CHAPTER FIVE

INTERNAL CONTROL

Learning objectives

✓ Give the clear definition of internal control

✓ Describe objectives & purpose of internal control

✓ Explain characteristics of effective Internal control

✓ Identify & describe essential elements of internal control system

✓ Explain the limitation of internal control

✓ Explain how to minimize inherent limitation of internal control;

Introduction

Internal control is an important area of auditing which is an important tool of management.

It assists the management in the performance of its various functions. It means the built in
cross-checks in the system supplemented with proper supervision and internal audit carried
out by the staff appointed by the organisation.

These days business has been become more complex both in nature and size and the
management finds it difficult to get correct information about the various aspects of the
business.

Internal control assures the management that the information supplied to it is reliable and
accurate.

The Internal controls are exercised to ensure the accuracy and the reliability of accounting
data and other records, to identify weaker areas of operation and to improve them to increase
operational efficiency of the business, to safeguard its assets and to ensure orderly conduct of
business.

5.1 Definition of Internal Control

Internal control system has been defined in different ways by different individuals,
accounting & auditing organizations. The American Institute of Public Accountants has
defined internal control as the plan of organization and all the co-ordinate methods, and
measures adopted within an entity to safeguards its assets, check the accuracy and the
reliability of its accounting data, promote operational efficiency and encourage adherence to
prescribed managerial policies. The Institute of Chartered Accountants of England and
Wales defines internal control as internal control means not only internal check or internal

1|11
audit, but the whole system of control financial and otherwise, established by management in
order to carry on the business of the company in an orderly manner, safeguard its assets and
secure as far as possible accuracy and reliability of its records.

According to AICPA Internal control refers to all coordinate methods and measures within
an organization or within a system adopted to safeguard assets, cheek accuracy and reliability
of accounting data, promote op

erational efficiency and encourage adherence to prescribed managerial policy.

Internal Control can also be defined as a process effected by an entity’s board of directors,
management, and other personnel that is designed to provide reasonable assurance regarding
the achievement of organization’s objectives on effectiveness and efficiency of operations,
Reliability of financial reporting, and Compliance with applicable laws and regulations.

We can further define internal control as a set of rules, policies, and procedures an
organization designs & implements to provide reasonable assurance on reliability of financial
reports, effective & efficiency of operation, and compliance of activities with applicable laws
and regulations.

Thus internal control involves sort vigilance and directions over important matters like
budget and finance, purchase and sales and internal administration by the management.

In general, the following basic concepts underline the definition of internal control:

 Internal control is a process. It is a means to an end, not an end itself.

 Internal control is effected by people. It is not merely policy manuals and forms, but
people at every level of an organization.
 Internal control can be expected to provide only reasonable assurance, not absolute
assurance, to an entity’s management and board.
 Internal control is geared to the achievement of objectives in separate but overlapping
categories:
✓ Operations – relating to effective and efficient use of the entity’s resources;
✓ financial reporting – relating to preparation of reliable published financial
statements;
✓ compliance – relating to the entity’s compliance with applicable laws and
regulations;
✓ safeguarding of assets.

2|11
 5.2. Objectives of internal control
Every business enterprise is expected to devise a suitable system of internal control in order
to carry on the business in an efficient and orderly manner. These controls are accounting
control, budgetary control, statistical analysis and internal checks and internal audit. In
simple words, it means number of checks and controls over the various activities of a
business.

Generally, a system of internal control will include all those measures which assist business
enterprises to fulfil the following objectives.

➢ To minimize, if not completely eliminate, wastage and inefficiencies in business

operations and to safeguard the assets of the business.
➢ To ensure high degree of accuracy and reliability of accounting data and promote
operational efficiency.
➢ To measure how far the policies of the management are being implemented, and
➢ To evaluate the efficiency of performance in all aspects of business activities and to
highlight the weaknesses.

5.3 Purpose of Internal Control

The purpose of internal control can be seen from two aspects:

i) The management (client) concern and

ii) The Auditors concern
i) The client concern
The reason organization establishes a system of internal control is to attain objectives
(goals). Generally management has six purposes in setting good system of internal control.
These are: Achieve reliability of accounting records, safeguard assets, increase profitability,
prevent and defeat frauds and errors, prepare financial statements timely, discharge laws,
rules & regulations

ii) Auditors Concern

The generally accepted auditing standard field work standard, number, (3) three states that a
sufficient understanding of internal control is to be obtained to plan the audit and determine
the nature, timing and extent of testes to be performed. Thus, the primary purpose of studying
and evaluating of internal control system by external auditors is to determine the amount of
audit work. It is assumed that good internal control provides more reliable financial data and
statements.

3|11
5.4. Essential requisites of Internal Control System

Competent, trustworthy personnel with clear lines of authority and responsibility

The most important element of any internal control is personnel. If the employees are
component (well trained) and trustworthy (TRUST), some of other elements can be absent
and reliable financial information’s will still result. Specific responsibility for performance
of a given duties must be assigned to specific Individuals. Organizational structure defines
how authority and responsibility are delegated and monitored. It provides a frame work for
planning executing, and monitoring operations.

Segregation of Duties

It is Important for an organization to segregate (separate) the authorization of transactions,

recording of transactions, and custody of the related assets. Independent performance of each
of these functions reduces the opportunity for any one person to be in a position both to
perpetrate and to conceal errors or Irregular in the normal course of his or her duties.
Example: first, if an employee can authorize the sale of marketable securities and has access
to the stock certificates, the assets can be misappropriated.

Second, if an employee receives payment from customers on account and has access to the
accounts receivable subsidiary ledger, it is possible for that employee to misappropriate the
cash and cover the shortage in the accounting records.

There are different guidelines for segregations of duties to prevent both intentional and
unintentional errors and frauds.

a) Separation of the custody of assets from accounting. For example, If one person is
responsible for store keeping (custody of inventory) and maintains inventory records, it is
possible to ship (dispatch) some Items for his /herself and adjust the Inventory balance by
recording a factious transaction.
b) A well-developed plan of organisation with proper delegation of functional
responsibilities should be revised. No internal control system can be effective without
such plan of organisation.
c) Adequate system of authorisation and record procedure should be developed with a view
to provide proper control over assets, liabilities, revenue and expenses of the organisation.
d) It should be developed in such a fashion as to ensure that a) assets are under proper
custody and they are not improperly applied, b) expenditures are incurred on getting
proper authorisation and c) revenues received are duly accounted for.

4|11
e) A system of healthy practices and traditions should be developed with a view to discharge
the duties and functions of the various departments of the organisation smoothly.
f) Since internal control system is to be exercised by the personnel employed in the
organisation, there should be a team of people with sound character and integrity who are
properly trained and capable of discharging their responsibilities.
g) Constant managerial supervision and periodical review of the system should be
introduced with a view to make the system more efficient and effective.

Documentation Procedures

Documents provide evidence that transactions and events have occurred. Several procedures
should be established for documents. first, whenever, possible, document should be pre –
numbered and all documents should be accounted for pre numbering accounting documents
should be promptly forwarded to accounting to help timely recording documents should be
produced in copies, they should be simple to understand, sufficient, and designed for multiple
uses.

Authorization Procedures

Every transaction must be properly authorized. Properly authorization implies that concerned
personnel should authorize (approve) each transactions at each step where transactions
occurs. For example, the authorized person for paying cash is the cashier, for receiving, it is
the store clerk, for permitting the transaction it is the manager etc.

Physical Control over Assets and Records

Physical control relates primarily to safeguard asset from theft, deterioration, spoilage, etc.
Accounting records and securities, (bonds, Debentures, Treasury stocks, cheeks, notes,)
should be in well locked custody. Inventories should be protected by constructing from fire
proof materials, well – ventilated room and locked doors, generally, Safes and vaults are
necessary to store cash before the cash is deposited in a bank. Locked warehouses for
inventories, fencing of the organization, locked storage cabinets for accounting records. etc;
are necessary elements, of physical control.

5|11
Internal verification (Independent Internal Verification or Checking)

This element of internal control refers to the need of Independent checking process. Which
involves, Reviewing, comparison, reconciliation of data, which are prepared by the other
personnel, and the findings (discrepancies) should be corrected.

5.5 Essential Elements of Sound (Effective) Internal Control

Internal control consists of five interrelated components:

1. Control environment;
2. Risk assessment process;
3. The information system, communication, and related business processes;
4. Control procedures;
5. Monitoring of controls.

Control Environment.

The control environment means the overall attitude, awareness, and actions of directors and
management regarding the internal control system and its importance in the entity.
The control environment has a pervasive influence on the way business activities are
structured, the way objectives are established, and the way risks are assessed. The control
environment is influenced by the entity’s history and culture. It influences the control
consciousness of its people. Effectively controlled companies set a positive “tone at the top”
and establish appropriate policies and procedures.
The core of any business is its people—their individual attributes, including integrity, ethical
values, and competence and the environment in which they operate. Some examples include:

❖ Clear lines of authority and accountability that emphasize the importance of internal
controls
❖ A documented code of conduct/ethical standards
❖ A formal budget process and prompt variance analysis
❖ A plan to attract and retain competent personnel
❖ An effective audit committee and internal audit functions
Risk Assessment.

All components of internal control, from control environment to monitoring, should be

assessed for risk. Management assesses risks as part of designing and operating the internal
control system to minimize errors and irregularities. Auditors assess risks to decide the
evidence needed in the audit. The two risk assessment approaches are related in that if

6|11
management effectively assesses and responds to risks, the auditor will typically need to
accumulate less audit evidence than when management fails to, because control risk is lower.

The entity must be aware of and deal with the risks it faces. It must set objectives, integrated
with all activities so that the organization is operating in concert. It also must establish
mechanisms to identify, analyze and manage the related risks. Some examples include:

✓ Clear objectives regarding operating, financial reporting, and law compliance functions
✓ An entity-wide review to assess and evaluate risk.
Control Activities/procedures

Control procedures (sometimes called “control activities”) are policies and procedures that
help ensure management directives are carried out. They help ensure that necessary actions
are taken to address risks to the achievement of the entity’s objectives for operations,
financial reporting, or compliance. Generally, control procedures fall into four broad
categories: performance reviews, information processing, physical controls, and segregation
of duties.
Control policies and procedures must be established to ensure that management’s responses
to risks are effectively carried out.

Information and Communication

Information and communication systems surround all of these activities. They enable people
to capture and share the information needed to conduct, manage, and control operations.
Some examples include:

✓ Management support for developing and maintaining effective financial management

information systems
✓ The sharing of information on emerging risk issues with others
✓ Channels of communication for employees and organization workers to report suspected
irregularities or illegal acts.
Monitoring

The entire process must be monitored, and modifications must be made as necessary. In this
way, the system can react dynamically, changing as conditions warrant. Some examples
include:

7|11
✓ Regular receipt—and prompt acting on—reports of problems in internal controls (from
external/internal auditors, etc.)
✓ Prompt follow-up on unusual variances from budget
✓ Periodic comparison of physical inventories of salable and permanent assets to
accounting records and the reconciliation of differences.

5.6 Forms of Internal control

Various forms of internal control help in ensuring correct and reliable records of transactions
and operational efficiencies. Let us discuss them in detail

Accounting Control

It ensures correct and reliable records of transactions in conformity with normally accepted
accounting principles. Such controls comprise primarily the plan of organisation and the
procedures and records that are concerned with and directly related to the safeguarding of
assets and liabilities of financial records.

Accounting financial controls include budgetary control, standard cost control, self balancing
ledger, bank reconciliation and internal checks and internal auditing. Accounting controls
deal with the process of recording of transactions, safeguarding the assets and adherence to
prescribed managerial policies.

Physical Control

Accounting records must be protected by physical barriers, such as locked rooms or drawers
accessible only to authorized individuals. All accounting and financial records should be
safeguarded at all times.

This means that these records should be kept in a locked, fireproof safe in the
parish/school/entity’s office when not in use. Pastors/principals/directors should not allow
financial records to be taken and kept in someone’s house, car, office, etc. In addition to
accounting records, all physical assets should be properly secured. All parish facilities should
be locked when not in use. This includes both exterior and interior doors and windows. A
safe attached to a wall or floor, outdoor planters which are bolted down, or desk drawers
which are locked are specific examples of physical controls. Closets, desks, and other secure
areas should be lockable. Whenever possible, outdoor property should be permanent and
secured to prevent theft or vandalism.

8|11
Administrative control

The scope of this control is very wide. They also include accounting controls. Such controls
comprise of the plan of organisation that are concerned mainly with operational efficiencies.
In short they may include anything from plan of organisation to procedures, record keeping,
distribution of authority and the process of decision making. They include controls through
time and motion studies, quality control through inspection, statistical analysis and
performance evaluation etc. An auditor should make a careful review of accounting controls
as they have a direct bearing on the reliability of the financial statements. He is primarily
concerned with the accounting controls.

5.7 Limitations of Internal Control

An effective internal control system can only ever provide reasonable assurance that an
organization’s operating systems, financial controls, reporting and other agency processes are
working effectively. No matter how well designed and operated internal control systems
cannot provide absolute assurance that organization objectives have been, and will continue
to be, met. Designing and implementing effective systems of internal control requires
management to clearly understand organization objectives and its operating environment.
Management also needs to recognise the inherent limitations in the design and application of
systems that may impact on the ultimate delivery of organization objectives and services.

An internal control system should be designed and operated to provide reasonable assurance.
That is an entity’s cost of internal control system should not exceed the benefits that are
expected to be derived. The necessity of balancing the lost of Internal controls with the
related benefits requires considerable estimation and judgment on the part of management.

Therefore the idea of reasonable assurance arises from two concepts: cost – benefit, and the
inherent weakness: The cost – includes paying employees for implementing the system,
constructing and acquiring facilities (safes, stoves) printing of vouchers, forms, etc.

The benefits include prevention of potential losses. The inherent limitations include
management override of internal control, personnel errors, or mistakes, and collusion.

❖ Management override of internal control: an entity’s controls may be overridden by

management. For example, a senior – Level manager can require a low – level employee
to record entries into the accounting records (because) that is not consistent with the
substance of the transactions and are in violation of the organization’s control. The lower

9|11
 – level employee may record the transaction, even though he or she knows that it is a
violation of control, because of fear of losing he’s or her job.
❖ Personnel errors or mistakes – The internal control system is only as effective as the
personnel who implement and perform the controls. For example, employees may
misunderstand instructions or make errors of judgment. They may make mistakes
because of personnel carelessness, distraction, or fatigued.
❖ Collusion – the effectiveness of segregation of duties lies in the Individuals per forming
only their assigned tasks or in the performance of one person being checked by another.
Collusion may occur, for example, an individual who receives cash receipts from
customers’ collide (agree) with the one who records those receipts in the customers’
records order to steal cash from the entity.
❖ a culture that does not reinforce the value of internal controls
❖ staff carelessness, poor judgement or lack of knowledge
❖ staff taking short-cuts instead of following procedures
❖ staff failing to recognise or act on unusual transactions
❖ internal control processes which do not reflect changed operating conditions, specific
organization
❖ activities or potential new risks
❖ collusion by staff for personal gain or other motives
❖ controls failing to capture or flag unusual transactions, and
❖ Controls and processes being viewed as a hindrance in the delivery of organization
services so are overridden.

How to Minimize Internal Control Failure?

Actions to minimise internal control failures might include:

✓ management displaying a culture of responsiveness to identified control weaknesses and

encouraging reporting of internal control weaknesses
✓ training in internal control processes as part of staff induction, with regular follow up
training
✓ easy access to user-friendly documented internal procedures
✓ having a financial management practice manual that reflects current practice of the
agency
✓ regular review of potential risks that may significantly impact agency operations

10 | 1 1
✓ regular review and update of internal operational, financial and other processes
✓ establishment of effective internal audit and risk management functions
✓ assessment and adoption of audit recommendations, when appropriate, and
✓ Design and implementation of an effective fraud, corruption and official misconduct
mitigation strategy.

11 | 1 1