Internal controls
Diagram labels: Risks; IT system; Establish effective internal controls to address risk.
Five broad objectives that the management of any business will set, and the risks threatening the achievement of these objectives
1. Safeguarding the assets of the company
Risks:
• theft of inventory
• damage to plant and equipment
• unauthorised access to company’s bank account, e.g. inadequate EFT controls
2. Preventing fraud
Risks:
• Directors taking unauthorised loans and writing them off as expense
• Practice of buyer arranging personal “kick-back” from a supplier for placing order
with that supplier at inflated prices
• Inclusion of fictitious employees on company payroll
3. Complying with the laws and regulations applicable to the entity
Risks:
• VAT not correctly charged on all sales
• Foreign exchange regulations are not complied with when importing
• Failing to obtain/renew important trading licences
4. Producing reliable financial information necessary to run the business and satisfy
the financial reporting requirements, e.g. producing the annual financial statements.
Risks:
• Failing to employ competent staff with thorough understanding of financial reporting
standards
• Failing to review accounting software used by company to ensure it is up to date and
compliant with laws and regulations
5. Operating the business efficiently and effectively
Why is it important to set objectives?
Objectives of the business will be set,
the risks relating to achieving those objectives will be identified
and suitable books, records and documents, and policies and procedures (internal control
measures) will be in place to address those risks.
Definition of internal control
The process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an
entity’s objectives:
Reliability of the financial performance
Effective and Efficient Operations
Compliance with Laws & Regulations
Responsibility of internal control
Board of directors: Identify risks of business
Management at different levels: Design, implement and maintain internal control process
Ordinary employees: Execute internal control procedures
Read through 1.3 on page 5/4
Limitations of internal control
Management require that cost not exceed benefit.
Internal controls to be directed at routine transactions rather than non-routine transactions.
Potential for human error (careless, distracted, mistakes, misunderstanding).
Circumvention of internal controls through the collusion of a member of
management/employee with someone inside/outside organisation.
Abuse of responsibility
Control procedures may be inadequate because of changes in conditions.
Artificial intelligence “internet of things”
Components of internal control (summary page 5/6)
See graded questions 4.15/4.16/4.17 for questions
Control environment
Control consciousness of the entity. Includes governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control and its importance.
Communication and enforcement of integrity and ethical values
→ Internal controls will fail if not all employees act with integrity
→ Employees need guidance for ethical behaviour
→ Management should provide fair remuneration and pleasant working conditions
Commitment to competence
Competent employee has knowledge and skills to do job.
→ Everyone should know what to do and how to do it
→ What can management do?
• Define jobs
• Fill position on merit
• Provide training and tools for job
• Reward excellent performance
Participation by those charged with governance
→ Board of directors set ethical example for management and other employees.
→ Companies Act and King IV report provide guidance on how board should meet corporate responsibilities.
Management’s philosophy and operating style
Management set example of importance of internal control process.
Organisation structure
→ Framework of entity to achieve objectives that are planned, executed, controlled and reviewed.
→ Key areas of authority and appropriate lines of authority.
Assignment of authority and responsibility
→ Individuals should be aware of authority, how they exercise it, responsibilities they have.
→ Management assign authority to appropriate individuals according to functions.
→ Steps to be followed and different levels of responsibility necessary to obtain authority for an action.
→ Do not have overly strict policies and procedures (demotivating)
Human resources policies and practices
Company should have sound policies to have good control environment.
→ Recruit right people (interviews, background checks, minimum qualifications)
→ Training, workshops
→ Fair remuneration: norms, benefits
→ Develop and promote: educating, guidance
→ Counsel: HR personnel

Risk assessment process
Define the objectives of the entity, its departments and functions
If objectives are not defined, risks of not achieving objectives cannot be identified.
Risk assessment process includes:
→ Identify business risks relevant to financial reporting objectives
→ Assess likelihood and frequency of risks
→ Estimate impact of risk
→ Decide on actions to address risk
Five ways in which large company may address the need to identify and assess numerous risks faced by company:
→ Appointment of risk committees and risk officers
→ Engagement of external risk consultants
→ Use of risk models
→ Regular meeting at divisional, departmental and sectional level to consider the risks at those levels.
→ Strategy meetings involving senior management to assess risks at an overall level.
Identify and assess risks
→ Operational risks
Risks that threaten entity/departments/functions to achieve effective and efficient operations
→ Financial operating risks
Risks that entity does not achieve objective of having accounting system which processes transactions that occurred, are authorised, processed accurately and completely.
→ Compliance risks
Risks that entity does not achieve objectives of complying with laws and regulations applicable to entity.
Respond to risks
→ Information system
Combination of machines (most often include computers), software where computers are involved, people who carry out procedures, and data.
“Related business processes” are activities designed to purchase, produce, sell and distribute the entity’s products and ensure compliance with laws and regulations, and record information.
Linked because they are a combined process/method of initiating, recording, processing and reporting transactions, either manually or through computers or a combination of both.
→ Control activities
Actions supported by policies and procedures, if properly designed and implemented, reduce/eliminate risks.

Information systems
Valid, accurate and complete
Accounting system needs to produce information which displays these characteristics and is useful.
Procedures and records to deal with transactions
→ Initiation of transaction e.g. receipt of customer’s order
→ Recording transaction e.g. enter details of order on sales order
→ Processing transaction e.g. pick goods ordered from warehouse; dispatch to customer
→ Posting transaction to general ledger e.g. sales journal to debtors’ ledger
Related accounting records
→ Documents used
Documents specific to type of transaction.
→ Document design
Properly designed – help with accuracy and completeness
• Pre-printed: minimum amount to fill in
• Pre-numbered: to see missing documents
• Multi-copied for multiple use
• Logical and simple to complete
• Blank blocks for authorisation
Capturing events and conditions other than transactions
→ Account headings (depreciation, bad debts)
→ Disclosure in the notes
Journal entries
All journal entries should be authorized by a “more senior” level employee.
Thus, the senior employee will be held accountable for controlling all journal entries.