top of page

Internal Control:Definition

The term'internal control is frequently used by accountants,but there is no generally-accepted definition.This point was made by the Securities and Exchange Commission (SEC) in the US,in a paper explaining its rules to implement section 404 of the Sarbanes-Oxley Act.There has been some confusion over the exact meaning and scope of the term 'Internal Control' because the definition of the term has evolved over time.'

 

Historically,the term 'Internal Control' was used by the accountancy profession in auditing.When auditing practice changed from a process of detailed testing of all transaction and account balances towards a process of testing just a sample of transactions and balances,the auditors had to give more consideration to internal controls and their effectiveness.

 

If an internal control was well designed and appeared to be effective,the detailed checking task could be limited to making sure that the control was properly applied in practice.Assessing the design of internal controls and their implication allowed the auditors to reduce the amount of detailed checks on transactions and account balances.

 

Purpose of Internal Control:

The general objectives of an internal control system are to control governance risks(internal control risks) within the oganization,as follows.

  • There should be controls to ensure that the organization,its systems and procedures operate in the way that is intended without disruption or disturbance.

  • There should be controls to ensure that assets are safeguarded.For example there shold be controls to ensure that money received is banked and is not stolen and that non current assets are not damaged or lost.

  • Controls should include measures to reduce the risk of fraud.

  • Financial controls should ensure the completeness and accuracy of accounting records and the timely preparation of financial information.

  • Controls should be in place to ensure compliance with key regulations such as H&S regulations or in the case of banks,anti-money laundering regulations.

 

Internal Control:Financial,Operational and compliance controls:

The turnbull Report in the UK defined an internal control system as the policies,processes,tasks,behaviours and other aspects of a company that taken together.

  • Help it to operate effectively and efficiently.These operational controls should allow the company to respond in an appropriate way to significant risks to achieving the company's objectives.This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed.

  • Help it to ensure the quality of external and internal financial reporting(financial controls)

  • Help ensure compliance with applicable laws and regulations and also with internal policies for the conduct of business(compliance controls).

 

Financial Controls:

Financial controls have been explained as internal accounting controls that are sufficient to provide reasonable assurance that:

  • transactions are made only in accordance with the general or specific authorisation of management.

  • transaction are recorded so that assets can be accounted for

  • access to assets is only allowed in accordance with the general or specific authorisation of management.

  • the accounting records for assets are compared with actual assets at reasonable intervals of time and appropriate action is taken whenever there are found to be differences.

 

Operational Controls:

Operational controls are controls that help to reduce operational risks,or identify failures in operational systems when these occur.The nature of operational risks varies between companies because their operations differ widely.In general terms,operational risks are risks of failure in operations due to factors such as human error,a failure in processes,a failure in systems and so on.

One example of operational risk is the risk of a failure in health and safety systems and system controls.A well-publicised example was the series of apparent safety failures(and failures in safety controls) that led to an explosion at the texas oil refinery of oil company BP in 2005,where 15 people were killed and about 500 injured.In addition to the direct losses suffered by BP,the incident also led to over 1000 civil legal actions against the company and a federal grand jury investigation into whether criminal charges should be brought against the company.

 

Compliance Controls:

Compliance controls are concerned with making sure that an entity complies with all the requirements of relevant legislation and regulations.The potential consequences of failure to comply with law and regulations vary according to the nature of the industry and the regulations.For a manufacturer of food products for example food hygiene regulations are important.For a bank regulations to protect consumers against misselling and other unfair practices are important.

 

When regulations are specific,compliance controls often involve detailed procedures for checking that every regulation has been properly complied with and that there is documentry evidence that the checks have been made.This is often called a box-ticking approach to compliance.A box-ticking approach to compliance control is more usually associated with a rules-based approach to regulation rather than a principle based approach.

 

The nature of internal controls:

If you have studies audting,you should be familiar with the nature of internal financial controls.If you are not sure what internal controls are a brief reminder is given here.Some year ago,a guideline of the UK Auditing Practices Board identified eight categories of internal(financial) Controls,which can be remembered by the mnemonic SPAMSOAP.

             Type of Control                     Explanation

S         Segregation of duties            Where possible,duties should be divided between two or more people

                                                               So that the work done by one person automatically act as a check on 

                                                               the work done by the other person.This should reduce the risk of accidental 

                                                               mistakes or deliberate fraud.

 

P          Physical Controls                  These are measures to protect assets against theft,loss or physical damage.

 

A         Authorisation and                 These are controls over spending decisions and decisions to enter into transactions.

            approval controls                   These decisions must be taken or approved by a person with specific authority.

 

M        Management                           Controls over systems are applied by management.In accounting one example of a 

            Controls                                    management control system is the system of budgeting and budgetary control.

 

S         Supervision                              Controls can be applied by supervising the work done by employees.

 

O         Organization                           Everyone in the company should understand what his or her responsibilities are,

            Controls                                    and there should be lines of reporting from junior to senior staff.

 

A         Arithematical and                  In accounting systems there are many controls of this type such as control total

            accounting controls               checks and bank reconciliation checks.

 

P        Personal                                    There should be controls over the selection and training of employees to ensure

           Controls                                     that they are suitably qualified and skilled for the work that they do.

 

This brief list should help you to understand the range of controls that might be applied and that together make up the controls in an internal control system.

 

Causes of internal control failure:

Internal control failure occurs when internal controls donot work and donot prevent a loss or adverse event from happening.Although there are controls in place they fail to prevent the loss that they were intended to prevent.

 

There are two main causes of internal control error:

  • Weaknesses in the design of controls: Controls are intended to prevent a loss or adverse event may not be good enough or sufficiently robust.

  • Weaknesses in the application of controls: The design of the controls may be sufficient but the controls are not applied in practice in the way that they should be.

 

Controls may not be applied properly for several reasons.

  • Human Error:Employees or manager may make mistakes so that controls intended to prevent a loss do not work properly.A supervisor may be required to check that an employee has done a task properly but may fail to carry out the check.

  • Poor Judgement:Information may be provided that enables a manager to make a control decision,but the manager may make a poor decision based on the information he has been given for example a manager may be given information to suggest that there is excessive spending on materials purchases but he may decide to do nothing about it.

  • Control systems may break down:If controls are automated,they may occasionally fail because of a technical breakdown in the system.For example an aeroplane may crash because of failures in the on-board control systems for the pilot.

  • Overriding of controls:Controls may not work because manager may decide to ignore them or override them.Senior managers may be guilty of this offence when they have an attitude that controls are for other people but not for them.

  • Unforeseeable circumstances:controls may fail because circumstances arise that had not been foreseen and controls were therefore not designed to deal with them.

 

 

 

 

 

 

 

 

bottom of page