Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives concerning the reliability of financial reporting, effectiveness, and efficiency of operations and compliance with applicable laws and regulations.
It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.
Does internal control refer to the whole system of internal check, internal audit, and other forms of control, financial and otherwise, established by management to carry on the business of the company in an orderly manner that safeguards its records?
Spicer and Peglar, famous authorities on auditing literature, define the system of internal control as “Internal Controls is best regarded as the whole system of controls, financial and otherwise, established by the management in the conduct of business including internal check, internal audit and other forms of control.”
According to Committee of Sponsoring Organizations (COSO), “Internal control is the process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Reliability of financial reporting.
- Cprtfpliance with applicable laws and regulations.
- Effectiveness and efficiency of operations.
Reasons for Internal Control
The reasons for internal controls can be seen in the example. They include:
- Minimizing the company’s business risk
- Ensuring the continuing effective functioning of the company.
- Ensuring the company complies with relevant laws and regulations.
Most of these reasons funnel back to the ultimate objective that the company continues to operate.
For example, if the company failed to comply with relevant laws and regulations, it might be forced to stop operations.
Types of Internal Control
- Detective: Designed to detect errors or irregularities that may have occurred.
- Corrective: Designed to correct errors or irregularities that have been detected.
- Preventive: Designed to keep errors irregularities from occurring in the first place.
Principles of Internal Control
Internal control is based on the following principles:
Principle of Separation
Financial and accounting operations must be separated, i.e., handling of cash and the recording of the movement thereof should be done by different persons.
Principle of Responsibility
Responsibility for the performance of the job must be clearly stated so that there may be no room for doubt or confusion subsequently.
Principle of Skepticism
Too much confidence should not be pinned on one individual. Nearly all frauds have been committed by trusted officials or employees.
Principle of Rotation
The rotation principle relating to the transfer of an employee from one job to another should be the inflexible guiding rule.
Principle of Review
The work should be so arranged that work done by one employee should be promptly checked by another independent employee.
Principle of Clarification
Clear and well-defined rules should be laid down and practically followed, relating to dealing with cash, ordering, receiving and issuing goods, etc.
Principle of Documentation
The arrangement of the work should be in such a manner that a written record of the part played by each employee should be maintained, and the work should pass through several hands in a well-defined manner.
Advantages of Internal Control
Application of internal control provides the following benefits to the various parties:
- Internal control helps to protect the assets of the business from misuse, theft, accident, etc.
- Internal control helps to implement management policies to attain corporate goals.
- Internal control helps the auditor in his/her work, detecting all the errors and frauds which are committed in the books of accounts.
- Internal control helps to increase the accuracy and reliability of financial statements and books of accounts.
- Internal control helps to regulate the work of staff through a division of work among the staff in a scientific manner, which helps to make the daily works of staff effective.
- Internal control helps the management to prepare and implement effective plans by providing correct and factual information.
- Internal control helps to put moral pressure on staff.
Internal Control – Accounting, Administrative Controls
Internal control areas spread over accounting and non-accounting spheres. Internal control, as it applied to the accounting system, implies control over accounting system to achieve the following objectives:
- Efficient and orderly conduct of accounting transactions.
- Safeguarding the assets in adherence to management policy.
- Prevention of error, detection of an error.
- Prevention of fraud, detection of fraud.
- Ensuring accuracy, completeness, reliability, and timely preparation of accounting data.
On the other hand, administrative controls seek to achieve the aim of management inefficient and orderly conduct of transactions in non-accounting areas.
It seeks to ensure adherence to management policy in various areas of business operations.
For example, in a manufacturing system of a business enterprise, the internal control may be established to ensure the adherence of management policy as to quality (quality control) safeguarding assets (control over wastages, ABC control over raw materials) prevention of errors (monitoring production methods, maintenance program for machines), prevention of frauds (security system) and timely supply of reliable management information (MIS).
If a good internal control system exists in the accounting system, an auditor can put greater reliance on the financial data generated in the system with a test checking of select items.
If the accounting control is not strong, the auditor may have to resort to a detailed checking of transactions, events, and practices in the accounting system.
Concerning administrative controls, the auditor may evaluate those parts of administrative controls as may have a bearing on the financial information of the entity.
For example, before certifying the valuation of stocks, the auditor may refer to the reports of consumption patterns prepared by the manufacturing segment to administration, if the auditor feels material discrepancy in the physical quantity of stocks.
On the other hand, he may not be concerned no more than a matter of general interest with the quality report of chemical A used in operation X.
Components of an Internal Control Structure
Committee of Sponsoring Organizations (COSO) identifies five interrelated internal control structure components as follows:
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Numerous factors comprise the control environment in an entity, among which are the following:
- Integrity and ethical values
- Commitment to competence
- Board of directors and audit committee
- Management philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices
Risk assessment for financial reporting purposes in an entity’s identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles.
Management’s risk assessment should include special consideration of the risks that can arise from changed circumstances, such as new areas of business or transactions, changes in accounting-standards, new laws or regulations, the rapid growth of the entity, and changes in personnel involved in the information processing and reporting functions.
Information and Communication
The information system relevant to financial reporting, objectives, which includes the accounting system, consists of the methods and records established to identify, assemble, analyze, classify, record, and report entity transactions and to maintain accountability for the related assets and liabilities.
Communication involves providing a clear understanding of individual roles and responsibilities about the internal control structure over financial reporting.
Control activities are those policies and procedures that help ensure that management directives are carried out.
They help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives. Control activities have various objectives and are applied at various organizational and functional levels.
Control activities relevant to a financial statement audit may be categorized in many different ways. One way is as follows:
- Information processing controls
- General controls
- Application controls
- Proper authorization
- Documents and records
- Independent checks
- Segregation of duties
- Physical controls
- Performance reviews
Monitoring is the process that assesses the quality of the internal control structure’s performance over time.
It involves assessment by appropriate personnel of the design and operation of controls on a suitably timely basis to determine that the ICS is operating as intended and that it is modified as appropriate for changes in conditions.
Limitations of Internal Controls
No matter how well internal controls are designed, they can only provide reasonable assurance that objectives have been achieved. Some limitations are inherent in all internal control systems.
The effectiveness of controls will be limited by decisions made with the human judgment under pressure to conduct business based on the information at hand.
Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes.
Errors may also result from new technology and the complexity of computerized information systems.
High-level personnel may be able to override prescribed policies and procedures for personal gain or advantage.
This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.
Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.
Costs versus Benefits
The costa of an entity’s internal control structure may exceed the benefits that are expected to be ensured.
Finally, a limitation of internal controls is that they are generally designed to deal with what normally or routinely happens in a business.
However, it may be the case that an unusual transaction may occur which does not fit into the normal routines, in which case standard controls may not be relevant to the unusual transaction. Hence, mistakes may be made about that unusual transaction.
Documenting the Understanding of Internal Control Structure Components
Documenting the understanding of the internal control structure components is required in all audits.
Documentation in the working papers may take the form of completed questionnaires, flowcharts, decision tables, (in a computerized accounting system), and narrative memoranda.
A questionnaire consists of a series of questions about ICS policies and procedures that the auditor considers necessary to prevent material misstatements in the financial statements.
The questions are usually phrased so that either a ‘yes,’ ‘no,’ or ‘not applicable’ answer results, with a Yes answer indicating a favorable condition. Standardized questionnaires are used on a majority of audits.
A flowchart is a schematic diagram using standardized symbols, interconnecting flow lines, and annotations that portray the steps involved in processing information through the accounting system. Flowcharts vary in the extent of detail.
Decision tables are a precise yet compact way to model complicated logic. Decision tables associate conditions with actions to perform, but in many cases, do so in a more elegant way to present data.
A narrative memorandum consists of written comments concerning the auditor’s consideration of the ICS.
A memorandum may be used to supplement the other forms of documentation by summarizing the auditor’s overall understanding of the control structure, individual components of the control structure, or specific control policies or procedures.
In an audit of a large entity involving a combination of audit strategies, all four types of documentation may be used for different parts of the understanding. In an audit of a small entity where the primarily substantive approach predominates, a single memorandum may suffice to document the understanding of all the components.
Internal Control and the Auditor
The basic responsibility of the auditor is to certify the fairness and authenticity of the accounts of the business.
To achieve this objective, the auditor is expected to discharge his duties in such a way as would reveal the actual state of affairs of the business.
An efficient system of internal checks can indeed make an auditor’s work easy and convenient. He may be relieved of the detailed checking of the transactions.
But to what extent an auditor should depend on the system of internal check-in solely a matter of his discretion.
Though the auditor examines the accounts independently, yet he has to depend a lot on the system of the business because it becomes practically impossible for the auditor to conduct the audit in a big concern where thousands of accounts are maintained.
In the case of a big concern where there is a good internal check system, the auditor may rely upon it and may, to a great extent, presume the accuracy of the accounts.