Definition and purposes of internal control
The Turnbull Report, first published in 1999, defined internal control and its scope as follows:
‘The policies, processes, tasks, behaviours and other aspects of an organisation that taken together:
Facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational, financial, compliance and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that liabilities are identified and managed.
Ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from both internal and external sources.
Ensure compliance with applicable laws and regulations and also with internal policies.’
Turnbull’s explanation focuses on the positive role that internal control has to play in an organisation. Facilitating efficient operations implies improvement, and, properly applied, internal control processes add value to an organisation by considering outcomes against original plans and then proposing ways in which they might be addressed.
At the same time, Turnbull also conceded that there is no such thing as a perfect internal control system, as all organisations operate in a dynamic environment: just as some risks recede into insignificance, new risks will emerge, some of which will be difficult or impossible to anticipate. The purpose of any control system should therefore be to provide reasonable assurance that the organisation can meet its objectives.
Objectives of internal control
Internal control should have the following objectives:
Efficient conduct of business:
Controls should be in place to ensure that processes flow smoothly and operations are free from disruptions. This mitigates against the risk of inefficiencies and threats to the creation of value in the organisation.
Safeguarding assets:
Controls should be in place to ensure that assets are deployed for their proper purposes, and are not vulnerable to misuse or theft. A comprehensive approach to his objective should consider all assets, including both tangible and intangible assets.
Preventing and detecting fraud and other unlawful acts:
Even small businesses with simple organisation structures may fall victim to these violations, but as organisations increase in size and complexity, the nature of fraudulent practices becomes more diverse, and controls must be capable of addressing these.
Completeness and accuracy of financial records:
An organisation cannot produce accurate financial statements if its financial records are unreliable. Systems should be capable of recording transactions so that the nature of business transacted is properly reflected in the financial accounts.
Timely preparation of financial statements:
Organisations should be able to fulfil their legal obligations to submit their account, accurately and on time. They also have a duty to their shareholders to produce meaningful statements. Internal controls may also be applied to management accounting processes, which are necessary for effective strategic planning, decision taking and monitoring of organisational performance.
Responsibilities for internal control
In many smaller, unincorporated businesses such as sole traders and unlimited partnerships, the responsibility for internal controls often lies with the owners themselves. In most cases, the owners are fully engaged in the business itself, and if employees are engaged, it is usually within the capability of the owners to remain fully aware of transactions and the overall state of the business.
As organisations grow, the need for internal controls increases, as the degree of specialisation increases and it becomes impossible to remain fully aware of what is going on in every part of the business.
In a limited company, the board of directors is responsible for ensuring that appropriate internal controls are in place. Their accountability is to the shareholders, as the directors act as their agents. In turn, the directors may consider it prudent to establish a dedicated internal control function. The point at which this decision is taken will depend on the extent to which the benefits of function will outweigh the costs.
The directors must pay due attention to the control environment. If internal controls are to be effective, it is necessary to create an appropriate culture and embed a commitment to robust controls throughout the organisation.
Generic control categories
Controls and be categorised in many different ways. Figure 1 described five categories that are often used.
Figure 1: Categories of controls
Internal controls can be:
Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of circumstances. These are widely used to prevent breached of laws or policy, as well as to minimise risks relating to health and safety. Voluntary controls are applied according to the judgement of the organisation and its managers.
Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or judgement of risks in given circumstances. Non-discretionary controls must be applied.
Manual or automated:
Manual controls are applied by the individual employee whereas automated controls are programmed into the systems of the organisation. Some systems combine the two: for example, when deciding on whether a customer should be permitted days on hand for payment, there could be automated ‘accept’ above a specified credit rating or ‘decline’ or below a specified credit rating, and an intermediate range in which a manager may be able to override the automated system.
General controls or application controls:
This classification of controls applies specifically to information systems. General controls help to ensure the reliability of data generated by systems, helping to ascertain whether systems operate as intended and output is reliable. Application controls are automated and designed to ensure the complete and accurate recording of data from input to output.