Internal control systems

Internal control and risk management are fundamental components of good corporate governance. Good corporate governance means that the board must identify and manage all risks for a company. In terms of risk management, internal control systems span finance, operations, compliance and other areas, i.e. all the activities of the company.

Internal control definitions

  • Controls attempt to ensure that risks, those factors which stop the achievement of company objectives, are minimised.
  • An internal control system comprises the whole network of systems established in an organisation to provide reasonable assurance that organisational objectives will be achieved.
  • Internal management control refers to the procedures and policies in place to ensure that company objectives are achieved.
  • The control procedures and policies provide the detailed controls implemented within the company.

Risk Management

The UK Corporate Governance Code recommends that 'The board should maintain sound risk management and internal control systems'.

The Cadbury Report noted that risk management should be systematic and also embedded in company procedures. Furthermore there should be a culture of risk awareness.

The report's initial definition of risk management was 'the process by which executive management, under board supervision, identifies the risk arising from business and establishes the priorities for control and particular objectives'.

While Cadbury recognised the need for internal control systems for risk management, detailed advice on application of those controls was provided by the Committee of Sponsoring Organisations, (COSO) and the Turnbull Report.

Internal controls and COSO

COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The 'sponsoring organisations' included the American Accounting Association and the American Institute of Certified Public Accountants. COSO now produces guidance on the implementation of internal control systems in large and small companies.

In COSO, internal control is seen to apply to three aspects of the business:

(1) Effectiveness and efficiency of operations - that is, the basic business objectives, including performance goals and safeguarding resources.

(2) Reliability of financial reporting - including the preparation of any published financial information.

(3) Compliance with applicable laws and regulations to which the company is subject.

Internal controls and Turnbull

The Turnbull committee was established after the publication of the 1998 Combined Code in the UK to provide advice to listed companies on how to implement the internal control principles of the code.

The overriding requirement of their report was that the directors should:

(a) implement a sound system of internal controls, and

(b) check that system on a regular basis.

The Turnbull Report requires:

(a) That internal controls should be established using a risk-based approach. Specifically a company should:

  • Establish business objectives.
  • Identify the associated key risks.
  • Decide upon the controls to address the risks.
  • Set up a system to implement the required controls, including regular feedback.

(b) That the system should be reviewed on a regular basis. The UK Corporate Governance Code (2010) contains the statement that:

'The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.'

Objectives of internal control systems

A popular misconception is that the internal control system is implemented simply to stop fraud and error. As the points below show, this is not the case.

A lack of internal control implies that directors have not met their obligations under corporate governance. It specifically means that the risk management strategy of the company will be defective.

The main objectives of an internal control system are summarised in the Auditing Practices Board (APB) and the COSO guidelines (detail provided below). An internal control system is to ensure, as far as practicable:

  • the orderly and efficient conduct of its business, including adherence to internal policies
  • the safeguarding of assets of the business
  • the prevention and detection of fraud and error
  • the accuracy and completeness of the accounting records, and
  • the timely preparation of financial information.

Benefits of an internal control system are therefore:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations.

These may further give rise to improved investor confidence.

Objectives of internal control

The objectives of an internal control system follow on from the need for internal control in risk management and corporate governance.

The actual objectives of internal control systems are mentioned in many different publications and reports. Two of those are given below.

APB objectives

The APB in the UK provides guidance to auditors with specific reference to the implementation of International Standards on Auditing. A definition of internal controls from the APB is:

'The internal control system - includes all the policies and procedures (internal records) adopted by the directors and management of an entity to succeed in their objective of ensuring, as far as practicable:

The main point to note here is that the internal control system encompasses the whole business, not simply the financial records.

COSO objectives

COSO defines internal control as 'a process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives', in three particular areas:

(1) Effectiveness and efficiency of operations.

(2) Reliability of financial reporting.

(3) Compliance with applicable laws and regulations.

This definition contains a number of key concepts which illustrate the pervasiveness of internal control systems in a company.

  • Internal control is a process, rather than a structure. It is a continuing series of activities, planned, implemented and monitored by the board of directors and management at all levels within an organisation.
  • Internal control provides only reasonable assurance, not absolute assurance, with regard to achievement of the organisation's objectives.
  • The objectives of internal control relate to assurance not only about reliable financial reporting and compliance, but also with regard to the effectiveness and efficiency of operations.
  • Internal control is therefore also concerned with the achievement of performance objectives, such as profitability.

It is also useful to think of internal control as a system for the management and control of certain risks, to restrict the likelihood of adverse events or results.

Limitations of internal control systems

Warnings should be given regarding over-reliance on any system, noting in particular that:

  • A good internal control system cannot turn a poor manager into a good one.
  • The system can only provide reasonable assurance regarding the achievement of objectives - all internal control systems are at risk from mistakes or errors.
  • Internal control systems can be by-passed by collusion and management override.
  • Controls are only designed to cope with routine transactions and events.
  • There are resource constraints in provision of internal control systems, limiting their effectiveness.

In other words, establishing the system is good corporate governance and will reduce the risks within the company, but those risks can never be entirely eliminated.

Sound control systems

It is not sufficient to simply have an internal control system since a system can be ineffective and fail to support the organisation and serve the aim of corporate governance.

Turnbull's sound systems

Principle 1 of the Turnbull Report: Establish and maintain a sound system of internal control.

Elements of internal control include:

(1) Facilitate the effective and efficient operation of the company, enabling it to respond to any significant risks which stand in the way of the company achieving its objectives. The risks could be business, compliance, operational or financial.

(2) Ensure the quality of both internal (management) and external reporting.

(3) Ensure compliance with laws and regulations and with the company's internal policies regarding the running of the business.

In terms of risk management, the internal control system is more than simply checking that, e.g. 'all goods despatched have been invoiced'. The Turnbull guidance described three features of a sound internal control system:

  • Firstly, the principles of internal control should be embedded within the organisation's structures, procedures and culture. Internal control should not be seen as a stand-alone set of activities and by embedding it into the fabric of the organisation's infrastructure, awareness of internal control issues becomes everybody's business and this contributes to effectiveness.
  • Secondly, internal control systems should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment. The speed of reaction is an important feature of almost all control systems. Any change in the risk profile or environment of the organisation will necessitate a change in the system and a failure or slowness to respond may increase the vulnerability to internal or external trauma.
  • Thirdly, sound internal control systems include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken. Information flows to relevant levels of management capable and empowered to act on the information are essential in internal control systems. Any failure, frustration, distortion or obfuscation of information flows can compromise the system. For this reason, formal and relatively rigorous information channels are often instituted in organisations seeking to maximise the effectiveness of their internal control systems.

Roles in risk management and internal control

Responsibility for internal control is not simply an executive management role.

  • All employees have some responsibility for monitoring and maintaining internal controls.
  • Roles in monitoring range from the CEO setting the 'tone' for internal control compliance, to the external auditor, reporting on the effectiveness of the system.

The Turnbull Report addresses the responsibilities of directors and management in relation to risk and control.


Directors should:

  • set appropriate internal control policies.
  • seek regular assurance that the system is functioning.
  • review the effectiveness of internal control.
  • provide disclosures on internal controls in annual reports and accounts.

Directors should review internal controls under the five components identified by COSO in 1992 (each is described in more detail under 'Elements of an effective internal control system (COSO)' below).

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring.


Management should:

  • implement board policies.
  • identify and evaluate the risks faced by the company.

The Turnbull Report also suggests that internal audit makes a significant and valuable contribution to a company.

COSO Roles in risk management

The COSO guidelines note that 'everyone in an organisation has responsibility for internal control', hence the slightly wider explanation provided here.

The guidance below is an expanded version of the COSO recommendations.

King Report

The King Report on Corporate Governance (South Africa) provides a useful framework for reviewing internal controls:

King Report - additional responsibilities

The King Report provides a list of eight points regarding responsibilities for risk management within a company. These are summarised below:

SOX section 404 responsibilities

SOX sets out responsibilities regarding risk management. However, in direct contrast to other corporate governance systems, remember that these responsibilities are statutory rather than guidance. The comments below relate specifically to the s404 requirements of SOX, i.e. the audit and reporting of internal control systems within a company.

There are two main areas of responsibility. Management are likely to delegate the authority to obtain information on internal controls to the audit committee and/or the internal audit department. Obviously, the responsibility for management's report cannot be delegated. In SOX terms, management refers to the board, with specific emphasis on the CEO and CFO - these individuals have to attest that the control system has been reviewed.

Reviewing the effectiveness of internal control

In respect of reviewing the internal control system, the Turnbull Report (principle 2) stated:

  • the review is a normal responsibility of management
  • the review itself, however, will be delegated to the audit committee (the board do not have the time or the expertise to carry out the review themselves)
  • the board must provide information on the internal control system and review in the annual accounts
  • the review should be carried out at least annually.

The COSO framework identifies five main elements of a control system against which the review should take place.

These range from the board setting the overall philosophy of the company in terms of applying internal controls to the detail of the control activities.

Elements of an effective internal control system (COSO)

COSO identify five elements of an effective control system.

(1) Control environment

This is sometimes referred to as the 'tone at the top' of the organisation. It describes the ethics and culture of the organisation, which provide a framework within which other aspects of internal control operate. The control environment is set by the tone of management, its philosophy and management style, the way in which authority is delegated, the way in which staff are organised and developed, and the commitment of the board of directors.

The control environment has been defined by the Institute of Internal Auditors as: 'The attitude and actions of the board and management regarding the significance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.'

The control environment includes the following elements:

  • Management's philosophy and operating style.
  • Organisational structure.
  • Assignment of authority and responsibility.
  • Human resource policies and practices.
  • Competence of personnel.

(2) Risk assessment

There is a connection between the objectives of an organisation and the risks to which it is exposed. In order to make an assessment of risks, objectives for the organisation must be established. Having established the objectives, the risks involved in achieving those objectives should be identified and assessed, and this assessment should form the basis for deciding how the risks should be managed.

The risk assessment should be conducted for each business within the organisation, and should consider, for example:

  • internal factors, such as the complexity of the organisation, organisational changes, staff turnover levels, and the quality of staff
  • external factors, such as changes in the industry and economic conditions, technological changes, and so on.

The risk assessment process should also distinguish between:

  • risks that are controllable: management should decide whether to accept the risk, or to take measures to control or reduce the risk
  • risks that are not controllable: management should decide whether to accept the risk, or whether to withdraw partially or entirely from the business activity, so as to avoid the risk.

(3) Control activities

These are policies and procedures that ensure that the decisions and instructions of management are carried out. Control activities occur at all levels within an organisation, and include authorisations, verifications, reconciliations, approvals, segregation of duties, performance reviews and asset security measures. These control activities are commonly referred to as internal controls.

(4) Information and communication

An organisation must gather information and communicate it to the right people so that they can carry out their responsibilities. Managers need both internal and external information to make informed business decisions and to report externally. The quality of information systems is a key factor in this aspect of internal control.

(5) Monitoring

The internal control system must be monitored. This element of an internal control system is associated with internal audit, as well as general supervision. It is important that deficiencies in the internal control system should be identified and reported up to senior management and the board of directors.

Control activities

Within the control system, there are control activities. These are the detailed internal controls which are embedded within the operations of the company.

There have been various attempts at defining control activities - the list referred to most often is from the APC (the Auditing Practices Committee - now the APB). The APC provided a list of eight internal controls, as shown below. The controls are placed into three groups to show how they work together. However, they are normally listed in a different order to make them memorable, as the detailed explanation below shows.

The APC list of internal controls can be remembered as SPAMSOAP:

S Segregation of duties

P Physical

A Authorisation and approval

M Management

S Supervision

O Organisation

A Arithmetic and accounting

P Personnel

which provides a useful mnemonic but does not necessarily explain the original grouping.

Segregation of duties

Most transactions can be broken down into three separate duties: the authorisation or initiation of the transaction, the handling of the asset that is the subject of the transaction, and the recording of the transaction. Assigning these duties to different people reduces the risk of fraud and may also reduce the risk of error.

For example, in the system for purchases and purchase accounting, the same individual should not have responsibility for:

  • making a purchase
  • making the payment, and
  • recording the purchase and the payment in the accounts.

If one individual did have responsibility for more than one of these activities, there would be potential for fraud. The individual could record fictitious purchases (e.g. the purchase of goods ordered for personal use) and pay for transactions that had not occurred.

Segregation of duties can also make it easier to spot unintentional mistakes, and should not be seen simply as a control against fraud.

At board of director level, corporate governance codes state that the duties of the chairman of the board and the CEO should be segregated, to prevent one individual from acquiring a dominant position on the board.

Although segregating duties provides protection against fraud by one individual, it is not effective against collusion to commit fraud by two or more individuals.

Physical controls

Physical controls are measures and procedures to protect physical assets against theft or unauthorised access and use. They include:

  • using a safe to hold cash and valuable documents
  • using secure entry systems to buildings or areas of a building
  • dual custody of valuable assets, so that two people are needed to obtain access to certain assets
  • periodic inventory checks
  • hiring security guards and using closed circuit TV cameras.

Authorisation and approval

Authorisation and approval controls are established to ensure that a transaction must not proceed unless an authorised individual has given their approval, possibly in writing. For spending transactions, an organisation might establish authorisation limits, whereby an individual manager is authorised to approve certain types of transaction up to a certain maximum value.
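The segregation of duties rule above (initiate, handle the asset, record) and the authorisation limits described here are both easiest to see when written down as checks over a role matrix and a transaction. The following Python is an added illustration, not code from the page or from any of the bodies it cites; the duty names, users, limits and the four sample purchases are all constructed assumptions. It does a static check of the role matrix (who holds conflicting duties) and a dynamic check of each purchase (were the three duties performed by three different people, did the approver have a sufficient limit, did anyone approve their own purchase). As the page notes, none of this detects collusion between two people who each hold only one duty.

```python
"""
Segregation-of-duties and authorisation-limit checks for a purchase workflow.
Added illustration, not code from the page's sources. Duty names, user
names, limits and transactions below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

# The three duties the page says a transaction splits into.
INITIATE = "initiate"   # authorising / initiating the purchase
PAY = "pay"             # handling the asset (making the payment)
RECORD = "record"       # recording purchase and payment in the accounts

# Any one person holding two of these three duties is a SoD conflict.
CONFLICTS = {frozenset(pair) for pair in combinations((INITIATE, PAY, RECORD), 2)}


@dataclass
class Purchase:
    ref: str
    amount: float
    initiated_by: str
    approved_by: str
    paid_by: str
    recorded_by: str


def sod_conflicts(assignments: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Static check of the role matrix: (user, duty_a, duty_b) for every conflict."""
    found = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in CONFLICTS:
                found.append((user, a, b))
    return found


def check_purchase(p: Purchase, assignments: dict[str, set[str]],
                   limits: dict[str, float]) -> list[str]:
    """Dynamic check of one transaction. Returns findings; an empty list passes."""
    findings = []
    # Each step must be performed by someone who actually holds that duty.
    steps = ((INITIATE, p.initiated_by), (PAY, p.paid_by), (RECORD, p.recorded_by))
    for duty, user in steps:
        if duty not in assignments.get(user, set()):
            findings.append(f"{p.ref}: {user} performed '{duty}' without holding that duty")
    # The three duties must be done by three different people (the SoD rule itself).
    actors = {p.initiated_by, p.paid_by, p.recorded_by}
    if len(actors) < 3:
        findings.append(f"{p.ref}: segregation of duties broken, actors={sorted(actors)}")
    # Approval: the approver must have a limit and the amount must be within it.
    limit = limits.get(p.approved_by)
    if limit is None:
        findings.append(f"{p.ref}: {p.approved_by} is not an authorised approver")
    elif p.amount > limit:
        findings.append(f"{p.ref}: amount {p.amount:.2f} exceeds {p.approved_by}'s limit {limit:.2f}")
    # Nobody approves a purchase they initiated themselves.
    if p.approved_by == p.initiated_by:
        findings.append(f"{p.ref}: self-approval by {p.initiated_by}")
    # Not detectable here: two distinct users colluding (e.g. initiator and payer
    # agreeing on a fictitious supplier). That needs other controls.
    return findings


# Constructed sample role matrix and approval limits.
ASSIGNMENTS = {
    "alice": {INITIATE},
    "bob": {PAY},
    "carol": {RECORD},
    "dave": {INITIATE, PAY},    # conflicting duties: can order and pay
}
LIMITS = {"erin": 5000.0, "frank": 50000.0}

# Constructed sample transactions.
SAMPLE = [
    Purchase("PO-1", 1200.0, "alice", "erin", "bob", "carol"),    # clean
    Purchase("PO-2", 900.0, "dave", "erin", "dave", "carol"),     # dave initiates and pays
    Purchase("PO-3", 20000.0, "alice", "erin", "bob", "carol"),   # over erin's limit
    Purchase("PO-4", 300.0, "alice", "alice", "bob", "carol"),    # self-approval by a non-approver
]


def run(purchases: list[Purchase] = SAMPLE) -> dict[str, list[str]]:
    """Check every purchase; maps reference to its findings."""
    return {p.ref: check_purchase(p, ASSIGNMENTS, LIMITS) for p in purchases}


if __name__ == "__main__":
    for user, a, b in sod_conflicts(ASSIGNMENTS):
        print(f"role matrix: {user} holds both '{a}' and '{b}'")
    for ref, findings in run().items():
        print(ref, "OK" if not findings else findings)
```

The static check is the one to run whenever roles change (the 'responding to evolving risks' point from Turnbull); the dynamic check is what a system enforces at the point of transaction, and what an internal auditor would replay over a period's purchases to look for exceptions.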

Management control

Controls are exercised by management on the basis of information they receive.

Top level reviews. The board of directors or senior management might call for a performance report on the progress of the organisation towards its goals. For example, senior management might review a report on the progress of the organisation toward achieving its budget targets. Questions should be asked by senior management, prompting responses at lower management levels. In this way, top level reviews are a control activity.

Activity controls. At departmental or divisional level, management should receive reports that review performance or highlight exceptions. Functional reviews should be more frequent than top-level reviews, on a daily, weekly or monthly basis. As with top-level reviews, questions should be asked by management that initiate control activity. An example of control by management is the provision of regular performance reports, such as variance reports, comparing actual results with a target or budget.

Supervision

Supervision is oversight of the work of other individuals, by someone in a position of responsibility. Supervisory controls help to ensure that individuals do the tasks they are required to and perform them properly.

Organisation

Organisation controls refer to the controls provided by the organisation's structure, such as:

  • the separation of an organisation's activities and operations into departments or responsibility centres, with a clear division of responsibilities
  • delegating authority within the organisation
  • establishing reporting lines within the organisation
  • co-ordinating the activities of different departments or groups, e.g. by setting up committees or project teams.

Arithmetic and accounting

Controls are provided by:

  • recording transactions properly in the accounting system
  • being able to trace each individual transaction through the accounting records
  • checking arithmetical calculations, such as double-checking the figures in an invoice before sending it to a customer (sales invoice) or approving it for payment (purchase invoice) to make sure that they are correct.

Personnel controls

Controls should be applied to the selection and training of employees, to make sure that: suitable individuals are appointed to positions within the organisation; individuals have the appropriate personal qualities, experience and qualifications where required; and individuals are given suitable induction and training, to ensure that they carry out their tasks efficiently and effectively.

Staff should also be given training in the purpose of controls and the need to apply them. Specific training about controls should help to increase employee awareness and understanding of the risks of failing to apply them properly.

Created at 8/14/2012 9:49 AM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 4/10/2014 10:28 AM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Controls;supervision;Segregation of duties;SPAMSOAP;COSO;Internal control;SOX;King Report;Risk management;Turnbull;APB;UK Corporate Governance Code;Compliance