1999) • The Turnbull Report was first published in 1999 and set out best practice on internal control for UK listed companies. • The Turnbull Report (Turnbull Committee, 1999) was the end point of a convoluted process originating from a requirement in the Cadbury Report (Cadbury Committee, 1992) for listed companies to report on their systems of internal financial control. • A key feature of the Turnbull Report was the close coupling of internal control and risk management that seemed to signify a change in the way in which internal control was regarded by boards of directors and the financial reporting community. • Internal controls should help organisations counter risks, maintain the quality of financial reporting and comply with laws and regulations. • They provide reasonable assurance that organisations will fulfil their strategic objectives. • An internal control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. • Control is the result of proper planning, organising and directing by management (Institute of Internal Auditors). Internal management control • Internal management control can be viewed as management planning, organising and directing performance so that organisational objectives are achieved. • Planning and organising includes establishing objectives, determining and obtaining the resources required to fulfill objectives and defining the policies and procedures that will be used in the organisation's operations. • Directing means ensuring resources are used efficiently and effectively, and also ensuring that operational tasks are carried out in line with the established procedures and policies. The process of control • The cybernetic control model describes the process of control. A general cybernetic control model has six key stages. 1. Identification of objectives • Objectives for the process being controlled must exist, for without an aim or purpose control has no meaning. • Objectives are set in response to environmental pressures such as customer demand. 2. Setting targets • A target or prediction of the process being controlled is required so that managers can see whether or not objectives have been achieved and whether action will be needed to remedy problems. • Targets could include budgets or cost standards. 3. Measuring achievements/outputs • The output of the process must be measurable 4. Comparing achievements with targets • Managers need to compare the actual outcomes of the process with the plan – this is known as obtaining feedback. 5. Identifying corrective action • It must be possible to take action so that failures to meet objectives can be reduced or eliminated. 6. Implementing corrective action • Action could involve changing objectives, resource inputs, the process or the whole system Important features of control systems Fisher has suggested that management control systems can be viewed in terms of the following criteria. • Flexibility and ease of achievement of targets • Relative importance of numerical and subjective performance measures • Relative importance of short and long-term measures • Consistency of measures used across the organisation • Whether management actively intervenes or intervenes by exception • How automatic control mechanisms are • Extent of participation below top management • Extent of reliance on social relationships Effectiveness of control systems • In order for internal controls to function properly, they have to be well-directed. • Managers and staff will be more able (and willing) to implement controls successfully if it can be demonstrated to them what the objectives of the control systems are. • Objectives also provide a yardstick for the board when they come to monitor and assess how controls have been operating. Purposes of control systems • The UK Turnbull report provides a helpful summary of the main purposes of an internal control system. Turnbull comments that internal control consists of 'the policies, processes, tasks, behaviours and other aspects of a company that taken together: a) Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed. b) Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and without the organisation. c) Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of businesses. Characteristics of internal control systems
The Turnbull report summarises the key characteristics
of the internal control systems. They should: • Be embedded in the operations of the company and form part of its culture. • Be capable of responding quickly to evolving risks within the business. • Include procedures for reporting immediately to management significant control failings and weaknesses together with control action being taken. • The Turnbull report also explains that a sound system of internal control reduces but does not eliminate the possibilities of losses arising from poorly-judged decisions, human error, deliberate circumvention of controls, management override of controls and unforeseeable circumstances. • Systems will provide reasonable (not absolute) assurance that the company will not be hindered in achieving its business objectives and in the orderly and legitimate conduct of its business, but won't provide certain protection against all possible problems Internal control frameworks The internal control framework includes the control environment and control procedures. Other important elements are the risk assessment and response processes, the sharing of information and monitoring the environment and operation of the control system. Need for control framework Organisations need to consider the overall framework of controls, since controls are unlikely to be very effective if they are developed sporadically around the organisation and their effectiveness will be very difficult to measure by internal audit and ultimately by senior management. Control environment and control procedures The internal control framework comprises the control environment and control procedures. It includes all the policies and procedures (internal controls) adopted by the directors and management of an entity to assist in achieving their objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including: • Adherence to internal policies • The safeguarding of assets • The prevention and detection of fraud and error • The accuracy and completeness of the accounting records • The timely preparation of reliable financial information. Internal controls may be incorporated within computerised accounting systems. • However, the internal control system extends beyond those matters which relate directly to the accounting system. Purposes of internal control framework
a) Achieving orderly conduct of business
Internal controls should ensure the organisation's operations are conducted effectively and efficiently. In particular they should enable the organisation to respond appropriately to business, operational, financial, compliance and other risks to achieving its objectives. b) Adherence to internal policies and laws Controls should ensure that the organisation and its staff comply with applicable laws and regulations, and that staff comply with internal policies with respect to the conduct of the business. c) Safeguarding assets • Controls should ensure that assets are optimally utilised and stop assets being used inappropriately. • They should prevent the organisation losing assets through theft or poor maintenance. d) Prevention and detection of fraud • Controls should include measures designed to prevent fraud such as segregation of duties and checking references when staff are recruited. • The information that systems provide should highlight unusual transactions or trends that may be signs of fraud. e) Accuracy and completeness of accounting records • Controls should ensure that records and processes are kept that generate a flow of timely, relevant and reliable information that aids management decision- making. f) Timely preparation of reliable financial information They should ensure that published accounts give a true and fair view, and other published information is reliable and meets the requirements of those stakeholders to whom it is addressed. Internal control frameworks and risk Turnbull states that in order to determine its policies in relation to internal control and decide what constitutes a sound system of internal control, the board should consider: • The nature and extent of risks facing the company . • The extent and categories of risk which it regards as acceptable for the company to bear. • The likelihood of the risks concerned materialising. • The company's ability to reduce the incidence and impact on the business of risks that do materialise • The costs of operating particular controls relative to the benefits obtained in managing the related risks • An organisation's risks are continually changing, as its objectives, internal organisation and business environment are continually evolving. • New markets and new products bring further risks and also change overall organisation risks. • Diversification may reduce risk (the business is not over- dependent on a few products) or may increase it (the business is competing in markets in which it is ill-equipped to succeed). • Therefore the organisation needs to constantly re-evaluate the nature and extent of risks to which it is exposed. Challenges in developing internal control
Guidance from the Committee of Sponsoring Organisations
of the Treadway Commission has highlighted a number of potential problems that smaller companies may face when developing internal control. These include: • Insufficient staff resources to maintain segregation of duties • Domination of activities by management, with significant opportunities for management override of controls. This arises from smaller companies having fewer levels of management with wider spans of control and their managers having significant ownership interests or rights • Inability to recruit directors with the requisite financial reporting or other expertise. • Inability to recruit and retain staff with sufficient knowledge of, and experience in, financial reporting. • Management having a wide range of responsibilities and thus having insufficient time to focus on accounting and financial reporting. • Control over computer information systems with limited in-house technical expertise. Limitations of internal controls An internal control framework in any organisation can only provide the directors with reasonable assurance that their objectives are reached, because of inherent limitations, including: • The costs of control not outweighing their benefits. Sometimes setting up an elaborate system of controls will be too costly when compared with the financial losses those controls may prevent. • Poor judgement in decision-making. • The potential for human error or fraud • Collusion between employees • The possibility of controls being by-passed or overridden by management or employees • Controls being designed to cope with routine and not non- routine transactions • Controls being unable to cope with unforeseen circumstances • Controls depending on the method of data processing – they should be independent of the method of data processing • Controls not being updated over time Evaluating control systems Principles or rules approach? • Having rules requiring organisations to implement internal controls should mean that controls are applied consistently by organisations. • External stakeholders dealing with these organisations will have the assurance that they should have certain prescribed controls in place. • However this does not mean that all organisations will be operating the same controls with the same effectiveness. • A principles-based approach to internal control implementation means that organisations can adopt controls that are most appropriate and cost-effective for them, based on their size and risk profile, and the sector in which they operate. Assessment of control systems The assessment can be based on the following: 1. Objectives The controls in place need to help the company fulfil key business objectives, including conducting its operations efficiently and effectively, safeguarding its assets and responding to the significant risks its faces. 2. Links with risks • Links between controls and risks faced are particularly important, with the organisation needing a clear framework for dealing effectively with risks. • Key elements are the board defining risk appetite, which will determine which risks are significant. • There need to be reliable systems in place for identifying and assessing the magnitude of risks. 3. Control system compatibility • Guidance on control procedures needs to be supported by other aspects of the control system, and the overall systems need to deliver a consistent message about the importance of controls. • Human resource policies and the company's performance reward systems should provide incentives for good behaviour and deal with flagrant breaches. 4. Mix of controls • Detailed controls at the transaction level will not make all that much difference unless there are other controls further up the organisation. • There should ideally be a pyramid of controls in place, ranging from corporate controls at the top of an organisation (for example ethical codes), management controls (budgets), process controls (authorisation limits) and transaction controls (completeness controls). • Controls shouldn't just cover the financial accounting areas, but should include non-financial controls as well. 5. Human resource issues • How well control procedures operate will also be determined by the authority and abilities of the individuals who operate the controls. • There need to be clear job descriptions that identify how much authority and discretion individuals have at different levels of the organisation. • Controls can also be undermined if the people who operate them make mistakes. Therefore managers and staff need to have the requisite knowledge and skills to be able to operate controls effectively. • Documentation and training will be required, and individuals' abilities assessed on a continuing basis as part of the appraisal process. 6. Control environment • The control environment matters because the company's culture will determine how seriously control procedures are taken. • If there is evidence that directors are overriding controls, this will undermine them. If staff resent controls, they may be tempted to collude to render controls ineffective. 7. Review of controls Directors should demonstrate their commitment to control by reviewing internal controls. 8. Information sources • In order to carry out effective reviews of controls, the board needs to ensure it is receiving sufficient information. • There should be a system in place of regular reporting by subordinates and control functions, also reports on high-risk activities. • The board needs also to receive confirmation that weaknesses identified in previous reviews have been resolved. • Finally there also needs to be clear systems of reporting problems to the board. 9. Feedback and response • A basic principle of control system design is that the feedback received should be used as the basis for taking action to change the controls or modify the overall control systems. • There should be rapid responses if serious problems are picked up, for example involvement of senior management in reviewing possible fraud. 10. Costs and benefits • Rational consideration of whether the costs of operating controls are worth the benefits of preventing and detecting problems should be an integral part of the board's review process. • Directors may decide not to operate certain controls on the grounds that they are prepared to accept the risks of not doing so. conclusion • Internal controls should help organisations counter risks, maintain the quality of financial reporting and comply with laws and regulations. • They provide reasonable assurance that organisations will fulfill their strategic objectives. • The internal control framework includes the control environment and control procedures. Other important elements are the risk assessment and response processes, the sharing of information and monitoring the environment and operation of the control system.