GENERAL PRINCIPLES OF INTERNAL CONTROLS
- People at every level of an organization effect internal controls.
Internal control is everyone’s responsibility. Every employee has objectives to achieve and is responsible for ensuring that processes are in place to help the organization achieve its objectives.
- Effective internal control helps an organization achieve its operations, financial reporting, and compliance objectives.
Effective internal control is a built-in part of the management process (i.e., plan, organize, direct, and control). Internal control keeps an organization on course toward its objectives and the achievement of its mission, and minimizes surprises along the way. Internal control promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure compliance with laws and regulations. Internal control also ensures the reliability of financial reporting (i.e., all transactions are recorded, and all recorded transactions are real, properly valued, recorded on a timely basis, properly classified, and correctly summarized and posted).
- Components of internal control system
Internal control consists of five interrelated components as follows:
- Control (or Operating) environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
All five internal control components must be present to conclude that internal control is effective.
2.1 Control Environment
The control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their activities and carry out their control responsibilities.
An effective control environment is an environment where competent people understand their responsibilities, the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization’s policies and procedures and its ethical and behavioral standards.
The control environment encompasses technical competence and ethical commitment; it is an intangible factor that is essential to effective internal control.
A governing board and management enhance an organization’s control environment when they establish and effectively communicate written policies and procedures, a code of ethics, and standards of conduct. Moreover, a governing board and management enhance the control environment when they behave in an ethical manner, creating a positive “tone at the top”, and when they require that same standard of conduct from everyone in the organization.
2.1.1 Responsibility of control environment
Management is responsible for “setting the tone” for their organization. Management should foster a control environment that encourages:
- The highest levels of integrity and personal and professional standards
- A leadership philosophy and operating style which promote internal control throughout the organization
- Assignment of authority and responsibility.
2.1.2 Control Environment Tips
Effective human resource policies and procedures enhance an organization’s control environment. These policies and procedures should address hiring, orientation, training, evaluations, counseling, promotions, compensation, and disciplinary actions. In the event that an employee does not comply with an organization’s policies and procedures or behavioral standards, an organization must take appropriate disciplinary action to maintain an effective control environment.
The control environment is greatly influenced by the extent to which individuals recognize that they will be held accountable.
Make sure that the following policies and procedures are available in your department (in hard copy or via Internet access). This list is not all-inclusive, nor will every item apply to every department; it can, however, serve as a starting point:
- Administrative Procedures
- Business and Finance Bulletins
- Employee Handbook
- Purchasing Manual
- Make sure that the organisation has well-written departmental policies and procedures manual which addresses its significant activities and unique issues. Employee responsibilities, limits to authority, performance standards, control procedures, and reporting relationships should be clear.
- Make sure that employees are well acquainted with the organisation’s policies and procedures that pertain to their job responsibilities.
- Discuss ethical issues with employees. If employees need additional guidance, issue standards of conduct.
- Make sure that employees comply with the Conflict of Interest policy and disclose potential conflicts of interest (e.g., ownership interest in companies doing business or proposing to do business with the organisation).
- Make sure that job descriptions exist, clearly state responsibility for internal control, and correctly translate desired competence levels into requisite knowledge, skills, and experience; make sure that hiring practices result in hiring qualified individuals.
- Make sure that each department has an adequate training program for employees.
- Make sure that employee performance evaluations are conducted periodically. Good performance should be valued highly and recognized in a positive manner.
- Make sure that appropriate disciplinary action is taken when an employee does not comply with policies and procedures or behavioral standards.
2.2 Risk Assessment
The process of providing assurance about the achievement of objectives starts with an understanding of the risks those objectives face. Understanding risks involves determining the objectives, identifying the risks relating to those objectives, and analysing the risks.
2.2.1 Determine Goals and Objectives
The central theme of internal control is
- To identify risks to the achievement of an organization’s objectives and
- To do what is necessary to manage those risks.
Thus, setting goals and objectives is a precondition to internal controls.
At the highest levels, goals and objectives should be presented in a strategic plan that includes a mission statement and broadly defined strategic initiatives. At the department level, goals and objectives should support the organization’s strategic plan. Goals and objectives are classified in the following categories:
Operations objectives: These objectives pertain to the achievement of the basic mission(s) of a department and the effectiveness and efficiency of its operations, including performance standards and safeguarding resources against loss.
Financial reporting objectives: These objectives pertain to the preparation of reliable financial reports, including the prevention of fraudulent public financial reporting.
Compliance objectives: These objectives pertain to adherence to applicable laws and regulations.
A clear set of goals and objectives is fundamental to the success of an organisation. Specifically, an organisation or work unit should have:
- A mission statement,
- Written goals and objectives for the organisation as a whole, and
- Written goals and objectives for each significant activity in the organisation
There are certain activities which are significant to all organisations: budgeting, purchasing goods and services, hiring employees, evaluating employees, accounting for vacation/sick leave, and safeguarding property and equipment. Thus, all organisations should have appropriate goals and objectives, policies and procedures, and internal controls for these activities.
2.2.2 Identify Risks after Determining Goals
Risk assessment is the identification and analysis of risks associated with the achievement of operations, financial reporting, and compliance goals and objectives.
This, in turn, forms a basis for determining how those risks should be managed.
Who is responsible?
To properly manage their operations, managers need to determine the level of operations, financial and compliance risk they are willing to assume. Risk assessment is one of management’s responsibilities and enables management to act proactively in reducing unwanted surprises. Failure to consciously manage these risks can result in a lack of confidence that operations, financial and compliance goals will be achieved.
A risk is anything that could jeopardize the achievement of an objective. For each of the department’s objectives, risks should be identified. Asking the following questions helps to identify risks:
- What could go wrong?
- How could we fail?
- What must go right for us to succeed?
- Where are we vulnerable?
- What assets do we need to protect?
- Do we have liquid assets or assets with alternative uses?
- How could someone steal from the department?
- How could someone disrupt our operations?
- How do we know whether we are achieving our objectives?
- On what information do we mostly rely? On what do we spend the most money?
- How do we bill and collect our revenue?
- What decisions require the most judgment?
- What activities are most complex?
- What activities are regulated?
- What is our greatest legal exposure?
It is important that risk identification be comprehensive, at organisational level and at the activity or process level, for operations, financial reporting, and compliance objectives. Both external and internal risk factors need to be considered. Usually, several risks can be identified for each objective.
2.2.3 Risk Analysis
After risks have been identified, a risk analysis should be performed to prioritize those risks:
- Assess the likelihood (or frequency) of the risk occurring.
- Estimate the potential impact if the risk were to occur; consider both quantitative and qualitative costs.
- Determine how the risk should be managed; decide what actions are necessary.
Prioritizing helps organisations focus their attention on managing significant risks (i.e., risks with reasonable likelihood of occurrence and large potential impacts).
2.2.4 Risk Assessment Tips
Listed below are tips to guide an organisation through its risk assessment:
- Make sure the organisation has a mission statement and written goals and objectives.
- Assess risks at the department level.
- Assess risks at the activity (or process) level.
- Complete a Business Controls Worksheet for each significant activity (or process) in the department; prioritize those activities (or processes) which are most critical to the success of the department and those activities (or processes) which could be improved the most.
- Make sure that all risks identified at the department level are addressed in the Business
2.3 Control Activities
Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.
2.3.1 Internal control responsibility
In the same way that managers are primarily responsible for identifying the financial and compliance risks for their operations, they also have line responsibility for designing, implementing and monitoring their internal control system.
2.3.2 Types of Internal Controls
Controls can be either preventive or detective. The intent of these controls is different.
Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are segregation of duties, proper authorization, adequate documentation, and physical control over assets.
Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventory counts, and audits.
Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
However, detective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses.
2.3.3 Examples of internal controls
Control activities include approvals, authorizations, verifications, reconciliations, review of performance, security of assets and segregation of duties.
(a) Approvals (Preventive)
One of the important control activities is authorization/approval. Authorization is the delegation of authority; it may be general or specific. Giving a company permission to expend funds from an approved budget is an example of general authorization. Specific authorization relates to individual transactions; it requires the signature or electronic approval of a transaction by a person with approval authority. Approval of a transaction means that the approver has reviewed the supporting documentation and is satisfied that the transaction is appropriate, accurate and complies with applicable laws, regulations, policies, and procedures.
Approvers should review supporting documentation, question unusual items, and make sure that the necessary information is present to justify the transaction before they sign it. Signing blank forms should never be allowed.
Approval authority may be linked to specific Kwacha levels. Transactions that exceed the specified Kwacha level would require approval at a higher level. Under no circumstance should an approver authorize someone else to sign the approver’s name on the approver’s behalf.
Similarly, under no circumstance should an approver with electronic approval authority share his password with another person. To ensure proper segregation of duties, the person initiating a transaction should not be the person who approves the transaction. A company’s approval levels should be specified in a company policies and procedures manual.
(b) Reconciliations (Detective)
Broadly defined, reconciliation is a comparison of different sets of data to one another, identifying and investigating differences, and taking corrective action, when necessary, to resolve differences. Reconciling monthly financial reports from the Accounting Department (e.g., Statement of Accounts, Ledger Sheets, etc.) to file copies of supporting documentation or departmental accounting records is an example of reconciling one set of data to another. This control activity helps to ensure the accuracy and completeness of transactions that have been charged to a department’s accounts. To ensure proper segregation of duties, the person who approves transactions or handles cash receipts should not be the person who performs the reconciliation. Another example of reconciliation is comparing vacation and sick leave balances per departmental records to vacation and sick leave balances per the payroll system.
A critical element of the reconciliation process is to resolve differences. It does no good to note differences and do nothing about them. Differences should be identified, investigated, and explained, and corrective action must be taken. If expenditure is incorrectly charged to a department’s accounts, then the approver should request a correcting journal entry; the reconciler should ascertain that the correcting journal entry was posted. Reconciliations should be documented and approved by management.
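The following is an added example, not code from the chapter: it reconciles a monthly Statement of Accounts against a department's own records, lists every difference by type, and tracks whether each difference has been explained and corrected, so that noted-but-unresolved items stay visible. All references and amounts are constructed for illustration.

```python
"""Added example, not from the chapter: reconciling a monthly Statement of
Accounts from the Accounting Department to the department's own records,
then tracking whether each difference was explained and corrected.
All references and amounts below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Difference:
    reference: str
    kind: str                      # amount_mismatch | missing_in_statement | missing_in_department
    statement_amount: Optional[float]
    department_amount: Optional[float]
    explanation: str = ""
    corrected: bool = False        # True once the correcting entry is confirmed posted


def reconcile(statement, department, tolerance=0.005):
    """Compare two sets of charges keyed by reference number.
    Returns the differences to investigate; an empty list means the sets agree."""
    diffs = []
    for ref in sorted(set(statement) | set(department)):
        s_amt, d_amt = statement.get(ref), department.get(ref)
        if s_amt is None:
            diffs.append(Difference(ref, "missing_in_statement", None, d_amt))
        elif d_amt is None:
            diffs.append(Difference(ref, "missing_in_department", s_amt, None))
        elif abs(s_amt - d_amt) > tolerance:      # tolerance only absorbs rounding
            diffs.append(Difference(ref, "amount_mismatch", s_amt, d_amt))
    return diffs


def resolve(diff, explanation, correcting_entry_posted):
    """Record the investigation outcome. Noting a difference without a
    posted correcting entry leaves it open."""
    diff.explanation = explanation
    diff.corrected = correcting_entry_posted
    return diff


def open_items(diffs):
    """Differences still awaiting a posted correcting journal entry."""
    return [d for d in diffs if not d.corrected]


def net_difference(diffs):
    """Statement minus departmental amounts over the open items (unexplained variance)."""
    return round(sum((d.statement_amount or 0.0) - (d.department_amount or 0.0)
                     for d in open_items(diffs)), 2)


# Constructed sample: three charges on the statement, three in the department's file.
STATEMENT = {"JV-1001": 1500.00, "JV-1002": 275.50, "JV-1004": 980.00}
DEPARTMENT = {"JV-1001": 1500.00, "JV-1002": 257.50, "JV-1003": 120.00}

if __name__ == "__main__":
    diffs = reconcile(STATEMENT, DEPARTMENT)
    for d in diffs:
        print(d.reference, d.kind, d.statement_amount, d.department_amount)
    resolve(diffs[0], "transposed digits in departmental record; record corrected", True)
    print("open items:", [d.reference for d in open_items(diffs)])
    print("unexplained variance:", net_difference(diffs))
```

The reconciler runs `reconcile`, investigates each item, and records the outcome with `resolve`; `open_items` is what management reviews and approves, and it only empties once every correcting entry has actually been posted.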
(c) Reviews (Detective)
Reviewing reports, statements, reconciliations, and other information by management is an important control activity; management should review such information for consistency and reasonableness. Reviews of performance provide a basis for detecting problems. Management should compare information about current performance to budgets, forecasts, prior periods or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions which require follow-up. Management’s review of reports, statements, reconciliations, and other information should be documented as well as the resolution of items noted for follow-up.
(d) Physical asset security (Preventive and Detective)
Liquid assets, assets with alternative uses, dangerous assets, vital documents, critical systems, and confidential information must be safeguarded against unauthorized acquisition, use, or disposition. Typically, access controls are the best way to safeguard these assets. Examples of access controls are as follows: locked door, key pad systems, card key system, badge system, locked filing cabinet, guard, terminal lock, computer password, menu protection, automatic callback for remote access, smart card, and data encryption.
Departments with capital assets or significant inventories should establish perpetual inventory control over these items by recording purchases and issuances. Periodically, the items should be physically counted by a person who is independent of the purchase, authorization and asset custody functions, and the counts should be compared to balances per the perpetual records.
Missing items should be investigated, resolved, and analyzed for possible control deficiencies; perpetual records should be adjusted to physical counts if missing items are not located.
(e) Segregation of duties (Preventive and Detective)
No one person should initiate the transaction, approve the transaction, record the transaction, reconcile balances, handle assets and review reports.
Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions. In general, the approval function, the accounting/reconciling function, and the asset custody function should be separated among employees. When these functions cannot be separated, due to small department size, a detailed supervisory review of related activities is required as a compensating control activity. Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act.
Specific examples of segregation of duties are as follows:
- The person who requisitions the purchase of goods or services should not be the person who approves the purchase.
- The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.
- The person who approves the purchase of goods or services should not be able to obtain custody of checks.
- The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.
- The person who opens the mail and prepares a listing of checks received should not be the person who makes the deposit.
- The person who opens the mail and prepares a listing of checks received should not be the person who maintains the accounts receivable records.
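The following is an added example, not code from the chapter: it encodes the six incompatible-duty pairs listed above as a table, checks a department's duty roster against that table, checks individual transactions for the initiator-also-approves case, and reports whether a small department's conflicts are covered by the compensating supervisory review the text describes. Duty names, the people and the roster are constructed for illustration.

```python
"""Added example, not from the chapter: checking a department's duty assignments
against the incompatible pairs listed above, and checking individual transactions
for the initiator-also-approves case. Duty names, the people and the assignment
table are constructed for illustration."""
from itertools import combinations

# Duties one person should not hold together (the six pairs listed above).
INCOMPATIBLE = {
    frozenset({"requisition_purchase", "approve_purchase"}),
    frozenset({"approve_purchase", "reconcile_reports"}),
    frozenset({"approve_purchase", "check_custody"}),
    frozenset({"reconcile_reports", "check_custody"}),
    frozenset({"list_mailed_checks", "make_deposit"}),
    frozenset({"list_mailed_checks", "receivables_records"}),
}


def sod_violations(assignments):
    """assignments: {person: set of duties}. Returns sorted (person, duty_a, duty_b)
    for every incompatible pair held by one person."""
    found = []
    for person, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                found.append((person, a, b))
    return sorted(found)


def transaction_violations(events):
    """events: (reference, person, action) with action 'initiate' or 'approve'.
    Returns the references where the initiator also approved."""
    actors = {}
    for ref, person, action in events:
        actors.setdefault(ref, {}).setdefault(action, set()).add(person)
    return sorted(ref for ref, acts in actors.items()
                  if acts.get("initiate", set()) & acts.get("approve", set()))


def assess(assignments, supervisory_review_documented=False):
    """'segregated' when there are no conflicts; a department that cannot separate
    duties is 'compensated' only if a detailed supervisory review is in place."""
    if not sod_violations(assignments):
        return "segregated"
    return "compensated" if supervisory_review_documented else "deficient"


# Constructed duty roster for a four-person department.
ASSIGNMENTS = {
    "clerk_a": {"requisition_purchase", "check_custody"},
    "manager": {"approve_purchase", "reconcile_reports"},
    "cashier": {"list_mailed_checks", "make_deposit", "receivables_records"},
    "accountant": {"reconcile_reports"},
}
# Constructed transaction log: PO-2202 was initiated and approved by the same person.
EVENTS = [
    ("PO-2201", "clerk_a", "initiate"), ("PO-2201", "manager", "approve"),
    ("PO-2202", "manager", "initiate"), ("PO-2202", "manager", "approve"),
]

if __name__ == "__main__":
    for person, a, b in sod_violations(ASSIGNMENTS):
        print(f"{person}: holds both '{a}' and '{b}'")
    print("initiator approved own transaction:", transaction_violations(EVENTS))
    print("overall:", assess(ASSIGNMENTS))
```

The roster check is what a manager reviews when duties are assigned; the transaction check is the detective side, run over the approval log after the fact to catch cases where the roster was bypassed.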
2.4 Information and Communication
Information and communication are essential to effecting control; information about an organization’s plans, control environment, risks, control activities, and performance must be communicated up, down, and across an organization. Reliable and relevant information from both internal and external sources must be identified, captured, processed, and communicated to the people who need it, in a form and timeframe that is useful. Information systems produce reports, containing operational, financial, and compliance-related information, that make it possible to run and control an organization.
Information and communication systems can be formal or informal. Formal information and communication systems, which range from sophisticated computer technology to simple staff meetings, should provide input and feedback data relative to operations, financial reporting, and compliance objectives; such systems are vital to an organization’s success. Just the same, informal conversations with faculty, students, customers, suppliers, regulators, and employees often provide some of the most critical information needed to identify risks and opportunities.
When assessing internal control over a significant activity (or process), the key questions to ask about information and communication are as follows:
- Does our company get the information it needs from internal and external sources in a form and timeframe that is useful?
- Does our company get information that alerts it to internal or external risks (e.g., legislative and regulatory developments)?
- Does our company get information that measures its performance, information that tells the company whether it is achieving its operations, financial reporting, and compliance objectives?
- Does our company identify, capture, process, and communicate the information that others need (e.g., information used by our customers or other companies), in a form and timeframe that is useful?
- Does our company provide information to others that alerts them to internal or external risks?
- Does our company communicate effectively, internally and externally?
Information and communication are simple concepts. Nevertheless, communicating with people and getting information to people in a form and timeframe that is useful to them is a constant challenge. When completing a Business Controls Worksheet for a significant activity (or process) in a department, evaluate the quality of related information and communication systems.
2.5 Monitoring
Monitoring is the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities and by separate evaluations of internal control such as self-assessments, peer reviews, and internal audits.
The purpose of monitoring is to determine whether internal control is adequately designed, properly executed, and effective. Internal control is adequately designed and properly executed if all five internal control components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) are present and functioning as designed. Internal control is effective if management and interested stakeholders have reasonable assurance that:
- They understand the extent to which operations objectives are being achieved.
- Published financial statements are being prepared reliably.
- Applicable laws and regulations are being complied with.
While internal control is a process, its effectiveness is an assessment of the condition of the process at one or more points in time.
Just as control activities help to ensure that actions to manage risks are carried out, monitoring helps to ensure that control activities and other planned actions to effect internal control are carried out properly and in a timely manner and that the end result is effective internal control.
Ongoing monitoring activities include various management and supervisory activities that evaluate and improve the design, execution, and effectiveness of internal control. Separate evaluations, on the other hand, such as self-assessments and internal audits, are periodic evaluations of internal control components resulting in a formal report on internal control.
Company employees perform self-assessments; internal auditors who provide an independent appraisal of internal control perform internal audits.
Management’s role in the internal control system is critical to its effectiveness. Managers, like auditors, don’t have to look at every single piece of information to determine that the controls are functioning and should focus their monitoring activities in high-risk areas.
The use of spot checks of transactions or basic sampling techniques can provide a reasonable level of confidence that the controls are functioning as intended.
The importance of internal control and risk management
- A company’s system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives. A sound system of internal control contributes to safeguarding the shareholders’ investment and the company’s assets.
- Internal control facilitates the effectiveness and efficiency of operations, helps ensure the reliability of internal and external reporting and assists compliance with laws and regulations.
- Effective financial controls, including the maintenance of proper accounting records, are an important element of internal control. They help ensure that the company is not unnecessarily exposed to avoidable financial risks and that financial information used within the business and for publication is reliable. They also contribute to the safeguarding of assets, including the prevention and detection of fraud.
3. Internal Controls of Information Systems
Employees use a variety of information systems: mainframe computers, local area and wide area networks of minicomputers and personal computers, single-user workstations and personal computers, telephone systems, video conference systems, etc. The need for internal control over these systems depends on the criticality and confidentiality of the information and the complexity of the applications that reside on the systems. There are basically two categories of controls over information systems, general controls and application controls.
3.1 General Controls
General controls apply to entire information systems and to all the applications that reside on the systems.
General Controls Include:
- Access Security, Data & Program Security, Physical Security
- Software Development & Program Change Controls
- Data Center Operations
- Disaster Recovery
General controls consist of practices designed to maintain the integrity and availability of information processing functions, networks, and associated application systems. These controls apply to business application processing in computer centers by ensuring complete and accurate processing. These controls ensure that correct data files are processed, processing diagnostics and errors are noted and resolved, applications and functions are processed according to established schedules, file backups are taken at appropriate intervals, recovery procedures for processing failures are established, software development and change control procedures are consistently applied, and actions of computer operators and system administrators are reviewed.
Additionally, these controls ensure that physical security and environmental measures are taken to reduce the risk of sabotage, vandalism and destruction of networks and computer processing centers.
Finally, these controls ensure the adoption of disaster planning to guide the successful recovery and continuity of networks and computer processing in the event of a disaster.
3.2 Application Controls
Applications are the computer programs and processes, including manual processes, that enable us to conduct essential activities: buying products, paying people, accounting for research costs, and forecasting and monitoring budgets.
Application controls apply to computer application systems and include input controls (e.g., edit checks), processing controls (e.g., record counts), and output controls (e.g., error listings); they are specific to individual applications.
Application controls include programmed procedures within application software and consist of:
- Input Controls (Data Entry), including error notification and correction
- Processing Controls
- Output Controls
They consist of the mechanisms in place over each separate computer system that ensure that authorized data is completely and accurately processed. They are designed to prevent, detect, and correct errors and irregularities as transactions flow through the business system. They ensure that the transactions and programs are secured, the systems can resume processing after a business interruption, all transactions are corrected and accounted for when errors occur, and the system processes data in an efficient manner.
Electronic Data Interchange, Voice Response, and Expert Systems are types of applications that may require certain controls in addition to general application controls. When a company decides to purchase or develop an application, company personnel must ensure the application includes adequate application controls: (1) input controls, (2) processing controls, and (3) output controls.
Input controls ensure the complete and accurate recording of authorized transactions by only authorized users; identify rejected, suspended, and duplicate items; and ensure resubmission of rejected and suspended items. Examples of input controls are error listings, field checks, limit checks, self-checking digits, sequence checks, validity checks, key verification, matching, and completeness checks.
Processing controls ensure the complete and accurate processing of authorized transactions. Examples of processing controls are run-to-run control totals, posting checks, end-of-file procedures, concurrency controls, control files, and audit trails.
Output controls ensure that a complete and accurate audit trail of the results of processing is reported to appropriate individuals for review. Examples of output controls are listings of master file changes, error listings, distribution registers, and reviews of output.
If a company has applications that are critical to its success, then company personnel must ensure that application controls reduce input, processing, and output risks to reasonable levels.
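The following is an added example, not code from the chapter: a small batch-input routine that applies the input controls named above (completeness check, field check, limit check, validity check, self-checking digit, sequence check), a run-to-run control total as the processing control, and an error listing as the output control, over a constructed batch of expenditure records. The record layout, the account master list, the approval limit and the batch are all constructed; the chapter names no particular check-digit algorithm, so the Luhn mod-10 scheme is an assumed choice here.

```python
"""Added example, not from the chapter: a batch-input routine that applies the
input, processing and output controls named above to constructed records.
The record layout, master account list, approval limit and batch data are
all constructed; the self-checking digit uses the Luhn mod-10 scheme, which is
an assumed choice since the chapter names no specific algorithm."""

VALID_ACCOUNTS = {"6100", "6200", "7300"}     # validity check: account master (constructed)
APPROVAL_LIMIT = 50_000.0                      # limit check: maximum single amount (constructed)
REQUIRED = ("doc_no", "account", "amount", "vendor_id")


def luhn_ok(number):
    """Self-checking digit: the number passes the Luhn mod-10 test."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(rec):
    """Input controls on one record: completeness, field, limit, validity and
    check-digit. Returns the list of error codes (empty means accepted)."""
    missing = [f for f in REQUIRED if not rec.get(f)]
    if missing:                                         # completeness check
        return ["COMPLETENESS:" + ",".join(missing)]
    try:
        amount = float(rec["amount"])                   # field check (numeric)
    except ValueError:
        return ["FIELD:amount_not_numeric"]
    errors = []
    if amount <= 0 or amount > APPROVAL_LIMIT:          # limit check
        errors.append("LIMIT:amount")
    if rec["account"] not in VALID_ACCOUNTS:            # validity check
        errors.append("VALIDITY:account")
    if not luhn_ok(rec["vendor_id"]):                   # self-checking digit
        errors.append("CHECKDIGIT:vendor_id")
    return errors


def sequence_errors(records):
    """Sequence check over document numbers: flags duplicates and gaps."""
    errs, prev = [], None
    for rec in records:
        n = int(rec["doc_no"])
        if prev is not None and n == prev:
            errs.append(f"{n} SEQUENCE:duplicate")
        elif prev is not None and n != prev + 1:
            errs.append(f"{n} SEQUENCE:gap_after_{prev}")
        prev = n
    return errs


def process_batch(records, batch_total):
    """Applies edit checks, posts accepted records, compares the run-to-run
    control total, and builds the error listing that goes out for review."""
    listing, posted, rejected, keyed_total = [], 0.0, [], 0.0
    for rec in records:
        try:
            keyed_total += float(rec.get("amount") or 0)   # total of everything keyed in
        except ValueError:
            pass
        errs = edit_checks(rec)
        if errs:
            rejected.append(rec.get("doc_no", "?"))
            listing.extend(f"{rec.get('doc_no', '?')} {e}" for e in errs)
        else:
            posted += float(rec["amount"])
    listing.extend(sequence_errors([r for r in records if str(r.get("doc_no", "")).isdigit()]))
    control_ok = abs(keyed_total - batch_total) <= 0.005   # run-to-run control total
    if not control_ok:
        listing.append(f"BATCH CONTROL_TOTAL:keyed {keyed_total:.2f} vs header {batch_total:.2f}")
    return {"posted": round(posted, 2), "rejected": rejected,
            "errors": listing, "control_total_ok": control_ok}


# Constructed batch: one clean record and five that each trip a different control.
BATCH = [
    {"doc_no": "1001", "account": "6100", "amount": "1200.00", "vendor_id": "79927398713"},
    {"doc_no": "1002", "account": "6200", "amount": "65000.00", "vendor_id": "79927398713"},  # over limit
    {"doc_no": "1002", "account": "9999", "amount": "300.00", "vendor_id": "79927398713"},    # duplicate, bad account
    {"doc_no": "1004", "account": "7300", "amount": "abc", "vendor_id": "79927398713"},       # non-numeric
    {"doc_no": "1005", "account": "7300", "amount": "450.00", "vendor_id": "79927398710"},    # bad check digit
    {"doc_no": "1006", "account": "6100", "amount": "", "vendor_id": "79927398713"},          # incomplete
]
BATCH_TOTAL = 66950.00   # control total from the batch header, as keyed by the clerk

if __name__ == "__main__":
    result = process_batch(BATCH, BATCH_TOTAL)
    print("posted:", result["posted"], "control total ok:", result["control_total_ok"])
    for line in result["errors"]:
        print("ERROR", line)
```

Rejected items remain on the error listing until they are corrected and resubmitted, which is the resubmission requirement described above; the control-total comparison is what catches a record that was lost or mis-keyed between the batch header and the records actually entered.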
3.3 Application Controls: End User Computing
Twenty years ago, an information systems professional was needed to operate a computer.
Today company personnel can obtain and use information on the computer themselves. Some of the common applications used by companies are word processing, desktop publishing, spreadsheets, database management systems, graphics programs, electronic mail, project management, scheduling software, and mainframe-based query systems that are used to generate reports. In addition to computer applications, companies use other information systems applications such as voice mail and video conferencing.
Advancing technology enables departments to purchase or develop information systems and applications, shifting certain general control responsibilities from the centralized information systems department to end-user departments. This often happens in the move from the mainframe to a client-server environment.
The end-user department becomes responsible for segregation of duties within the company’s information systems environment, backup and recovery procedures, program development and documentation controls, hardware controls, and access controls. If a company has end-user information systems that are critical to its success, then company personnel must ensure that application and general controls reduce information systems risks to reasonable levels.
4. Inherent limitations of internal controls
It is important to learn that internal controls have certain limitations. The limitations include:
- Cost v benefit. The cost of establishing a system of internal control may be greater than the benefits. To take a ridiculous example, it’s very unlikely that anyone is going to establish a system of internal control over the issue of paperclips or envelopes. The amount of management time taken up with authorizing trivial amounts of expenditure simply makes it uneconomic. At some stage, however, the benefits may outweigh the costs; when it comes to photocopying, for example, many organizations do have some sort of authorization, or at least an accounting system, to track who uses most of the photocopying resource.
- Human error. For example, one person makes out an invoice using the wrong selling price and another one checks it and doesn’t see the error; this is always a possibility, even in the best regulated circumstances.
- Collusion. Where two or more people cooperate to get around the internal control system, the collusion might be to carry out a fraud or it might be to cover up some error that was made. The more segregated duties are, the more people it would take to collude to carry out an entire transaction.
- Bypass of controls. Say someone has forgotten to order a vital piece of equipment and, to speed matters up, instead of getting the proper authorization for the purchase, they issue the purchase order without that authorization. They are bypassing the controls: it may be done with the best possible intentions, but if bypass of controls becomes too common, essentially the controls are not operating.
- Non-routine transactions. These are transactions that are so rare that no system of internal control has been devised. An example can be the disposal of fixed assets. Many fixed assets are scrapped when they are disposed of, and to establish a system of internal control might not have been thought worthwhile. However, occasionally a fixed asset with a substantial value might be disposed of, and if there is no system for getting the right price and for ensuring that the proceeds come to the organization, then there is a possibility that those transactions are not properly recorded.
End of chapter questions
Define a system of internal controls. 3 Marks
State four components of internal controls and give relevant examples 5 Marks
Explain any four limitations of internal controls. 4 Marks