INTERNAL CONTROL

• Internal control, as defined in accounting and auditing, is a process for
assuring achievement of an organization's objectives in operational
effectiveness and efficiency, reliable financial reporting, and compliance with
laws, regulations and policies.
• A broad concept, internal control involves everything that controls risks to
an organization.
FIVE COMPONENTS OF INTERNAL CONTROL

• Control Environment sets the tone for the organization, influencing the
control consciousness of its people. It is the foundation for all other
components of internal control.
• Risk Assessment is the identification and analysis of relevant risks to the
achievement of objectives, forming a basis for how the risks should be
managed.
• Information and Communication covers the systems or processes that support the
identification, capture, and exchange of information in a form and time frame
that enables people to carry out their responsibilities.
• Control Activities are the policies and procedures that help ensure
management directives are carried out.
• Monitoring consists of the processes used to assess the quality of internal control
performance over time.
ROLES AND RESPONSIBILITIES IN INTERNAL
CONTROL

• Management
The Chief Executive Officer (the top manager) of the organization has overall
responsibility for designing and implementing effective internal control. More than
any other individual, the chief executive sets the "tone at the top" that affects
integrity and ethics and other factors of a positive control environment.
• Board of Directors
Management is accountable to the board of directors, which provides
governance, guidance and oversight. Effective board members are objective,
capable and inquisitive. They also have knowledge of the entity's activities and
environment, and commit the time necessary to fulfil their board responsibilities.
A strong, active board, particularly when coupled with effective upward
communications channels and capable financial, legal and internal audit
functions, is often best able to identify and correct such a problem.
• Auditors
The internal auditors and external auditors of the organization also measure
the effectiveness of internal control through their efforts. They assess whether the
controls are properly designed, implemented and working effectively, and make
recommendations on how to improve internal control. To provide reasonable
assurance that internal controls involved in the financial reporting process are
effective, they are tested by the external auditors (the organization's public
accountants), who are required to opine on the internal controls of the company
and the reliability of its financial reporting.
• Audit Committee
The role and the responsibilities of the audit committee are to:
• Discuss with management, internal and external auditors and major stakeholders
the quality and adequacy of the organization’s internal controls system and risk
management process.
• Review and discuss with management and the external auditors and approve the
audited financial statements of the organization and make a recommendation
regarding inclusion of those financial statements in any public filing.
• Review and discuss with management the types of information to be disclosed and
the types of presentations to be made with respect to the Company's earnings.
• Confirm the scope of audits to be performed by the external and internal auditors.
• Manage complaints concerning accounting, internal accounting controls or
auditing matters.
• Receive regular reports from the regarding deficiencies in the design or operation
of internal controls and any fraud that involves management or other employees
with a significant role in internal controls.
• Support management in resolving conflicts of interest.
• Personnel Benefit Committee
The role and the responsibilities of the audit committee are to:
• Approve and oversee administration of the Company's Compensation Program;
• Review and approve specific compensation matters
• Review, as appropriate, any changes to compensation matters
• Review and monitor all human-resource related performance and compliance
activities and reports
• Operating Staff
All staff members should be responsible for reporting problems of operations,
monitoring and improving their performance, and monitoring non-compliance with
the corporate policies and various professional codes, or violations of policies,
standards, practices and procedures.
Staff and junior managers may be involved in evaluating the controls within
their own organizational unit using a control self-assessment.
PRINCIPLES OF INTERNAL CONTROL

• Establish Responsibilities
Assigning specific responsibilities to individuals ensures they understand
what their part is in maintaining internal control.
• Perform regular and independent reviews
Companies must review their internal control systems regularly. The review
should be done by an individual who did not perform any of the work being
checked.
• Insure assets and bond employees
By insuring assets and bonding employees, an organization can rest assured
that it will be reimbursed for the value of an asset if the asset is stolen, or
otherwise misappropriated.
• Separate record keeping and custody of assets
The people who have physical access to cash and other assets are not the
same people who keep the records relating to that asset.
• Divide responsibility for related transactions
It is important that different employees each perform the separate tasks
making up the transaction. This ensures that more than one person was
involved in completing the task, increasing the odds that any mistakes or
fraudulent acts are discovered.
• Apply technological controls
Burglar alarms, electronic keypads and other technology-based
security features can help organizations protect assets. Technology
can often go where people cannot, and can be on the job 24 hours a
day without requiring extra pay or breaks.
• Maintain adequate records
Having correct record-keeping procedures will enable companies to have
an accurate history of transactions on hand. Such historical data allows for
the company to refer to it later, if a problem is discovered or if clarification
is necessary.
IMPORTANCE OF INTERNAL CONTROL

• Fraud Detection
Under the Sarbanes-Oxley Act, companies are required to perform a fraud
risk assessment and assess related controls. This typically involves
identifying scenarios in which theft or loss could occur and determining if
the existing internal control procedures effectively manage the risk to an
acceptable level.
• Process Improvement
Controls can be evaluated and improved to make a business operation run
more effectively and efficiently. Internal controls can also be used to
systematically improve businesses, particularly in regard to effectiveness
and efficiency.
• Controls Monitoring
Advances in technology and data analysis have led to the development of
numerous tools which can automatically evaluate the effectiveness of
internal controls. Used in conjunction with continuous auditing, continuous
controls monitoring provides assurance on financial information flowing
through the business processes.
LIMITATIONS OF INTERNAL CONTROL

• Judgement
Poor judgment can also be a critical limitation of internal controls. Usually, the management of a company makes
decisions based on the information provided to them. However, if the information is not adequate, it may result in
wrong decisions by management. Judgment is a vital part of internal control systems.

• Breakdowns
Sometimes even well-designed internal controls break down. Whether it’s a result of employees misunderstanding
instructions or simply making mistakes, errors will inevitably occur at some point.

• Management Override
Management override occurs when high level personnel or privileged user accounts override prescribed policies
and procedures for personal gain, advantage, or convenience.
• Collusion
Many internal control systems can be circumvented by employee collusion: several internal
actors working together against the organization, usually to alter financial data or other
management information in ways that can’t be identified by control systems.

• Costs Versus Benefit
Full implementation of controls and proper segregation of duties are costly to carry
out. Thus, the costs may sometimes outweigh the benefits, especially for small companies.
Therefore, after weighing cost against benefit, some controls or proper segregation of duties
might not be properly carried out.
HOW TO WRITE INTERNAL CONTROL
PROCEDURES MANUAL
1. Write an overview and table of contents
The overview briefly describes fiscal responsibility, which includes the concepts and components
of internal control. The table of contents begins with Segregation of Duties. The contents that
typically follow are: Reviews, Reconciliations, Approvals, Assets, Disbursements, Human
Resources, Purchasing and Contacts.

2. Complete the Segregation of Duties section.
Outline details regarding the separation of duties for things such as employees receiving and
posting payments, as opposed to depositing payments. Another important separation is that if one
employee is a payee, another employee makes the check out.
3. Determine procedures for the next two sections, Reviews and Reconciliations.
Reviews are procedures set up to routinely perform budget investigations, spot-check transactions and investigate
unusual activity. The Reconciliations section contains procedures such as comparing sets of data to ensure accuracy,
looking into differences and taking action. This also includes specifically outlining that an employee entering
transactions does not reconcile any of the bank accounts.

4. Complete the Approvals, Assets and Distributions sections.
The Approvals part states which employees have authority for approving transactions. Authority is only given to
responsible employees with detailed knowledge about the company. The Assets section lists all types of assets within
the organization. Under each asset category, specific procedures are outlined detailing how assets are handled and
monitored. The Distributions section details the company's policies and procedures of distributing money, including
payroll checks.
5. Complete the manual by finishing the last three sections.
The Human Resources (HR) section details instructions for HR employees as to how
employee information is handled. The Purchasing section explains the company's
purchasing procedures. Finally, the Contacts section lists people in the company who
employees can contact when questions or problems arise.
STEPS IN CHECKING THE EFFECTIVENESS
OF AN INTERNAL CONTROL SYSTEM
1. View the five elements of internal controls. These are control environment, risk assessment, control
activities, information and communication, and monitoring. These five elements all work together to
ensure that the internal control procedures set up are working effectively. Each element must be
present, and the procedures around the activity must be carefully planned and monitored.
2. Choose the internal control activity you want to check. Verify that all five elements are included
within the procedures of this activity by beginning with analyzing the control environment. This refers
to the work environment within your organization, the way it is structured and the supervision in place.
3. Assess risk. With each control activity, a risk assessment is conducted. This is done to locate potential
problems and to focus on correcting those and reducing the risk.
4. Analyze the management control activities. This step is conducted in order to make sure that all processes used
within the organization are necessary and have a purpose. Sometimes, within an activity, a business finds that there
are several unnecessary steps being done. This costs the company extra money and could cause additional
problems because there are more opportunities for mistakes than are necessary.
5. Assess the information and communication processes used for this activity. This consists of determining if the
appropriate workers are getting the information needed to effectively do their jobs. This also includes ensuring that
information is only shared with necessary workers and that there is limited access to certain types of information.
6. Perform regular evaluations. In order to ensure that internal control procedures are operating effectively, it is
important to check them regularly, at least once a year. It is also important to have regular audits conducted by
external auditing firms to check how the system is functioning.
INTERNAL CONTROL QUESTIONNAIRE (ICQ)

• An ICQ is a formal and usually standardized document that comprises a
list of internal controls in existence and highlights any weaknesses. It is used
in large company audits to place reliance on internal controls and to design
the audit approach.
OBJECTIVES OF ICQ

1. Ascertain the client’s systems of accounting and internal control
2. Evaluate the control system
3. Identify those controls which indicate strengths in the system upon which
the auditor will seek to place reliance
4. Identify those areas over which there are weak or no controls and which
therefore must be subjected to more extensive substantive testing and
reported by inclusion in the Management Letter.
CONSTRUCTION OF ICQ

1. It is good practice when designing ICQs to state, as a brief introduction, a list of control objectives
which each sub-system under consideration should seek to achieve and any business considerations
specific to the enterprise under review which should be taken into account. The reason for this is
essentially to highlight key areas for the audit staff's consideration.
2. The questions in an ICQ should be designed to ascertain whether the control objectives are being
achieved and should therefore cover such aspects as: (a) instructions given to staff in the
performance of their duties (b) authorization procedures (c) documents and procedures used to
originate transactions (d) recording procedures (e) sequence of procedures (f) custody procedures (g)
relative independence of the persons involved at each stage of a transaction (i.e. segregation of
duties).
3. The questions should be framed such that a Yes/No answer is given, with a No answer
usually indicating a control weakness.
4. An ICQ should carry such basic information as: (a) the name of the document (ICQ)
(b) the system to which it relates (e.g. purchasing cycle) (c) the client to whom it relates
(d) the accounting period under review (e) evidence of who has prepared and reviewed
the document (f) the provision of columns for: Yes and No answers, comments where
neither Yes nor No is applicable, indicating the significance or otherwise of apparent
weaknesses, references to audit programs and references to Management Letters.
