CHAPTER THREE: INTERNAL CONTROL

3.1 The meaning of internal control

In the best broad sense an organization organizational structure (also referred to as internal
control system) consist of the policies and procedures establish to provide reasonable assurance
that the organization objectives will be achieved.
The general objectives of ICS can be:
 Improving operational efficiency and effectiveness
 Reliability of financial reporting
 Safeguarding of assets and
For the purpose of auditor’s internal controls may be defined as all the policies and procedures a
company uses to prevent, detect, and correct material errors, irregularities and misstatements that
might get into financial statements.
The following are the major reasons for evaluation of internal control:
1. To give the internal auditor a base for planning the audit and to determine the nature, timing,
and extent of audit procedure.
2. To formulate constructive suggestion for improvement in the organizational internal controls
deficiencies such as:
Absence of appropriate segregation of duties
Absence of appropriate reviews and approval of transactions
Evidence of failure of control procedures by persons in authority to the detriment of control
objectives.
Evidence of willful wrong doing by employees or management including manipulation,
falsification or alteration of accounting records.
3.2 Internal control components
Internal control system varies significantly from one organization to the other because of many
factors such as:
 The size of the entity
 The characteristics of the organization and ownership
 The nature of the business
 Diversity and complexity of its operation
 Methods of processing data
 Legal and regulatory requirement
The following are the three major components of internal control system.
A. The control environment
B. Control procedures
C. The accounting system
A. The control environment
The control environment is the collective effect of various over all factors that establish,
enhance, or mitigate the effectiveness of specific control policies and procedures. In other
words, it is the client’s environment (internal as well as external) within which controls exist or
operate. The flow of hierarchy in the organization may be upward, downward or both.
It includes the attitude, awareness, and actions of the board of directors, management, owners,
and other parties in controlling the firm’s overall situations. The following are factors that affect
the internal control environment.
1. Management philosophy and operational style: managers differ in both their philosophies
towards financial reporting and their attitudes towards business risk.
2. Organizational structure: a well designed organizational structure provides a basis for
planning, directing, and controlling operations. A sound organizational structure of an entity
should separate responsibilities for authorization of transactions, record keeping of
transactions, custody of resulting assets, and execution of the operation.
The responsibilities for financial matters and operating problems should be given to two separate
departments namely finance and accounting departments respectively. While the finance
department conducts financial activities, the accounting department establishes accountability
through accounting record.
3. Personnel policies and procedures: the effectiveness of an internal control structure is
affected by the characteristics for hiring, training, evaluating, promoting, and compensating
employees.
4. Method of assigning authority and responsibility:
 The effectiveness of method of communicating employees’ authority and responsibilities (job
description) including the organization’s rules and regulation affects the quality of the
organization
 Having sound organizational policies related to such matters as acceptable business practices,
conflicts of interests and codes of conduct
 Very effective methods of assignment of authority and responsibility will reduce the
likelihood of irregularities that may result in a significant misstatement in financial statement
figures.
5. Management control method
 Management control methods are used to exercise control over the authority delegated to
others
 One good example is developing plans and monitoring the process toward accomplishment
of those plans: budgeting and control system and variance analysis.
6. Internal auditing
 Another component of the internal control environment is an internal auditing staff or unit.
 Internal auditors investigate and appraise the internal control structure and the efficiency with
which the various units of the business are performing their assigned functions, and report
their findings and recommendations to top management.
 The amount and quality of work done by internal auditors are important considerations to
external auditors in assessing the control environment of a firm.
 The effectiveness of the internal audit unit of an organization mainly affected by factors such
as its authority, the qualification of its staff, and the resources made available it.
B. Control Procedures
In addition to the control environment and the accounting system, management establishes other
control over the entity’s transactions and assets. Control procedures that can be implemented by
a firm may be categorized as procedures for:
1. Proper authorization of transactions and activities
2. Appropriate segregation of duties
3. Adequate documentation and recording of transactions and events.
4. Effective safeguards over access to and use of assets and records access controls, and
5. Independent checks on performance and proper valuation of recorded amounts
1. Authorization of Transactions
o Authorization of transactions may be either general or specific
o General authorization occurs when management establishes criteria for acceptance of a
certain type of transaction such as quantity discounts. Specific authorization occurs when
transactions are authorized on an individual basis (e.g. sale of a major asset).
2. Segregation of Duties
A functional concept of internal control is that no one department or person should handle all
aspects of a transaction from beginning to end.
No one department or individual should perform more than one of the functions of
authorizing transactions, recording transactions, and maintaining custody over assets.
3. Adequate Documentation
 A system of well-designed forms and documents is necessary to create records of the
activities of all departments like use of serial numbers for business documents or preparing
documents in different colors.
 Adequate safeguarding and numerical control should be maintained at all times for unused
pre numbered documents.
4. Safeguarding of assets and records
Physical access to assets and important records, documents, and blank forms should be limited to
authorized personnel. Limit access to assets such as cash inventory and securities, cost
documents and account receivable records, and blank forms like a blank checks, blank sales
invoices and shipping orders. Generally, direct physical access to assets may controlled through
the use of safes, locks, fences, guards, surveillance cameras, and security codes and so on.
5. Independent checks on performance and proper valuation
 The accuracy of the work of various individuals in a company may be verified by
independent checks on performance and valuation such as clerical checks, computer program
controls, independent review report and reconciliations.
 An independent body should make periodic comparison of accounting records and the
physical assets on hand.
 Any discrepancies thus obtained, when investigated, will uncover weakness either in
procedures for safeguarding assets or in maintaining the related accounting records-recorded
accountability.
 Periodic comparisons may include counts of cash on hand, reconciliation of bank statements,
counts of securities, confirmation of accounts receivable and payables, and other such
comparison of operations.
 The frequency of such comparison is governed by the related costs and benefits. Yet,
periodic comparison and action to correct errors lowers the risk that material misstatements
remain the account.
C. The Accounting System
An accounting system consists of the methods and records established to gather and report an
entity’s transactions and to maintain accountability for the related assets and liabilities. An
accounting system is maintained to attain the following objectives:
1. Identify and record all valid transactions
2. Describe on a timely basis the transactions in sufficient detail to permit proper classification
of transactions for financial reporting.
3. Measure the value of transactions in a manner that permits recording their proper monetary
value in the financial statements.
4. Determine the time period in which transactions occurred to permit recording of transaction
in proper accounting period
5. Present properly the transactions and related disclosures in the financial statements.
3.3 Internal Control Objectives
Following are the general objectives of internal control of any organization.
1. Accomplishment of established goals and objectives: the focus of implementing and
maintaining internal control systems should be on accomplishing institutional objectives and
goals. Management should, therefore, strive towards establishing an internal control system,
which is not only cost-effective, but also ensures the achievement of institutional goals and
objectives.
2. Reliable information: for an institution to carry out different activities and projects,
management requires reliable and accurate information. The objective of internal control is,
therefore, to maintain the reliability and integrity of the system.
3. Safeguarding assets: another objective of an internal control system is the protection of an
institution’s assets. It is for this reason and purpose that the most visible internal controls,
 such as locks on the doors, computer passwords, fences, and joint responsibility for certain
valuable assets are developed and utilized.
4. Promote efficiency: the promotion of efficiency of an internal activities as well as the
efficient use of resources is also objective that the internal control system should strive for. It
is, therefore, necessary that the various controls prevent unnecessary duplication of efforts,
prevent wastage in all aspects of institutional activities, and discourage the inefficient use of
resources. The efficient use of resources is based on the fact of limited supplies never being
sufficient to provide for the infinite needs of a public institution.
5. Ensure compliance: management usually uses policies, strategic and business plans as well as
procedures in maintaining internal control systems. Staff therefore, is encouraged to act in
accordance with these control devices. On the other hand, controls described and contained
in policies and procedures are necessarily applied ensuring planned implementation of
program.
6. Encourage adherence (devotion): the internal control system should provide reasonable
assurance that set policies and procedures are followed by all staff members. If these are not
adhered to, management should take institutional measures.
3.4 Classification of Internal Control
Two different approaches to the classification of internal controls can be followed: broad and
specific.
i. Broad categories: internal control system vary broadly into two categories:
organizational and procedural.
A. Organizational Controls: these are often referred to as general or environmental controls
involving organizational structures, segregation of duties, supervision, management and
personnel.
Structural: the structural aspect of organizational controls refers to a clear structure and
hierarchy of responsibilities according to which authority is delegated. The structure creates an
environment where employees on one level can exercise control over employees on one another.
Segregation of duties: this aspect of control is designed to avoid concentration of control and
execution (implementation) of duties in a single official. Segregation can be instituted at various
stages of processing and recording of transactions. Practically, the following three functions are
separated-custody of goods received, authorization of payments, and their records in
accounts. If a computerized accounting system is used, which is usual, system development
including programming should be separated from operations.
Supervision: supervision refers to daily arrangement for overseeing and checking transactions
and asset security.
Management: internal control should ensure management achieves their objectives. These
management controls represent among others, provision of institutions, financial regulation,
reviews and checks by internal audit, budgetary controls, and monitoring of income and
expenditures. Most of them are long-term arrangement for over all staff supervision.
Personnel: the reliability of personnel responsible for the application and maintenance of
internal controls is an important factor in determining that controls are reliable.
B. Procedural Control
Procedural control often referred to as application or specific control, involve three aspects.
Physical: these are designed to safeguard the custody of assets such as cash and easily
removable important documentation and these can be stored safes with only authorized personnel
having access.
Authorization: the authorization and approval of transactions by responsible and designated
officials, with regulatory limits, is a control ensuring accountability.
Accounting: these include arithmetical and recording functions such as trial balances,
reconciliation of cash and bank accounts, and the matching of orders with goods-received notes.
ii. Specific categories: internal control are, however, usually classified as, management,
accounting, and administrative.
Management control
Accounting officers, financial managers, departmental heads, and line managers are responsible
for ensuring that government’s resources are managed effectively. They must necessarily
develop implement administrative and operational procedures to ensure that these procedures are
adhered to, and internal control is a key management tool in this regard. This is the reason
managers depend on control process by utilizing:
 Effective plans of the organization with clear lines of reporting and responsibility,
 Adequate administrative structures including budgetary and cost control and policy and
procedural manuals,
 An effective and streamlined(efficient) approval and authorized process, and
 Professional and well-trained personnel.
Management control depending on information generated by the procedures that they have
implemented to assist them in exercising their control responsibilities. That is why it is necessary
for management to have reassurance that these internal control procedures are functioning
properly, and are adequate to provide them with all the relevant information to control their
responsibility affairs. Essentially the procedure consists of:
o The process of comparing results with the institutional plan,
o Explaining variance(deviations from the initial plan), and
o Taking corrective action.
Picket and Vinten (1997, p.172) describe the management control system as consisting of these
areas:
 Objectives- clear statement of goals
 Strategic plans- an efficient way of achieving goals
 Structuring- the way in which resources will be deployed
 Human resource management- process of acquiring the required resources
 Quality standard- stands applied to the operation in terms of quality and quantity
 Procedures- the way work will be undertaken
 Operational activities- the activities themselves
 Marketing- the way the clients’ needs are defined and met, and
 Management information-information required to manage and control the activities
Accounting controls: are internal control related to the accounting system of organizations.
They are related with achieving the following controls objectives. They are designed to make
sure that:
 Transactions are implemented in accordance with the management’s authorization, i.e., in
accordance with the laid down policies and procedures.
 Transactions are promptly recorded in proper manner to ensure timely preparation and
communication of reliable financial information.
 Accountability for assets is maintained and assets are safeguarded from unauthorized access,
use or disposal
For example, preparation of bank reconciliation by an employee independent of (not authorized)
to issue checks or handle cash is an internal control that increases the probability that cash
transactions are presented fairly in the accounting records and financial statements.
Administrative controls: some of these controls have little or no bearing on the financial
statements and are thus not direct interest to auditors. Administrative controls emphasize the
effectiveness and efficiency of management decision making process. Administrative controls
emphasize controls for management decision concerning on authority and responsibility for
authorization of information. Administrative controls include the plan of organization structure,
procedures & records related to the decision process. The plan of the organization refers to the
organization structure and methods of assigning authorities and responsibilities. A proper plan of
organization is important for effective operation of the entire internal control system.
Accounting controls have a direct compact on the reliability of financial information while
administrative controls have only an indirect effect on the financial information. The first
concern in financial statement audit is with reviewing accounting controls but not forgetting
administrative controls which have an indirect impact on the reliability of financial statements.
3.5 Elements of Sound Internal Control System
An internal control system usually contains elements forming the basis for an effective system
and contributes to accomplishing set objective of the institution. These elements can be
separately identified as:
Sound management characteristics: the management style and characteristics of managers’
display have a significant effect on the internal control environment. Managers should
necessarily set an example as far as application and adherence to controls is concerned. If
managers, on the different levels, continuously attempt to override or ignore these, then it can be
expected that their subordinates do the same.
Efficient Organizational Structure: the organizational structure of the organization indicates
the responsibility and authority of various officials as well as the lines of communication to be
followed. If all officials clearly understood the structure and their responsibilities relative to
other officials, this would certainly contribute to applying and maintaining the system.
Acceptable Personnel Policies: since competent and trustworthy personnel will produce reliable
and accurate financial information and ensure internal controls are adhered to, it is important that
personnel policies and practices form a critical part of internal control environments. As such, it
is essential that policies be developed to the extent that personnel employed enhance compliance
with controls and do not undermine the system.
Written Procedure: written procedures in the form of procedure manuals, instructions, and
directives require developing for use by all staff. These written procedures are part of internal
control, and therefore their practical application is vital in ensuring uniform approaches to tasks.
This approach strengthens the system by setting minimum standards of conduct.
Effective Internal Audit Function: legislation requires the establishment of internal audit unit
in each organization. One function of an internal audit unit is monitoring the effectiveness of the
internal control system and reporting deficiencies to an audit committee and management. The
auditors belonging to such a unit should be independent of the institution being monitored and
should, therefore, report directly to the committee.

3.6 Limitation of Internal control

Even if internal control can do much to protect against both errors and irregularities & assure the
reliability of accounting data, it has inherent limitation. What so ever its structure is. Besides, the
following situations increase the limitation of any internal control system.
Collusion: collusion can be defined as an agreement between two parties to defeat an internal
control system to carry out an improper act. For instance, you may assign a store keeper and a
guard to prevent assets from being taken for personal use, but what if these two persons collude.
Management outride or manipulation and collusion: management may override procedures
designed to assure execution and recording of transaction in accordance with management
authorization. For example, the manager may authorize improper payment to him and threaten
employees under him to hide the theft.
Cost versus benefit: organization is faced with challenge to find the right cost-versus –benefit
balance for internal control. Excessive control can be too costly and counterproductive, as result
100% control might not be adapted.
Temporary failure: there are two basic reasons under this limitation:
1. Human error: due to carelessness, interruption, fatigue(tiredness), misunderstanding
institutions, etc.
2. Change: a new employer may hire and he/she makes mistake until they understand the
system.
Mistake in judgment: this includes such as mistakes in recording transactions in wrong
accounting period, erroneous classification of transactions, in capitalizing expenditure, etc.