The purpose of this article is to provide an overview of internal control, with particular emphasis on topics relevant to Part C of the
F1/FAB/FBT syllabus. The article will focus on the following learning objectives, as set out in section C6 of the study guide:
The article will also describe the roles of internal audit and internal audit testing, relevant to section C2(e) and (f) of the study guide.
‘The policies, processes, tasks, behaviours and other aspects of an organisation that taken together:
Facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational, financial,
compliance and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that liabilities are identified and
managed.
Ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and processes that
generate a flow of timely, relevant and reliable information from both internal and external sources.
Ensure compliance with applicable laws and regulations and also with internal policies.’
Turnbull’s explanation focuses on the positive role that internal control has to play in an organisation. Facilitating efficient operations
implies improvement, and, properly applied, internal control processes add value to an organisation by considering outcomes against
original plans and then proposing ways in which any differences might be addressed.
At the same time, Turnbull also conceded that there is no such thing as a perfect internal control system, as all organisations operate in
a dynamic environment: just as some risks recede into insignificance, new risks will emerge, some of which will be difficult or impossible
to anticipate. The purpose of any control system should therefore be to provide reasonable assurance that the organisation can meet
its objectives.
Safeguarding assets:
Controls should be in place to ensure that assets are deployed for their proper purposes, and are not vulnerable to misuse or theft. A
comprehensive approach to this objective should consider all assets, including both tangible and intangible assets.
As organisations grow, the need for internal controls increases, as the degree of specialisation increases and it becomes impossible to
remain fully aware of what is going on in every part of the business.
In a limited company, the board of directors is responsible for ensuring that appropriate internal controls are in place. Their
accountability is to the shareholders, as the directors act as their agents. In turn, the directors may consider it prudent to establish a
dedicated internal control function. The point at which this decision is taken will depend on the extent to which the benefits of the function
will outweigh the costs.
The directors must pay due attention to the control environment. If internal controls are to be effective, it is necessary to create an
appropriate culture and embed a commitment to robust controls throughout the organisation.
Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of circumstances. These are widely used to prevent breaches of laws
or policy, as well as to minimise risks relating to health and safety. Voluntary controls are applied according to the judgement of the
organisation and its managers.
Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or judgement of risks in given circumstances. Non-discretionary
controls must be applied.
Manual or automated:
Manual controls are applied by the individual employee whereas automated controls are programmed into the systems of the
organisation. Some systems combine the two: for example, when deciding on whether a customer should be permitted days on hand for
payment, there could be an automated ‘accept’ above a specified credit rating or ‘decline’ below a specified credit rating, and an
intermediate range in which a manager may be able to override the automated system.
Segregation of duties:
To minimise the risk of errors and fraud, duties associated with cash handling are often segregated. For example, in the post room of a
company that receives cash by post, the employee recording the cash will be a different person to the one who opens the post.
Segregation is also relevant to other functions. At executive level, it is now best practice to segregate the roles of chairman and chief
executive officer, and as an independent assurance function, internal audit should be totally segregated from the finance department,
with a reporting line direct to the board of directors or the audit committee.
Management controls:
These controls are operated by managers themselves. An example is variance analysis, through which a manager may be required as
part of their job to consider differences between planned outcomes and actual performance. Performance management of subordinates
is also an integral part of many managerial positions. Further down the chain of command, supervision controls are exercised in
respect of day-to-day transactions. Organisation controls operate according to the configuration of the organisation chart and line/staff
responsibilities.
Arithmetic and accounting controls:
These controls are in place to ensure accurate recording and processing of transactions. Procedures here include reconciliations and
trial balances.
Internal check
Internal check is a system through which the accounting procedures of an organisation are so laid out that the accounts procedures are
not under the absolute and independent control of any person. The work of one employee is complementary to that of another, enabling
a continuous audit of the business to be made.
By allocating duties in this way, no one person has exclusive control over any transaction.
Internal audit
Definition and purposes of internal audit:
Internal audit may be defined as an independent appraisal function established within an organisation to examine and evaluate its
activities as a service to the organisation.
Internal audit supports management in the effective discharge of their responsibilities. To this end, internal audit furnishes management
with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed.
Internal audit testing is the internal assessment of internal controls and as such is a management control to ensure compliance and
conformity of internal controls to pre-determined standards.
Key risks:
Internal audit reviews and reports on internal controls in relation to key risks affecting the organisation. The objective here should be to
test the extent to which the controls will control the risk if it crystallises. The conclusions of these reports should enable management to
reconsider the controls and modify or redesign them if appropriate.
Financial and operating information:
Internal audit may examine this information in order to ensure it is accurate, fit for purpose and timely. Tests may be applied to
determine whether information is correctly measured and therefore suitable as a basis for informing management and external
stakeholders.
Compliance:
Increasingly, organisations have to implement performance standards in relation to compliance. This may be to satisfy the demands of
external regulators, or to operate to pre-determined internal standards. Internal audit should review operations for compliance with such
standards. In this respect, the work of internal auditors is broadening, as organisations increasingly pursue compliance not only with
industry standards for products and service provision, but also with criteria relevant to environmental standards.
Types of audit
In the course of their duties, internal auditors may carry out various types of audit. These include the following:
Operational audits may be concerned with the efficiency of the organisation’s activities. They consider performance relative to
pre-determined criteria.
Systems audits are used to test and evaluate controls as described in the last section. They test whether the controls can be relied
upon to ensure that resources are allocated and managed effectively. They also test whether the information provided by the
organisation’s systems is accurate.
Compliance tests verify whether internal controls are being applied in a proper manner. Substantive tests verify the accuracy of
figures, and can be used to identify errors and omissions.
A transactions or probity audit is concerned with detecting fraud and other types of criminal or unlawful behaviour. However, it can
also be extended to matters relating to fairness of dealings, impartiality, accountability and transparency, sometimes considered to be
within the scope of social audit. Generally, social audit may be concerned with any matters relating to governance.