Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives concerning the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
Let’s understand Internal Control.
What is Internal Control?
Internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.
Does internal control refer to the whole system of internal checks, internal audits, and other forms of control, financial and otherwise, established by management to carry on the company’s business in an orderly manner that safeguards its records?
Spicer and Peglar, famous authorities on auditing literature, define the system of internal control as “Internal Controls is best regarded as the whole system of controls, financial and otherwise, established by the management in the conduct of business including internal check, internal audit and other forms of control.”
Internal control is the process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
- Effectiveness and efficiency of operations.
Internal Control and Accounting, Administrative Controls
Internal control areas are spread over accounting and non-accounting spheres. Internal control, as it is applied to the accounting system, implies control over the accounting system to achieve the following objectives:
- Efficient and orderly conduct of accounting transactions.
- Safeguarding the assets in adherence to management policy.
- Prevention of error, detection of an error.
- Prevention of fraud, detection of fraud.
- Ensuring accuracy, completeness, reliability, and timely preparation of accounting data.
On the other hand, administrative controls aim to manage inefficient and orderly transactions in non-accounting areas.
It seeks to ensure adherence to management policy in various areas of business operations.
For example, in a manufacturing system of a business enterprise, internal control may be established to ensure the adherence to management policy as to quality (quality control), safeguarding assets (control over wastages, ABC control over raw materials), prevention of errors (monitoring production methods, maintenance program for machines), prevention of frauds (security system) and timely supply of reliable management information (MIS).
An auditor is mainly concerned with good accounting control of the internal control system.
Suppose a good internal control system exists in the accounting system. In that case, an auditor can rely more on the financial data generated in the system with a test checking of select items.
If the accounting control is not strong, the auditor may have to resort to a detailed checking of transactions, events, and practices in the accounting system.
Concerning administrative controls, the auditor may evaluate those parts of administrative controls as they may have a bearing on the entity’s financial information.
For example, before certifying the valuation of stocks, the auditor may refer to the reports of consumption patterns prepared by the manufacturing segment to administration if the auditor feels material discrepancy in the physical quantity of stocks.
On the other hand, he may not be concerned no more than a matter of general interest with the quality report of chemical A used in operation X.
Reasons for Internal Control
The reasons for internal controls can be seen in the example. They include:
- Minimizing the company’s business risk.
- Ensuring the continuing effective functioning of the company.
- Ensuring the company complies with relevant laws and regulations.
Most of these reasons funnel back to the ultimate objective that the company continues to operate.
For example, if the company fails to comply with relevant laws and regulations, it might be forced to stop operations.
Types of Internal Control
- Detective: Designed to detect errors or irregularities that may have occurred.
- Corrective: Designed to correct errors or irregularities that have been detected.
- Preventive: Designed to keep errors and irregularities from occurring in the first place.
Principles of Internal Control
Internal control is based on the following principles:
Principle of Separation
Financial and accounting operations must be separated, i.e., handling of cash and recording the movement thereof should be done by different persons.
Principle of Responsibility
Responsibility for the performance of the job must be clearly stated so there may be no room for doubt or confusion.
Principle of Skepticism
Too much confidence should not be pinned on one individual. Trusted officials or employees have committed nearly all frauds.
Principle of Rotation
The rotation principle relating to transferring employees from one job to another should be the inflexible guiding rule.
Principle of Review
The work should be so arranged that work done by one employee should be promptly checked by another independent employee.
Principle of Clarification
Clear and well-defined rules should be laid down and practically followed, relating to handling cash, ordering, receiving, issuing goods, etc.
Principle of Documentation
The work arrangement should be in such a manner that a written record of the part played by each employee should be maintained, and the work should pass through several hands in a well-defined manner.
Advantages of Internal Control
The application of internal control provides the following benefits to the various parties:
- Internal control helps protect the business’s assets from misuse, theft, accident, etc.
- Internal control helps to implement management policies to attain corporate goals.
- Internal control helps the auditor in his/her work, detecting all the errors and frauds committed in the accounts’ books.
- Internal control helps to increase the accuracy and reliability of financial statements and books of accounts.
- Internal control helps to regulate the work of staff through a division of work among the staff in a scientific manner, which helps to make the daily works of staff effective.
- Internal control helps the management to prepare and implement effective plans by providing correct and factual information.
- Internal control helps to put moral pressure on staff.
Components of an Internal Control Structure
The Committee of Sponsoring Organizations (COSO) identifies five interrelated internal control structure components.
Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Numerous factors comprise the control environment in an entity, among which are the following:
- Integrity and ethical values
- Commitment to competence
- Board of directors and audit committee
- Management philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices
Risk Assessment
Risk assessment for financial reporting purposes in an entity’s identification, analysis, and management of risks relevant to preparing financial statements that are fairly presented in conformity with generally accepted accounting principles.
Management’s risk assessment should include special consideration of the risks that can arise from changed circumstances, such as new areas of business or transactions, changes in accounting standards, new laws or regulations, the rapid growth of the entity, and changes in personnel involved in the information processing and reporting functions.
Information and Communication
The information system relevant to financial reporting and objectives, which includes the accounting system, consists of the methods and records established to identify, assemble, analyze, classify, record, and report entity transactions and to maintain accountability for the related assets and liabilities.
Communication involves clearly understanding individual roles and responsibilities regarding the internal control structure over financial reporting.
Control Activities
Control activities are those policies and procedures that help ensure that management directives are carried out.
They help ensure necessary actions are taken to address risks to achieve the entity’s objectives. Control activities have various objectives and are applied at various organizational and functional levels.
Control activities relevant to a financial statement audit may be categorized differently. One way is as follows:
- Information processing controls
- General controls
- Application controls
- Proper authorization
- Documents and records
- Independent checks
- Segregation of duties
- Physical controls
- Performance reviews
Monitoring
Monitoring is the process that assesses the quality of the internal control structure’s performance over time.
It involves assessment by appropriate personnel of the design and operation of controls on a suitably timely basis to determine that the ICS is operating as intended and that it is modified as appropriate for changes in conditions.
Limitations of Internal Controls
No matter how well internal controls are designed, they can only provide reasonable assurance that objectives have been achieved. Some limitations are inherent in all internal control systems.
These include:
Judgment
The effectiveness of controls will be limited by decisions made with the human judgment under pressure to conduct business based on the information at hand.
Breakdowns
Even well-designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes.
Errors may also result from new technology and the complexity of computerized information systems.
Management Override
High-level personnel may be able to override prescribed policies and procedures for personal gain or advantage.
This should not be confused with management intervention, which represents actions to depart from prescribed policies and procedures for legitimate purposes.
Collusion
Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information control systems that cannot identify.
Costs versus Benefits
The cost of an entity’s internal control structure may exceed the benefits that are expected to be ensured.
Unusual Transactions
Finally, a limitation of internal controls is that they are generally designed to deal with what normally or routinely happens in a business.
However, it may be the case that an unusual transaction may occur which does not fit into the normal routines, in which case standard controls may not be relevant to the unusual transaction. Hence, mistakes may be made about that unusual transaction.
Documenting the Understanding of Internal Control Structure Components
Documenting the understanding of the internal control structure components is required in all audits.
Documentation in the working papers may take the form of completed questionnaires, flowcharts, decision tables (in a computerized accounting system), and narrative memoranda.
Questionnaires
A questionnaire consists of questions about ICS policies and procedures that the auditor considers necessary to prevent material misstatements in the financial statements.
The questions are usually phrased so that either a ‘yes,’ ‘no,’ or ‘not applicable’ answer results, with a Yes answer indicating a favorable condition. Standardized questionnaires are used in a majority of audits.
Flowcharts
A flowchart is a schematic diagram using standardized symbols, interconnecting flow lines, and annotations that portray the steps involved in processing information through the accounting system. Flowcharts vary in the extent of detail.
Decision Tables
Decision tables are a precise yet compact way to model complicated logic. Decision tables associate conditions with actions to perform but often do so more elegantly to present data.
Narrative Memoranda
A narrative memorandum consists of written comments concerning the auditor’s consideration of the ICS.
A memorandum may supplement the other forms of documentation by summarizing the auditor’s overall understanding of the control structure, individual components of the control structure, or specific control policies or procedures.
In an audit of a large entity involving a combination of audit strategies, all four types of documentation may be used for different parts of the understanding.
In an audit of a small entity where the primarily substantive approach predominates, a single memorandum may suffice to document the understanding of all the components.
Auditor’s Responsibilities and Internal Control
The basic responsibility of the auditor is to certify the fairness and authenticity of the accounts of the business.
To achieve this objective, the auditor is expected to discharge his duties in such a way as would reveal the actual state of affairs of the business.
An efficient system of internal checks can indeed make an auditor’s work easy and convenient. He may be relieved of the detailed checking of the transactions.
But to what extent should an auditor depend solely on the internal check-in system as a matter of his discretion?
Though the auditor examines the accounts independently, he has to depend a lot on the business system because it becomes practically impossible for the auditor to conduct the audit in a big concern where thousands of accounts are maintained.
In the case of a big concern where there is a good internal check system, the auditor may rely upon it and may, to a great extent, presume the accuracy of the accounts.
