Chapter 8: Internal control systems

Chapter learning objectives

Upon completion of this chapter you will be able to:

  • define and explain internal management control
  • explain and explore the importance of internal control and risk management in corporate governance
  • describe the objectives of internal control systems
  • identify, explain and evaluate the corporate governance and executive management roles in risk management
  • identify and assess the importance of the elements or components of internal control systems
  • explore and evaluate the effectiveness of internal control systems
  • explain and assess the need for adequate information flows to management for the purposes of the management of internal control and risk
  • evaluate the qualities and characteristics of information required in internal control and risk management and monitoring.

1 Development of corporate governance regarding accountability, audit and controls

Cadbury Report (1992)

The audit and accountability section of the Cadbury Report recognised the importance of corporate transparency and ensuring good communication and disclosure with shareholders and stakeholders.

The report confirmed that directors should establish a sound system of internal control and review this system on a regular basis.

Illustration 1 – Barings Bank

Barings Bank was founded in 1762. Despite surviving the Napoleonic Wars and two World Wars, Barings was brought down in 1995 due to unauthorised trading by its head derivatives trader in Singapore, Nick Leeson.

At the time of the massive trading loss, Leeson was supposed to be arbitraging, seeking to profit from differences in the prices of Nikkei 225 futures contracts listed on the Osaka Securities Exchange in Japan and the Singapore International Monetary Exchange.

Under Barings Futures Singapore's management structure Leeson acted as both the floor manager for Barings' trading on the Singapore International Monetary Exchange, and head of settlement operations. In effect, he was able to operate with no supervision from London (lack of segregation of duties).

Leeson traded to cover losses that he claims started when one of his colleagues bought contracts when she should have sold them, costing Barings £20,000. Using the hidden 'five-eights' account, by 23 February 1995, Leeson's activities had generated losses totalling £827 million (US$1.4 billion), twice the bank's available trading capital.

ING, a Dutch bank, purchased Barings Bank in 1995 for the nominal sum of £1 and assumed all of Barings' liabilities.

Turnbull Report (1999)

The Turnbull report states the need for directors to review their systems of internal control and report these to shareholders.

  • Turnbull represented an attempt to formalise an explicit framework for establishing internal control in organisations.
  • This framework can be used to help establish systems of internal control without being overly prescriptive. It provides guidance as to how to develop and maintain internal control systems and thus reduce risk.
  • Work done by the Committee of Sponsoring Organisations (COSO) in 1992 was referred to within this report.

Smith Report (2003)

This report dealt with:

  • the relationship between the auditor and the companies they audit
  • the role and responsibilities of the audit committee.

The report stopped short of a prescriptive approach that would ban all auditors from carrying out consultancy work for their clients, in keeping with the spirit-of-the-law approach characterised by UK compliance codes.

Illustration 2 – Société Générale

In January 2008 Société Générale lost approximately €4.9 billion closing out positions on futures contracts over three days of trading during a period in which the market was experiencing a large drop in equity prices.

The bank claimed that Jérôme Kerviel, a trader with the company, "had taken massive fraudulent directional positions in 2007 and 2008 far beyond his limited authority".

Société Générale characterises Kerviel as a rogue trader and claims Kerviel worked these trades alone, and without its authorisation. Kerviel, in turn, told investigators that such practices are widespread and that getting a profit makes the hierarchy turn a blind eye.

Establishing board committees who are responsible for these areas is one method of ensuring that the requirements of these reports are implemented.

The detail of these committees will be covered in later chapters.

2 Internal control and risk management in corporate governance

  • Internal control and risk management are fundamental components of good corporate governance.
  • Good corporate governance means that the board must identify and manage all risks for a company.
  • In terms of risk management, internal control systems span finance, operations, compliance and other areas, i.e. all the activities of the company.

Risk Management

The UK Corporate Governance Code recommends that 'The board should maintain sound risk management and internal control systems'.

The Cadbury Report noted that risk management should be systematic and also embedded in company procedures. Furthermore there should be a culture of risk awareness.

The report's initial definition of risk management was 'the process by which executive management, under board supervision, identifies the risk arising from business and establishes the priorities for control and particular objectives'.

While Cadbury recognised the need for internal control systems for risk management, detailed advice on application of those controls was provided by the Committee of Sponsoring Organisations (COSO) and the Turnbull Report.

Internal controls and COSO

COSO was formed in 1985 to sponsor the national commission on fraudulent reporting. The 'sponsoring organisations' included the American Accounting Association and the American Institute of Certified Public Accountants. COSO now produces guidance on the implementation of internal control systems in large and small companies.

In COSO, internal control is seen to apply to three aspects of the business:

(1) Effectiveness and efficiency of operations – that is, the basic business objectives, including performance goals and safeguarding resources.

(2) Reliability of financial reporting – including the preparation of any published financial information.

(3) Compliance with applicable laws and regulations to which the company is subject.

The elements of an effective control system recommended by COSO in 1992 are covered later in this chapter.

Internal controls and Turnbull

The Turnbull committee was established after the publication of the 1998 Combined Code in the UK to provide advice to listed companies on how to implement the internal control principles of the code.

The overriding requirement of their report was that the directors should:

(a) implement a sound system of internal controls, and

(b) that this system should be checked on a regular basis.

Turnbull Report requirements

The Turnbull Report requires:

(a) That internal controls should be established using a risk-based approach. Specifically a company should:

  • Establish business objectives.
  • Identify the associated key risks.
  • Decide upon the controls to address the risks.
  • Set up a system to implement the required controls, including regular feedback.

(b) That the system should be reviewed on a regular basis. The UK Corporate Governance Code (2010) contains the statement that:

'The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.'

3 Internal control definitions

  • Controls attempt to ensure that risks, those factors which stop the achievement of company objectives, are minimised.
  • An internal control system comprises the whole network of systems established in an organisation to provide reasonable assurance that organisational objectives will be achieved.
  • Internal management control refers to the procedures and policies in place to ensure that company objectives are achieved.
  • The control procedures and policies provide the detailed controls implemented within the company.

4 Objectives of internal control systems

A popular misconception is that the internal control system is implemented simply to stop fraud and error. As the points below show, this is not the case.

A lack of internal control implies that directors have not met their obligations under corporate governance. It specifically means that the risk management strategy of the company will be defective.

The main objectives of an internal control system are summarised in the Auditing Practices Board (APB) and the COSO guidelines (detail provided below).

Objectives of an internal control system

An internal control system is to ensure, as far as practicable:

  • the orderly and efficient conduct of its business, including adherence to internal policies
  • the safeguarding of assets of the business
  • the prevention and detection of fraud and error
  • the accuracy and completeness of the accounting records, and
  • the timely preparation of financial information.

Benefits of an internal control system are therefore:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations.

These may further give rise to improved investor confidence.

Objectives of internal control

The objectives of an internal control system follow on from the need for internal control in risk management and corporate governance.

The actual objectives of internal control systems are mentioned in many different publications and reports. Two of those are given below.

APB objectives

The APB in the UK provides guidance to auditors with specific reference to the implementation of International Standards on Auditing. A definition of internal controls from the APB is:

'The internal control system … includes all the policies and procedures (internal records) adopted by the directors and management of an entity to succeed in their objective of ensuring, as far as practicable:

The main point to note here, as in the previous section, is that the internal control system encompasses the whole business, not simply the financial records.

COSO objectives

COSO defines internal control as 'a process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives', in three particular areas:

(1) Effectiveness and efficiency of operations.

(2) Reliability of financial reporting.

(3) Compliance with applicable laws and regulations.

This definition contains a number of key concepts which again illustrate the pervasiveness of internal control systems in a company.

  • Internal control is a process, rather than a structure. It is a continuing series of activities, planned, implemented and monitored by the board of directors and management at all levels within an organisation.
  • Internal control provides only reasonable assurance, not absolute assurance, with regard to achievement of the organisation's objectives.
  • The objectives of internal control relate to assurance not only about reliable financial reporting and compliance, but also with regard to the effectiveness and efficiency of operations.
  • Internal control is therefore also concerned with the achievement of performance objectives, such as profitability.

It is also useful to think of internal control as a system for the management and control of certain risks, to restrict the likelihood of adverse events or results.

Limitations of internal control systems

Warnings should be given regarding over-reliance on any system, noting in particular that:

  • A good internal control system cannot turn a poor manager into a good one.
  • The system can only provide reasonable assurance regarding the achievement of objectives – all internal control systems are at risk from mistakes or errors.
  • Internal control systems can be by-passed by collusion and management override.
  • Controls are only designed to cope with routine transactions and events.
  • There are resource constraints in provision of internal control systems, limiting their effectiveness.

In other words, it is good corporate governance to establish the system: risks within the company will be minimised, but those risks can never be entirely eliminated.

5 Sound control systems

  • It is not sufficient to simply have an internal control system since a system can be ineffective and fail to support the organisation and serve the aim of corporate governance.
  • The Turnbull guidance described three features of a sound internal control system.

Turnbull's sound systems

Principle 1 of the Turnbull Report: Establish and maintain a sound system of internal control.

Elements of internal control include:

(1) Facilitate the effective and efficient operation of the company, enabling it to respond to any significant risks which stand in the way of the company achieving its objectives. The risks could be business, compliance, operational or financial.

(2) Ensure the quality of both internal (management) and external reporting.

(3) Ensure compliance with laws and regulations and with the company's internal policies regarding the running of the business.

In terms of risk management, the internal control system is more than simply checking that, e.g. 'all goods despatched have been invoiced'. The Turnbull guidance described three features of a sound internal control system:

  • Firstly, the principles of internal control should be embedded within the organisation's structures, procedures and culture. Internal control should not be seen as a stand-alone set of activities and by embedding it into the fabric of the organisation's infrastructure, awareness of internal control issues becomes everybody's business and this contributes to effectiveness.
  • Secondly, internal control systems should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment. The speed of reaction is an important feature of almost all control systems. Any change in the risk profile or environment of the organisation will necessitate a change in the system and a failure or slowness to respond may increase the vulnerability to internal or external trauma.
  • Thirdly, sound internal control systems include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken. Information flows to relevant levels of management capable and empowered to act on the information are essential in internal control systems. Any failure, frustration, distortion or obfuscation of information flows can compromise the system. For this reason, formal and relatively rigorous information channels are often instituted in organisations seeking to maximise the effectiveness of their internal control systems.

6 Roles in risk management and internal control

  • Responsibility for internal control is not simply an executive management role.
  • All employees have some responsibility for monitoring and maintaining internal controls.
  • Roles in monitoring range from the CEO setting the 'tone' for internal control compliance, to the external auditor, reporting on the effectiveness of the system.

Turnbull Report roles

The Turnbull Report addresses the responsibilities of directors and management in relation to risk and control.


Directors should:

  • Set appropriate internal control policies.
  • Seek regular assurance that the system is functioning.
  • Review the effectiveness of internal control.
  • Provide disclosures on internal controls in annual reports and accounts.

Directors should review internal controls under the five headings identified by COSO in 1992 (see later in this chapter).

  • Control environment
  • Risk assessment
  • Information systems
  • Control procedures
  • Monitoring.


Management should:

  • Implement board policies.
  • Identify and evaluate the risks faced by the company.

The Turnbull Report also suggests that internal audit makes a significant and valuable contribution to a company.

Roles in risk management

While the syllabus heading does state 'executive' roles in risk management, the COSO guidelines also note that 'everyone in an organisation has responsibility for internal control', hence the slightly wider explanation provided here.

The guidance below is an expanded version of the COSO recommendations.

King Report

The King Report on Corporate Governance (South Africa) provides a useful framework for reviewing internal controls:

King Report – additional responsibilities

The King Report provides a list of eight points regarding responsibilities for risk management within a company. These are summarised below:

SOX section 404 responsibilities

SOX sets out responsibilities regarding risk management. However, in direct contrast to other corporate governance systems, remember that these responsibilities are statutory rather than guidance. The comments below relate specifically to the s404 requirements of SOX, i.e. the audit and reporting of internal control systems within a company. More detail on this topic will follow in the audit and compliance chapter.

There are two main areas of responsibility. Management are likely to delegate the authority to obtain information on internal controls to the audit committee and/or internal audit department. Obviously, the responsibility for management's report cannot be delegated. In SOX terms, management refers to the board, with specific emphasis on the CEO and CFO – these individuals have to attest that the control system has been reviewed.

7 Review effectiveness of internal control

In respect of reviewing the internal control system, the Turnbull Report (principle 2) stated:

  • the review is a normal responsibility of management
  • the review itself, however, will be delegated to the audit committee (the board do not have the time or the expertise to carry out the review themselves)
  • the board must provide information on the internal control system and review in the annual accounts
  • the review should be carried out at least annually.

The COSO framework identifies five main elements of a control system against which the review should take place.

These range from the board setting the overall philosophy of the company in terms of applying internal controls to the detail of the control activities.

Elements of an effective internal control system

COSO identify five elements of an effective control system.

(1) Control environment

This is sometimes referred to as the 'tone at the top' of the organisation. It describes the ethics and culture of the organisation, which provide a framework within which other aspects of internal control operate. The control environment is set by the tone of management, its philosophy and management style, the way in which authority is delegated, the way in which staff are organised and developed, and the commitment of the board of directors.

The control environment has been defined by the Institute of Internal Auditors as: 'The attitude and actions of the board and management regarding the significance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.'

The control environment includes the following elements:

  • Management's philosophy and operating style.
  • Organisational structure.
  • Assignment of authority and responsibility.
  • Human resource policies and practices.
  • Competence of personnel.

(2) Risk assessment

There is a connection between the objectives of an organisation and the risks to which it is exposed. In order to make an assessment of risks, objectives for the organisation must be established. Having established the objectives, the risks involved in achieving those objectives should be identified and assessed, and this assessment should form the basis for deciding how the risks should be managed.

The risk assessment should be conducted for each business within the organisation, and should consider, for example:

  • internal factors, such as the complexity of the organisation, organisational changes, staff turnover levels, and the quality of staff
  • external factors, such as changes in the industry and economic conditions, technological changes, and so on.

The risk assessment process should also distinguish between:

  • risks that are controllable: management should decide whether to accept the risk, or to take measures to control or reduce the risk
  • risks that are not controllable: management should decide whether to accept the risk, or whether to withdraw partially or entirely from the business activity, so as to avoid the risk.

(3) Control activities

These are policies and procedures that ensure that the decisions and instructions of management are carried out. Control activities occur at all levels within an organisation, and include authorisations, verifications, reconciliations, approvals, segregation of duties, performance reviews and asset security measures. These control activities are commonly referred to as internal controls.

Examples of control activities are provided below.

(4) Information and communication

An organisation must gather information and communicate it to the right people so that they can carry out their responsibilities. Managers need both internal and external information to make informed business decisions and to report externally. The quality of information systems is a key factor in this aspect of internal control.

Additional detail on information systems is provided later in this chapter.

(5) Monitoring

The internal control system must be monitored. This element of an internal control system is associated with internal audit, as well as general supervision. It is important that deficiencies in the internal control system should be identified and reported up to senior management and the board of directors.

Control activities

Within the control system, there are control activities. These are the detailed internal controls which are embedded within the operations of the company.

There have been various attempts at defining control activities – the list referred to most often is from the APC (the Auditing Practices Committee – now the APB). The APC provided a list of eight internal controls, as shown below. The controls are placed into three groups to show how they work together. However, they are normally listed in a different order to make them memorable, as the detailed explanation below shows.

The APC list of internal controls can be remembered as:

  • S – Segregation of duties
  • P – Physical
  • A – Authorisation and approval
  • M – Management
  • S – Supervision
  • O – Organisation
  • A – Arithmetic and accounting
  • P – Personnel

which provides a useful mnemonic but does not necessarily explain the original grouping. Note that at Paper P1 you will be expected to move away from the detail of controls and take a high level view of the control activities, akin to that of a board of directors.

The controls are explained below in more detail.

Segregation of duties

Most transactions can be broken down into three separate duties: the authorisation or initiation of the transaction, the handling of the asset that is the subject of the transaction, and the recording of the transaction. This reduces the risk of fraud and may also reduce the risk of error.

For example, in the system for purchases and purchase accounting, the same individual should not have responsibility for:

  • making a purchase
  • making the payment, and
  • recording the purchase and the payment in the accounts.

If one individual did have responsibility for more than one of these activities, there would be potential for fraud. The individual could record fictitious purchases (e.g. the purchase of goods ordered for personal use) and pay for transactions that had not occurred.

Segregation of duties can also make it easier to spot unintentional mistakes, and should not be seen simply as a control against fraud.

At board of director level, corporate governance codes state that the duties of the chairman of the board and the CEO should be segregated, to prevent one individual from acquiring a dominant position on the board.

Although segregating duties provides protection against fraud by one individual, it is not effective against collusion to commit fraud by two or more individuals.

Physical controls

Physical controls are measures and procedures to protect physical assets against theft or unauthorised access and use. They include:

  • using a safe to hold cash and valuable documents
  • using secure entry systems to buildings or areas of a building
  • dual custody of valuable assets, so that two people are needed to obtain access to certain assets
  • periodic inventory checks
  • hiring security guards and using closed circuit TV cameras.

Authorisation and approval

Authorisation and approval controls are established to ensure that a transaction must not proceed unless an authorised individual has given his approval, possibly in writing. For spending transactions, an organisation might establish authorisation limits, whereby an individual manager is authorised to approve certain types of transaction up to a certain maximum value.
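As an added illustration (not part of the study text), the following Python sketch applies the segregation of duties and authorisation controls just described to a constructed purchase ledger: it flags any person who performed more than one of the three purchasing duties (initiation, payment, recording), and any approval that is missing, outside the approver's authorisation limit, or given by the person who initiated the purchase. The names, limits and ledger entries are all constructed.

```python
"""
Review a purchase ledger for two APC control activities:

1. Segregation of duties: the same individual should not initiate a purchase,
   make the payment, and record both in the accounts.
2. Authorisation and approval: a purchase must not proceed unless an authorised
   approver, acting within their spending limit, has approved it.

Everything below (people, limits, ledger) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed authorisation limits: approver -> maximum value they may approve.
APPROVAL_LIMITS: Dict[str, int] = {"alice": 5_000, "bob": 25_000}

# The three duties that segregation of duties says should be held by different people.
DUTIES = ("initiated_by", "paid_by", "recorded_by")


@dataclass
class Purchase:
    ref: str
    amount: int
    initiated_by: str
    paid_by: str
    recorded_by: str
    approved_by: Optional[str] = None


def duty_conflicts(p: Purchase) -> Dict[str, List[str]]:
    """Map each person who performed more than one duty to the duties they held."""
    held: Dict[str, List[str]] = {}
    for duty in DUTIES:
        held.setdefault(getattr(p, duty), []).append(duty)
    return {person: duties for person, duties in held.items() if len(duties) > 1}


def authorisation_failures(p: Purchase, limits: Dict[str, int] = APPROVAL_LIMITS) -> List[str]:
    """Return the reasons the approval is inadequate; an empty list means it passes."""
    reasons: List[str] = []
    if p.approved_by is None:
        reasons.append("no approval recorded")
    elif p.approved_by not in limits:
        reasons.append(f"{p.approved_by} is not an authorised approver")
    elif p.amount > limits[p.approved_by]:
        reasons.append(f"{p.approved_by} limit {limits[p.approved_by]} exceeded by amount {p.amount}")
    # An approver signing off their own purchase defeats independent authorisation.
    if p.approved_by is not None and p.approved_by == p.initiated_by:
        reasons.append("approver also initiated the purchase")
    return reasons


def review_ledger(ledger: List[Purchase], limits: Dict[str, int] = APPROVAL_LIMITS) -> Dict[str, List[str]]:
    """Return {purchase ref: [control exceptions]} for every purchase that fails a control."""
    findings: Dict[str, List[str]] = {}
    for p in ledger:
        issues: List[str] = []
        for person, duties in duty_conflicts(p).items():
            issues.append(f"segregation: {person} performed {', '.join(duties)}")
        issues.extend("authorisation: " + reason for reason in authorisation_failures(p, limits))
        if issues:
            findings[p.ref] = issues
    return findings


# Constructed ledger: one clean entry and four different control failures.
SAMPLE_LEDGER = [
    Purchase("P001", 1_200, "carol", "dave", "erin", approved_by="alice"),   # passes both controls
    Purchase("P002", 8_000, "carol", "carol", "carol", approved_by="bob"),   # one person did everything
    Purchase("P003", 12_000, "frank", "dave", "erin", approved_by="alice"),  # above alice's limit
    Purchase("P004", 900, "alice", "dave", "erin", approved_by="alice"),     # approver initiated it
    Purchase("P005", 300, "carol", "dave", "erin"),                          # never approved
]

if __name__ == "__main__":
    for ref, issues in review_ledger(SAMPLE_LEDGER).items():
        print(ref)
        for issue in issues:
            print("  -", issue)
```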

Management control

Controls are exercised by management on the basis of information they receive.

Top level reviews. The board of directors or senior management might call for a performance report on the progress of the organisation towards its goals. For example, senior management might review a report on the progress of the organisation toward achieving its budget targets. Questions should be asked by senior management, prompting responses at lower management levels. In this way, top level reviews are a control activity.

Activity controls. At departmental or divisional level, management should receive reports that review performance or highlight exceptions. Functional reviews should be more frequent than top-level reviews, on a daily, weekly or monthly basis. As with top-level reviews, questions should be asked by management that initiate control activity. An example of control by management is the provision of regular performance reports, such as variance reports, comparing actual results with a target or budget.

Supervision

Supervision is oversight of the work of other individuals, by someone in a position of responsibility. Supervisory controls help to ensure that individuals do the tasks they are required to and perform them properly.

Organisation controls

Organisation controls refer to the controls provided by the organisation's structure, such as:

  • the separation of an organisation's activities and operations into departments or responsibility centres, with a clear division of responsibilities
  • delegating authority within the organisation
  • establishing reporting lines within the organisation
  • co-ordinating the activities of different departments or groups, e.g. by setting up committees or project teams.

Arithmetic and accounting

Controls are provided by:

  • recording transactions properly in the accounting system
  • being able to trace each individual transaction through the accounting records
  • checking arithmetical calculations, such as double-checking the figures in an invoice before sending it to a customer (sales invoice) or approving it for payment (purchase invoice) to make sure that they are correct.

Personnel controls

Controls should be applied to the selection and training of employees, to make sure that:

  • suitable individuals are appointed to positions within the organisation
  • individuals have the appropriate personal qualities, experience and qualifications where required
  • individuals are given suitable induction and training, to ensure that they carry out their tasks efficiently and effectively.

Staff should also be given training in the purpose of controls and the need to apply them. Specific training about controls should help to increase employee awareness and understanding of the risks of failing to apply them properly.

8 Information flows for management

To enable management to identify and manage risks and monitor internal controls within an organisation, they need adequate information flows from within the business.

  • There should be effective channels of communication within the organisation, so that all managers receive timely information that is relevant to the performance of their tasks and duties.
  • Information should be provided regularly to management so that they can monitor performance with respect to efficiency, effectiveness in achieving targets, economy and quality.
  • Managers need both internal and external information to make informed business decisions and to report externally.
  • The actual information provided to management varies depending on the different levels of management.
  • Different information systems are available to provide the required information.

Management levels

Before considering the roles of management in internal control and risk management, the different levels of management must be revised.

The information requirements of managers will vary depending on their specific role with regard to internal control and risk. Within an organisation, management are normally divided into three different levels: strategic, tactical and operational. These three levels of management, as described by Anthony, can be illustrated by the following diagram:

In general terms, each level of management will be involved in specific activities:

The two key activities of management are therefore:

The mix of the planning/risk and monitoring/internal control activities is sometimes shown in diagrammatic form as follows:

Internal control and risk management activities

Management and internal control/risk

The activities of the three management levels regarding internal control and risk are:

To carry out these activities, each management level will need specific information from specific information systems.

Information systems for management control

The information systems providing that information must therefore vary so that appropriate information is provided to each level of management and focused on their specific objectives regarding internal control and risk. The diagram below reiterates the management levels and indicates the general type of information system that will be provided for that management level.

Types of information system

  • Executive Information System (EIS): a computer based system for total business modelling. It monitors reality and facilitates actions that improve business results.
  • Management Information System (MIS): a system to convert data from internal and external sources into information, and to communicate that information in an appropriate form to managers at all levels and in all areas of the business to enable them to make timely and effective decisions.
  • Decision Support System (DSS): a computer based system which enables managers to confront ill-structured problems by direct interaction with data and problem-solving programs.
  • Transaction Processing System (TPS): a system that routinely captures, processes, stores and outputs low level transaction data.

Management hierarchy

All systems provide information appropriate to each management level – see the next section for examples of how that information changes at the different levels.

9 Information characteristics and quality

The information received by management needs to be of a certain standard to be useful in internal control and risk management and monitoring.

There should be an adequate, integrated information system, supplying internal financial, operational and compliance data and relevant external data.

The information should meet the criteria of 'good' information:

  • Accurate
  • Complete
  • Cost-beneficial
  • User-targeted
  • Relevant
  • Authoritative
  • Timely
  • Easy to use

The characteristics of that information will change depending on the management level using that information.

The table below shows the characteristics of information and how their quality varies depending on what is made available.

Information characteristics

Strategic and operational information – characteristics

Given that management activities regarding internal control and risk management are different, the characteristics of information provided by the different management information systems will also differ. Characteristics of information for these management decision areas can be summarised as shown below:

Tactical information – characteristics

Just as tactical decision making forms a link between strategic and operational management, the information it requires has some of the characteristics of each.

Forecast and historical data are both required, although historical data is not needed as immediately as it is for operational decisions. Information is largely objective and quantitative but the greater experience of middle managers making tactical decisions makes this less important than for operational information.

For each of the other information qualities – accuracy, certainty, completeness, breadth and detail – tactical information occupies the mid-point between strategic and operational information.

Test your understanding 1

Why is it important for the board to have accurate information for the management of internal controls?

10 Chapter summary

Test your understanding answers

Test your understanding 1

The board have to meet their corporate governance responsibility to ensure that an effective internal control system exists within the organisation. In order to do this they will require accurate reports from auditors and managers within the company regarding the current controls, and any weaknesses identified.

Good information will enable the board to confirm that the monitoring activities, undertaken by auditors and critical to the internal control system, are being carried out in an effective and efficient manner.

Information regarding the costs and benefits of internal controls will enable the board to ensure that resources are not wasted on ineffective, or unnecessary controls.

Accurate information regarding the risks facing the organisation will enable the board to be aware of any critical issues that may arise in the near future, and hence take action accordingly to mitigate any problems.

The board can provide the appropriate direction to the management of the company if they are fully aware of all the facts relating to any given situation. If the facts are distorted, the direction provided may be inappropriate.

Created at 5/24/2012 12:30 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 5/25/2012 12:55 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
