INTERNAL CONTROL SYSTEM
Internal control is not only essential to maintaining the accounting and financial records of an organization, it is essential to managing the entity. For that reason everyone, from the external auditors to management to the board of directors to the stockholders of large public companies to government, is interested in internal controls. Recently corporate governance discussion has centered on effective internal controls and professional institutes are in the process of updating their standards on internal control to bring them more into line with recent developments. This chapter will concentrate on the meaning and objective of internal control, type of internal control, element of internal control and auditor’s consideration of internal control.
4.1 Definition of Internal Control
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting,
- Compliance with applicable laws and regulations, and
- Safeguarding of assets against unauthorized acquisition, use or disposition.
The above meaning reflects certain fundamental concepts:
Internal control is a process. Internal control is not one event or circumstance, but a series of actions that permeate an entity’s activities. These actions are persuasive and are inherent in the way management runs the business.
Internal control is effected by people. Internal control is effected by a board of directors, management and other personnel in the entity. It is accomplished by the people of an organization, by what they do and say. People establish the entity’s objectives and put control mechanisms in place.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board that the company’s objectives are achieved.
Internal control is geared to the achievement of objectives in one or more separate overlapping categories.
On the other hand, internal control system means all the policies and procedures adopted by the directors and management of an entity to assist in achieving their objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including:
- adherence of internal policies,
- the safeguarding of assets,
- the prevention and detection of fraud and error,
- the accuracy and completeness of the accounting records, and
- the timely preparation of reliable financial information.
4.2 Objectives of Internal Control
Some studies suggest that management typically has the following objectives in setting up a good system of internal control.
a) Orderly and efficient conduct of its business
An organization which is efficient and conducts its affairs in an orderly manner is much more likely to be able to supply the auditors with sufficient appropriate audit evidence on which to base their audit opinion. More importantly, the level of inherent and control risk will be lower, giving extra assurance that the financial statements do not contain material errors.
b) Adherence to Internal Policies
Management is responsible for setting up an effective system of internal control and management policy provides the broad framework within which internal controls have to operate. Unless management does have a pre-determined set of policies, then it is very difficult to imagine how the company could be expected to operate efficiently. Management policy will cover all aspects of the company's activities and will range from broad corporate objectives to specific areas such as determining selling prices and wage rates.
Given that the auditors must have a sound understanding of the company's affairs generally, and of specific areas of control in particular, then the fact that management policies are followed will make the task of the auditors easier in that they will be able to rely more readily on the information produced by the systems established by the management.
c) Safeguarding of Assets
This objective may relate to the physical protection of assets (for example by locking monies in a safe at night) or to less direct safeguarding (for example ensuring that there is adequate insurance, cover for all assets). It can also be seen as relating to the maintenance of proper records in respect of all assets.
The auditors will be concerned to ensure that the company has properly safeguarded its assets so that they can form an opinion on existence of specific assets and, more generally, on whether the company's records can be taken as a reliable basis for the preparation of financial statements. Reliance on the underlying records will be particularly significant where the figure in the financial statements is derived from such records rather than as the result of physical inspection.
d) Prevention and Detection of Fraud and Error
The directors are responsible for taking reasonable steps to prevent and detect fraud. They are also responsible for preparing financial statements, which give a true and fair view of the entity's affairs. However, the auditors must plan and perform their audit procedures and evaluate and report the results thereof, recognizing that fraud or error may materially affect the financial statements. A strong system of internal control will give the auditors some assurance that frauds and errors are not occurring, unless management are colluding to overcome that system.
e) Accuracy and completeness of the accounting records
This objective is most clearly related to statutory requirements relating to both management and auditors. The auditors must form an opinion on whether the company has fulfilling this obligation and also conclude whether the financial statements are in agreement with underlying records.
f) timely preparation of reliable financial information
4.3 Types of Internal Control
Internal control may be characterized as two types: administrative controls and accounting controls.
1. Administrative controls
Administrative controls are primarily concerned with the promotion of operational efficiency and the adherence to prescribed managerial policies. Administrative controls are related to operational audits and compliance audits.
2. Accounting controls
Accounting controls are principally concerned with safeguarding assets and providing assurance that the financial statements and the underlying accounting records are reliable. Internal accounting controls relate to external and internal financial audits. The independent auditor is primarily concerned with the accounting controls, which generally bear directly and importantly on the reliability of financial records.
4.4 Components of Internal Control
Internal control consists of five interrelated components. These are derived from the way management runs a business, and are integrated with the management process. The components are given as follows:
- Control environment
- Risk assessment
- Information and communication
- Control activities/procedures
- Control Environment
The control environment means the overall attitude, awareness, and actions of directors and management regarding the internal control system and its importance in the entity. It is the foundation for all other components of internal control, providing discipline and structure. The attitude of an organization’s management, its management style, corporate culture and values are the essence of an efficient control. If management beliefs control is important, others in the company will observe the control policies and procedures. If employees in the organization feel control is not important to top management, it will not be important to them. The control environment has a pervasive influence on the way business activities are structured, the way objectives are established, and the way risks are assessed. The control environment is influenced by the entity’s history and culture.
The auditor should obtain an understanding of the control environment sufficient to assess the director’s and management’s attitudes, awareness and actions regarding internal controls and their importance in the entity.
Elements Contributing to a Successful Control Environment
There are a number of specific elements that usually contribute to a successful control environment and which may be used as indicators of the quality of the control environment of a particular organization. These elements are:
a) Integrity and Ethical values
The effectiveness and efficiency of the internal control structure depends directly upon the integrity and ethical values of the personnel who are responsible for creating, administrating, and monitoring that structure. Management should establish behavioral and ethical standards that discourage employees from engaging in activities that would be considered dishonest, unethical or illegal. The standards must be communicated by appropriate means and also remove and reduce the temptations and incentives to engage in such behavior.
b) Commitment to Competence
The employees employed must be competent enough to perform the assigned tasks. They must possess the skills and knowledge essential for the performing the jobs and also in applying the internal control policies and procedures. The employees appointed should have adequate education and experience and also should provide adequate training and supervision.
c) Board of Directors or Audit Committee
The effectiveness of the Board of Directors or Audit Committee will significantly influence the control environment. The extent of its independence from the management, the experience and stature of its members, the extent to which it raises and pursue the difficult questions with the management and its interaction with the internal and external auditors will improve the effectiveness of the internal control system. The independence of the Board of Directors or the Audit Committee enables it to be effective at overseeing the quality of the organization’s financial reports, and act as a deterrent to management override of internal controls and to management fraud.
d) Management’s Philosophy
Management philosophies will differ towards financial reporting and towards taking business risks. Some may be very aggressive in financial reporting and may be willing to take great risks, while others may be conservative and risk adverse. The differing attitudes and styles may have an impact on the overall reliability of the financial statements. The internal control in an informal organization will be implemented by face to face contact with employees and in formal organization, it will establish written policies, performance reports, and exception reports to control its various activities.
e) Organizational Structure
Another factor affecting the control environment is the organizational structure. A well-designed organizational structure provides a basis for planning, directing, and controlling operations. It divides authority, responsibilities and duties among members of the organization by dealing with such issues as centralized versus decentralized decision-making and appropriate segregation of duties among the various departments. When the management decision-making is centralized and dominated by one individual, that the individual’s moral character is extremely important to the auditors. When decentralized style is used, procedures to monitor the decision making of the many managers involved become equally important.
f) Human resource Policies and Procedures
The effectiveness of the internal control is affected by the nature and characteristics of the people working in the organization. The management’s policies and practice of hiring, training, evaluating, promoting and compensating employees have a significant effect on the effectiveness of the control environment. Effective human resource policies often can reduce or sometimes remove other weaknesses in the control environment.
g) Assignment of Authority and Responsibility
The employees in the organization should have a clear understanding of their responsibilities and rules and regulations that govern their actions. To enhance the control environment, the management should develop employee job descriptions and should define clearly the authority and responsibility within the organization. Policies should be established describing appropriate business practices, knowledge and experience of the key personnel and the use of resources.
2. Risk assessment
The second component of internal control is the risk assessment. The management should carefully consider the factors that affect the risk of an organization. The risks affecting the preparation of financial statements in accordance with the generally accepted accounting principles (GAAP) should be considered in the financial reporting objective. The factors that affect the increased financial reporting risks are the following:
- Changes in the organization’s regulatory or operating environment
- Changes in personnel
- Implementation of a new or modified information system
- Rapid growth of the organization
- Changes in technology affecting production process or information system
- Introduction of new lines of business, products or process
The scope of management’s risk assessment is more comprehensive and it considers all factors affect the organization. But the auditors are concerned with the levels of inherent risk and control risk that affect the organization’s ability to produce financial statements that are in accordance with the generally accepted accounting principles.
3. Accounting Information and Communication System
Accounting information and communication systems capture, process, and report information to be used by parties both within and outside the organization. An organization’s accounting information system consists of the methods and records established to identify, assemble, analyze, classify, record, and report an entity’s transactions and to maintain accountability for the related assets. Accordingly, an accounting information system should:
- Identify and record all valid transactions.
- Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
- Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
- Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
- Present properly the transactions and related disclosures in the financial statements.
In addition to the typical system of journals, ledger, and other recordkeeping devices, an accounting information system should include a chart of accounts and a manual of accounting policies and procedures as aids for communication of policies. Chart of accounts is a classified listing of all accounts in use, accompanied by a detailed description of the purposes and content of each. A manual of accounting policies and procedures states clearly in writing the methods of treating transactions. In combination, the chart of accounts and manuals of accounting policies and procedures should provide clear guidance that will allow proper and uniform handling of transactions.
Open communication channels are essential to proper functioning of an information system. Personnel that process information should understand how their activities relate to the work of others, and the importance of reporting exceptions and other unusual items to an appropriate level of management.
4. Control Activities
The policies and procedures that help the management to carry out the directives are known as the control activities. These policies and procedures will help the management to ensure that the actions are taken to address the risks that affect the organization. The following are the control activities that are relevant to an audit of the organizations financial statements:
- Performance reviews
- Information processing
- Physical controls
- Segregation of duties
Performance review: these controls include reviews of actual performance as compared to budgets, forecasts, and prior period performance: relating different sets of data to one another; and performing overall review of performance. Performance review provides management with an overall indication whether personnel at various levels are effectively pursuing the objectives of the organization. By investigating the reasons for unexpected performance, management may make timely changes in strategies and plans, or take other appropriate corrective actions.
Information processing: the control activities are performed to check the accuracy, completeness, and authorization of transactions and information processing control is one of them.
Physical controls: These control activities include the physical security over both records and other assets. Safeguarding of records may include maintaining control at all times over an issued renumbered documents, as well as other journals and ledgers, and restricting access to computer programs and data files. Only individuals who are authorized should be allowed access to the company’s assets. Direct physical access to assets may be controlled through the use of safes, locks, fences, and guards. Improper indirect access to assets, generally accomplished by falsifying financial records, must also be prevented. This may be accompanied by safeguarding the financial records, as described above.
Periodic comparisons should be made between accounting records and the physical assets on hand. Investigation as to the cause of any discrepancies will uncover weakness either in procedures for safeguarding assets or in maintaining the related accounting and records. Without these comparisons waste, loss, or theft of the related assets may go undetected.
Segregation of duties: a fundamental concept of internal control is that no one department or person should handle all aspects of a transaction from beginning to end. In similar manner, no one individual should perform more than one of the functions of authorizing transactions, recording transactions, and maintaining custody over assets. Also, to the extent possible, individuals executing the specific transaction should be segregated from these functions. The goal is to reduce the opportunities for any one person to be in a position to both perpetrate and conceal errors or irregularities in the normal course to his or her duties.
A credit sale transaction may be used to illustrate appropriate authorization and segregation procedures. Top management may have generally authorized the sale of merchandise at specified credit terms to customers who meet certain requirements. The credit department may approve the sales transactions by ascertaining that the extension of credit and terms of sale are in compliance with company policies. Once the sale is approved, the shipping department executes the transaction by obtaining custody of the merchandise from the inventory stores department and shipping it to the customer. The accounting department uses copies of the documentation created by the sales, credit, and shipping departments as a basis for recording the transaction and billing the customer. With this segregation of duties, no one department or individual can initiate and execute an unauthorized transaction.
Monitoring is a process that assesses the quality of the internal control structure over time and it is the last component of internal control. The monitoring of the internal control structure is important to determine whether it is operating as intended and whether any modifications are necessary. Monitoring can be achieved by:
- Ongoing monitoring activities include regularly performed supervisory and management activities such as continuous monitoring of customer complaints or reviewing the reasonableness of the management reports.
- Separate evaluations are monitoring activities that are performed on a non-routing basis, such as periodic audits by the internal auditors. Internal auditors investigate and appraise the internal control structure and the efficiency with which the various units of the organization are performing their assigned functions, and report their findings and recommendations to the top management
4.5 Auditor’s consideration of internal control
In planning an audit it is essential that the auditors have a sufficient understanding of the client's internal control structure. This encompasses both an understanding of the design of the policies, procedures, and records, and knowledge of whether they have been placed in operation by the client. It is difficult to imagine designing tests of financial statement balances without an understanding of the internal control structure. For example, auditors who do not understand the client's policies and procedures for executing and recording credit sales would have a difficult time substantiating the balances of account receivable and sales.
The auditor's consideration of the internal control structure also provides a basis for their assessment of control risk – the risk that material misstatements will not be prevented or detected by the client's internal control structure. If the auditors determine that the client's internal control is effective, they will assess control risk to be low. They can then accept a higher level of detection risk, and substantive testing can be decreased. Conversely, if internal controls are weak, control risk is high and the auditors must increase the scope of their substantive tests to limit the level of detection risk. Therefore, the auditors' understanding of internal control is a major factor in determining the nature, timing, and extent of substantive testing necessary to verify the financial statement assertions.
Since an effective internal control structure is a major factor in an audit, the question arises as to what action the auditors should take when internal control is found to be seriously deficient. Can the auditors complete a satisfactory audit and properly express an opinion on the fairness of financial statements of a company in which control risk is considered to be extremely high? The answer to this question depends on whether the auditors believe that inherent risk is at a satisfactory level so that substantive tests can be designed that will reduce audit risk to an acceptable level. For example, the auditors of a small business with a limited segregation of duties often apply an approach of restricting detection risk through extensive substantive tests of financial statement assertions, rather than performing tests of internal control.