
INTERNAL CONTROL

Penn has adopted the Integrated Internal Control Framework (IICF), an adaptation of COSO
(Committee of Sponsoring Organizations of the Treadway Commission), for utilization as the
foundation of the internal control and compliance environment.

This Framework defines internal control as a process, effected by an entity's board of directors,
management and other personnel. This process is designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.

This definition reflects certain fundamental concepts:

- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely policy manuals and forms, but people functioning at every level of an organization.
- Internal control is geared to the achievement of objectives in several overlapping categories.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to the institution's leaders regarding achievement of operational, financial reporting and compliance objectives.

Effective administration involves planning, executing and monitoring. Internal control is a tool used by
administrators to accomplish these processes.

Management's Responsibility For Internal Control

In accordance with University Policy 2701, management is responsible, in both the central and
decentralized operating units, for establishing, maintaining and promoting effective business practices
and effective internal controls. Such systems of internal control will vary from activity to activity
depending upon the operating environment, including the size of the entity, its diversity of operations
and the degree of centralization of financial and administrative management.

While there may be practical limitations to the implementation of some internal controls, each
business function throughout the University and Penn Medicine must establish and maintain a system
of controls which meets the minimum requirements as established by the University's Internal Control
Policy. A properly functioning system of controls improves the efficiency and effectiveness of
operations, contributes to safeguarding assets and identifies and discourages irregularities, such as
questionable or illegal payments and practices, conflict of interest activities and other diversions of
assets.

Components of Internal Control

Internal Control consists of five interrelated components derived from basic University operations and
administrative processes as follows:

- Control Environment – The core of any educational institution is its people. They are the engine that drives the organization. Their individual attributes (integrity, ethical values and competence) and the environment in which they operate determine the success of the institution.
- Risk Assessment – Colleges and universities must be aware of and deal with the risks they face. They must set objectives that integrate key activities so the total organization operates in concert. They also must establish mechanisms to identify, analyze, and manage the related risks.
- Control Activities – Control policies and procedures must be established and executed to help ensure that actions necessary to achieve the institution's objectives are effectively carried out.
- Information and Communication – Surrounding these activities are information and communication systems. These enable the organization's people to capture and exchange the information needed to conduct, manage, and control its operations.
- Monitoring – The entire process must be monitored and modified as necessary. Thus, the system can react dynamically to changing conditions.

The following models show the relationships among these components:

[Figure: COSO Pyramid, showing the correlation between the internal control components.]

[Figure: COSO Cube, showing the relationship between units, activities and objectives.]

The Control Environment provides an atmosphere in which people conduct their activities and carry
out their control responsibilities. It serves as the foundation for the other components. Within this
environment, management assesses risks to the achievement of specified objectives. Control
activities help ensure that management directives are carried out to address the risks. Meanwhile,
relevant information is captured and communicated throughout the organization. The entire process is
monitored and modified as conditions warrant.

Types of Controls

Many types of controls can help management direct their activities, such as:

- Preventive Controls are intended to deter inappropriate events from happening. These are the best types of controls, but they are typically the most expensive to implement.
- Detective Controls are actions that are taken to detect and correct undesirable events that have already occurred.
- Directive Controls are intended to cause a desired behavior or event to occur.

Often, the best strategy is a combination and collection of all types of controls used together that
enable an organization to achieve its goals and objectives.

OPERATIONAL

Segregation of Duties

Segregation of duties is a key internal control intended to minimize the occurrence of errors or fraud
by ensuring that no employee has the ability to both perpetrate and conceal errors or fraud in the
normal course of their duties. Generally, the primary incompatible duties that need to be segregated
are:

- Authorization or approval
- Custody of assets
- Recording transactions
- Reconciliation/Control Activity

Some examples of incompatible duties are:

- Authorizing a transaction, and receiving and maintaining custody of the asset that resulted from the transaction
- Receiving funds (checks or cash) and approving write-off of receivables
- Reconciling bank statements/accounts and booking entries to the general ledger
- Depositing cash and reconciling bank statements
- Approving time cards and having custody of pay checks

If internal control is to be effective, there needs to be an adequate division of responsibilities among
those who perform accounting procedures or control activities and those who handle assets. Ideally,
separate employees will perform each of the four major duties. In general, the flow of transaction
processing and related activities should be designed so that the work of one individual is either
independent of, or serves to check on, the work of another. Such arrangements reduce the risk of
undetected error and limit opportunities to misappropriate assets or conceal intentional misstatements
in the financial statements.

When duties cannot be sufficiently segregated due to the small size of a unit, it is important that
mitigating controls, such as a detailed supervisory review of the activities, be put in place to reduce
risks.
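
As an added illustration (not part of the University's guidance), the following Python script applies the segregation-of-duties rules above to a unit's task roster: it maps each employee's tasks onto the four incompatible duty classes, reports anyone holding more than one, and then checks whether a documented mitigating control covers each remaining conflict. The task names, employee names and mitigation records are constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check for a unit's task roster.

Added example, not part of the University's guidance. It maps each employee's
concrete tasks onto the four incompatible duty classes named in the text
(authorization, custody, recording, reconciliation), reports anyone holding
more than one class, and then checks whether a documented mitigating control
(e.g. a supervisory review by someone else) covers each remaining conflict,
as the text recommends for small units that cannot fully segregate.
"""
from itertools import combinations

AUTHORIZE, CUSTODY, RECORD, RECONCILE = "authorize", "custody", "record", "reconcile"

# Task names are constructed for this example, modelled on the incompatible
# pairs listed in the text (approve + custody, receive funds + approve
# write-offs, reconcile bank + post GL, deposit cash + reconcile, approve
# time cards + hold pay checks).
TASK_CLASS = {
    "approve_purchase": AUTHORIZE,
    "approve_receivable_writeoff": AUTHORIZE,
    "approve_timecards": AUTHORIZE,
    "receive_funds": CUSTODY,
    "deposit_cash": CUSTODY,
    "hold_paychecks": CUSTODY,
    "post_general_ledger": RECORD,
    "reconcile_bank_statement": RECONCILE,
}


def classify(tasks):
    """Return the set of duty classes covered by a list of tasks.

    An unclassified task is an error rather than silently ignored: a task the
    reviewer has not mapped could hide a conflict.
    """
    unknown = sorted(t for t in tasks if t not in TASK_CLASS)
    if unknown:
        raise ValueError(f"unclassified tasks: {unknown}")
    return {TASK_CLASS[t] for t in tasks}


def find_conflicts(assignments):
    """assignments: {employee: [task, ...]} -> {employee: [(class_a, class_b), ...]}.

    Holding any two of the four classes is a conflict; every pair held is
    reported so the reviewer sees the whole picture for that person.
    """
    conflicts = {}
    for emp, tasks in assignments.items():
        classes = sorted(classify(tasks))
        if len(classes) > 1:
            conflicts[emp] = list(combinations(classes, 2))
    return conflicts


def unmitigated_conflicts(assignments, mitigations):
    """Return the conflicts not covered by an acceptable mitigating control.

    mitigations: {employee: {"reviewer": name, "control": description}}.
    A mitigation is accepted only when the reviewer is a different person who
    performs none of the reviewed employee's tasks; otherwise the reviewer
    would be checking their own work.
    """
    remaining = {}
    for emp, pairs in find_conflicts(assignments).items():
        m = mitigations.get(emp)
        if m is None or m["reviewer"] == emp:
            remaining[emp] = pairs
            continue
        shared = set(assignments.get(m["reviewer"], [])) & set(assignments[emp])
        if shared:
            remaining[emp] = pairs
    return remaining


# Constructed roster for a small unit where full segregation is not possible.
SAMPLE_ASSIGNMENTS = {
    "alice": ["approve_purchase", "receive_funds"],        # authorize + custody
    "bob": ["deposit_cash", "reconcile_bank_statement"],   # custody + reconcile
    "carol": ["post_general_ledger"],                      # record only
    "dave": ["approve_timecards"],                         # authorize only
}
SAMPLE_MITIGATIONS = {
    "bob": {"reviewer": "carol",
            "control": "monthly supervisory review of deposit tickets"},
}

if __name__ == "__main__":
    for emp, pairs in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"conflict: {emp} holds {pairs}")
    for emp, pairs in unmitigated_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_MITIGATIONS).items():
        print(f"UNMITIGATED: {emp} {pairs}")
```

Run as-is, it reports alice (authorize + custody) and bob (custody + reconcile), then lists only alice as unmitigated because carol's review covers bob.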

Delegation of Authority

In today's busy and dynamic environment, it is impossible for one individual to perform all the duties
and tasks that are required to achieve the University's objectives. To meet the needs of their
customers, managers delegate authority to staff so that decisions and related actions can occur in a
timely manner. Delegation of Authority (DOA) is the formal process in which one person delegates the
authority and responsibility to another person to carry out specific activities. Typically a manager will
delegate to a subordinate a certain authority for a specific transaction (e.g. approve reimbursements
up to $500). However, the person who delegated the work remains accountable for the outcome of the
delegated work. If DOA is done properly, the University can save time and money while building the
skills of its workforce. Managers should develop a framework in which they document the types of
transactions and related dollar thresholds for which they delegate their authority to another individual.
This documentation needs to be maintained as personnel change within their unit. It should include at
a minimum: a specified time period not greater than one year, the name and title of the individual, the type of
transactions and related dollar limits, and the scope of authority. Managers need to ensure that
individuals who received delegated authority have been properly trained and are well versed in the
University policies that govern the authority delegated. At least annually, the DOA framework needs to
be reviewed for appropriateness to ensure University objectives are being achieved while limiting risk
to an acceptable level.

Purchasing Card Monitoring

The key control to ensuring the effectiveness of your unit's Purchasing Card Program is a strong
supervisory review and approval process. Purchasing Card Roles & Responsibilities require that
transaction approvers confirm cardholder transactions for legitimacy and compliance with University
policies. This is most readily achieved through a monthly supervisory review of cardholders'
Statement of Account and supporting documentation and evidenced by the reviewer's signature.

Perform the monthly supervisory review to:

- Ensure that adequate receipts are present and match all purchases shown on the cardholder's monthly statement.
  - If supporting documentation is not provided, ask the cardholder to provide it or obtain a copy from the vendor.
- Validate the business appropriateness of items purchased.
  - If questionable transactions are identified, contact the cardholder for an explanation of the transaction.
  - Validate the explanation with other departmental personnel, if possible (e.g. when the explanation provided is that the item was purchased at the request of Dr. Smith).
  - If the cardholder is not able to appropriately support or explain a questionable transaction, contact the Senior Business Officer (or their designee) and the Purchasing Card Administrator.
- Ensure that Purchasing policies are being followed:
  - Transactions are not split to avoid single transaction limits.
  - Items purchased do not include restricted commodities and were not acquired through restricted suppliers.
  - The Purchasing Card was the appropriate buying method for the transaction (refer to the Buying Decision Chart and BEN Financials Commodity Matrix).
- Sign and date the monthly statement to document that the review has taken place.
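
Two of the review steps above (receipts present for every line, and no transactions split to stay under the single-transaction limit) can be pre-screened in code before the reviewer signs the statement. The following Python script is an added example and not the University's own tooling; the limit value, cardholder names, vendors and statement lines are constructed placeholders.

```python
"""Purchasing-card statement review helpers.

Added example, not the University's own tooling. It implements two of the
checks in the monthly supervisory review as code: statement lines with no
supporting receipt, and possible split transactions, i.e. two or more charges
by one cardholder to one vendor on one day that are each under the
single-transaction limit but together exceed it. The limit and all statement
lines are constructed placeholders, not Penn's actual values.
"""
from collections import defaultdict
from datetime import date

SINGLE_TRANSACTION_LIMIT = 2500.00  # placeholder; use your unit's limit

# Constructed statement lines: (cardholder, date, vendor, amount, receipt_present)
STATEMENT = [
    ("holder_a", date(2024, 3, 4), "Lab Supply Co", 1800.00, True),
    ("holder_a", date(2024, 3, 4), "Lab Supply Co", 1650.00, True),
    ("holder_a", date(2024, 3, 6), "Office Supply", 120.00, False),
    ("holder_b", date(2024, 3, 4), "Lab Supply Co", 900.00, True),
    ("holder_b", date(2024, 3, 11), "Equipment Inc", 2700.00, True),
]


def find_missing_receipts(lines):
    """Lines the reviewer must chase with the cardholder or the vendor."""
    return [(h, d, v, a) for h, d, v, a, receipt in lines if not receipt]


def find_over_limit(lines, limit=SINGLE_TRANSACTION_LIMIT):
    """Single charges above the limit (should have been blocked or pre-approved)."""
    return [(h, d, v, a) for h, d, v, a, _ in lines if a > limit]


def find_possible_splits(lines, limit=SINGLE_TRANSACTION_LIMIT):
    """Same cardholder, same vendor, same day, each charge <= limit, total > limit.

    Returns (cardholder, date, vendor, combined_total, charge_count) tuples.
    Grouping by calendar day is a heuristic: a split across midnight or across
    two related vendors will not be caught and still needs the human review.
    """
    groups = defaultdict(list)
    for h, d, v, a, _ in lines:
        groups[(h, d, v)].append(a)
    flagged = []
    for (h, d, v), amounts in groups.items():
        total = round(sum(amounts), 2)
        if len(amounts) >= 2 and max(amounts) <= limit and total > limit:
            flagged.append((h, d, v, total, len(amounts)))
    return sorted(flagged)


def review(lines, limit=SINGLE_TRANSACTION_LIMIT):
    """Bundle the exception lists the reviewer works through before signing."""
    return {
        "missing_receipts": find_missing_receipts(lines),
        "over_limit": find_over_limit(lines, limit),
        "possible_splits": find_possible_splits(lines, limit),
    }


if __name__ == "__main__":
    for kind, items in review(STATEMENT).items():
        for item in items:
            print(f"{kind}: {item}")
```

On the constructed statement it flags one missing receipt, one charge over the limit, and the two same-day Lab Supply Co charges (1800 + 1650 = 3450) as a possible split.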

Cash Controls

Any unit collecting or maintaining cash needs to ensure that collections are sufficiently safeguarded.
“Cash” for purposes of controls discussion includes currency, coins, checks, money orders, and gift
certificates/cards. Types of cash typically on hand include cash receipts, petty cash accounts, and
change funds. The following principles of good cash handling will be discussed in greater detail:
Segregation of duties, Security, Reconciliation, Management Review, Documentation.

Segregation of Duties: Cash handling duties can be divided into four stages: receiving, depositing,
recording, and reconciling. Ideally, all four stages would be performed by different individuals. The
purpose of this segregation of duties is to minimize the opportunity for an employee to misappropriate
funds and avoid detection. In a smaller department, it may not be feasible to fully segregate all of the
cash-related duties. In these circumstances, the department may rely on compensating controls to
mitigate the risk that cash is misappropriated (e.g., increased monitoring).

Security: Keep all cash in a safe until it is deposited. For areas with regular cash receipts, a drop safe
is recommended to limit access to the contents of the safe. Regardless of the type of safe used, limit
access to supervisory and authorized personnel only. Locate the safe where it is continually visible to
departmental employees but out of public sight. Change the combination of the safe on a regular
basis (e.g. annually) and when an employee who knows the combination to the safe leaves the unit. If
cash boxes are used, ensure that they can be locked, are fire resistant, are not easily movable or
concealable, and that access is limited to the person collecting the cash. Cash boxes cannot be shared
amongst employees, as accountability for the cash will be diminished and management will not be
able to readily assign responsibility for shortages to the appropriate employee. If large sums of money
are being collected and/or cash is collected in a high traffic area, consider installing a camera and
alarm system.

Reconciliation & Documentation: Cash collections must be reconciled on a daily basis to the cash
register/point of sale system to ensure the completeness of receipts. On a monthly basis, an
employee who does not collect funds must reconcile deposit tickets to general ledger accounts to
ensure that all amounts were properly deposited and reconcile general ledger balances to bank
records to ensure that deposits were appropriately credited by the bank. See below for additional
information on documenting reconciliations.

Record keeping requirements exist throughout the cash collections process. A record of cash
collected must be maintained by the employee responsible for accepting the cash. This could be in
the form of a cash register tape, a revenue log, a pre-numbered receipts book, etc. This record will be
compared to the actual cash on hand during the daily balancing of the register or cash box. Records
of deposits made must be documented and retained to assist in the performance of reconciliations.
Reconciliations between book and bank balances must be performed on a monthly basis, and
documentation that the reconciliation was performed and that reconciling items were investigated and
resolved must be retained.

Management Review: Supervisors should initial and date all reconciliations to demonstrate that they
were reviewed and approved.

Policies and Procedures

In accordance with University Policy 2701 (Internal Control Policy), management is responsible for
establishing, maintaining and promoting effective business practices and effective internal controls.
The development of written departmental policies and procedures is an effective way to maintain a
strong system of internal controls. Use documented policies and procedures to clearly delineate the
control activities performed throughout the unit's various business processes. These will aid in the
orientation of new employees, help ensure business continuity in the event of turnover, and help
ensure compliance with applicable laws and regulations.

Business Purpose Documentation

All expenditures are expected to be made for ordinary, reasonable, and actual business-related
activities in furtherance of University and Health System missions. Additionally, Penn receives
significant funding from federal sponsors and other sources that carry substantial fiduciary
responsibilities. Failure to require supporting documentation evidencing business purpose for internal
reviewers can result in inappropriate expenditures going undetected. Failure to provide supporting
documentation with business purposes to external reviewers could result in disallowances, fines, or
penalties, which have financial and reputational impacts for the University.

An adequate business purpose should describe the reason why the transaction occurred, as opposed
to only restating the item purchased. For example, “Freezer” would not be a sufficient business
purpose explanation. An appropriate explanation could be: “Freezer for storage of research samples
in Dr. Smith's lab.” Business purpose explanations should be sufficiently detailed to allow the
reviewer, whether an internal supervisor, a federal auditor, an IRS agent, etc., to establish
that the transaction was for the sole benefit and use of the University in accordance with its
non-taxable mission.

Approval of Time Cards

In order to ensure the propriety of submitted hours, employee time cards/records are to be approved
by their supervisor as certification that the hours/work were actually performed as reported. If feasible,
overtime should be approved in advance. Supervisors should sign or initial and date the timecards to
document their review and approval. Do not return approved timecards to employees for delivery to
the timekeeper for input. This provides individuals with the opportunity to alter an already approved
timecard and receive inappropriate additional pay.

Performing Annual Performance Evaluations

Performance evaluations are valuable tools that provide staff members with feedback on their
performance and accomplishments for the previous year. They also assist staff members in
understanding their job responsibilities and supervisor's performance expectations. Evaluations are
expected to be fair, representative of actual performance, written, and performed on an annual basis.
Failure to provide documented evaluations could complicate later disciplinary processes.

Petty Cash Accounts

Petty Cash is easily misappropriated if business processes and internal controls are not established
and enforced. The following controls and concepts will help you ensure that your petty cash accounts
are appropriately used and safeguarded:

- Do not allow the use of petty cash for operating purposes, including the payment of invoices or miscellaneous amounts, the payment of salaries or wages, or advances or loans to staff.
- Allow only the established custodian to access the funds. If that individual is not available for an extended period, contact the Office of the Treasurer to transition responsibility to someone else.
- Require receipts/documentation for all petty cash reimbursements.
- Require that petty cash vouchers be approved by the requesting employee's supervisor or another appropriate individual familiar with the activity that resulted in the original expenditure.
- Safeguard the petty cash fund through the use of lockable cash boxes, and secure the boxes in a locked cabinet drawer or safe when not in use by the custodian.
- During the supervisory review and approval of the replenishment request, ensure that receipts are included and appear appropriate.
- Perform periodic surprise cash counts by an administrative business officer or designee (other than the custodian). The Petty Cash Count form can be used to facilitate and document the surprise counts.

IT

Software Licensing

Installing unlicensed software on departmental computers exposes the University to possible
penalties from software vendors and could result in fines, penalties, or possible litigation having
financial and reputational impacts for the University. Departments are expected to employ an effective
software management process which includes:

- Maintaining documentation supporting the purchase of software
- Associating each software license with a particular machine
- Ensuring that licenses are purchased prior to installing software
- Maintaining a software inventory and recording license additions, deletions, or expirations
- Removing demonstration, trial, or test copies of software within the specified timeframe when the software is not purchased.


Sharing of IDs and Passwords

Never share network or application IDs and passwords. These are used to identify system users and
provide a trail of each user's activity. Sharing these compromises security on multiple levels. First, it
could provide access to data that the individual using the credentials is not authorized to access.
Second, it could facilitate the breakdown in proper segregation of duties to allow the inappropriate
individual to perform a responsibility that conflicts with their own. Third, system audit trails will not
reflect who is actually executing activities; rather they will reflect that they are being performed by you.
This includes fraudulent transactions and inappropriate access to records. The more individuals you
share your credentials with, the more risk you expose yourself to.

Terminating Systems Access

It is increasingly important to ensure that employee access to systems is terminated in a timely
manner, particularly as systems shift to web-based applications. In order to facilitate a process that
ensures appropriateness of access, consider using a checklist of systems access granted to
departmental employees. Use the same list to remove or update access when the employee leaves,
transfers to a new School or Center, or is assigned new responsibilities.

Mission Continuity

Penn’s Mission Continuity program is an institution-wide effort, designed to ensure that protocols and
procedures exist to allow you to resume operations after unexpected interruptions (such as a fire,
flood, or other cause of interruption in operations). As part of Penn’s Mission Continuity program,
Schools, Centers and departments are responsible for developing mission continuity plans and
recording them online using special software tailored for Penn, called Shadow-Planner.

When compiling your mission continuity plan consider the following types of data that will allow you to
effectively respond to events:

- Contacts
- Call lists
- Critical processes and owners
- Building / facility information
- Necessary equipment / supplies
- Key technology and system applications
- Vital documents
- Key supplier contact information

Further examples and a more detailed checklist are available as part of the reference material for the
Shadow-Planner training program. Completing the Pre-Planning Questionnaire will also help
to structure your thinking about this information.

Once plans have been formalized, test the plans annually to ensure that they are current and
sufficient to resume key business processes in a reasonable timeframe. This can be accomplished
through the performance of a tabletop exercise, which includes such activities as calling the call tree to
make sure the listing and numbers are accurate and personnel are responsive, testing remote access
connections, testing backup restoration capabilities, etc.

Data Backup & Recovery

Replication of data (especially critical data) and documentation is a prerequisite for any type of
recovery. Develop a formal backup and tape rotation schedule in order to ensure expedient system
and data recovery. This schedule should define a procedure for performing and storing backup media
at an environmentally safe and secure off-site location.

Specifically, two copies of full backups should be retained. One copy should remain on-site for system
interruptions due to hardware failures and data corruption, and one copy should be moved off-site to
address server room disasters. We recommend that a full data backup be rotated off-site weekly. A
backup of the operating system should be made after each successful upgrade and rotated to off-site
storage.

Other methods for backup and off-site storage are available - for example, ISC’s Back-IT-UP service.
Additional information regarding this service can be found at:
https://www.mr.isc-seo.upenn.edu/Pages/BIU.aspx. Another alternative is to partner with a third party vendor that
specifically provides data backup and off-site storage, such as VRI or Iron Mountain.

Whether using the University's Back-IT-UP service or another third party vendor, ensure that a
contract and service level agreement are in place. Agreements should be reviewed and, if required,
contracts should be provisioned to ensure confidentiality of critical data. Further detail about evaluating
third party vendors can be found on OACP's Privacy web site
at http://www.upenn.edu/oacp/privacy/penndata/evaluating-third-parties.html.

IT Asset Inventory

Efficient and effective computing inventory and software management processes, which ensure that
servers, desktops, workstations and other computing equipment are appropriately accounted for, are
critical to any organization. Failure to properly track computing inventories significantly increases
financial, compliance and operational risks.

Create a formalized computing asset and software asset inventory process. Ensure that critical
applications maintained by departmental personnel are adequately documented and maintained. This
inventory process and documentation facilitates disaster recovery and business continuity planning
and operational efficiencies. Develop maintenance procedures to ensure the inventory reflects current
operations on an on-going basis. Consider utilizing scanning tools, such as BigFix, Track-It, Audit
Wizard, Apple Remote Desktop etc., to facilitate effective and efficient maintenance of hardware and
software inventories.

Web Application Security

The use of web applications has increased significantly as organizations try to find innovative ways to
interact with users and customers. The increasing number of computer break-ins, the amount of
critical data captured, processed, stored and transmitted across networks, and the rules concerning
privacy and protection of personal information require effective controls for managing
and administering network security and applications. Management has a responsibility to ensure that
users are aware of the latest web application security vulnerabilities, verify that web developers are
using secure coding techniques, securely configure web servers, periodically monitor the
effectiveness of web application security processes and controls, and verify that user access to the
web application is appropriate. It is critical that web applications are secure from the latest web
application and web server security vulnerabilities and that only authorized individuals have access to
the application.

Create a process to scan web applications or perform code reviews periodically to identify
vulnerabilities and errors in code, followed by appropriate resolution of any confirmed vulnerabilities
and errors. The Open Web Application Security Project (OWASP) is an excellent resource that is
focused on improving the security of software. Visit their site at https://www.owasp.org.

Looking for an automated commercial scanning tool that you can run against your web applications to
identify vulnerabilities, free of charge? OACP has licensed HP WebInspect to provide just
such a service for the Penn Community. Our license allows us to scan any machine owned by the
University or Penn Medicine. If you would like more information or to schedule a scan, please
contact IT Audit at http://www.upenn.edu/oacp/contact-us.html.


Employee Turnover Checklist

Begin planning the employee’s separation and preparing the exiting process and exit interview as
soon as you find out that a staff member is leaving. It is the responsibility of the supervisor/business
administrator to manage this turnover or exit process. The online Human Resources Policy Manual
should be used as the primary tool to guide this process. These policies are located
at https://www.hr.upenn.edu/myhr/resources/policy/termination. An individual separating from the
University is responsible for returning University owned equipment and materials. These may include
any purchasing cards, library materials, research notes, keys, identification cards and other University
property, which are returned to his/her business administrator or immediate supervisor. Any personal accounts must be
settled with the University.

Removing terminated employee’s access to systems and applications typically requires coordination
from Human Resources, the supervisor/business administrator, and IT. Applicable user access forms
should be completed to disable or remove the staff member’s access from systems and applications
in a timely manner.
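
The systems-access checklist described under Terminating Systems Access, and the coordinated removal of access described here, can be reconciled mechanically against the HR roster and each system's account export. The following Python script is an added example, not the University's process; the roster, checklist, system names and account lists are constructed for illustration.

```python
"""Access-termination reconciliation for a departmental checklist.

Added example, not the University's process. It joins three constructed
inputs: the HR roster (status and unit per employee), the unit's checklist of
systems access granted, and an export of the accounts actually present on each
system. It returns the actions a business administrator would work through:
remove access for separated staff, review access for staff who transferred to
another School or Center, and flag accounts the checklist never recorded or
checklist entries for access that no longer exists. System names are labels
for the example only.
"""
from datetime import date

UNIT = "School A"              # the unit whose checklist is being reconciled
AS_OF = date(2024, 3, 15)      # date of the review

# Constructed HR roster: employee -> (status, current unit, separation date or None)
ROSTER = {
    "emp001": ("active", "School A", None),
    "emp002": ("separated", "School A", date(2024, 2, 29)),
    "emp003": ("active", "Center B", None),  # transferred out of School A
}

# Constructed departmental checklist: employee -> {system: role granted}
CHECKLIST = {
    "emp001": {"financials": "approver", "timekeeping": "supervisor"},
    "emp002": {"financials": "preparer"},
    "emp003": {"timekeeping": "timekeeper"},
}

# Constructed account exports obtained from each system's administrator.
SYSTEM_ACCOUNTS = {
    "financials": {"emp001", "emp002", "emp004"},
    "timekeeping": {"emp001", "emp003"},
}


def reconcile(roster, checklist, system_accounts, unit, as_of):
    """Return sorted (action, employee, system, note) tuples for one unit."""
    actions = []
    for emp, (status, emp_unit, separated_on) in roster.items():
        for system in checklist.get(emp, {}):
            if status == "separated":
                days = (as_of - separated_on).days if separated_on else None
                actions.append(("remove", emp, system,
                                f"separated; {days} days since separation"))
            elif emp_unit != unit:
                actions.append(("review", emp, system,
                                f"transferred to {emp_unit}; confirm access still needed"))
    # Accounts that exist on a system but were never written down on the checklist.
    recorded = {(emp, system) for emp, systems in checklist.items() for system in systems}
    for system, accounts in system_accounts.items():
        for emp in sorted(accounts):
            if (emp, system) not in recorded:
                note = "account exists but is not on the checklist"
                if emp not in roster:
                    note += "; employee not on HR roster"
                actions.append(("unrecorded", emp, system, note))
    # Checklist entries whose account is gone: the checklist itself is out of date.
    for emp, system in sorted(recorded):
        if emp not in system_accounts.get(system, set()):
            actions.append(("stale", emp, system,
                            "checklist lists access that no longer exists"))
    return sorted(actions)


def summarize(actions):
    """Count actions by type, e.g. for the administrator's sign-off."""
    counts = {}
    for action, *_ in actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    rows = reconcile(ROSTER, CHECKLIST, SYSTEM_ACCOUNTS, UNIT, AS_OF)
    for row in rows:
        print(row)
    print(summarize(rows))
```

On the constructed data it produces one removal (emp002, separated 15 days earlier), one review (emp003, now in Center B) and one unrecorded account (emp004 on financials, not on the roster at all).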

Patching Systems

Administrators should ensure that security patches are up-to-date for systems, applications, and
infrastructure. In addition to increased downtime and costs, poor IT patch management increases the
likelihood of security vulnerabilities being present that could be exploited to gain unauthorized access
to systems, applications, and infrastructure.

To the extent possible, patches should be tested in a test/staging environment first before being
deployed into the production environment to verify that patches “behave” appropriately in your
environment.

Because patches affect production, they should be viewed as a “change” and follow your
organization’s structured change management process.

Spyware, Adware and Malware

Adware is the common name used to describe software that is given to the user with advertisements
embedded in the application. Many software developers offer their software as “sponsored” freeware
(adware) until the end user pays for the software, at which point the ads should disappear. Adware is sometimes
used to describe a form of spyware that collects information about the user in order to display
advertisements in the Web browser. Spyware collects information about you and the ways in which
you use your computer. Unfortunately, some of this tracking can become intrusive and move into the
spyware category, causing privacy and security concerns.

These forms of spyware fall into the general category of malware. Malware is generally software that
you don’t want on your computer and, in a generic sense, refers to software that was written with
malicious intent and performs its actions without the user’s permission. Some examples of these
include viruses, worms, Trojans, adware, spyware, browser hijackers, toolbars, searchbars,
packet-capturing programs, keystroke loggers and password crackers.

To limit your exposure to the types of software described above, make sure you use the firewalls and
anti-virus software approved by your unit. Keep the virus definitions up-to-date by setting the automatic
updates to run daily. Numerous spyware detection/removal tools are available and should
be used in coordination with your local support provider if you think your computer has been
compromised. If downloading these free tools, confirm you are downloading from a legitimate site.

The SANS Institute (SysAdmin, Audit, Network, Security) has defined the following “quick wins” as
the quickest way to defend ourselves against these types of attacks:

- Monitor workstations, servers, and mobile devices for irregular activity
- Ensure systems are up-to-date and use auto-update features
- Disable all auto-run features
- Configure automated scanning
- Require and enforce software installation testing and validation prior to production
- Educate users
- Employ anti-malware software
- Block dangerous attachments at e-mail gateways

Server Security

“Monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and
exploitations” and “continuously test and evaluate information security controls and techniques to
ensure that they are effectively implemented”. This statement summarizes the mandate for federal
agencies set out by the 2009 US Senate Homeland Security and Government Affairs Committee in
drafting the U.S. ICE Act of 2009. This guiding principle is a best practice to be followed. To maintain
security of servers (or any device) connected to the network, run the latest version, have up-to-date
patches, and confirm the device is properly configured before connecting it to the network.

Insufficient configuration controls can lead to security and availability exposures that may permit
unauthorized access to systems and data. Manage server configurations by hardening server security
using industry best practices for the server type to eliminate security holes. Common configuration
mistakes include:

1. Leaving default settings on deployed servers.
2. Leaving unnecessary services activated.
3. Leaving default passwords on deployed servers.
4. Building too many security roadblocks into the patch remediation path.

The organization should develop server configuration manuals to instruct IT on how to configure new
servers added to the IT environment, thereby promoting consistency, standardization, and adequate
security across the IT environment.

The SANS Institute (SysAdmin, Audit, Network, Security) has defined the following “quick wins” as
the quickest way to address configuration issues when creating secure systems:
 Create a secure system image
o Document security settings
o Approved by change control board
o Registered with central image library
o Update image based on new threats
o Validate integrity of master image
o Remove unnecessary accounts and services
 Manage image
o Properly validate and secure images
o Negotiate contracts to have image preloaded
o Complement existing security devices
o Document any deviations
 Assessment programs
o Validate number of systems properly configured
o Provide compliance charts to executives
o Track measurable improvements
o Re-image compromised systems
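The configuration mistakes listed earlier (default settings, unnecessary services, default accounts) and the SANS "quick wins" above describe one process: document the settings of the approved image, validate its integrity, then measure how many deployed systems actually match. The following is an added example of that assessment step, not code from SANS or from the original text. The baseline, the master image bytes and the two host snapshots are constructed; a real deployment would collect the snapshots from the hosts and take the registered hash from the image library. Default passwords cannot be checked from a snapshot, so the example checks for the default accounts that carry them.

```python
"""Baseline compliance check for server builds (added example, not SANS code).

Compares each host's snapshot with the documented settings of the approved
image, checks the image hash against the registered master, and reports the
share of hosts that are properly configured.
"""
import hashlib
from dataclasses import dataclass

# Documented security settings of the approved image (hypothetical baseline).
BASELINE = {
    "sshd": {"Protocol": "2", "PermitRootLogin": "no",
             "PasswordAuthentication": "no"},
    "allowed_services": {"sshd", "chronyd", "rsyslog"},
    "forbidden_accounts": {"guest", "admin", "test"},
}

# Constructed stand-in for the master image registered in the image library.
MASTER_IMAGE = b"constructed master image bytes, version 3"
REGISTERED_IMAGE_SHA256 = hashlib.sha256(MASTER_IMAGE).hexdigest()


@dataclass
class HostSnapshot:
    name: str
    sshd_config: str
    running_services: set
    accounts: set
    image_sha256: str


def parse_sshd_config(text):
    """Parse sshd_config-style 'Key value' lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit_host(snapshot, baseline=BASELINE,
               registered_hash=REGISTERED_IMAGE_SHA256):
    """Return a list of deviations from the baseline; empty means compliant."""
    findings = []
    sshd = parse_sshd_config(snapshot.sshd_config)
    for key, expected in baseline["sshd"].items():
        actual = sshd.get(key)
        if actual is None:
            # An unset key means the vendor default is in effect.
            findings.append(f"sshd: {key} not set, default in effect (want {expected})")
        elif actual.lower() != expected.lower():
            findings.append(f"sshd: {key}={actual} (want {expected})")
    for svc in sorted(snapshot.running_services - baseline["allowed_services"]):
        findings.append(f"service: {svc} running but not in baseline")
    for acct in sorted(snapshot.accounts & baseline["forbidden_accounts"]):
        findings.append(f"account: {acct} present, remove before deployment")
    if snapshot.image_sha256 != registered_hash:
        findings.append("image: SHA-256 does not match registered master image")
    return findings


def compliance_summary(results):
    """(compliant hosts, total hosts, percent) for the executive chart."""
    total = len(results)
    compliant = sum(1 for findings in results.values() if not findings)
    percent = 100.0 * compliant / total if total else 0.0
    return compliant, total, percent


def run_audit():
    """Audit two constructed snapshots: one clean build, one drifted build."""
    hosts = [
        HostSnapshot(
            name="web01",
            sshd_config="# from approved image\nProtocol 2\nPermitRootLogin no\n"
                        "PasswordAuthentication no\n",
            running_services={"sshd", "chronyd", "rsyslog"},
            accounts={"root", "deploy"},
            image_sha256=REGISTERED_IMAGE_SHA256,
        ),
        HostSnapshot(
            name="db02",
            sshd_config="Protocol 2\nPermitRootLogin yes\n",
            running_services={"sshd", "rsyslog", "telnet"},
            accounts={"root", "guest"},
            image_sha256=hashlib.sha256(b"tampered image").hexdigest(),
        ),
    ]
    return {h.name: audit_host(h) for h in hosts}


if __name__ == "__main__":
    results = run_audit()
    for name, findings in results.items():
        print(f"{name}: {'compliant' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
    compliant, total, percent = compliance_summary(results)
    print(f"{compliant}/{total} hosts compliant ({percent:.0f}%)")
```

Note that a setting which is simply absent is reported, not skipped: an unset sshd option means the vendor default applies, which is exactly the first configuration mistake on the list. The summary tuple is what feeds the compliance chart and lets improvements be tracked run over run.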

The purpose of this article is to provide an overview of internal control, with particular
emphasis on topics relevant to Part C of the F1/FAB syllabus. The article will focus
on the following learning objectives, as set out in section C6 of the study guide:

a) Explain internal control and internal check
b) Explain the importance of internal financial controls in an organisation
c) Describe the responsibilities of management for internal financial control.

The article will also describe the roles of internal audit and internal audit testing,
relevant to section C2(e) and (f) of the study guide.

Definition and purposes of internal control

The Turnbull Report, first published in 1999, defined internal control and its scope as
follows:

‘The policies, processes, tasks, behaviours and other aspects of an organisation that
taken together:

Facilitate effective operation by enabling it to respond in an appropriate manner to
significant business, operational, financial, compliance and other risks to achieve its
objectives. This includes safeguarding of assets and ensuring that liabilities are
identified and managed.

Ensure the quality of internal and external reporting, which in turn requires the
maintenance of proper records and processes that generate a flow of timely, relevant
and reliable information from both internal and external sources.

Ensure compliance with applicable laws and regulations and also with internal
policies.’

Turnbull’s explanation focuses on the positive role that internal control has to play in
an organisation. Facilitating efficient operations implies improvement, and, properly
applied, internal control processes add value to an organisation by comparing
outcomes against original plans and then proposing ways in which any shortfalls might
be addressed.

At the same time, Turnbull also conceded that there is no such thing as a perfect
internal control system, as all organisations operate in a dynamic environment: just
as some risks recede into insignificance, new risks will emerge, some of which will
be difficult or impossible to anticipate. The purpose of any control system should
therefore be to provide reasonable assurance that the organisation can meet its
objectives.

Objectives of internal control

Internal control should have the following objectives:

Efficient conduct of business: Controls should be in place to ensure that
processes flow smoothly and operations are free from disruptions. This mitigates
the risk of inefficiencies and threats to the creation of value in the
organisation.

Safeguarding assets: Controls should be in place to ensure that assets are
deployed for their proper purposes, and are not vulnerable to misuse or theft. A
comprehensive approach to this objective should consider all assets, including both
tangible and intangible assets.

Preventing and detecting fraud and other unlawful acts: Even small businesses
with simple organisation structures may fall victim to these violations, but as
organisations increase in size and complexity, the nature of fraudulent practices
becomes more diverse, and controls must be capable of addressing these.

Completeness and accuracy of financial records: An organisation cannot
produce accurate financial statements if its financial records are unreliable. Systems
should be capable of recording transactions so that the nature of business
transacted is properly reflected in the financial accounts.

Timely preparation of financial statements: Organisations should be able to fulfil
their legal obligations to submit their accounts, accurately and on time. They also
have a duty to their shareholders to produce meaningful statements. Internal controls
may also be applied to management accounting processes, which are necessary for
effective strategic planning, decision taking and monitoring of organisational
performance.

Responsibilities for internal control

In many smaller, unincorporated businesses such as sole traders and unlimited
partnerships, the responsibility for internal controls often lies with the owners
themselves. In most cases, the owners are fully engaged in the business itself, and if
employees are engaged, it is usually within the capability of the owners to remain
fully aware of transactions and the overall state of the business.

As organisations grow, the need for internal controls increases, as the degree of
specialisation increases and it becomes impossible to remain fully aware of what is
going on in every part of the business.

In a limited company, the board of directors is responsible for ensuring that
appropriate internal controls are in place. Their accountability is to the shareholders,
as the directors act as their agents. In turn, the directors may consider it prudent to
establish a dedicated internal control function. The point at which this decision is
taken will depend on the extent to which the benefits of such a function will outweigh
its costs.

The directors must pay due attention to the control environment. If internal controls
are to be effective, it is necessary to create an appropriate culture and embed a
commitment to robust controls throughout the organisation.

Generic control categories

Controls can be categorised in many different ways. Figure 1 describes five
categories that are often used.

Figure 1: Categories of controls

Internal controls can be:

Mandatory or voluntary: Mandatory controls are those which must be applied,
irrespective of circumstances. These are widely used to prevent breaches of laws or
policy, as well as to minimise risks relating to health and safety. Voluntary controls
are applied according to the judgement of the organisation and its managers.

Discretionary or non-discretionary: Managers may be permitted discretion
according to their interpretation or judgement of risks in given circumstances. Non-
discretionary controls must be applied.

Manual or automated: Manual controls are applied by the individual employee,
whereas automated controls are programmed into the systems of the organisation.
Some systems combine the two: for example, when deciding whether a customer
should be allowed a period of days in which to pay, there could be an automated
‘accept’ above a specified credit rating and an automated ‘decline’ below a specified
credit rating, with an intermediate range in which a manager may be able to override
the automated system.

General controls or application controls: This classification of controls applies
specifically to information systems. General controls help to ensure the reliability of
data generated by systems, helping to ascertain whether systems operate as
intended and output is reliable. Application controls are automated and designed to
ensure the complete and accurate recording of data from input to output.

Common control procedures

Physical controls: These controls include restrictions on access to buildings,
specified office or factory areas or equipment, such as turnstiles at the entrance to
the premises, swipe cards and passwords. They also include physical restraints,
such as fixing non-current assets to prevent removal.

Authorisation and approval limits: Many employees must adhere to authorisation
limits, and these will usually be specified in the terms of employment. For example, a
junior manager may be permitted to book business flights up to the value of $500,
but for tickets costing more than this, the purchase may have to be approved by
someone more senior.

Segregation of duties: To minimise the risk of errors and fraud, duties associated
with cash handling are often segregated. For example, in the post room of a
company that receives cash by post, the employee recording the cash will be a
different person from the one who opens the post. Segregation is also relevant to other
functions. At executive level, it is now best practice to segregate the roles of
chairman and chief executive officer, and as an independent assurance function,
internal audit should be totally segregated from the finance department, with a
reporting line direct to the board of directors or the audit committee.

Management controls: These controls are operated by managers themselves. An
example is variance analysis, through which a manager may be required as part of
their job to consider differences between planned outcomes and actual performance.
Performance management of subordinates is also an integral part of many
managerial positions. Further down the chain of command, supervision
controls are exercised in respect of day-to-day transactions. Organisation
controls operate according to the configuration of the organisation chart and
line/staff responsibilities.

Arithmetic and accounting controls: These controls are in place to ensure
accurate recording and processing of transactions. Procedures here include
reconciliations and trial balances.

Human resources controls: Controls are implemented for all aspects of human
resources management. Examples include verification of qualifications, references and
criminal record checks on recruits, checks on staff who must be attested as
competent, and evaluation of training effectiveness.

Internal check

Internal check is a system through which the accounting procedures of an
organisation are so laid out that the accounts procedures are not under the absolute
and independent control of any person. The work of one employee is complementary
to that of another, enabling a continuous audit of the business to be made.

The essential elements of an internal check are:

 checks are implemented on day-to-day transactions
 checks operate continuously as a part of the system
 the work of each person is complementary to the work of another.

By allocating duties in this way, no one person has exclusive control over any
transaction.

Internal audit

Definition and purposes of internal audit: Internal audit may be defined as an
independent appraisal function established within an organisation to examine and
evaluate its activities as a service to the organisation.

Internal audit supports management in the effective discharge of their
responsibilities. To this end, internal audit furnishes management with analyses,
appraisals, recommendations, counsel and information concerning the activities
reviewed.

Objectives of internal audit

The formal objectives of internal audit may include some or all of the following:

 review of accounting and internal control systems
 examination of financial and operating information
 review of the ‘three E’s (economy, efficiency and effectiveness)
 review of compliance with laws and regulations
 review of arrangements for the safeguarding of assets
 review of implementation of corporate goals and objectives
 identification of significant risks to the organisation, and monitoring risk management
policy and risk management strategies
 special investigations as required.

Why is internal audit necessary?

The importance of internal audit was highlighted by the Turnbull Report. It states that
listed public companies that do not have an internal audit function should review the
need to have such a function at least annually. Turnbull goes on to state that listed
public companies that do have an internal audit function should review the scope,
authority and resources of this function at least annually.

Turnbull suggests that the need for the internal audit function will depend on several
factors. These include:

 the scale, diversity and complexity of the organisation’s activities
 the number of employees – the need for an internal audit function increases as the
number of employees increases, or if employee interrelationships become more
complex
 where the benefits of such a function will outweigh the costs of implementation and
operation
 when changes occur over time in the organisation’s structures, reporting processes
or underlying information systems
 the nature of risks, changes to risks and emerging risks
 problems and issues arising with internal control systems, both actual and perceived
 the occurrence of an increasing number of unexplained or unacceptable events.

Internal audit and internal control

Internal audit is an internal but independent assurance function. While internal
auditors are usually employees of the organisation, they should operate
independently of management so that their analyses, judgements and reports are
free from bias or undue influence. The head of internal audit should report to the
board of directors, or to the audit committee. Some organisations reinforce
independence by outsourcing the internal audit function to professional external
firms.

Internal audit testing is the internal assessment of internal controls and as such is
a management control to ensure compliance and conformity of internal controls to
pre-determined standards.

Key risks: Internal audit reviews and reports on internal controls in relation to key
risks affecting the organisation. The objective here should be to test the extent to
which the controls will control the risk if it crystallises. The conclusions of these
reports should enable management to reconsider the controls and modify or
redesign them if appropriate.

Financial and operating information: Internal audit may examine this information
in order to ensure it is accurate, fit for purpose and timely. Tests may be applied to
determine whether information is correctly measured and therefore suitable as a
basis for informing management and external stakeholders.

Compliance: Increasingly, organisations have to implement performance standards
in relation to compliance. This may be to satisfy the demands of external regulators,
or to operate to pre-determined internal standards. Internal audit should review
operations for compliance with such standards. In this respect, the work of internal
auditors is broadening, as organisations increasingly pursue compliance not only
with industry standards for products and service provision, but also with criteria
relevant to environmental standards.

Types of audit

In the course of their duties, internal auditors may carry out various types of audit.
These include the following:

Operational audits may be concerned with the efficiency of the organisation’s
activities. They consider performance relative to pre-determined criteria.

Systems audits are used to test and evaluate controls as described in the last
section. They test whether the controls can be relied upon to ensure that resources
are allocated and managed effectively. They also test whether the information
provided by the organisation’s systems is accurate. Compliance tests verify
whether internal controls are being applied in a proper manner. Substantive
tests verify the accuracy of figures, and can be used to identify errors and
omissions.

A transactions or probity audit is concerned with detecting fraud and other types of
criminal or unlawful behaviour. However, it can also be extended to matters relating
to fairness of dealings, impartiality, accountability and transparency, sometimes
considered to be within the scope of social audit. Generally, social audit may be
concerned with any matters relating to governance.
