Internal controls

The purpose of this article is to provide an overview of internal control, with particular emphasis on topics relevant to Part C of the BT/FBT syllabus. The article will focus on the following learning objectives, as set out in section C6 of the study guide:

a) Explain internal control and internal check
b) Explain the importance of internal financial controls in an organisation
c) Describe the responsibilities of management for internal financial control.

The article will also describe the roles of internal audit and internal audit testing, relevant to section C2(e) and (f) of the study guide.

Definition and purposes of internal control

The Turnbull Report, first published in 1999, defined internal control and its scope as follows:

‘The policies, processes, tasks, behaviours and other aspects of an organisation that taken together:

Facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational, financial, compliance and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that liabilities are identified and managed.

Ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from both internal and external sources.

Ensure compliance with applicable laws and regulations and also with internal policies.’

Turnbull’s explanation focuses on the positive role that internal control has to play in an organisation. Facilitating efficient operations implies improvement, and, properly applied, internal control processes add value to an organisation by considering outcomes against original plans and then proposing ways in which they might be addressed.

At the same time, Turnbull also conceded that there is no such thing as a perfect internal control system, as all organisations operate in a dynamic environment: just as some risks recede into insignificance, new risks will emerge, some of which will be difficult or impossible to anticipate. The purpose of any control system should therefore be to provide reasonable assurance that the organisation can meet its objectives.

Objectives of internal control

Internal control should have the following objectives:

Efficient conduct of business:
Controls should be in place to ensure that processes flow smoothly and operations are free from disruptions. This mitigates against the risk of inefficiencies and threats to the creation of value in the organisation.

Safeguarding assets:
Controls should be in place to ensure that assets are deployed for their proper purposes, and are not vulnerable to misuse or theft. A comprehensive approach to his objective should consider all assets, including both tangible and intangible assets.

Preventing and detecting fraud and other unlawful acts:
Even small businesses with simple organisation structures may fall victim to these violations, but as organisations increase in size and complexity, the nature of fraudulent practices becomes more diverse, and controls must be capable of addressing these.

Completeness and accuracy of financial records:
An organisation cannot produce accurate financial statements if its financial records are unreliable. Systems should be capable of recording transactions so that the nature of business transacted is properly reflected in the financial accounts.

Timely preparation of financial statements:
Organisations should be able to fulfil their legal obligations to submit their account, accurately and on time. They also have a duty to their shareholders to produce meaningful statements. Internal controls may also be applied to management accounting processes, which are necessary for effective strategic planning, decision taking and monitoring of organisational performance.

Responsibilities for internal control

In many smaller, unincorporated businesses such as sole traders and unlimited partnerships, the responsibility for internal controls often lies with the owners themselves. In most cases, the owners are fully engaged in the business itself, and if employees are engaged, it is usually within the capability of the owners to remain fully aware of transactions and the overall state of the business.

As organisations grow, the need for internal controls increases, as the degree of specialisation increases and it becomes impossible to remain fully aware of what is going on in every part of the business.

In a limited company, the board of directors is responsible for ensuring that appropriate internal controls are in place. Their accountability is to the shareholders, as the directors act as their agents. In turn, the directors may consider it prudent to establish a dedicated internal control function. The point at which this decision is taken will depend on the extent to which the benefits of function will outweigh the costs.

The directors must pay due attention to the control environment. If internal controls are to be effective, it is necessary to create an appropriate culture and embed a commitment to robust controls throughout the organisation.

Generic control categories

Controls and be categorised in many different ways. Figure 1 described five categories that are often used.

Figure 1:  Categories of controls


Internal controls can be:

Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of circumstances. These are widely used to prevent breached of laws or policy, as well as to minimise risks relating to health and safety. Voluntary controls are applied according to the judgement of the organisation and its managers.

Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or judgement of risks in given circumstances. Non-discretionary controls must be applied.

Manual or automated:
Manual controls are applied by the individual employee whereas automated controls are programmed into the systems of the organisation. Some systems combine the two: for example, when deciding on whether a customer should be permitted days on hand for payment, there could be automated ‘accept’ above a specified credit rating or ‘decline’ or below a specified credit rating, and an intermediate range in which a manager may be able to override the automated system.

General controls or application controls:
This classification of controls applies specifically to information systems. General controls help to ensure the reliability of data generated by systems, helping to ascertain whether systems operate as intended and output is reliable. Application controls are automated and designed to ensure the complete and accurate recording of data from input to output.

Common control procedures

Physical controls:
These controls include restrictions on access to buildings, specified office or factory areas or equipment, such as turnstiles at the entrance to the premises, swipe cards and passwords. They also include physical restraints, such as fixing non-current assets to prevent removal.

Authorisation and approval limits:
Many employees must adhere to authorisation limits, and these will usually be specified in the terms of employment. For example, a junior manager may be permitted to book business flights up to the value of $500, but for tickets costing more than this, the purchase may have to be approved by someone more senior.

Segregation of duties:
To minimise the risk of errors and fraud, duties associated with cash handling are often segregated. For example, in the post room of a company that received cash by post, the employee recording the cash will be a different person to the one who opens the post. Segregation is also relevant to other functions. At executive level, it is now best practice to segregate the roles of chairman and chief executive officer, and as an independent assurance function, internal audit should be totally segregated from the finance department, with a reporting line direct to the board of directors or the audit committee.

Management controls:
These controls are operated by managers themselves. An example is variance analysis, through which a manager may be required as part of their job to consider differences between planned outcomes and actual performance. Performance management of subordinates is also an integral part of many managerial positions. Further down the chain of command, supervision controls are exercised in respect of day-to-day transactions. Organisation controls operate according to the configuration of the organisation chart and line/staff responsibilities.

Arithmetic and accounting controls:
These controls are in place to ensure accurate recording and processing of transactions. Procedures here include reconciliations and trial balances.

Human resources controls:
Controls are implemented for all aspects of human resources management. Examples include qualifications verification, references and criminal record checks on recruits, checks on staff who have to be attested for competence and training effectiveness.

Internal check

Internal check is a system through which the accounting procedures of an organisation are so laid out that the accounts procedures are not under the absolute and independent control of any person. The work of one employee is complementary of that of another, enabling a continuous audit of the business to be made.

The essential elements of an internal check are:

  • checks are implemented on day-to-day transactions
  • checks operate continuously as a part of the system
  • the work of each person is complementary to the work of another.

By allocating duties in this way, no one person has exclusive control over any transaction.

Internal audit

Definition and purposes of internal audit:
Internal audit may be defined as an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organisation.

Internal audit supports management in the effective discharge of their responsibilities. To this end, internal audit furnishes management with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed.

Objectives of internal audit

The formal objectives of internal audit may include some or all of the following:

  • review of accounting and internal control systems
  • examination of financial and operating information
  • review of the ‘three E’s (economy, efficiency and effectiveness)
  • review of compliance with laws and regulations
  • review of arrangements for the safeguarding of assets
  • review of implementation of corporate goals and objectives
  • identification of significant risks to the organisation, and monitoring risk management policy and risk management strategies
  • special investigations as required.

Why internal audit necessary?

The importance of internal audit was highlighted by the Turnbull Report. It states that listed public companies that do not have an internal audit function should review the need to have such a function at least annually. Turnbull goes on to state that listed public companies that do have an internal audit function should review the scope, authority and resources of this function at least annually.

Turnbull suggests that the need for the internal audit function will depend on several factors. These include:

  • the scale, diversity and complexity of the organisation’s activities
  • the number of employees – the need for an internal audit function increases as the number of employees increases, or if employee interrelationships become more complex
  • where the benefits of such a function will outweigh the costs of implementation and operation
  • when changes occur over time in the organisation’s structures, reporting processes or underlying information systems
  • the nature of risks, changes to risks and emerging risks
  • problems and issues arising with internal control systems, both actual and perceived
  • the occurrence of an increasing number of unexplained or unacceptable events.

Internal audit and internal control

Internal audit is an internal but independent assurance function. While internal auditors are usually employees of the organisation, they should operate independently of management so that their analyses, judgements and reports are free from bias or undue influence. The head of internal audit should report to the board of directors, or to the audit committee. Some organisations reinforce independence by outsourcing the internal audit function to professional external firms.

Internal audit testing is the internal assessment of internal controls and as such is a management control to ensure compliance and conformity of internal controls to pre-determined standards.

Key risks:
Internal audit reviews and reports on internal controls in relation to key risks affecting the organisation. The objective here should be to test the extent to which the controls will control the risk if it crystallises. The conclusions of these reports should enable management to reconsider the controls and modify or redesign them if appropriate.

Financial and operating information:
Internal audit may examine this information in order to ensure it is accurate, fit for purpose and timely. Tests may be applied to determine whether information is correctly measured and therefore suitable as a basis for informing management and external stakeholders.

Increasingly, organisations have to implement performance standards in relation to compliance. This may be to satisfy the demands of external regulators, or to operate to pre-determined internal standards. Internal audit should review operations for compliance with such standards. In this respect, the work of internal auditors in broadening, as organisations increasingly pursue compliance not only with industry standards for products and service provision, but also with criteria relevant to environmental standards.

Types of audit

In the course of their duties, internal auditors may carry out various types of audit. These include the following:

Operational audits may be concerned with the efficiency of the organisation’s activities. They consider performance relative to pre-determined criteria.

Systems audits are used to test and evaluate controls as described in the last section. They test whether the controls can be relied upon to ensure that resources are allocated and managed effectively. They also test whether the information provided by the organisation’s systems is accurate. Compliance tests verify whether internal controls are being applied in a proper manner. Substantive tests verify the accuracy of figures, and can be used to identify errors and omissions.

A transactions or probity audit is concerned with detecting fraud and other types of criminal or unlawful behaviour. However, it can also be extended to matters relating to fairness of dealings, impartiality, accountability and transparency, sometimes considered to be within the scope of social audit. Generally, social audit may be concerned with any matters relating to governance. 

Written by a member of the BT/FBT examining team