carry out their internal control and other responsibilities
(timely communication to the right people).
Therefore, the internal control system as such and all
transactions and significant events should be fully
documented.
 Information systems produce reports that contain
operational, financial and non-financial, and
compliance-related information and that make it
possible to run and control the operation.
 They deal not only with internally generated data, but
also information about external events, activities and
conditions necessary to enable decision-making and
reporting.
 Management’s ability to make appropriate decisions is
affected by the quality of information which implies
that the information should be appropriate, timely,
current, accurate and accessible.
Management’s ability to make appropriate decisions is
affected by the quality of information which implies
that the information is:
• appropriate (is the needed information there?);
• timely (is it there when required?);
• current (is it the latest available?);
• accurate (is it correct?);
• accessible (can it be obtained easily by the relevant
parties?).
  Communication
 Effective communication should flow down, across,
and up the organisation, throughout all components and
the entire structure.
 All personnel should receive a clear message from top
management that control responsibilities should be
taken seriously. They should understand their own role
in the internal control system, as well as how their
individual activities relate to the work of others.
 There also needs to be effective communication with
external parties.
 5. Monitoring
Internal control systems should be monitored to assess the quality
of the system’s performance over time. Monitoring is
accomplished through routine activities, separate evaluations or a
combination of both.
(1) Ongoing monitoring
Ongoing monitoring of internal control is built into the normal,
recurring operating activities of an entity. It includes regular
management and supervisory activities, and other actions
personnel take in performing their duties.
Ongoing monitoring activities cover each of the internal control
components and involve action against irregular, unethical,
uneconomical, inefficient and ineffective internal control systems.
 (2) Separate evaluations
The scope and frequency of separate evaluations will
depend primarily on an assessment of risks and the
effectiveness of ongoing monitoring procedures.
Specific separate evaluations cover the evaluation of
the effectiveness of the internal control system and
ensure that internal control achieves the desired results
based on predefined methods and procedures.
 Internalcontrol deficiencies should be
reported to the appropriate level of
management.
 Monitoring should ensure that audit findings
and recommendations are adequately and
promptly resolved.
 Limitations on Internal Control
Effectiveness
The limitations on internal control effectiveness need
to be stressed to avoid exaggerated expectations due to
a misunderstanding of its effective scope.
Internal control cannot by itself ensure the
achievement of the general objectives defined earlier.
An effective internal control system, no matter how
well conceived and operated, can provide only
reasonable – not absolute – assurance to management
about the achievement of an entity's objectives or its
survival.
 It can give management information about the
entity's progress, or lack of it, towards
achievement of the objectives. But internal
control cannot change an inherently poor
manager into a good one.
 Moreover, shifts in government policy or
programs, demographic or economic
conditions are typically beyond management's
control and may require managers to re-design
controls or adjust the level of acceptable risk.
 An effective system of internal control
reduces the probability of not achieving
the objectives. However, there will
always be the risk that internal control
will be poorly designed or fail to operate
as intended.
 1. human factor
 Because internal control depends on the
human factor, it is subject to flaws in
design, errors of judgment or interpretation,
misunderstanding, carelessness, fatigue,
distraction, collusion, abuse or override.
 2. resource constraints
 Another limiting factor is that the design of an
internal control system faces resource
constraints. The benefits of controls must
consequently be considered in relation to their
costs.
 Maintaining an internal control system that
eliminates the risk of loss is not realistic and
would probably cost more than is warranted by
the benefit derived.
 Indetermining whether a particular
control should be established, the
likelihood of the risk occurring and the
potential effect on the entity are
considered along with the related costs
of establishing a new control.
 3. Organisational changes and
management attitude
 can have a profound impact on the
effectiveness of internal control and the
personnel operating the system. Thus,
management needs to continually review
and update controls, communicate changes
to personnel, and set an example by
adhering to those controls.
 BASIC PRINCIPLES OF
INTERNAL CONTROL
1. The duties of the various members of the
staff should be set out in writing together with
the limit of authority in each case.

2. Precise instructions should be laid down for

the re-arrangement or delegation of duties in
the event of members of the staff being absent.
 Continued..
3. The accounting department should keep, or
have control over all accounting records.
Persons having the custody/control of assets
should not also be responsible for the
accounting in respect of those assets. Where
this is unavoidable there should be frequent
independent checks of the accounting records.
 Continued..
4. Records and forms should be as simple as
possible and properly designed for the purpose for
which they are being used.

5. Payments should be made only on the authority

of properly authenticated vouchers.

6. The books should be kept properly and written

up to date in permanent form.
 Continued..
7. The books should be posted regularly and
posting should not fall into arrears.

8. The books should be balanced at regular

intervals, normally monthly.
9. Staff must understand, and be competent to
carry out work entrusted to them.
 Continued..
10. There should be a well-defined division of
responsibilities between departments, sections and
individuals, so that no one person handles a
transaction from beginning to end.

11. Work carried out by any one section or person in

the accounting department should where possible be
independently checked by another.
 Continued..
13. All staff should take their holidays regularly.
Failure in this regard especially by staff connected
with the receipt or payment of cash should be
investigated.

14. There should be close supervision where few staff

members man the office.

.
 Continued..
 The effectiveness of the system of internal
control that can be put into force will depend
upon the number of staff available

 Where this number is too few to establish an

adequate division of responsibilities it is
important that there should be close supervision
by the head of office or a senior official.
THE END