
APPENDIX 5

Internal Control - A Guide for Management and Staff

Note: This is a shorter version of the Guide. The longer version is given as Appendix 4. In its shorter form it is more suitable for issue to management and staff. In its longer form it is more suitable for use as reference by those who need to develop similar guides for their organisations. The Table of Key Control Issues is identical in both versions and is repeated in the interests of completeness in each case.
1. Why internal control?

• Four in five organisations in the UK have suffered a breakdown in their I.T. systems during the past two
years at an annual cost of £1.2bn and increasing. A quarter of the incidents led to serious losses.

• Age Concern, the UK’s leading charity for the elderly, ground to a halt after theft of computer chips.

• In February 1995 the UK’s oldest merchant bank, Barings, collapsed. When Leeson had joined Barings,
he had two outstanding County Court judgments against him. Because of this record, Barings had
failed to get Leeson a trading licence in the UK, but they had not disclosed his record to the Singaporean
authorities. An ignored internal audit report in August 1994 had concluded that there was “a significant
general risk that the controls could be over-ridden by Nick Leeson as he is the key manager in the front
and the back office”. He was not only trading but was also supervising the trading function (ie. the
“front room”).

• On 26 September 1995, criminal complaints were filed against a rogue trader, Mr. Iguchi, for running
up £700m losses over eleven years in the New York trading arm of Daiwa Bank (Japan’s tenth biggest
commercial bank), through unauthorised trading of American Treasury bonds and falsification of the
bank’s books and records to conceal the losses. Mr. Iguchi had been in charge of front and back office
operations.

At least half of large companies are victims of fraud more than once a year, and in most cases an
employee is involved. Fraud is avoidable loss due to an inadequate system of internal control.
Other avoidable losses, including accidental errors or omissions, may be even more damaging.

Internal control is not designed just to prevent these sorts of unwanted consequences. Internal
control, properly designed and observed, provides reasonable assurance of the achievement of
objectives - not an absolute guarantee, as a business may be thrown off course by external events.
Without effective internal control no enterprise is likely to achieve its objectives.

2. What is internal control?

Internal control is control by management of what happens within the business. It is
management control:

Internal control is broadly defined as a process, effected by the entity’s board of
directors, management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.

• Reliability of financial reporting.

• Compliance with applicable laws and regulations.

“Effectiveness and efficiency of operations” includes the safeguarding of assets, that is the
prevention or timely detection of unauthorised acquisition, use or disposition of the entity’s
assets.
Internal control is much more than internal (cross) check. It is the totality of methods that
management has introduced to provide reasonable assurance of the achievement of objectives and
the avoidance of unwanted outcomes. As such, internal control is the essence of good
management. The classic view of management is that it comprises effective planning, organising,
staffing, directing and controlling. Each of these must be done well if there is to be effective
internal control.

We can distinguish between (a) preventative controls designed to avoid the non-achievement of
objectives or to avoid the occurrence of unwanted outcomes and (b) detective controls to inform
management and others when things have gone wrong.

3. Practical advice on internal control


Internal control should assist management to achieve their objectives. These objectives must be
clear when an internal control framework is established.

There is no such thing as 100% effective control. The allocation of additional resources to
improve control may have inadequate marginal benefit. Whether that is so is a matter of
management judgement in the light of:

• The importance of the objectives, and the degree of risk of not achieving them

• The seriousness of the potential exposures, and the degree of risk of them occurring

• The cost, if any, of additional control measures

Control must be cost effective - tailored to a realistic assessment of need and appropriate for the
purpose. Control will be more cost effective if:

• Complex controls are rejected in favour of simple ones which have the same control
effect.

• Redundant controls are jettisoned.

• Compensating controls are rationalised.

• Checks are performed on samples where appropriate.

Much can be done in a well controlled way with no additional use of resources. For instance,
dividing work between two members of staff will not necessarily be costly.

It is best to place control as early as possible within the system. Until control has been
established there is a greater possibility of error or loss which may go undetected.

Where control depends upon a reconciliation of figures, the reconciliation should be performed or
supervised by someone who is (a) competent and (b) independent of the generation of any of the
figures which are to be reconciled.

Where control depends upon supervision it is important that this is taken seriously. Delegation is
an important and valid management approach but it should not be abdication. Authority is
delegated but not responsibility.

A well designed system of internal control is worse than worthless unless it is complied with,
since the semblance of control may lead to a false assurance. Senior management should set a
good example with regard to control compliance.

While control serves a much broader purpose than the prevention and detection of fraud, this is
nevertheless an important aspect. But fraud often involves the circumvention of controls through
deception and/or collusion. Management and staff must be encouraged to watch out for tell-tale
signs of both fraud and error.

Broadly, a 25%-50%-25% rule applies. 25% will be honest in all circumstances. 25% dishonest
whenever circumstances permit. 50% are easily swayed. Few will be able to resist the
temptation to defraud if they have an unsharable financial problem, there is opportunity and very
little risk of detection, and the consequences upon detection would be modest.

We should take a lot of trouble to recruit trustworthy staff. But thereafter systems of internal
control should confirm they are working in a trustworthy way. This is in the interests of staff
themselves - otherwise the finger of suspicion is likely to start pointing at them. A good system
of internal control reduces the opportunity for fraud and makes detection more likely. It has
been said that the best form of prevention (of fraud) is detection.

4. Key controls which should be in place


There are five necessary components of a system of internal control:

Control environment

• Commitment to competence and integrity.

• Communication of ethical values and control consciousness.

• Appropriate organisational structure.

• Appropriate delegation of authority with accountability.

Risk assessment

• Identification of key business risks in a timely manner.

• Consideration of the likelihood of risks crystallising and their likely impact.

• Prioritising allocation of resources for control.

Control activities
• Procedures to ensure completeness and accuracy of transactions, accounting, data
processing and information reports.

• Appropriate authorisation limits.

• Controls to limit exposure to loss of assets or to fraud.

• Procedures to ensure compliance with laws and regulations.

Information and communication

• Performance indicators to monitor activities, risks and progress in meeting objectives.

• Systems which communicate relevant, reliable and up-to-date information.

Monitoring

• A monitoring process to give reasonable assurance to the Board of appropriate control
procedures in place.

• Identification of business change which may require modification of the system of internal
control.

• Formal procedures for reporting weaknesses and for ensuring appropriate corrective
action.

Table 1 is a checklist of some of the key control issues likely to be relevant in most contexts.

5. Control self assessment


Contemporary management approaches put effective internal control at risk. Delayering broadens the
span of supervisory control of the remaining management layers and empowers staff to make more
decisions; replacing hierarchical management by project-based management may have the effect
of increasing individual authority and weakening reporting lines.

Any process of business re-engineering must preserve the essential internal control framework
both during the process of re-engineering (when the attention of staff to internal control matters
may be diverted) and after processes have been re-engineered (when essential controls may have
been superseded inadvertently).

In an environment of empowered staff, management and staff may assume more responsibility for
identifying risks and improving internal control - through a process of control risk self
assessment - especially where delegation of this to internal audit results in only incomplete
coverage on an annual basis.
6. Internal control for the smaller operating unit

In a small business there is less opportunity to rely on forms of segregation to achieve internal
control at minimal or no cost. On the other hand, the closeness to operations of the small unit’s
senior management means that they may be more sensitive to control problems as they develop.
Where control cannot be achieved by segregation it has to be achieved by supervision. Parts of
the supervisory control process may be automated using the computer.

It is the control risk rather than the number of staff employed which should determine the
controls which are appropriate even for the operating unit which employs few people.
Table 1
Key Control Issues

(Answer Yes or No to each question.)

1. Is there shared responsibility for all important parts of the accounting system - so that
absolute and independent control by any one person is avoided?

2. Have you avoided giving any one person custody or control of (a) assets (such as cash or
stock), or (b) operations (such as Purchasing) - where that person also has involvement
in accounting for those assets or operations?
   2.1 If this is unavoidable, is there frequent, independent review of the accounting
   records?

3. Is authorisation of (a) the acquisition, use or disposal of an asset, or (b) the initiation of
any operation or programme - segregated from those who have custodial or operational
responsibilities for these matters?

4. Do two people always work together when handling significant quantities of cash and
other attractive assets?

5. Where control depends upon a reconciliation of accounting and other data, is it always
conducted by someone independent of the generation of any of the data being reconciled?

6. Have you avoided situations where a single person or department is inappropriately
allowed to handle all or several phases of a transaction or operation?

7. Wherever possible, is the work of one employee complementary to (ie. serves as a check
upon) that of another, so that a continuous audit is made of the details of the business?

8. Do staff who have been assigned to segregated duties also use adequately segregated
office facilities (such as office, telephone, filing cabinet, E-Mail)?

9. Do you successfully avoid staff standing in for other staff when their respective duties are
meant to be segregated for control purposes?

10. Are authorisation limits and methods of authorisation (sole, dual, by committee, etc)
appropriate to the risks involved in every case?
   10.1 Is “third level” authorisation applied where risks of collusion are greatest?
   10.2 Is “after the event” authorisation applied where prior authorisation may not be effective? (See endnote 1.)

11. Is full use made of the potential of exception reports, and are these reports followed up?

12. Are physical security controls applied wherever necessary, and are they satisfactory in the
light of the risks involved?

13. Do personnel controls maximise the opportunities for recruiting and retaining
trustworthy staff?
   13.1 Are procedures upon dismissal adequate to minimise the security risks associated with
   terminated staff?

14. Are all managers capable of supervising effectively the number of staff for which they are
directly responsible?
   14.1 Is the supervision of contractors, suppliers etc. similarly effective?

15. Are adequate records created and retained in accessible form for a sufficient period of
time?

16. Is all information necessary for management control available promptly (eg. no later than
_ of the way through the next period, so that timely corrective action is possible)?

17. Is there satisfactory control over who can add, delete, amend and interrogate computer-
based corporate data?

18. Where appropriate, as a last resort to achieve satisfactory internal control, is certain
knowledge segregated on a need-to-know basis?

19. Are there effective procedures to ensure the validity of payments?

20. Is there effective physical and accounting control over returns from customers, and over
the payment of refunds?

21. Is there effective custody and control of (including accurate accounting for) all promotional
vouchers (and other “accountable documents” with potential value)?

22. Is the control over non-standard transactions effective?

23. Are all staff required to take their holidays?
   23.1 Do all staff take at least one holiday of at least two weeks’ duration each year?
   23.2 Are duties re-assigned to other staff when staff are on holiday?

24. Is excessive dependence upon key members of staff avoided?
   24.1 In every case are there substitute staff ready to step in promptly to perform competently
   the duties of staff who become unavailable?

25. Are duties rotated where appropriate?

26. Is original documentation (such as expenses vouchers) required to support claims - to
avoid the risk of multiple presentation?

27. Is all documentation stamped appropriately - eg. with “Date Received” or with a
cancellation stamp?

28. Are there adequate arrangements to protect corporate data and data processing?
   28.1 Where appropriate, are they tested?

29. Are there effective arrangements to ensure business continuity?
   29.1 Where appropriate, are they tested?

30. Are all important procedures fully documented?
   30.1 Are the procedures known to those who apply them?
   30.2 Is the documentation of procedures kept up-to-date?

31. Is there an effective internal audit with unrestricted scope and unrestricted rights of
access?
ENDNOTES

1. For instance, changes to computer-based customer credit limits may require prior authorisation; but additionally it may be helpful for a changed credit limit not to be applied by the computer until an appropriate manager has had it displayed on his or her screen and has approved the new value. This acts as an additional safeguard against unauthorised or invalid computer input.
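The following is an added worked example, not part of the Guide, of how the “after the event” authorisation in endnote 1 and the segregation of duties in Table 1 (items 2, 3 and 10) can be built into a computer system as a maker-checker (dual authorisation) control. A proposed credit-limit change is recorded but not applied until a different, suitably authorised person approves it, and every blocked attempt is written to an exception log for follow-up (item 11). The user names, roles and approval thresholds are hypothetical and exist only for illustration.

```python
"""Maker-checker control for computer-based customer credit limits.

Added example (not from the Guide). Models endnote 1 and Table 1 items
2, 3, 10 and 11: a changed value is held pending, is applied only when a
different person with sufficient authority approves it, and every
exception is logged so that managers can follow it up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical approval authority per role (illustrative values only).
# A role may approve a new limit only up to this amount.
ROLE_APPROVE_UP_TO = {"clerk": 0, "supervisor": 50_000, "manager": 250_000}


class ControlViolation(Exception):
    """Raised when a requested action would breach a control rule."""


@dataclass
class PendingChange:
    change_id: int
    customer: str
    old_limit: int
    new_limit: int
    proposed_by: str
    status: str = "pending"          # pending | approved | rejected
    decided_by: Optional[str] = None


@dataclass
class CreditLimitLedger:
    users: Dict[str, str]                                   # user -> role
    limits: Dict[str, int] = field(default_factory=dict)    # applied limits
    pending: Dict[int, PendingChange] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)
    _next_id: int = 1

    def propose(self, user: str, customer: str, new_limit: int) -> int:
        """The maker records a change; nothing is applied yet (prior check)."""
        if user not in self.users:
            raise ControlViolation(f"unknown user {user!r}")
        if new_limit < 0:
            raise ControlViolation("credit limit cannot be negative")
        change = PendingChange(self._next_id, customer,
                               self.limits.get(customer, 0), new_limit, user)
        self.pending[change.change_id] = change
        self._next_id += 1
        self.audit_log.append(f"PROPOSE id={change.change_id} {customer} "
                              f"{change.old_limit}->{new_limit} by {user}")
        return change.change_id

    def approve(self, approver: str, change_id: int) -> int:
        """The checker reviews the displayed value; only then is it applied."""
        change = self.pending.get(change_id)
        if change is None or change.status != "pending":
            raise ControlViolation(f"no pending change {change_id}")
        if approver == change.proposed_by:
            # Segregation of duties: the maker may never be the checker.
            self.audit_log.append(f"EXCEPTION id={change_id} self-approval "
                                  f"attempted by {approver}")
            raise ControlViolation("proposer cannot approve own change")
        role = self.users.get(approver)
        if role is None or ROLE_APPROVE_UP_TO.get(role, 0) < change.new_limit:
            self.audit_log.append(f"EXCEPTION id={change_id} {approver} ({role}) "
                                  f"lacks authority for {change.new_limit}")
            raise ControlViolation("approver lacks authority for this amount")
        change.status, change.decided_by = "approved", approver
        self.limits[change.customer] = change.new_limit   # applied only now
        self.audit_log.append(f"APPROVE id={change_id} by {approver}; "
                              f"{change.customer} now {change.new_limit}")
        return change.new_limit

    def exception_report(self) -> List[str]:
        """Entries that a manager should follow up (Table 1 item 11)."""
        return [e for e in self.audit_log if e.startswith("EXCEPTION")]


def demo() -> dict:
    """Walk through the control with constructed users and customers."""
    ledger = CreditLimitLedger(users={"alice": "clerk", "bob": "supervisor",
                                      "carol": "manager"})
    cid = ledger.propose("alice", "ACME Ltd", 40_000)
    before = ledger.limits.get("ACME Ltd", 0)        # still 0: not yet applied
    try:
        ledger.approve("alice", cid)                  # blocked: self-approval
    except ControlViolation:
        pass
    after = ledger.approve("bob", cid)                # supervisor within limit
    big = ledger.propose("alice", "ACME Ltd", 200_000)
    try:
        ledger.approve("bob", big)                    # blocked: exceeds authority
    except ControlViolation:
        pass
    final = ledger.approve("carol", big)              # manager may approve
    return {"before": before, "after": after, "final": final,
            "exceptions": len(ledger.exception_report())}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the stored limit never changes on the maker’s input alone; the approval step is the control, and the two logged exceptions (a self-approval and an approval beyond the approver’s authority) are exactly the events an exception report should surface for follow-up.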
