UNIT 6.

INTERNAL CONTROL AND GOVERNANCE

Introduction

Internal controls are the practical aspects of corporate governance. They are the
policies and procedures that a firm uses to ensure compliance with its own moral code. The
goals of internal corporate governance controls typically include safeguarding assets,
minimizing errors, promoting efficiency, minimizing risk, preventive, and detective. Unit 6 in
this module covers the topic on the necessity for internal control, internal control
responsibilities of the board and management, and the internal and external audit.

Unit Learning Objectives

By the end of this unit, the students should be to:

1. present the value of internal control and where it is employed in corporate
governance; and
2. prepare a basic compliance report on internal control.

Timing
For this unit, you are suggested to allocate 15 hours of your available time for this
course.

6.1. NECESSITY FOR INTERNAL CONTROL

Concept of Internal Control
The possibility of misappropriation of company assets and fraudulent behavior
among people in the organization is still considered as a problem are in corporate
governance. Even the trustworthiness of corporate financial statements can become an
issue. There is no sure guarantee that people in the company will not perform any unethical
nor illegal acts. The temptation to satisfy personal gains at the expense of the company and
its stakeholders is always there. This challenge has been existing for decades and remedies
have been contemplated, created, and are being enforced to address this malignant scourge
in the business community. This is where internal control comes in. With changes
happening in the business environment, it is possible that internal control standards have
to be reviewed if they need to be improved.
Internal control can be applied on the use of our resources; work procedures;
disbursement of funds; acquisition of assets; disposal of assets; preparation of financial
reports; quality standards for inputs and outputs; access and use of company data, and
many more.
Our governance code defines internal control as “ a process designed and effected
by the board of directors, senior management, and all levels of personnel to provide
reasonable assurance on the achievement of objectives through efficient and
effective operations; reliable, complete and timely financial and management
information; and compliance with applicable laws, regulations, and the
organization’s policies and procedures.”
The code further stressed out its value as stated in Principle 12 which says “To
ensure the integrity, transparency and proper governance in the conduct of its affairs,
the company should have a strong and effective internal control system and enterprise
risk management framework.”

47
 According to a March 2020 article in accountingtools.com, the components of an
internal control system are as follows:
Control environment. This is the attitude of management and their employees
regarding the need for internal controls. If the controls are taken
seriously, this greatly enhances the robustness of the system of internal
control.
Risk assessment. This is the process of reviewing the business to see where the
most critical risks lie, and then designing controls to address those risks.
This assessment must be conducted on a regular basis, to take into
account any new risks introduced by changes in the business.
Control activities. This is the use of accounting systems, information
technology, and other resources to ensure that appropriate controls are
put in place and operating properly. For example, there may be
accounting systems in place to periodically conduct inventory audits and
fixed asset audits. In addition, there may be off-site backups to minimize
the risk of lost data.
Information and communication. Information about controls should be
communicated to management in a timely manner, so that shortfalls can
be addressed promptly. The amount of information communicated should
be appropriate to the needs of the recipient.
Monitoring. This is the set of processes used by management to examine and
assess whether its internal controls are functioning properly. Ideally,
management should be able to spot control failures and make
adjustments to improve the control environment. Otherwise, an improper
or ineffective control may allow misstatements to pass through into the
financial statements.
(Downloaded on June 24, 2020 from
https://www.accountingtools.com/articles/components-of-an-internal-
control-system.html)
6.2. Internal control responsibilities of the Board of Directors
How can companies conform to this standard?
Our governance code provides us with standards for internal control. They are:
(Rec 3.2) The Board should establish an Audit Committee to enhance its
oversight capability over the company’s financial reporting, internal control system,
internal and external audit processes, and compliance with applicable laws and
regulations. This provision emphasizes the need for an audit committee than can, among
others, assists in enforcement of internal control in the company.
This provision also empowers the committee to perform certain functions such as
make recommendations on internal audit standards and procedures as well as monitor and
evaluate the adequacy and effectiveness of the corporation’s internal control system,
integrity of financial reporting, and security of physical and information assets, among
others.
(Principle 8) The company should establish corporate disclosure policies and
procedures that are practical and in accordance with best practices and regulatory
expectations. Disclosure allow the generation of needed information that will help the
company determine irregularities that need to be avoided. This rule is further supported by
the following recommendations:
(Rec 8.2) The Company should have a policy requiring all directors and
officers to disclose/report to the company any dealings in the company’s
48
 shares within three business days. A director or officer will be required to report
if he has acquired additional shares or sold his shares in the company within the
last three business days.
(Rec 8.3) The Board should fully disclose all relevant and material
information on individual board members and key executives to evaluate their
experience and qualifications, and assess any potential conflicts of interest that
might affect their judgment. The board must provide relevant information about
individual directors and key corporate officers or make such information accessible
to help determine the existence of possible conflicts of interest that may influence
their actions and decisions as directors or officers of the company.
(Rec 8.5) The company should disclose its policies governing Related
Party Transactions (RPTs) and other unusual or infrequently occurring
transactions in their
Manual on Corporate Governance. …. The disclosure rules should also include
related party transactions as this kind of transactions are usually prone to possible
corruption and abuse controversies.
(Rec 12.1) The Company should have an adequate and effective internal control
system and an enterprise risk management framework in the conduct of its business,
taking into account its size, risk profile and complexity of operations.
The code explains that an effective internal control system embodies
management oversight and control culture; risk recognition and assessment; control
activities; information and communication; monitoring activities and correcting
deficiencies.
Here are some noted examples of internal controls from the blog of Accounting
Solutions Partners dated Feb 13, 2020
1. Assigning specific duties to each employee that divides accounting
responsibilities is a basic control system to ensure that the people responsible for
financial reporting are separate from the people tasked with making cash
deposits and asset purchases.
2. Setting permission levels to safeguard data and physical assets is one of the most
routine controls businesses use because they are so easy to implement. In
password-protected areas, secure passwords and two-step authentication
procedures make it difficult for employees to use others’ login credentials.
Additionally, changing passwords frequently enables access controls to remain
steadfast over time.
3. Designating managers to be responsible for transaction authorizations is an
internal control function that funnels purchase decisions through the most
trusted employees. Authorizations may be required for large payments, unusual
expenses, and unexpected cost increases.
4. Auditing is the most widely used internal accounting control. Financial audits like
cash reconciliations are performed regularly to verify that actual balances match
accounting balances. Differences can be analyzed and investigated, where
necessary, to result in accurate financial reports.
5. Assigning specific duties to each employee that divides accounting
responsibilities is a basic control system to ensure that the people responsible
for financial reporting are separate from the people tasked with making cash
deposits and asset purchases.
6. Setting permission levels to safeguard data and physical assets is one of the most
routine controls businesses use because they are so easy to implement. In
password-protected areas, secure passwords and two-step authentication
procedures make it difficult for employees to use others’ login credentials.
Additionally, changing passwords frequently enables access controls to
remain steadfast over time. 49
 7. Designating managers to be responsible for transaction authorizations is an
internal control function that funnels purchase decisions through the most
trusted employees. Authorizations may be required for large payments, unusual
expenses, and unexpected cost increases.
8. Designating managers to be responsible for transaction authorizations is an
internal control function that funnels purchase decisions through the most
trusted employees. Authorizations may be required for large payments, unusual
expenses, and unexpected cost increases.
9. Auditing is the most widely used internal accounting control. Financial audits
like cash reconciliations are performed regularly to verify that actual balances
match accounting balances. Differences can be analyzed and investigated, where
necessary, to result in accurate financial reports.
10. Standardizing financial documents creates consistency, which makes it easier
during the auditing process.
11. Data backups are the most forgotten internal accounting control system.
Because accurate financial data requires technological interaction between
platforms, loss of financial inputs can skew reporting and muddle audits.
(Downloaded on June 27, 2020 from: https://www.asp-nw.com/blog/8-types-of-
internal-control-accounting-systems)

(Rec 12.2) The Company should have in place an independent internal audit
function that provides an independent and objective assurance, and consulting
services designed to add value and improve the company's operations.
The code explains that “a separate internal audit function is essential to
monitor and guide the implementation of company policies. It helps the company
accomplish its objectives by bringing a systematic, disciplined approach to evaluating
and improving the effectiveness of the company’s governance, risk management and
control functions.”

Please see: The Tyco scandal of 2002 and Worldcom Accounting scandal located on
Appendices A and B respectively at the end of this module.

Unit Summary
Effective internal control is considered as an indispensable ingredient in the
successful governance of a company. Its presence allows us effective control over all
important processes, people, and resources that can have influence our operations. The
board of directors is also vested with the responsibility of ensuring that the company will
have an effective internal control system in place to assure the stockholders of the absence
of anomalies in the company. The board can create bodies as well as appoint officers that
will help it in its governance responsibilities.