Internal Controls
Management policies & Procedures
❖ Safeguarding the assets of the company
❖ Preventing fraud
❖ Complying with the laws and regulations applicable to the entity
❖ Producing reliable financial information necessary to run the business
and satisfy the financial reporting requirements, e.g. producing the
annual financial statements.
❖ Operating the business efficiently and effectively
Internal controls
The process designed, implemented and maintained by
those charged with governance, management and other
personnel to provide reasonable assurance about the
achievement of an entity’s objectives:
→ Reliability of the financial performance
→ Effective and Efficient Operations
→ Compliance to Laws & Regulations
,Limitations of internal controls Reason why internal controls not absolute
→ Management require that cost not exceed benefit.
→ Internal controls to be directed at routine transactions rather than
non-routine transactions.
→ Potential for human error
→ Circumvention of internal controls through the collusion of a member
of management/employee with someone inside/outside organisation.
→ Abuse of responsibility
→ Control procedures may be inadequate because of changes in
conditions.
, Control Environment
Participation by those charged with governance
P ❖ Board of directors set ethical example
❖ Companies Act and King IV
ORganisation structure
→ Framework of entity to achieve objectives that are planned, executed, controlled and
OR reviewed.
→ Key areas of authority and appropriate lines of authority.
→ Management assign authority to appropriate individuals according to functions.
Management’s philosophy and operating style
S Management set example
E
Integrity and ethical values
Commitment to competence
→ Internal controls will fail if employees not act with integrity
Competent employee has knowledge and skills to do job.
→ Employees need guidance for ethical behaviour
What can management do? → Management provide fair remuneration and pleasant
C • Define jobs
• Fill position on merit
working conditions
• Provide training and tools for job
• Reward excellent performance
Human resources policies and practices
Company should have sound policies to have good control environment.
H ❖
❖
Recruit right people (interviews, background checks, minimum qualifications)
Training, workshops
❖ Fair remuneration: norms, benefits
❖ Develop and promote: educating, guidance
, Risk Assessment
Define the objectives of the entity, its departments and functions
If objectives are not defined, risks of not achieving objectives cannot be identified.
Risk assessment process include:
→ Identify business risks relevant to financial reporting objectives
→ Asses likelihood and frequency of risks
→ Estimate impact of risk
→ Decide on actions to address risk
Five ways in which large company may address the need to identify and assess numerous risks faced by company:
→ Appointment of risk committees and risk officers
→ Engagement of external risk consultants
→ Use of risk models
→ Regular meeting at divisional, departmental and sectional level to consider the risks at those levels.
→ Strategy meetings involving senior management to assess risks at an overall level.
Identify and assess risks
❖ Operational risks - threaten entity/departments/functions to achieve effective and efficient operations
❖ Financial operating risks - entity does not achieve objective of having accounting system which processes transactions that occurred, are authorised,
processed accurately and completely.
❖ Compliance risks - entity does not achieve objectives of complying with laws and regulations applicable to entity.
Respond to risks
→ Information system
Combination of machines (most often include computers), software where computers are involved, people who carry out procedures, and data.
→ Control activities
Actions supported by policies and procedures, if properly designed and implemented, reduce/eliminate risks.
, Information system Procedures and records to deal with transactions
Initiation of transaction
Valid, accurate and complete Recording transaction
Processing transaction
Accounting system needs to produce information which displays Posting transaction to general ledger
characteristics and is useful.
Related accounting records Journal entries
→ Documents used All journal entries should be authorized by a “more senior” level employee.
→ Document design
Thus, the senior employee will be held accountable for controlling all journal
Capturing events and conditions other than transactions entries.
Account headings (depreciation, bad debts)
Disclosure in the notes
Monitoring of controls
Assessment over time Independent assessment
Are objectives being met? Internal audit
Assessment at all levels External bodies
Directors Customers
Management Remedial action
Department levels
, Control Activities Know these general things for weakness
questions
Isolation of responsibilities
Segregation (division) of duties
People involved in the internal control system should
Segregation (division) of duties
aware of their responsibilities and essential for effective control
accountable for their performance. actions or procedures should be divided amongst employees
Biggest enemy: collusion
Signing → employee acknowledges in writing that he responsible
Can be circumvented if employees work together intentionally with other
for carrying out a specific control activity
inside/outside the company.
Approval & Authorisation
Access/ custody (security)
Managers authorise employees to perform tasks
Protect company’s assets
Before authorisation – evidence that transaction is valid
(i) Prevent unauthorised use, theft or loss of “non-physical” book assets (cash at
bank)
Comparison & Reconciliation
(ii) Prevent deterioration if certain “non-physical” book assets (Debtors)
Reconciliation: Comparison of two different sets of information/of
recorded information and physical asset.
Identify, investigate and resolve differences Access/ custody (security)
Preventive controls
Controls to prevent or minimize errors or illegal events from occurring.
Proactive/prevent losses.
Performance reviews
e.g. custody controls, approval and authorisation, segregation of duties
To identify problems.
Detective controls
Unexpected results to be followed up. Controls designed and implemented to identify errors, thefts and omissions.
e.g. reconciliations and reviews
General and application controls Corrective controls
Controls implemented to resolve errors and problems which have been
identified.
Management policies & Procedures
❖ Safeguarding the assets of the company
❖ Preventing fraud
❖ Complying with the laws and regulations applicable to the entity
❖ Producing reliable financial information necessary to run the business
and satisfy the financial reporting requirements, e.g. producing the
annual financial statements.
❖ Operating the business efficiently and effectively
Internal controls
The process designed, implemented and maintained by
those charged with governance, management and other
personnel to provide reasonable assurance about the
achievement of an entity’s objectives:
→ Reliability of the financial performance
→ Effective and Efficient Operations
→ Compliance to Laws & Regulations
,Limitations of internal controls Reason why internal controls not absolute
→ Management require that cost not exceed benefit.
→ Internal controls to be directed at routine transactions rather than
non-routine transactions.
→ Potential for human error
→ Circumvention of internal controls through the collusion of a member
of management/employee with someone inside/outside organisation.
→ Abuse of responsibility
→ Control procedures may be inadequate because of changes in
conditions.
, Control Environment
Participation by those charged with governance
P ❖ Board of directors set ethical example
❖ Companies Act and King IV
ORganisation structure
→ Framework of entity to achieve objectives that are planned, executed, controlled and
OR reviewed.
→ Key areas of authority and appropriate lines of authority.
→ Management assign authority to appropriate individuals according to functions.
Management’s philosophy and operating style
S Management set example
E
Integrity and ethical values
Commitment to competence
→ Internal controls will fail if employees not act with integrity
Competent employee has knowledge and skills to do job.
→ Employees need guidance for ethical behaviour
What can management do? → Management provide fair remuneration and pleasant
C • Define jobs
• Fill position on merit
working conditions
• Provide training and tools for job
• Reward excellent performance
Human resources policies and practices
Company should have sound policies to have good control environment.
H ❖
❖
Recruit right people (interviews, background checks, minimum qualifications)
Training, workshops
❖ Fair remuneration: norms, benefits
❖ Develop and promote: educating, guidance
, Risk Assessment
Define the objectives of the entity, its departments and functions
If objectives are not defined, risks of not achieving objectives cannot be identified.
Risk assessment process include:
→ Identify business risks relevant to financial reporting objectives
→ Asses likelihood and frequency of risks
→ Estimate impact of risk
→ Decide on actions to address risk
Five ways in which large company may address the need to identify and assess numerous risks faced by company:
→ Appointment of risk committees and risk officers
→ Engagement of external risk consultants
→ Use of risk models
→ Regular meeting at divisional, departmental and sectional level to consider the risks at those levels.
→ Strategy meetings involving senior management to assess risks at an overall level.
Identify and assess risks
❖ Operational risks - threaten entity/departments/functions to achieve effective and efficient operations
❖ Financial operating risks - entity does not achieve objective of having accounting system which processes transactions that occurred, are authorised,
processed accurately and completely.
❖ Compliance risks - entity does not achieve objectives of complying with laws and regulations applicable to entity.
Respond to risks
→ Information system
Combination of machines (most often include computers), software where computers are involved, people who carry out procedures, and data.
→ Control activities
Actions supported by policies and procedures, if properly designed and implemented, reduce/eliminate risks.
, Information system Procedures and records to deal with transactions
Initiation of transaction
Valid, accurate and complete Recording transaction
Processing transaction
Accounting system needs to produce information which displays Posting transaction to general ledger
characteristics and is useful.
Related accounting records Journal entries
→ Documents used All journal entries should be authorized by a “more senior” level employee.
→ Document design
Thus, the senior employee will be held accountable for controlling all journal
Capturing events and conditions other than transactions entries.
Account headings (depreciation, bad debts)
Disclosure in the notes
Monitoring of controls
Assessment over time Independent assessment
Are objectives being met? Internal audit
Assessment at all levels External bodies
Directors Customers
Management Remedial action
Department levels
, Control Activities Know these general things for weakness
questions
Isolation of responsibilities
Segregation (division) of duties
People involved in the internal control system should
Segregation (division) of duties
aware of their responsibilities and essential for effective control
accountable for their performance. actions or procedures should be divided amongst employees
Biggest enemy: collusion
Signing → employee acknowledges in writing that he responsible
Can be circumvented if employees work together intentionally with other
for carrying out a specific control activity
inside/outside the company.
Approval & Authorisation
Access/ custody (security)
Managers authorise employees to perform tasks
Protect company’s assets
Before authorisation – evidence that transaction is valid
(i) Prevent unauthorised use, theft or loss of “non-physical” book assets (cash at
bank)
Comparison & Reconciliation
(ii) Prevent deterioration if certain “non-physical” book assets (Debtors)
Reconciliation: Comparison of two different sets of information/of
recorded information and physical asset.
Identify, investigate and resolve differences Access/ custody (security)
Preventive controls
Controls to prevent or minimize errors or illegal events from occurring.
Proactive/prevent losses.
Performance reviews
e.g. custody controls, approval and authorisation, segregation of duties
To identify problems.
Detective controls
Unexpected results to be followed up. Controls designed and implemented to identify errors, thefts and omissions.
e.g. reconciliations and reviews
General and application controls Corrective controls
Controls implemented to resolve errors and problems which have been
identified.
