INTERNAL CONTROLS

The Turnbull Report (Turnbull Committee,

1999)
• The Turnbull Report was first published in 1999 and set out
best practice on internal control for UK listed companies.
• The Turnbull Report (Turnbull Committee, 1999) was the end
point of a convoluted process originating from a requirement
in the Cadbury Report (Cadbury Committee, 1992) for listed
companies to report on their systems of internal financial
control.
• A key feature of the Turnbull Report was the close coupling of
internal control and risk management that seemed to signify a
change in the way in which internal control was regarded by
boards of directors and the financial reporting community.
• Internal controls should help organisations counter risks,
maintain the quality of financial reporting and comply
with laws and regulations.
• They provide reasonable assurance that organisations
will fulfil their strategic objectives.
• An internal control is any action taken by management
to enhance the likelihood that established objectives
and goals will be achieved.
• Control is the result of proper planning, organising and
directing by management (Institute of Internal Auditors).
 Internal management control
• Internal management control can be viewed as management
planning, organising and directing performance so that
organisational objectives are achieved.
• Planning and organising includes establishing objectives,
determining and obtaining the resources required to fulfill
objectives and defining the policies and procedures that will
be used in the organisation's operations.
• Directing means ensuring resources are used efficiently and
effectively, and also ensuring that operational tasks are carried
out in line with the established procedures and policies.
 The process of control
• The cybernetic control model describes the
process of control. A general cybernetic control
model has six key stages.
1. Identification of objectives
• Objectives for the process being controlled must
exist, for without an aim or purpose control has
no meaning.
• Objectives are set in response to environmental
pressures such as customer demand.
2. Setting targets
• A target or prediction of the process being
controlled is required so that managers can see
whether or not objectives have been achieved
and whether action will be needed to remedy
problems.
• Targets could include budgets or cost standards.
3. Measuring achievements/outputs
• The output of the process must be measurable
4. Comparing achievements with targets
• Managers need to compare the actual outcomes of the
process with the plan – this is known as obtaining
feedback.
5. Identifying corrective action
• It must be possible to take action so that failures to
meet objectives can be reduced or eliminated.
6. Implementing corrective action
• Action could involve changing objectives, resource
inputs, the process or the whole system
 Important features of control systems
Fisher has suggested that management control
systems can be viewed in terms of the following
criteria.
• Flexibility and ease of achievement of targets
• Relative importance of numerical and subjective
performance measures
• Relative importance of short and long-term
measures
• Consistency of measures used across the
organisation
• Whether management actively intervenes or
intervenes by exception
• How automatic control mechanisms are
• Extent of participation below top
management
• Extent of reliance on social relationships
 Effectiveness of control systems
• In order for internal controls to function properly,
they have to be well-directed.
• Managers and staff will be more able (and willing) to
implement controls successfully if it can be
demonstrated to them what the objectives of the
control systems are.
• Objectives also provide a yardstick for the board when
they come to monitor and assess how controls have
been operating.
 Purposes of control systems
• The UK Turnbull report provides a helpful summary of the
main purposes of an internal control system. Turnbull
comments that internal control consists of 'the policies,
processes, tasks, behaviours and other aspects of a company
that taken together:
a) Facilitate its effective and efficient operation by enabling it
to respond appropriately to significant business, operational,
financial, compliance and other risks to achieving the
company's objectives. This includes the safeguarding of
assets from inappropriate use or from loss and fraud and
ensuring that liabilities are identified and managed.
b) Help ensure the quality of internal and
external reporting. This requires the
maintenance of proper records and processes
that generate a flow of timely, relevant and
reliable information from within and without
the organisation.
c) Help ensure compliance with applicable laws
and regulations, and also with internal policies
with respect to the conduct of businesses.
Characteristics of internal control systems

The Turnbull report summarises the key characteristics

of the internal control systems. They should:
• Be embedded in the operations of the company and
form part of its culture.
• Be capable of responding quickly to evolving risks within
the business.
• Include procedures for reporting immediately to
management significant control failings and weaknesses
together with control action being taken.
• The Turnbull report also explains that a sound system of
internal control reduces but does not eliminate the
possibilities of losses arising from poorly-judged
decisions, human error, deliberate circumvention of
controls, management override of controls and
unforeseeable circumstances.
• Systems will provide reasonable (not absolute) assurance
that the company will not be hindered in achieving its
business objectives and in the orderly and legitimate
conduct of its business, but won't provide certain
protection against all possible problems
 Internal control frameworks
The internal control framework includes the
control environment and control procedures.
Other important elements are the risk
assessment and response processes, the
sharing of information and monitoring the
environment and operation of the control
system.
 Need for control framework
Organisations need to consider the overall
framework of controls, since controls are
unlikely to be very effective if they are
developed sporadically around the
organisation and their effectiveness will be
very difficult to measure by internal audit and
ultimately by senior management.
 Control environment and control
procedures
The internal control framework comprises the control
environment and control procedures. It includes all the
policies and procedures (internal controls) adopted by the
directors and management of an entity to assist in
achieving their objective of ensuring, as far as practicable,
the orderly and efficient conduct of its business, including:
• Adherence to internal policies
• The safeguarding of assets
• The prevention and detection of fraud and error
• The accuracy and completeness of the accounting records
• The timely preparation of reliable financial
information. Internal controls may be
incorporated within computerised accounting
systems.
• However, the internal control system extends
beyond those matters which relate directly to
the accounting system.
 Purposes of internal control framework

a) Achieving orderly conduct of business

Internal controls should ensure the organisation's
operations are conducted effectively and efficiently. In
particular they should enable the organisation to respond
appropriately to business, operational, financial,
compliance and other risks to achieving its objectives.
b) Adherence to internal policies and laws
Controls should ensure that the organisation and its staff
comply with applicable laws and regulations, and that
staff comply with internal policies with respect to the
conduct of the business.
c) Safeguarding assets
• Controls should ensure that assets are optimally utilised and
stop assets being used inappropriately.
• They should prevent the organisation losing assets through
theft or poor maintenance.
d) Prevention and detection of fraud
• Controls should include measures designed to prevent fraud
such as segregation of duties and checking references when
staff are recruited.
• The information that systems provide should highlight
unusual transactions or trends that may be signs of fraud.
e) Accuracy and completeness of accounting records
• Controls should ensure that records and processes are
kept that generate a flow of timely, relevant and
reliable information that aids management decision-
making.
f) Timely preparation of reliable financial information
They should ensure that published accounts give a
true and fair view, and other published information is
reliable and meets the requirements of those
stakeholders to whom it is addressed.
 Internal control frameworks and risk
Turnbull states that in order to determine its
policies in relation to internal control and decide
what constitutes a sound system of internal
control, the board should consider:
• The nature and extent of risks facing the
company .
• The extent and categories of risk which it regards
as acceptable for the company to bear.
• The likelihood of the risks concerned materialising.
• The company's ability to reduce the incidence
and impact on the business of risks that do
materialise
• The costs of operating particular controls
relative to the benefits obtained in managing
the related risks
• An organisation's risks are continually changing, as its
objectives, internal organisation and business environment
are continually evolving.
• New markets and new products bring further risks and
also change overall organisation risks.
• Diversification may reduce risk (the business is not over-
dependent on a few products) or may increase it (the
business is competing in markets in which it is ill-equipped
to succeed).
• Therefore the organisation needs to constantly re-evaluate
the nature and extent of risks to which it is exposed.
Challenges in developing internal control

Guidance from the Committee of Sponsoring Organisations

of the Treadway Commission has highlighted a number of
potential problems that smaller companies may face when
developing internal control. These include:
• Insufficient staff resources to maintain segregation of duties
• Domination of activities by management, with significant
opportunities for management override of controls. This
arises from smaller companies having fewer levels of
management with wider spans of control and their managers
having significant ownership interests or rights
• Inability to recruit directors with the requisite
financial reporting or other expertise.
• Inability to recruit and retain staff with sufficient
knowledge of, and experience in, financial reporting.
• Management having a wide range of responsibilities
and thus having insufficient time to focus on
accounting and financial reporting.
• Control over computer information systems with
limited in-house technical expertise.
 Limitations of internal controls
An internal control framework in any organisation
can only provide the directors with reasonable
assurance that their objectives are reached,
because of inherent limitations, including:
• The costs of control not outweighing their benefits.
Sometimes setting up an elaborate system of
controls will be too costly when compared with the
financial losses those controls may prevent.
• Poor judgement in decision-making.
• The potential for human error or fraud
• Collusion between employees
• The possibility of controls being by-passed or overridden by
management or employees
• Controls being designed to cope with routine and not non-
routine transactions
• Controls being unable to cope with unforeseen circumstances
• Controls depending on the method of data processing – they
should be independent of the method of data processing
• Controls not being updated over time
 Evaluating control systems
Principles or rules approach?
• Having rules requiring organisations to implement
internal controls should mean that controls are applied
consistently by organisations.
• External stakeholders dealing with these organisations
will have the assurance that they should have certain
prescribed controls in place.
• However this does not mean that all organisations will
be operating the same controls with the same
effectiveness.
• A principles-based approach to internal
control implementation means that
organisations can adopt controls that are most
appropriate and cost-effective for them, based
on their size and risk profile, and the sector in
which they operate.
 Assessment of control systems
The assessment can be based on the following:
1. Objectives
The controls in place need to help the company fulfil key business
objectives, including conducting its operations efficiently and effectively,
safeguarding its assets and responding to the significant risks its faces.
2. Links with risks
• Links between controls and risks faced are particularly important, with
the organisation needing a clear framework for dealing effectively with
risks.
• Key elements are the board defining risk appetite, which will determine
which risks are significant.
• There need to be reliable systems in place for identifying and assessing
the magnitude of risks.
3. Control system compatibility
• Guidance on control procedures needs to be
supported by other aspects of the control system,
and the overall systems need to deliver a consistent
message about the importance of controls.
• Human resource policies and the company's
performance reward systems should provide
incentives for good behaviour and deal with flagrant
breaches.
4. Mix of controls
• Detailed controls at the transaction level will not make all
that much difference unless there are other controls further
up the organisation.
• There should ideally be a pyramid of controls in place,
ranging from corporate controls at the top of an
organisation (for example ethical codes), management
controls (budgets), process controls (authorisation limits)
and transaction controls (completeness controls).
• Controls shouldn't just cover the financial accounting areas,
but should include non-financial controls as well.
5. Human resource issues
• How well control procedures operate will also be determined by the
authority and abilities of the individuals who operate the controls.
• There need to be clear job descriptions that identify how much
authority and discretion individuals have at different levels of the
organisation.
• Controls can also be undermined if the people who operate them make
mistakes. Therefore managers and staff need to have the requisite
knowledge and skills to be able to operate controls effectively.
• Documentation and training will be required, and individuals' abilities
assessed on a continuing basis as part of the appraisal process.
6. Control environment
• The control environment matters because the
company's culture will determine how
seriously control procedures are taken.
• If there is evidence that directors are
overriding controls, this will undermine them.
If staff resent controls, they may be tempted
to collude to render controls ineffective.
7. Review of controls
Directors should demonstrate their commitment to control by
reviewing internal controls.
8. Information sources
• In order to carry out effective reviews of controls, the board needs to
ensure it is receiving sufficient information.
• There should be a system in place of regular reporting by subordinates
and control functions, also reports on high-risk activities.
• The board needs also to receive confirmation that weaknesses
identified in previous reviews have been resolved.
• Finally there also needs to be clear systems of reporting problems to
the board.
9. Feedback and response
• A basic principle of control system design is that the feedback received
should be used as the basis for taking action to change the controls or
modify the overall control systems.
• There should be rapid responses if serious problems are picked up, for
example involvement of senior management in reviewing possible fraud.
10. Costs and benefits
• Rational consideration of whether the costs of operating controls are
worth the benefits of preventing and detecting problems should be an
integral part of the board's review process.
• Directors may decide not to operate certain controls on the grounds that
they are prepared to accept the risks of not doing so.
 conclusion
• Internal controls should help organisations counter
risks, maintain the quality of financial reporting and
comply with laws and regulations.
• They provide reasonable assurance that organisations
will fulfill their strategic objectives.
• The internal control framework includes the control
environment and control procedures. Other important
elements are the risk assessment and response
processes, the sharing of information and monitoring
the environment and operation of the control system.