Internal Control

It is a process for assuring achievement of an organization's objectives in operational
effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations
and policies. A broad concept, internal control involves everything that controls risks to an
It is a means by which an organization's resources are directed, monitored, and measured.
It plays an important role in detecting and preventing fraud and protecting the organization's
resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or
intellectual property such as trademarks).
The internal control system comprises policies, practices, and procedures employed by the
organization to achieve four broad objectives:

To safeguard the assets of the firm.
To ensure the accuracy and reliability of accounting records and information.
To promote operational efficiency in the firm's operations.
To measure compliance with management's prescribed policies and procedures.

Components of Internal Control are:

Control Environment
The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control,
providing discipline and structure. Control environment factors include the integrity, ethical
values and competence of the entity's people; management's philosophy and operating style; the
way management assigns authority and responsibility, and organizes and develops its people; and
the attention and direction provided by the board of directors.

Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achievement of the
objectives, forming a basis for determining how the risks should be managed. Because economic,
industry, regulatory and operating conditions will continue to change, mechanisms are needed to
identify and deal with the special risks associated with change.

Control Activities
Control activities are the policies and procedures that help ensure management directives
are carried out. They help ensure that necessary actions are taken to address risks to achievement
of the entity's objectives. Control activities occur throughout the organization, at all levels and in
all functions. They include a range of activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, security of assets and segregation
of duties.

Information and Communication
Pertinent information must be identified, captured and communicated in a form and
timeframe that enable people to carry out their responsibilities. Information systems produce
reports, containing operational, financial and compliance-related information, that make it
possible to run and control the business. They deal not only with internally generated data, but
also information about external events, activities and conditions necessary to informed business
decision-making and external reporting. Effective communication also must occur in a broader
sense, flowing down, across and up the organization. All personnel must receive a clear message
from top management that control responsibilities must be taken seriously. They must understand
their own role in the internal control system, as well as how individual activities relate to the work
of others. They must have a means of communicating significant information upstream. There
also needs to be effective communication with external parties, such as customers, suppliers,
regulators and shareholders.

Monitoring
Internal control systems need to be monitored--a process that assesses the quality of the
system's performance over time. This is accomplished through ongoing monitoring activities,
separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of
operations. It includes regular management and supervisory activities, and other actions personnel
take in performing their duties. The scope and frequency of separate evaluations will depend
primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal control deficiencies should be reported upstream, with serious matters reported to top
management and the board.
There is synergy and linkage among these components, forming an integrated system that
reacts dynamically to changing conditions. The internal control system is intertwined with the
entity's operating activities and exists for fundamental business reasons. Internal control is most
effective when controls are built into the entity's infrastructure and are a part of the essence of the
enterprise. "Built in" controls support quality and empowerment initiatives, avoid unnecessary
costs and enable quick response to changing conditions. There is a direct relationship between the
three categories of objectives, which are what an entity strives to achieve, and components, which
represent what is needed to achieve the objectives. All components are relevant to each objectives
category. When looking at any one category--the effectiveness and efficiency of operations, for
instance--all five components must be present and functioning effectively to conclude that internal
control over operations is effective.

Physical Controls
This class of controls relates primarily to human activities employed in accounting
systems. These controls also include physical security measures such as locked doors and desk
drawers, safe filing cabinets, and vaults, whereby access is restricted to authorized persons only.

Transaction Authorization: The purpose of transaction authorization is to ensure that all
material transactions processed by the information system are valid and in accordance
with management's objectives.

Segregation of Duties: One of the most important control activities is the segregation of
employee duties to minimize incompatible functions.

The segregation of duties should be such that the authorization for a transaction is
separate from the processing of the transaction.

Responsibility for the custody of assets should be separate from the recording

The organization should be structured so that a successful fraud requires collusion
between two or more individuals with incompatible duties.
The following activities shall be adequately separated to provide for a distinct distribution
of functions and accountabilities:

Receiving and depositing of cash;
Control for vault operation;
Authorizing disbursements;
Disbursing;
Recording of disbursements; and
Reconciliation of registers and log books.

Supervision: Implementing adequate segregation of duties requires that a firm employ a
sufficiently large number of employees. Achieving adequate segregation of duties often
presents difficulties for small organizations. In small organizations or in functional areas
that lack sufficient personnel, management must compensate for the absence of
segregation controls with close supervision.

Accounting Records: The accounting records of an organization consist of source
documents, journals, and ledgers. These records capture the economic essence of
transactions and provide an audit trail of economic events.

Access Control: The purpose of access controls is to ensure that only authorized
personnel have access to the firm's assets. Unauthorized access exposes assets to
misappropriation, damage, and theft.

Independent Verification: Verification procedures are independent checks of the
accounting system to identify errors and misrepresentations.

Number Control

Number control is defined as the use of pre-assigned numbers on certain documents to
ensure the integrity and completeness of transactions.

The numbers are usually pre-printed on the form. Number control shall be used for
cash vouchers, official receipts, expense vouchers, and other important records of the

A master registry of documents that are numbered shall be maintained and each issuance
shall be recorded to determine its completeness. The number shall always be used when
posting the transactions in the ledgers (subsidiary and general) and when making
verifications. Documents that are numbered shall at all times be kept in the vault under the
joint custody of two (2) employees. The working file or those which are used for daily
transactions can be in the custody of the employee in charge of these transactions. At the
end of the day, these working files must be kept inside the vault.

Issuance must always be in accordance with the numerical sequence.

Dual Control
Dual control means that the work of one person shall be verified by another person to

That proper authority has been given to handle the transactions;

That the transaction is properly recorded; and
That proper settlement of the transaction is made.

Joint custody
Joint custody shall mean keeping cash, vital records and documents in safes or with the
keys and combinations under the care of two (2) employees, one of whom shall be an officer. With
this policy, no one person can gain sole access to the contents of the vault. The custodians of the
keys and combinations shall ensure that these are not made available to any other person in the
company. Duplicate keys and combinations shall be maintained and used in case of absence of
any one of the regular custodians. Alternate custodians shall also be appointed to facilitate
access to the cash records. Vault combinations must be changed after they have been exposed to
persons other than the regular custodian or alternate custodian.

Arithmetic controls
Calculations and summations are recomputed and checked in source documentation,
financial listings, and reports.

Physical control
This means physical security measures for assets and accounting records or documents. This
may also include locked doors and desk drawers, safe filing cabinets, and vaults, whereby access is
restricted to authorized persons only.

Only those persons who are adequately qualified and experienced are recruited to
undertake specified duties and responsibilities. As far as possible, a level of honesty and
integrity should also be assured before hiring the applicant. This control includes capability and
psychological testing as well as taking up references and making inquiries with previous employers.
Also, if employees have a fundamental understanding of company systems, which comes
from a combination of experience and intensive training by the company, then they will
understand why controls are used, as well as the ramifications of their absence. Conversely, the
lack of experience or training tends to result in the lapsing of controls.

Independent balancing
Independent balancing is the process wherein the records posted by one person shall be
verified by another person in the same department or office.

The subsidiary ledger totals shall be verified against the general ledger figures and must at all
times be balanced.

Reconciliation should be made of any discrepancy or difference between the records.

All discrepancies must be investigated and must be identified.