Skip to main content

Internal Controls

Internal Controls

Whether or not your unit has ever been audited, you may have heard of Internal Controls. This section presents a brief, practical discussion of Internal Controls for the unit manager.

 

What are internal controls and why are they important?

A system of checks and balances established to prevent and detect intentional and unintentional errors. Internal controls are the methods employed to help ensure the achievement of an objective. They are tools used every day by managers.

Writing procedures to encourage compliance, locking your office to discourage theft, and reviewing your monthly statement of account to verify transactions are common internal controls employed to achieve specific objectives.

 

Preventive & Detective Controls

Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities.

  • Internal checks by senior accounting officers (in some areas pre-audit by Internal Audit staff) help prevent wrong transaction being paid or policy override by other staff
  • A computer application which checks validity prevents the entry of an invalid account number.
  • Reading and understanding University Human Resource policies, such as Work Hours, code of conduct , helps prevent violations of the University’s policies
  • A manager's review, (or pre- audit) of purchases for specification and validity prior to approval prevents inappropriate expenditures.
  • Using Goods Received Vouchers (GRVs) and stores issue vouchers duly approved by a senior person help prevent abuse of University’s stock items   

 

Detective controls are designed to identify an error or irregularity after it has occurred.

  • Preparing bank reconciliation statement will detect errors committed in the bank accounts;
  • Comparing pay-in-slip with receipts issued in a period will detect short banking;
  • Reviewing of assets register detect University’s assets that have found it way in other people’s homes 
  • An exception report detects and lists incorrect or invalid entries or transactions.
  • A comparison of validated Cash Receipt Vouchers to monthly financial statements will detect deposits posted to erroneous accounts.
  • The manager's review of long distance telephone charges will detect improper or personal calls that should not have been charged to the account.

Through careful design, the system of internal controls can help your unit operate more efficiently and effectively and provide a reasonable level of assurance that the processes and products for which you are responsible are adequately protected.

 

What is a manager's responsibility?

Senior Management in organizations play very important role in the success of internal controls. Internal Controls, is defined by Committee on Sponsoring Organisations of the Treadway Commission’s (COSO) (1992) as having five interrelated components

  • Control Environment
  • Risk Assessment
  • Information and Communication
  • Monitoring
  • Control Activities

Control Environment is the foundation for the entire internal control system. The personal and professional integrity and ethical values of management and staff, including a supportive attitude toward internal control at all times throughout the organization is the bedrock of internal control. The “tone at the top”, is seen as very crucial to have a sound control environment.

In other words if the tone at the top does not support internal controls, no amount of audit recommendations would see the light of day.    

Therefore, as managers of units, you are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of your unit. To establish or evaluate internal controls, first think about the following general objectives then identify your unit's specific objectives within these broad categories.

  • Propriety of Transactions for all activities within accounts for which the manager is responsible.
  • Reliability and Integrity of Information for internal management decisions and external agency reports
  • Compliance with KNUST Policies and Government Regulations, including but not limited to: Financial administration and Procurement Acts, Human Resource policies and other polices of the University
  • Safeguarding Assets, including physical objects and University data
  • Economy and Efficiency of Operations to optimize the use of limited resources in accomplishing the mission of the unit and the University; minimizing abuse, waste and fraud.

 

What is Internal Audit's responsibility?

Internal Audit provides an independent evaluation of the adequacy of internal controls and reports the results to the University’s administration and the Council. The Auditor would evaluate whether basic standards are being maintained on basic internal control procedures. Some of the basic elements in internal control have been identified below.

 

Elements of Internal Control

Personnel:- Competent and trustworthy people should be employed, with clearly established lines of authority and responsibility. There should be a document in the form of job descriptions and procedures manuals. Organizational charts provide a visual presentation of lines of authority and periodic updates of job descriptions which ensures that employees are aware of the duties they are expected to perform.

Authorization Procedures:- This should include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority should be commensurate with the nature and significance of the transactions and in compliance with KNUST policy. For example no one person should write as a claimant for travelling allowance and still be the approval of that allowance. Procurement of Goods and services above GHC5,000 to be approved by the Entity Tender Committee is also an example of the authorization procedures

Segregation of Duties:- Usually, this reduces the likelihood of errors and irregularities. An individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping.

Physical Restrictions:– These are the most important types of protective measures for safeguarding University assets, processes, and data. Examples include:

  • Locking of doors after close of work
  • Marking some of the offices “restricted” or ‘no entry’ by other staff.
  • Critical forms, such as cheque books, receipt books and Goods Received Vouchers (GRVs) should be adequately secured.

Documentation and Record Retention:- These include providing reasonable assurance that assets are controlled and transactions are correctly recorded. For example the keeping of assets register monitors assets sent to the department. The keeping of special advance register keeps records of staff who collects monies for University business and are yet to account for them.

Monitoring Operations:– This is essential to verify that controls are operating properly. Reviewing reconciliation reports, confirmation of receipts, and reviewing exception reports assist in monitoring. For example, preparation of monthly bank reconciliation statements to monitor transactions between the cash book and the bank, reviewing quarterly investment schedules helps to track investments made with financial institutions

 

Responsibility for Detecting Fraud

When it comes to fraud it is a shared responsibility. The management of the University is responsible for establishingand maintaining controls that discourage perpetuation of fraud. Internal Audit is responsible for examining and evaluating the adequacy and effectiveness of those controls. Audit programmes are developed in such a way that when there are serious fraud, the audit should be able to identify them.

 

What can jeopardize Internal Controls?

While many circumstances may compromise the effectiveness of internal control structure, a few of the most common and serious warrant special mention:

Control Override – Exceptions to policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited. Usually, management staff believe that internal controls are formulated for other staff and therefore they tend to ignore some of these rules when they are involved.

Bringing to the attention of these management staff the need to follow the rules sometime help, but can be costly in this part of our world.

Inadequate Segregation of Duties - Separating responsibility for physical custody of an asset from the related record keeping is a critical control. For example one person should not do purchasing, issue the items, record and process the payment for the supplier.

Inappropriate Access to Assets - Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications. For example:

  • All value books should be kept under lock and key. Sometimes employees do not see the need of keeping other value documents under lock and key with the exception of cheque books.
  • Access to computer information should be limited to those who keep data. Top Managers should be given Read Only Access.
  • Only authorized individuals should be issued keys for restricted areas.

Inadequate Knowledge of University Policies:- The University is not a static environment. New policies and policy revisions are a part of our continual evolution. Many University policies are available electronically and printed copies can be supplied upon request by contacting the relevant departments. Managers must stay abreast with these changes and understand their responsibilities. It is possible that sometimes some of these polices cannot be found due to improper filing.

Inherent Limitations:- There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress).

A manager who encourages employees to take earned vacation time can assist employees to overcome or avoid stress and fatigue.

 

How much do internal controls cost?

The cost of implementing a specific control should not exceed the expected benefit of the control. For example the potential loss of a computer printer may justify the cost of a door lock but not an alarm system.

Computer screen savers with passwords are inexpensive but effective methods of protecting sensitive data on a computer.

Sometimes there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish an objective. For example

  • Pay AFUF at the bank instead of collecting cash at the faculties
  • Use Stores Issued Voucher (SIV) to take goods from store
  • Use trump card to buy fuel instead of cash purchases
  • All office telephones should be “receiving only”. HODs and above should be able to make call and monthly review would be conducted by audit department
  • All receipts must be banked intact

A well-designed internal control structure can enhance operations by improving your unit's overall efficiency and effectiveness, as well as reducing the risk of loss or theft.

In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for KNUST Community at large, and attempt to identify and weigh the intangible as well as the tangible consequences.

Who is responsible for internal controls? Everyone in the organization!

 

General Best Practice of controls

Below is a list of general best practices for people in authority in maintaining an effective control environment:

  1. Set a strong example for the expectation of ethical behavior, compliance with laws/policies, and communicate your expectations routinely to your unit's personnel.
  2. Never sign something you do not understand.
  3. Limit signature authority and do not let anyone sign your name (an employee should sign his/her own name). Never use a signature stamp.
  4. If something does not make sense ask questions about it. Pay attention to what your employees are doing.
  5. Be familiar with University policies and procedures. Be willing to call and ask questions.
  6. Consider unique risks your unit may have (i.e. cash collections, contracts, abnormal payments, create and share, grants, etc.) and ensure additional oversight is provided.
  7. Ensure regular reports are reconciled monthly and review this reconciliation for any unusual transactions.
  8. Do not let one employee have complete control of any process.
  9. Keep offices and labs locked to protect property, data, and other resources. (Remember to shred paper documents with identifying information.)
  10. Ensure University assets are used for University business.