Internal Control Systems

According to the Turnbull guidance in the UK Combined Code, control systems need to:

  • Safeguard company assets
  • Maintain the efficient running of the business
  • Protect the accuracy of financial reporting information
  • Protect the company from breaking laws and regulations

There are several ways in which control can be achieved in an organisation:

  • The use of contracts (e.g. with employees) to clarify roles and responsibilities
  • A system of reward and discipline
  • Feedback and feedforward
  • A clear organisational and command structure

It is generally accepted that a good Internal Control System is made up of 5 elements:

  • A strong Control Environment
  • Good Control Procedures
  • Good Risk Assessment
  • Good Information Systems
  • Effective Monitoring (typically the role of internal auditors)


Control environment
The control procedures are unlikely to be effective unless there is a strong control environment:

  • Management Attitude needs to be strong:
    • managers follow same controls as staff, no override
    • those breaching controls are punished
    • controls are part of staff training
  • Staff who are likely to follow the controls:
    • recruitment process to get “right” sort of people (e.g. no criminal record)
    • training to ensure all understand importance of controls
  • Segregation of Duties
    • different parts of processes done by different people
    • nobody checks their own work
    • nobody has total control of all parts of a transaction

Control procedures
There are several types of control procedure:
  • Comparison
  • Authorisation
  • Reconciliations
  • Computer Controls
  • Arithmetical
  • Physical

or CARCAP for short.

Your company, Southgate Snax, has recently won a contract to provide on-board refreshments on all the trains servicing the Southern England railway network.
Your company will operate a trolley system serving hot and cold drinks (including alcohol) and a selection of light snacks.
Overall, 128 different routes will be serviced.

Risk assessment
Clearly, if the risks are not identified properly at the start of a risk management process, the wrong control procedures will be put in place ... and so the control system will fail.
Unfortunately, this issue can never be completely avoided ... because whatever controls you have in place, a clever criminal will inevitably find a way around them!

Information systems
You can only know if your controls are effective if you have accurate information being produced. Inaccurate information may be hiding problems.

On paper, many systems sound fantastic and impossible to break. In reality, the truth is often very different. Despite massive security, high profile buildings often get broken into ... often because the controls that management THINK are happening are in fact routinely ignored.
Companies should monitor their controls to ensure they are taking place, and are achieving the desired effect.
Monitoring is typically carried out by Internal Auditors.


Limitations of internal control systems
Even if Control Systems are assessed as very strong, auditors will still do SOME substantive testing. Controls are never completely reliable because:

  • staff make mistakes
  • staff collude to override systems
  • staff believe the cost of the control is greater than the benefit ... so refuse to do it
  • controls are designed for normal events ... unique / new types of transaction may bypass the system

In running large organisations, directors cannot directly control every event and transaction. They rely on organisational structures, control systems, and risk management processes to ensure the business runs smoothly, fraud is eradicated (as far as possible) etc.
Directors need assurance that these processes are working properly, and advice on how improvements can be made. Historically, this is the role of internal auditors.

Role of internal audit
Internal auditors will be involved in a wide range of “checking” and reporting activities, including:

  • checking that internal control systems are operating
  • reporting on the effectiveness of risk management systems
  • fraud investigations
  • efficiency audits (e.g. Value for Money Audits) on individual departments
  • project audits

Independence of internal audit
Internal auditors are often:

  • employees of the organisation
  • reporting to the directors …
  • …about matters that are the responsibility of the directors!

As such, their independence is bound to be questionable. For example:

  • they may ignore frauds because they trust workplace colleagues, or feel sympathy for them
  • they may decide not to report problems for fear of upsetting their ultimate bosses, the directors
  • they may decide not to report problems for fear that the company may get into trouble and they might lose their jobs
  • as internal staff, they may be pressured or intimidated into keeping quiet
  • if they report to directors and directly criticise them, the report may be ignored

Improving Independence

  • The internal audit function could be outsourced to experts (e.g. a firm of accountants!)
  • The internal audit function should not report to the Board directly … but should first report to an Audit Committee, made up of independent NEDs (more detail on audit committees is below).
  • The Chief Internal Auditor should have access to the Chairman, or another very senior non-executive director
  • Where the internal audit team are internal employees:
    • They should have no operational duties, nor should they have had in the recent past
    • Ideally, they should have no major family or personal ties to operational staff or departments on whom they report
  • Where they are outsourced, independence can be improved by following similar guidelines as with external auditors:
    • The same outsource firm should not act as internal auditor for Company X for too many years in a row
    • The outsource firm should not be performing too many other services for the company (as a self-review or self-interest threat may arise)
    • Fee levels should be monitored to ensure that the outsource firm is not too dependent on a single internal audit client.



Role in corporate governance

  • To oversee all financial reporting so as to be assured that the annual report and financial statements present a fair and balanced, accurate view of the company
  • To oversee risk management and internal control systems (if there is a separate Risk Committee then the Audit Committee will focus on financial controls)
  • To ensure that internal control systems are reviewed for effectiveness at least annually, and that the results of this review are disclosed in the Annual Report
  • To liaise with the internal and external audit functions, meet regularly with them, receive their reports, consider the need to replace them etc.

Benefits of audit committees

  • Strengthens the independence of internal and external audit functions by:
    • Taking appointment, fee-setting etc out of the hands of executive directors
    • Ensuring that the company, as well as the audit firm, is considering independence
  • Raises the profile and importance of audit, risk management etc.
  • May help to allow interaction and co-operation between internal and external audit functions
  • Provides a quality control function over internal and external audit functions.