Internal Controls: As A Major Way of Increasing Difficulty of Committing Fraud
Internal controls are processes and procedures implemented by management to reasonably ensure that data is processed correctly, assets are safeguarded, information is protected, and laws are followed. The objectives of internal controls are to safeguard assets, maintain accurate records, provide reliable information, prepare proper financial reports, promote operational efficiency, encourage adherence to policies, and ensure compliance with laws. However, internal controls cannot provide absolute assurance due to limitations like fraud, errors, collusion, and management override. Internal controls perform preventive, detective, and corrective functions. Control environment, risk assessment, control activities, information and communication, and monitoring are the key components of an effective system of internal controls.
INTERNAL CONTROLS
AS A MAJOR WAY OF INCREASING DIFFICULTY OF COMMITTING FRAUD
INTERNAL CONTROLS - DEFINITION & OBJECTIVES

Internal controls are the processes and procedures implemented by management to provide reasonable assurance that data is processed correctly, assets and information are safeguarded, and applicable laws are followed. Internal controls aim to achieve the following objectives:

1. Safeguard assets - prevent or detect unauthorised acquisition, use or disposal
2. Maintain records in sufficient detail to report company assets accurately and fairly
3. Provide accurate and reliable information
4. Prepare financial reports in accordance with established criteria
5. Promote & improve operational efficiency, i.e. minimise wastefulness
6. Encourage adherence to prescribed managerial policies
7. Comply with applicable laws

However, internal controls provide only reasonable assurance; complete assurance is difficult to achieve and prohibitively expensive.

INTERNAL CONTROLS - LIMITATIONS

Internal controls are designed by management to meet several objectives. However, no matter how hard an organisation tries to implement the best controls, internal controls have limitations. They can never be 100% effective because of the following:

1. Fraud - human beings can be tempted, and therefore fraud cannot be eradicated 100% but can be minimised.
2. Errors – these arise when employees exercise poor judgement or have a breakdown in their attention to the job. Poor judgement produces bad decisions and results from poor training, lack of experience or lack of knowledge. Breakdowns in attention arise from carelessness, which may be due to fatigue, outside interruptions or overwork. Even well-trained employees may make errors.
3. Collusion – this occurs when two or more employees conspire to commit a theft from their employer.
4. Management override - managers in organisations have more authority than juniors. This is when a manager overrides his own control procedures.
5. Cost benefit analysis – the concept of reasonable assurance implies that the costs of implementing controls should not exceed the benefits derived. Any controls whose costs to implement exceed the benefits would not be implemented, as the company can go bust.

FUNCTIONS PERFORMED BY INTERNAL CONTROLS

Internal controls perform three important functions:

1. Preventive controls – these deter problems before they arise. Examples: hiring qualified staff, segregation of employee duties and controlling physical access to assets.
2. Detective controls – these discover problems that are not prevented. Examples: duplicate checking of calculations, preparing bank reconciliations and monthly trial balances.
3. Corrective controls – these identify and correct problems as well as correct and recover from the resulting errors. Examples: maintaining back-up copies of files, correcting data entry errors.
Internal controls are often put into two categories:

1. General controls - these make sure an organisation’s control environment is stable and well managed, e.g. security, IT infrastructure, software acquisition, development and maintenance controls.
2. Application controls – these prevent, detect and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity and authorisation of data captured, entered, processed, stored, transmitted to other systems and reported.

COMPONENTS OF INTERNAL CONTROLS

Internal controls are classified into five components:

• Control environment or internal environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring & evaluation

Control/Internal Environment

This is the foundation of all the other components. It sets the tone of the organisation. The control/internal environment is influenced by the history and culture of the organisation. The following factors affect the control/internal environment.

1. Board of Directors & Audit Committee Participation
• Directors are not employed by the organisation in another capacity.
• An audit committee consists of several of these outside directors.
• If the audit committee is active in overseeing policies and procedures, the internal control system is effective, so the organisation’s objectives can be achieved.
• The audit committee can alert the entire board to issues before they become serious.
• An active board with appropriate technical expertise and management knowledge is critical for effective internal control.
• The board should have enough outsiders that it is able to question management’s activities.
• The board should act in the event of management wrongdoing.

2. Commitment to Competence
• Competence means employees have the knowledge and skills they need to perform their tasks.
• Management decides how well these tasks are performed.
• Management must evaluate the cost of hiring people with necessary skills.
• When management is committed to competence, the system of internal control is more likely to work.
• In organisations that lack a climate of competence, both errors and irregularities are likely to occur.

3. Organisational Structure
• The organisational structure provides an overall framework for management functions, i.e. planning, executing, controlling and monitoring activities performed by management.
• Objectives are better achieved if the structure reflects its management functions that assign authority and responsibility.

4. Management Philosophy & Operating Style
• These include management’s approach to taking business risks, attitudes toward accuracy of accounting data and emphasis on meeting budget and operating goals.
• They have a significant influence on the effectiveness of the organisation’s control activities.

5. Integrity & Ethical Values
• Because management creates, administers and monitors the system of internal controls, its effectiveness is limited by management attitudes toward integrity and ethical values. The ethical climate is affected by the guidance that management communicates both formally and informally to employees. A strong ethical climate in the organisation is also affected by incentives and temptations that management provides.
• Official policies specify what management wants to happen, but organisational culture determines what actually happens and which rules are followed, bent or ignored.
• If employees see top management engaging in unethical behaviour, they are more likely to commit irregularities themselves. Therefore management must walk the talk.

6. Assignment of Authority & Responsibility
• Management assigns authority and responsibility for operating activities and establishes reporting relationships and methods of authorisation.
• In decentralised environments management must align authority with accountability. The control environment is influenced by the extent to which employees recognise that they will be held accountable.

7. Human Resources Policies & Practices
• Human resources policies and practices send messages to employees about what the organisation expects in the way of integrity, ethical behaviour and competence.
• These policies describe how the organisation trains, evaluates, promotes and pays employees.
• Hiring practices demonstrate the organisation’s commitment to hiring competent and trustworthy employees.
• Training practices communicate the expected levels of performance and behaviour.
• Bonus incentives and disciplinary actions send messages about desirable and undesirable behaviour.
• The effectiveness of any internal control structure relies on the honesty and the abilities of the employees.
• Honest employees are less likely to perpetrate fraud and irregularities.
• Competent employees are less likely to make errors.
• Adequate human resources policies and practices ensure that the organisation hires competent people, trains them properly, treats them fairly and pays them adequately, making errors and irregularities less likely to occur.

Good Human Resources Policies & Procedures
• Training - Employees who understand their jobs are less likely to make errors.
• Recognition for work well done - Encourages employees to prevent errors and irregularities.
• “Adequate pay” – Fairly compensated employees are less likely to steal.
• Investigate employees before hiring – A potential employee may have a history of dishonesty and carelessness.
• Job Rotation – Employees rotate their jobs to ensure that an employee cannot continue to hide an error or irregularity that happened in the past.
• Required Vacation - Employees should go on leave because an employee standing in for them while on vacation may discover an error or irregularity that occurred in the past.
• Bonding or Fidelity Guarantee - This is a type of insurance that a company takes to ensure it is reimbursed for the loss if an employee commits theft.
• Confidentiality agreements - Employees must sign and adhere to the requirements of such documents.

RISK ASSESSMENT – 2nd COMPONENT

This is the second component of internal controls. It involves management’s process of identifying and analysing risks that might prevent the organisation from achieving its objectives. Risks arise from both internal and external factors.

• Internal Risks (Endogenous)
These relate to specific activities of the organisation and they are within its control. Examples are errors due to untrained or unmotivated employees, disruption of the information system, the result of an ineffective board of directors and audit committee, etc.

• External Risks (Exogenous)
These affect the organisation as a whole and they are beyond the organisation’s control. These are:
1. Competition
2. Economic – e.g. inflation
3. Technological changes
4. Statutory or government regulations
5. Natural disasters or catastrophes
6. Change is also a risk that affects all organisations. Economic, industry and regulatory environments change. A system of internal controls that is effective under one set of conditions may not apply under another. As part of risk assessment an organisation needs a process to identify changed conditions that can affect its ability to achieve its objectives.

Management must identify risks to the organisation’s objectives, estimate the extent of each risk, assess its likelihood

CONTROL ACTIVITIES – 3rd COMPONENT

This is the third component of internal controls. These are policies and procedures that management adopts to provide reasonable assurance that management directives are carried out. They help ensure that actions are taken to address the risks to the achievement of the organisation’s objectives.
Control activities can be classified into 4 categories:

1. Procedures for Authorising Transactions

Management implements procedures for authorising transactions and states activities for processing them. The proper way to process transactions differs for each class of accounting transactions. Authorisations are often documented by signing, initialling, or entering an authorisation code on a document or record. Computer systems can record a digital signature, i.e. electronically signing a document with data that cannot be forged. There are several good procedures for authorising transactions.

Control Activities - Procedures for Processing Transactions
• Prompt recording - Employees should record transactions immediately as they occur. This decreases opportunities for errors and irregularities in recording transactions.
• Visual checking - An employee recording the transaction confirms visually that all data are complete and correct. For example, ensure that a student identity number tallies with the student name when issuing a receipt.
• Balancing - The employee determines that total debit entries equal total credit entries for the transaction.
• Batch controls - Employees accumulate transactions into batches and total the amount of each batch. In each later processing step the total is recalculated.

Proper procedures for authorising transactions depend on the kind of transaction. Management authorises transactions in two ways:
• General authorisation – describes conditions under which employees may initiate, record and process one kind of transaction. When these conditions are met an employee is authorised to carry out these actions without further consultation with management. An example is a cashier in a supermarket who charges a customer for merchandise and receives payment for the merchandise.
• Specific authorisation - applies only to a specific single transaction. Before an employee initiates a transaction of this kind, the employee consults with management and obtains approval specifically for it. Management normally requires specific authorisation for large dollar amounts or for transactions that present a high potential for fraud. Examples: voiding a transaction in a supermarket requires a supervisor; purchasing a new factory building requires board approval.

2. Security for Assets & Records

This is the second category of control activities, where management should implement adequate safeguards to protect assets and records. Safeguards include two types:
• Physical security - Management implements procedures to provide physical security for inventory, cash, property, plant & equipment and for the records of these assets. Many organisations attach a non-removable label to each item of equipment with an identifying number which is entered in an asset register. Physical security is effective when management fixes responsibility for it with specific individuals.
• Fixed responsibility - Management assigns responsibility for specific assets and records to specific job positions. If an error or irregularity occurs, management holds the individual in that job position responsible. Internal control is best when management summarises and communicates responsibilities in writing, as this encourages employees to do their jobs accurately and honestly.

3. Segregation of Duties

This is the third category of control activities. Good internal controls do not permit a single employee too much responsibility over business transactions and processes, as this may lead to committing and concealing fraud. Segregation of duties falls into two categories, i.e. segregation of accounting duties and segregation of system duties.
• Segregation of Accounting Duties - Effective segregation of accounting duties is achieved when the following functions are separated:
  • Authorisation – approving transactions and decisions
  • Recording - preparing source documents, inputting data into computer systems, maintaining journals, ledgers, files or databases, and preparing reconciliations and performance reports
  • Custody - handling cash, tools, inventory or fixed assets, receiving incoming customer cheques, writing cheques
• If one person performs two of these functions, problems can arise. Where there is effective separation of duties it is difficult for an employee to successfully perpetrate fraud. However, if two or more people are in collusion to override controls, detection is more difficult, as fraud is both committed and concealed.
• Employees can collude with other employees, customers or vendors.
• Examples of the most common employee/vendor collusions include billing at inflated prices, performing substandard work and receiving full payment, payment for non-performance, duplicate billings or improperly purchasing more goods from a colluding company.
• Examples of the most common employee/customer collusions include unauthorised loans, writing off amounts owed and unauthorised extension of due dates.
• Segregation of Systems Duties - Where a person has unrestricted access to the computer, its programs and live data, fraud can be perpetrated and concealed. Authority and responsibility should be divided clearly among the following functions:

Segregation of Systems Duties
1. Systems administration - Systems administrators ensure all information system components operate smoothly and efficiently.
2. Network management - Network managers ensure that devices are linked to the organisation’s internal and external networks and that the networks operate properly.
3. Security management - ensures systems are secure and protected from internal and external threats.
4. Change management - the process of ensuring changes are made smoothly and efficiently so that they do not negatively affect reliability, security, confidentiality, integrity and availability.
5. Users - record transactions, authorise data to be processed and use the system output.
6. System analysis - helps users to determine their information needs and designs systems to meet those needs.
7. Programming - programmers take the analysts’ design and develop, code and test computer programmes.
8. Computer operations - operators run the software on the company’s computers, ensuring that data are input properly, processed correctly and that needed output is produced.
9. Information system library - the information system librarian maintains custody of corporate databases, files and programmes in a separate storage.
10. Data control – ensures that source data has been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure correction and resubmission, and distributes output.

Allowing one person to do two or more of these jobs exposes the company to fraud.

Control Activities - Safeguarding Assets, Records & Data

This is the fourth category of control activities. The proper design and use of electronic and paper documents and records help ensure the accurate & complete recording of all relevant transaction data. Their form and content should be as simple as possible, minimise errors and facilitate reviews and verification. Documents that initiate a transaction should contain space for authorisations. Those that transfer assets need a space for the receiving party’s signature. Documents should be sequentially pre-numbered so each can be accounted for. An audit trail facilitates tracing individual transactions through the system, correcting errors and verifying system output.
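A detective check for the segregation of accounting duties and the sequentially pre-numbered documents described above, as an added example that is not part of the original presentation. The log layout, employee names and document numbers are constructed for illustration.

```python
from collections import defaultdict

# The three accounting functions the text says should be separated.
FUNCTIONS = frozenset({"authorisation", "recording", "custody"})

# Constructed sample audit trail, one row per action on a pre-numbered
# document: (document_number, function, employee). All values are illustrative.
SAMPLE_LOG = [
    (1001, "authorisation", "amina"),
    (1001, "recording", "brian"),
    (1001, "custody", "chipo"),
    (1002, "authorisation", "brian"),
    (1002, "recording", "brian"),      # same person authorises and records
    (1002, "custody", "chipo"),
    (1004, "authorisation", "amina"),  # document 1003 is unaccounted for
    (1004, "recording", "dev"),
    (1004, "custody", "dev"),          # same person records and holds custody
    (1005, "recording", "brian"),      # processed without authorisation
    (1005, "custody", "chipo"),
]


def _group(log):
    """Map document number -> employee -> set of functions performed."""
    per_doc = defaultdict(lambda: defaultdict(set))
    for doc_no, function, employee in log:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on document {doc_no}")
        per_doc[doc_no][employee].add(function)
    return per_doc


def sod_conflicts(log):
    """Documents on which one employee performed two or more functions."""
    conflicts = {}
    for doc_no, by_employee in _group(log).items():
        overlap = {e: sorted(f) for e, f in by_employee.items() if len(f) > 1}
        if overlap:
            conflicts[doc_no] = overlap
    return conflicts


def missing_functions(log):
    """Documents with no record of one of the three functions."""
    missing = {}
    for doc_no, by_employee in _group(log).items():
        performed = set().union(*by_employee.values())
        absent = FUNCTIONS - performed
        if absent:
            missing[doc_no] = sorted(absent)
    return missing


def sequence_gaps(log):
    """Pre-numbered documents absent between the lowest and highest seen."""
    numbers = {doc_no for doc_no, _, _ in log}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def review(log):
    """Run all three checks and return the findings for follow-up."""
    return {
        "sod_conflicts": sod_conflicts(log),
        "missing_functions": missing_functions(log),
        "sequence_gaps": sequence_gaps(log),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(finding, detail)
```

A check like this only sees conflicts within one identity; collusion between two employees, which the text lists as a limitation, passes it unflagged.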
INFORMATION & COMMUNICATION – 4th COMPONENT

• This is the fourth component of internal controls, dealing with information at all levels for making operating decisions, for financial reporting and for compliance. It is identified, captured, processed and reported by information systems.
• Communication is part of it and also includes policy manuals, accounting manuals, memoranda and notices. Information systems communicate both internal and external information.

The following features in accounting help prevent and detect errors and irregularities:

Debit & Credit Analysis
• The double entry system, where transactions are entered in two or more accounts, helps detect many errors and detects or prevents many irregularities. It doubles the chance of detection.

INFORMATION & COMMUNICATION – Chart of Accounts

The chart of accounts is a list of all the account names and account codes used by the organisation. An employee may use only those accounts listed when making debit and credit entries. This restricts the opportunity for an employee to make errors or commit irregularities when recording transactions. A properly designed chart of accounts also minimises errors, and it should have some of the following characteristics:

Characteristics of a Well Designed Chart of Accounts
1. Responds to organisation’s needs. Accounts included in a chart of accounts should meet management’s needs for control of operations and financial accounting requirements for external reporting.
2. Facilitates report preparation. Accounts in the chart of accounts should be listed in their order of appearance in the financial statements and should be compatible with the organisational structure.
3. Provides adequate description. A description of each account and its contents should be provided. This guidance to the accounting staff enables consistent use of the accounts.
4. Account titles provide clear distinctions. Account titles should be chosen to minimise ambiguities concerning the contents of an account.
5. Control accounts. The chart of accounts should incorporate control accounts.

INFORMATION & COMMUNICATION – Trial Balance & Control Accounts

Trial Balance
• A trial balance is prepared as one step in the accounting cycle. For manual accounts an inequality is evidence of an error. Some of the common errors include misfooting and transposition. A trial balance is reviewed for abnormal account balances, and an abnormal balance may indicate errors in posting or during debit credit analysis. Asset and expense accounts normally have debit balances, and liability, capital/equity and revenue accounts credit balances. If a different balance is noted, investigations are carried out to determine the cause.

Control Accounts
• A control account in the general ledger summarises the contents of many accounts in the subsidiary ledger. If the total of the individual accounts in the subsidiary ledger is different from the control account in the ledger, it alerts the accountant to a recording error. Ideally, the control accounts are reconciled every month. Examples of control accounts are the payroll, accounts receivable and payable, inventory and fixed assets.

MONITORING & EVALUATION – 5th (Final) COMPONENT

It is a process that assesses the quality of internal control performance over time. Organisations change and the ways in which controls are applied in them evolve. Monitoring and evaluation helps management determine what modifications to the system are needed as conditions and the operating environment change. It involves assessing the design and operation of controls and taking corrective actions.
Monitoring performance can be done through various methods.

MONITORING & EVALUATION - METHODS

Internal Control Evaluation
• Can use a formal or self-assessment evaluation by a special team selected to carry out the evaluation
• Evaluation can be done by internal audit

Ensure Effective Supervision
• Training & assisting employees as a continuous process
• Monitoring employees’ performance
• Correcting errors
Supervision is very important if there is no responsibility reporting & no adequate segregation of duties.

Implement Responsibility Accounting Systems
• Note that it is difficult to apply in unstable environments
• Relates to budgets, targets, quality standards, comparing actual against planned performance
• Includes procedures for investigating and correcting significant variances

Conduct Periodic Audits
• Includes external & internal & network security audits to monitor risks and detect fraud and errors
• Auditors to test system controls regularly
• Internal audit function to assess reliability of financial & operating information
• Internal audit also to assess internal control effectiveness & employee compliance with management policies & procedures
• Internal audit to assess compliance with applicable laws & regulations in each specific environment

Monitor System Activities
• Implement risk analysis & management software to review computer & network security, detect illegal access & test for weaknesses
• Reasonableness checks can be done after setting parameters of acceptable levels/thresholds
• System also monitors and addresses virus issues
• System to record all transactions & activities in a log that says who accessed what data, when and from which device

Employ Computer Security Officer & Compliance Officer
• These should be independent of system functions
• Their roles are to test and evaluate security procedures & computer systems
• Can outsource these functions to computer consultants

Engage Forensic Specialists
• Forensic accountants to assist in specialised investigations
• Computer forensic specialists also have specialised knowledge to investigate fraud, sabotage, retrieving erased data etc.

Install Fraud Detection Software
• Assists the organisation in detecting fraud

Implement a Fraud Hotline
• Helps people report fraud they have witnessed and minimises whistleblowers being persecuted

CONCLUSION

The five components of internal controls are the control environment, risk assessment, control activities, information and communication, and monitoring. Management creates internal controls in order to ensure that the organisation’s goals are met.