INTERNAL CONTROLS
MEANING OF INTERNAL CONTROLS
Control refers to a set of activities used to guide, manage and regulate toward a directive.
Internal controls refer to a skill developed and applied within a company, which uses
judgement to assess and determine compliance.
Internal controls refer to a program of activities established to catch and monitor a
potential exposure that could result in a significant error, omission, misstatement or fraud.
It is a means by which an organization’s resources are directed, monitored and measured.
It plays an important role in detecting and preventing fraud and protecting the
organization’s resources, both physical and intangible (e.g. reputation or intellectual
property such as trademarks).
At the organization level, internal control objectives relate to the reliability of
financial reporting, timely feedback on the achievement of operational or strategic
goals and compliance with laws and regulations.
At the specific transactional level, internal controls refer to the actions taken to
achieve a specific objective (e.g. how to ensure the organization’s payments to
third parties are for valid services rendered).
Those who exercise internal control must have the power and authority to actuate
and remediate findings.
CONCEPTS OF INTERNAL CONTROL
The most fundamental concepts of internal control include each of the mechanisms that make
internal controls successful.
Internal control is basically a process, a means to an end.
It is effected by people, not by policy manuals and forms. It is the people functioning at every
level of the institution.
Internal control is expected to provide reasonable assurance to an institution’s leaders regarding
achievement of operational, financial reporting and compliance objectives.
Internal control is a tool used by the administration to plan, execute and monitor.
IMPORTANCE OF INTERNAL CONTROL
Credibility is a company’s number one priority. Internal controls exist to
ensure reliable financial reporting, effective and efficient operations and compliance with
applicable laws and regulations. Internal controls play a major role in that:
1. Prevention of Fraud.
Internal controls prevent fraud, detect fraud and protect tangible and intangible assets in an
organization. This is achieved through segregation of duties which brings about credibility of
tasks completed by employees in an organization.
2. Operating Environment.
Internal controls promote strong daily operations that produce high quality goods and services at
the lowest cost possible. This is achieved by limiting excessive inventory, high equipment costs and
excessive utilities, which ensures that operational costs are kept within a reasonable budget.
3. Risk Assessment.
Every business decision comes with certain amounts of risk. Avoiding or mitigating this risk is
achieved through strong internal controls. Controls that mitigate risk could include providing
guidelines to avoid risky securities when generating cash from investment activities thus
preventing long-term negative effects on a company.
4. Company Policies.
Companies use policies to ensure a safe and profitable business environment. These policies are
internal controls that help management in areas including human resources, community awareness
and business-to-business relations.
5. Performance Evaluation.
Performance evaluation allows companies an opportunity to educate and review internal controls
with employees on a regular basis. This teaches employees the value of achieving goals through
adherence to company policy hence ensuring higher profitability for the company.
PRINCIPLES OF INTERNAL CONTROL SYSTEMS
The principles of internal control are concepts that require management to set procedures in place
to ensure company assets are safeguarded. In other words, these are the principles management
uses to establish the ways to protect company assets.
THE PRINCIPLES INCLUDE:
a) Establishing responsibilities
Establishing responsibilities is important as it gives each individual a sense of ownership and ultimately a
duty of care. Therefore, it is easier to hold someone accountable in the misappropriation of
organisational assets.
b) Maintaining records
Maintaining records assists one in locating the whereabouts of different company assets and
also allows one to monitor how transactions are taking place within the organisation, i.e. the flow of
assets within the business.
c) Insuring assets
It is important to insure assets so as to make sure that in case of loss, damage or theft, the
organisation will not suffer any loss but with the help of insurance will be returned to its
initial financial position.
d) Segregation of duties
Segregation of duties is very important in that it ensures that there is oversight
and review to detect errors and it also helps to prevent fraud or theft.
e) Mandatory employee rotation
Mandatory job rotation is important as it reduces misappropriation of assets:
employees know that another person will be assuming their duties and that the new
person will be likely to discover new patterns of behaviour. This reduces moral
hazards.
f) Use of technological controls
Burglar alarms, electronic keypads and other technology-based security features can help
organisations protect assets. Smart companies supplement their internal control activities and
systems with appropriate and cost-effective technology.
g) Perform regular independent reviews on internal control systems.
Companies must review their internal control systems and activities regularly. This should be
done by an individual who did not perform the work being reviewed. An independent
evaluator can provide internal control recommendations and objectively report on the work
being done.
COMPONENTS OF INTERNAL CONTROL
1. Control Environment
Control environment is the attitude toward internal control and control
consciousness established and maintained by the management and the employees of
an organization. It is a product of management’s philosophy, style and supportive
attitude as well as the competence, ethical values, integrity and morale of the
organization’s people. The organization structure and accountability relationships
are key factors in the control environment.
Principles for the Control Environment
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority and responsibility
- Demonstrates commitment to competence
- Enforces accountability
2. Communication (Information)
Communication is the exchange of useful information between and among people and
organizations to support decisions and coordinate activities. Within an organization, information
should be communicated to management and other employees who need it in a form and within a
time frame that helps them to carry out their responsibilities. Communication also takes place with
outside parties such as customers, suppliers and regulators.
Principles for Communication and Information
- Uses relevant information
- Communicates internally
- Communicates externally
3. Risk Assessment
Risks are events that threaten the accomplishment of objectives. They ultimately impact an
organization’s ability to accomplish its mission. Risk assessment is the process of identifying,
evaluating and determining how to manage these events. At every level within an organization
there are both internal and external risks that could prevent the accomplishment of established
objectives. Ideally, management should seek to prevent these risks. However, sometimes
management cannot prevent the risk from occurring. In such cases, management should decide
whether to accept the risk, reduce the risk to acceptable levels, or avoid the risk. To have
reasonable assurance that the organization will achieve its objectives, management should ensure
each risk is assessed and addressed appropriately.
Principles for Risk Assessment
- Specifies suitable objectives
- Identifies and analyses risk
- Assesses fraud risk
- Identifies and analyses significant change
Impact – Is generally beyond the organization’s control in the short-to-medium
term.
Likelihood – Is the main focus of an organization’s internal control
What are the possible risks in your area of operations and what is the likely impact
of each?
How to Deal With Risk
Managing Risk
- Accept the risk: Do not establish control activities
- Prevent or reduce the risk: Establish control activities
- Avoid the risk: Do not carry out the function
Preventing or Reducing Risk
- What is the cause of the risk?
- What is the cost of control vs. the cost of the unfavorable event?
- What is the priority of this risk?
Managing Risk during Change
- What necessary training needs to be carried out?
- What necessary review and oversight needs to be carried out during the period of change?
4. Control Activities
Control activities are tools - both manual and automated - that help prevent or reduce the risks that
can impede accomplishment of the organization’s objectives and mission. Management should
establish control activities to effectively and efficiently accomplish the organization’s objectives
and mission.
Principles for Control Activities
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys through policies and procedures
5. Monitoring
Monitoring is the review of an organization’s activities and transactions to assess the quality of
performance over time and to determine whether controls are effective. Management should focus
monitoring efforts on internal control and achievement of organization objectives. For monitoring
to be most effective, all employees need to understand the organization’s mission, objectives, and
responsibilities and risk tolerance levels.
Principles for Monitoring
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates deficiencies
LIMITATIONS OF INTERNAL CONTROL SYSTEMS
Internal controls help you keep your business operating smoothly and
ensure that your financial records can be trusted. They are an important
part of building a trustworthy and reliable company. However, internal
controls can’t guarantee that everything will go according to plan.
Although they are measures put in place to make certain things happen,
your internal controls have limitations that can make them ineffective.
Collusion
Internal control systems can be compromised if multiple employees work together
to commit fraud. Although each employee may face internal controls that limit what
they can do by themselves, they can go around this limit by pairing with someone
who can. One of your employees may be authorized to enter a voucher into your
accounting system but isn’t allowed to print cheques. Another employee may be
authorized to print cheques but isn’t set up to enter vouchers. If these two
employees work together, they can overcome the limits each one faces individually
to produce a fake cheque. There’s no way to overcome collusion other than having
trustworthy employees.
Incorrect Judgment
A lot of your internal controls are set up based on your professional
judgment. You put cash in your vault because you judge cash to be
something someone would want to steal. You hire staff based on how you
evaluate their character. You judge what responsibilities to give each of
your workers based on how well you believe they can do their jobs.
Because setting up internal controls isn’t an exact science, you have to
rely on the information you have and try to set up the best rules and
processes. Sometimes, your professional judgment is wrong, you fail to
set up an internal control, or you don’t assign the right task to the right
employee. Continually research and learn the best internal control
practices to overcome this limitation.
Failure to Train Employees
Internal controls are only as strong as your employees’ understanding of the internal control (IC) system.
Training your employees on what they’re supposed to do is a critical function of
making internal controls work. Although your employees don’t need to know the
reasons why you’re setting up each internal control, you must let them know their
duties, the purpose of the limits put in place and the consequences. Employees should also
know general practices on how to uphold internal controls. For example, everyone
in your business should know their passwords, how to set strong passwords and that
they shouldn’t keep written trails of their login information.
Management Override
Overriding a control is a common practice with internal controls. Although you may
have policies and procedures in place, there may be exceptions to the rule where
people are allowed to skip certain steps. For example, imagine that you have an
employee with the authorization to approve invoices up to Kes 5 million. If you’re
on vacation and an important invoice arrives for Kes 6 million, the employee may
decide to override the company’s internal control policy to approve the invoice and
get it paid. Although these situations may not produce bad results, an auditor will
question inconsistency in the ICs. Having an internal auditor can help you understand
where your controls are falling short or being misused. Although it’s great to have