INTERNAL CONTROL

Aamer Allauddin

The board of directors of a listed

company shall also ensure that:
a system of sound internal control is
established, which is effectively
implemented and maintained at all
levels within the company;
(The Code of Corporate Governance 2012)

The directors of listed companies

shall annex statement to the
following effect with the Directors
Report, prepared under Section 236
of the (Companies) Ordinance
(1984):
The system of internal control is
sound in design and has been
effectively implemented and
monitored;

Directors Report extract

The system of internal control is
sound in design and has been
effectively implemented and
monitored and is being continuously
reviewed by the internal audit
function
(Annual Report 2013: Packages Limited- Directors
Report)

The terms of reference of the Audit Committee

shall also include the following:
ascertaining that the internal control systems
including financial and operational controls,
accounting systems for timely and appropriate
recording of purchases and sales, receipts and
payments, assets and liabilities and the reporting
structure are adequate and effective;
review of the listed companys statement on
internal control systems prior to endorsement by
the Board of Directors and internal audit reports;
(The Code of Corporate Governance 2012)

 The board is responsible for determining the nature

and extent of the significant risks it is willing to take
in achieving its strategic objectives. The board
should maintain sound risk management and
internal control systems
The board should, at least annually, conduct a review
of the effectiveness of the companys risk
management and internal control systems and should
report to shareholders that they have done so .The
review should cover all material controls, including
financial, operational and compliance controls
(The UK Corporate Governance Code)

 The board has ultimate responsibility for risk management

and internal control including for the determination of the
nature and extent of the principal risks it is willing to take to
achieve its strategic objectives and for ensuring that an
appropriate culture has been embedded throughout the
organisation
This guidance provides a high-level overview of some of the
factors boards should consider in relation to the design,
implementation, monitoring and review of the risk
management and internal control systems. Such systems
cannot eliminate all risks, but it is the role of the board to
ensure that they are robust and effective and take account
of such risks
(Guidance on Risk Management, Internal Control and Related
Financial and Business Reporting (FRC-September 2014)

 Sarbanes-Oxley Act in the U.S. requires that

all annual reports must contain an internal
control report stating managements
responsibility for establishing and maintaining
an adequate system of internal controls as
well as managements assessment, as of the
fiscal year ending date, on the effectiveness
of those installed internal control procedures
(Section 404, Sarbanes-Oxley Act)

Listing Regulation
The terms of reference of the Audit
Committee shall also include the following:
ascertaining that the internal control
system including financial and operational
controls, accounting system and reporting
structure are adequate and effective;
review of the listed companys statement
on internal control systems prior to
endorsement by the Board of Directors;
(The Listing Regulations of the Karachi Stock Exchange)

Auditors Report extract

It is the responsibility of the
Companys management to establish
and maintain a system of internal
control, and prepare and present the
above said statements in conformity with
the approved accounting standards and
the requirements of the Companies
Ordinance, 1984
(Annual Report 2013: Packages Limited- Auditors Report)

The meaning of corporate

governance
A company is governed by its
directors on behalf of the
shareholders. Arguably, the directors
also govern on behalf of other
stakeholders in the company, such
as its employees
Corporate governance is the system
by which a company is directed and
controlled

The meaning of corporate

governance
An important aspect of corporate governance is
the relationship between the owners of a
company (its equity shareholders) and its
governors (the board of directors)
The strength of the relationship between
owners and governors depends largely on the
quality of the communication between them
The most important method of
communication is the annual financial
statements and accompanying reports (the
report and accounts)

The responsibility of directors for the management of

risks
Another issue in corporate governance is the
management of risks. Companies face many different
risks, but most risks can be divided into two categories:
Business risks or enterprise risks. These are the
risks associated with investing in products and services,
and competing in markets.
Governance risks. These are the risks that errors
(deliberate or accidental) may occur due to weaknesses
in existing internal controls. For example, there may be
excessive risks that financial transactions will be
recorded incorrectly in the accounting system, or there
may be an unacceptable risk that fraud could occur and
remain undetected. There may be risks of failure to
comply with regulations or laws. There may also be risks
of operational errors in day-to-day operating activities,
due to human error, machine breakdowns or poor
supervision by management.

Internal Control: Definition in the

seventies
By internal Control is meant not only
internal check and internal audit but the
whole system of controls, financial and
otherwise, established by the management,
in order to carry on the business of the
company in an orderly manner, safeguard
its assets and secure as far as possible the
accuracy and reliability of its records
(U1 General Principles of Auditing, and U4,
Internal Control-ICAEW)

Internal Control: Definition in COSO

Standard on Internal Control
Internal controls are processes, implemented
by management, that are designed to provide
reasonable assurance for:
Reliable financial and operational information
Compliance with policies and procedures plans,
laws, rules, and regulations
Safeguarding of assets
Operational efficiency
Achievement of an established mission, objectives
and goals for enterprise operations and programs
Integrity and ethical values

Internal Control: ISA 315 definition

Internal control may be defined as the process designed,
put in place and maintained to provide assurance of a
reasonable level regarding the achievement of the
objectives of an entity
These objectives relate to the reliability of the financial
reports, the efficiency and effectiveness of operations
and adherence to relevant and applicable laws and
regulations
It is the responsibility of management to design and put
in place a suitable system of internal controls.
Internal controls are designed to deal with financial risks,
operational risks and compliance risks.
(ISA 315)

Types of controls
Internal controls are normally divided into three categories for
the purpose of corporate governance:
Financial controls
Compliance controls (to ensure compliance with laws and regulations)
operational controls.

Examples of financial controls are:

controls that safeguard the assets of the company
controls that ensure that adequate accounting records are maintained
controls over the preparation and delivery of the annual financial
statements

Although it is the responsibility of management to design and

implement internal controls, it is the responsibility of the
companys governors (directors) to satisfy themselves that the
system of internal control is adequate and that it functions
properly

The internal control system and internal controls

A distinction should be made

between an internal control
system, and internal controls
Internal controls are a part of
the internal control system,
but the internal control
system is more than just the
internal controls

Internal Control System

The Turnbull Report on Internal Control defines an internal
control system as follows:
An internal control system encompasses the policies,
processes, tasks, behaviours and other aspects of a company
that, taken together:
facilitates its effective and efficient operation by enabling it to respond
appropriately to significant business, operational, financial, compliance
and other risks to achieving the companys objectives. This includes
the safeguarding of assets from inappropriate use or from loss and
fraud, and ensuring that liabilities are identified and managed;
help ensure the quality of internal and external reporting. This requires
the maintenance of proper records and processes that generate a
flow of timely, relevant and reliable information from within and outside
the organisation;
help ensure compliance with applicable laws and regulations, and also
with internal policies with respect to the conduct of business.

Internal Control System

The degree of effectiveness of an internal
control system will depend on the
following two factors:
The design of the internal control system and
the individual internal controls. Is the control
system able to prevent material
misstatements, or is it able to detect and
correct material misstatements if they occur?
The proper implementation of the controls. Are
the controls operated properly by the
management and other employees?

The Five Elements of Internal

Control
ISA 315 identifies five elements which
together make up the internal control
system
These are:
(1) The control environment
(2) The entitys risk assessment process
(3) The information system
(4) Control activities (internal controls)
(5) Monitoring of controls

The control environment

The control environment is often referred
to as the general attitude to internal
control of management and employees in
the organisation
The control environment includes the
views, awareness and actions of
management regarding an entitys internal
control. It also includes the governance and
functions of management. It is the basis for
good internal control, providing guidance
and structure

The control environment

The control environment includes the following elements:
Communication and enforcement of integrity and ethical values
Commitment to competence
Participation of management
Managements philosophy and operating style
Organisational structure
Assignment of authority and responsibility
Human resource policies and practices

A strong control environment is typically one where management

shows a high level of commitment to establishing and operating
appropriate controls
The existence of a strong control environment cannot guarantee
that controls are operating effectively, but it is seen as a positive
factor .Without a strong control environment, the control system
as a whole is likely to be weak.

The entitys risk assessment

process
Within a strong system of internal control, management
should identify, assess and manage business risks, on a
continual basis
Significant business risks are any events or omissions
that may prevent the entity from achieving its objectives
Identifying risks means recognising the existence of risks
or potential risks
Assessing the risks means deciding whether the risks are
significant, and possibly ranking risks in order of
significance.
Managing risks means developing and implementing
controls and other measures to deal with those risks

The information system

Pertinent information must be identified, captured and
communicated in a form and timeframe that enable
people to carry out their responsibilities
Information systems produce reports, containing
operational, financial and compliance-related
information, that make it possible to run and control
the business.
Effective communication also must occur in a broader
sense, flowing down, across and up the organization.
All personnel must receive a clear message from top
management that control responsibilities must be
taken seriously. They must understand their own role
in the internal control system, as well as how
individual activities relate to the work of others
They must have a means of communicating significant

Control activities
Control activities are the policies and
procedures, other than the control
environment, used to ensure that the entitys
objectives are achieved. They are the
application of internal controls.
Control activities are the specific procedures
designed:
to prevent errors that may arise in processing
information, or
to detect and correct errors that may arise in
processing information.

Categories of control activities

(internal controls)
ISA 315 categorises internal controls into the following types:
Performance reviews. These include reviews and analyses of
actual performance against budgets, forecasts and prior period
performance. Most of these control activities will be performed by
management and are often referred to as management controls.
They include supervision by management of the work of
subordinates, management review of performance and control
reporting (including management accounting techniques such as
variance analysis).
Information processing. A variety of controls are used to check
the accuracy, completeness and authorisation of transactions.
These controls are split into :
Application controls
General IT controls

Categories of control activities

(internal controls)
Physical controls. These include
controls over the physical security of
assets and records to prevent
unauthorised use, theft or damage.
Examples include limiting access to
inventory areas to a restricted
number of authorised personnel, and
requiring authorisation for access to
computer programs and data files.

Categories of control activities

(internal controls)
Segregation of duties. This control involves assigning different
people the responsibilities of authorising and recording
transactions and maintaining the custody of assets. This reduces
the likelihood of an employee being able to both carry out and
conceal errors or fraud.
Segregation of duties means dividing the work to be done
between two or more individuals, so that the work done by one
individual acts as a check on the work of the others. This reduces
the risk of error or fraud.
If several individuals are involved in the completion of an overall task,
this increases the likelihood that errors will be detected when they are
made. Individuals can often identify mistakes of other people more
easily than they can identify their own.
It is more difficult for a person to commit fraud, because a colleague
may identify suspicious transactions by a colleague who is trying to
commit a fraud

Monitoring of controls
It is important within an internal
control system that management
should review and monitor the
operation of the controls, on a
systematic basis, to satisfy
themselves that the controls remain
adequate and that they are being
applied properly

Limitations of internal control

systems
Internal control systems are never foolproof. All
systems, no matter how effective they may appear
to be, have several limitations:
Human error may result in incomplete or inaccurate
processing which may not be detected by control systems.
It may not be cost-effective to establish certain types of
controls within an organisation.
Controls may be in place, but they may be ignored or
overridden by employees or management.
Collusion may mean that segregation of duties is
ineffective. Collusion means that two or more people work
together to avoid a control, possibly for the purpose of
committing fraud.

Limitations of internal control

systems
This point is made in the Turnbull Report on
Internal Control (in the UK), which comments
that:
A sound system of internal control reduces,
but cannot eliminate, the possibility of poor
judgement in decision-making; human error;
processes being deliberately circumvented
by employees and others; management
overriding controls; and the occurrence of
unforeseeable circumstances.

Limitations of internal control

systems
Such systems cannot eliminate all
risks, but it is the role of the board to
ensure that they are robust and
effective and take account of such
risks
(Guidance on Risk Management, Internal Control
and Related Financial and Business Reporting
(FRC-September 2014)

Problems for small

entities
Many of the control activities that are typically found in a
large company may be inappropriate for a small entity
because they are too costly or impractical.
Segregation of duties is an obvious example of this. It is
difficult to segregate duties in a small company with only a
few employees. The same individual has to carryout a
variety of different tasks.
Often, control systems in small entities are based on a high
level of involvement by the directors or owners.
Authorisation and performance review controls, with the
owner-manager personally authorising many transactions,
might therefore be a key feature of control systems in small
entities. The active involvement of an owner manager might
mitigate risks arising from a lack of segregation of duties.

Sources

Code of Corporate Governance 2012 (Pakistan)

UK Corporate Governance Code
International Standard on Auditing 315
COSO Standard on Internal Control Framework
Internal Control-Guidance for Directors on Combined
Code (ICAEW)
Guidance on Risk Management, Internal Control and
Related Financial and Business Reporting (FRCSeptember 2014)
Turnbull Report on Internal Control (ICAEW)
KSE Listing Regulations
Packages Limited-Annual Report 2013