Internal Control System
According to American Institute of Certified Public Accountants (AlCPA) Internal controls system includes a set of rules, policies, and procedures an organization implements to provide direction, increase efficiency and strengthen adherence to policies
The internal control environment relates to:
- Management’s overall style in encouraging awareness of the need for good controls, for example.
- The existence of organisational controls such as review of the payroll by an independent person such as the managing director, and the rotation of payroll duties amongst staff responsible for processing it – this helps achieve all of the objectives set out above.
- Segregation of duties and supervisory controls to avoid the misappropriation of cash and to avoid fraudulent collusion to create, for example, dummy employees or to make inflated payments – this prevents the loss of assets and/or inaccurate records
Objective of Internal Control
- To minimize, if not completely eliminate, wastage and inefficiencies in business operations and to safeguard the assets of the business.
- To ensure high degree of accuracy and reliability of procurement data
and promote operational efficiency.
- To measure how far the policies of the management are being implemented, and
- To evaluate the efficiency of performance in all aspects of business activities and to highlight the weaknesses
Components of Internal Control System
ISA 315 identifies five elements which together make up the internal control system. These are:
(1) The control environment
The control environment includes the views, awareness and actions of management regarding an entity’s internal control. It also includes moral values, managerial skill and the honesty of employees. It is the basis for good internal control, providing guidance and structure. The control environment includes the following elements:
– Communication and enforcement of integrity and ethical values
– Commitment to competence
– Participation of management
– Management’s philosophy and operating style
– Organizational structure
– Assignment of authority and responsibility
– Human resource policies and practices
(2) The entity’s risk assessment
Within a strong system of internal control, management should identify, assess and manage business risks, on a continual basis. Significant business risks are any events or omissions that may prevent the entity from achieving its objectives. Identifying risks means recognizing the existence of risks or potential risks. Assessing the risks means deciding whether the risks are significant, and possibly ranking risks in order of significance. Managing risks means developing and implementing controls and other measures to deal with those risks.
ISA 315 requires the auditor to gain an understanding of these risk assessment processes used by the client company’s management, to the extent that those risk assessment processes may affect the financial reporting process. Risks can arise or change due to circumstances such as:
– changes in the entity’s operating environment
– new personnel
– new or revamped information systems
– rapid growth
– new technology
– new business models, products or activities
– corporate restructurings
– expanded foreign operations
– new procurement pronouncements.
(3) The information system
It consists of infrastructure, software, people, procedures and data. For financial reporting objectives, the procedures and records that initiate, record, process and report transactions and maintain accountability for assets, liabilities and equity.
(4) Control activities (internal controls)
The policies and procedures that help ensure that management directives are carried out. The categories most relevant to an audit:
– Performance reviews
– Information processing
– Physical controls
– Segregation of duties
(5) Monitoring of controls
Once the internal control system is in place, assessing the design and operation of controls over time is part of regular management activity. In addition, separate monitoring may be performed by internal auditors.
Internal Control Procedures
These are the policies and procedures in addition to the control environment, which the management has established to achieve the entity’s specific objectives. The mix of types of controls implemented by management will depend on the control objectives and the size of the entity.
a) Organizational plan chart
Companies should have proper organization plans. An organized plan shows clearly the various departments within the company, their functions and persons charged with ensuring that such functions are fulfilled. They seek to ensure that the entity is properly departmentalized preventing duplication of duties across departments and boosting accountability within the entity. Delegation and limits of authority should be well and clearly defined.
b) Segregation of duties.
This refers to separation of various duties and responsibilities such that one person cannot process and record a complete transaction from beginning to the end without being checked by another person. E.g. in purchase of fixed assets, an individual should not authorize the purchase, place the order, receive the assets, record the transaction and keep custody of the assets. To minimize risk of error and or intention the following should be performed by different individuals and departments as much as practicable.
- Initiation of transaction: This is where if an item is found to be out of stock and a requisition is made.
- Authorization: Different levels of management should be given limits as to what they can authorize or to what extent they can commit company resources.
- Execution: Person’s independent from those who authorize the transactions should execute them.
- Recording: Segregation of duties also includes an internal check which refers to the activities of one person being complementary to those of another person.
Example of segregation of duties in the procurement and supply chain
The purchasing of inventory involves several different tasks. Someone has to initiate a purchase requisition for a new supply of inventory. Someone has to place a purchase order with a supplier. Someone has to check that the items are delivered by the supplier. Someone has to record the amount payable in the procurement system, and someone has to make the payment at the appropriate time.
Control risks include the risks that inventory will be ordered when it is not needed, that the supplier will not deliver any inventory or will deliver the incorrect quantity, or that the supplier will be paid too much or will be paid for items that he has not delivered.
A segregation of duties can help to reduce these risks:
c) Physical controls
These are security measures concerned with the custody of company’s assets by limiting access to authorized people only. Direct physical controls include keeping assets under lock and key, employment of security guards, building fences and use of closed circuit cameras. Indirect physical controls include use of a fixed asset movement registers and use of computers to record utilization of company vehicles.
d) Authorization and approval.
Transactions that commit the organizations resources should be subject to authorization and approval by a responsible official. The limits for authorization should also be specified.
The proper functioning of any system is dependent on the competence and integrity of those operating it. The company must therefore recruit competent staff with integrity and intelligence. Staff should be assigned responsibilities that match their capability and undergo training where necessary.
Transactions and their recording should be subjected to supervision by competent and responsible officials. Supervision is necessary because it gives the chance of correcting errors and also because lower level employees generally tend to be indiscipline if not closely supervised.
h) Management controls.
These are controls exercised by management in addition to daily routines of the system. They include comparison of actual performance with budgets review of management accounts e.g. budgets and internal audit function.
i) Rotation of duties.
Duties should be rotated between personnel at the same organizational level e.g. payroll staff and credit control staff. Staff should be encouraged to take annual leave to provide an opportunity for their work to be checked by an independent person.
j) Routine and automatic checks.
These are conducted on routine duties and operations to ensure that they are operating efficiently. Such checks are conducted on surprise basis to minimize errors and frauds. Examples may include surprise cash counts and physical inspection of fixed assets.
k) Internal audit
This is a control function set up by management to review the procurement and internal control system. Internal audit carries out continuous evaluation of operating effectiveness of the internal control policies and procedures. The findings and recommendations are then reported to management.
Importance of the Internal Control System
- Ensures efficiency in business operations. E.g. There will be procedures laying out the procedures to be followed in procuring raw materials
- Ensures adherence to management policies
- Ensures business objectives are realised.
- Safeguards the company’s assets
- records maintained
- Strong internal controls help in preventing and detecting errors and frauds.
- For the auditor a good system justifies a reduction in the level of substantive testing but does not eliminate it fully.
Factors Influencing the Control of Environment
- The function of the board of directors or the audit committee. The control environment is significantly influenced by the effectiveness of the board of directors or the audit committee. This effectiveness is determined by the extent of its independence from management, experience and status of members and the extent to which it raises and pursues difficult matters with management and also its relationship with internal and external auditors.
- Management philosophy, style and ease with which managers could override controls.
- The implementation of organizational structure and methods of assigning authority and responsibility. This determines how well employees understand the limits placed upon their powers and responsibilities. The objective is to separate responsibility for authorizing a transaction, keeping records for the transaction and custody of assets acquired from the transaction.
- Personnel policies and procedures. Employees should be recruited on basis of skills and knowledge essential for the performance of their jobs and if necessary, be trained
Although the statutory reporting requirements of the Companies Act only calls for the auditor to make a report to the members as to whether the procurement records show a true and fair view.
In addition to this, auditors provide management with a summary of their findings concerning strengths and weaknesses of procurement and internal control system as well as material issues arising from review of the procurement records. This summary is called the management letter.
Purposes of management Letter
- Enables the auditor to give his comments on the procurement records that he has examined during the course of the audit. Areas of weakness in internal control system which my result to material errors will be highlighted and brought to management’s attention together with advice as to their improvement.
- Provides management with other constructive advice regarding areas where efficiency may be improved.
- Communicates matters arising during the audit so that there is a written record of all such matters. In case of litigation, the auditor may rely on the management letter for defence.
- Ensures auditor’s comments on the procurement on the internal control system reach those responsible members of management who have powers to act on the findings.
A report to management will normally be a natural way of adding value to the client and the auditor should incorporate the need to report in the planning of the audit. Before documenting the weaknesses in management letter, the auditor should discuss these with the appropriate officials. This eliminates the possibility that the auditor may have misunderstood. The operation of the system and will also enable the company take quick corrective actions. The management letter should be addressed to the board of directors or the audit committee.
The timing of the management letter will vary. It will often be useful to complete the compliance tests before its submission, so that weaknesses in internal control system may be included.
However, serious weaknesses discovered should be reported immediately. This may make it necessary to submit more than one management letter.