Internal Controls

Whether or not your unit has ever been audited, you may have heard of Internal Controls. This section presents a brief, practical discussion of Internal Controls for the unit manager.


What are internal controls and why are they important?

Internal controls are a system of checks and balances established to prevent and detect intentional and unintentional errors. They are the methods employed to help ensure the achievement of an objective, and they are tools used every day by managers.

Writing procedures to encourage compliance, locking your office to discourage theft, and reviewing your monthly statement of account to verify transactions are common internal controls employed to achieve specific objectives.


Preventive & Detective Controls

Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities.


Detective controls are designed to identify an error or irregularity after it has occurred.

Through careful design, the system of internal controls can help your unit operate more efficiently and effectively and provide a reasonable level of assurance that the processes and products for which you are responsible are adequately protected.


What is a manager's responsibility?

Senior management in organizations plays a very important role in the success of internal controls. Internal control is defined by the Committee on Sponsoring Organisations of the Treadway Commission (COSO) (1992) as having five interrelated components.

Control Environment is the foundation for the entire internal control system. The personal and professional integrity and ethical values of management and staff, including a supportive attitude toward internal control at all times throughout the organization, are the bedrock of internal control. The “tone at the top” is seen as crucial to a sound control environment.

In other words, if the tone at the top does not support internal controls, no amount of audit recommendations would see the light of day.

Therefore, as managers of units, you are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of your unit. To establish or evaluate internal controls, first think about the following general objectives then identify your unit's specific objectives within these broad categories.


What is Internal Audit's responsibility?

Internal Audit provides an independent evaluation of the adequacy of internal controls and reports the results to the University’s administration and the Council. The Auditor would evaluate whether basic standards are being maintained on basic internal control procedures. Some of the basic elements in internal control have been identified below.


Elements of Internal Control

Personnel:- Competent and trustworthy people should be employed, with clearly established lines of authority and responsibility. These should be documented in the form of job descriptions and procedures manuals. Organizational charts provide a visual presentation of lines of authority, and periodic updates of job descriptions ensure that employees are aware of the duties they are expected to perform.

Authorization Procedures:- This should include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority should be commensurate with the nature and significance of the transactions and in compliance with KNUST policy. For example, no one person should apply as a claimant for a travelling allowance and also be the approver of that allowance. The requirement that procurement of goods and services above GHC5,000 be approved by the Entity Tender Committee is also an example of an authorization procedure.

Segregation of Duties:- Usually, this reduces the likelihood of errors and irregularities. An individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping.

Physical Restrictions:– These are the most important types of protective measures for safeguarding University assets, processes, and data. Examples include:

Documentation and Record Retention:- These provide reasonable assurance that assets are controlled and transactions are correctly recorded. For example, keeping an assets register monitors assets sent to the department. Keeping a special advance register records staff who have collected monies for University business and are yet to account for them.

Monitoring Operations:– This is essential to verify that controls are operating properly. Reviewing reconciliation reports, confirming receipts, and reviewing exception reports assist in monitoring. For example, preparing monthly bank reconciliation statements monitors transactions between the cash book and the bank, and reviewing quarterly investment schedules helps to track investments made with financial institutions.

Responsibility for Detecting Fraud

Detecting fraud is a shared responsibility. The management of the University is responsible for establishing and maintaining controls that discourage the perpetration of fraud. Internal Audit is responsible for examining and evaluating the adequacy and effectiveness of those controls. Audit programmes are developed in such a way that when there is serious fraud, the audit should be able to identify it.


What can jeopardize Internal Controls?

While many circumstances may compromise the effectiveness of the internal control structure, a few of the most common and serious warrant special mention:

Control Override – Exceptions to policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited. Usually, management staff believe that internal controls are formulated for other staff and therefore they tend to ignore some of these rules when they are involved.

Bringing the need to follow the rules to the attention of these management staff sometimes helps, but can be costly in this part of our world.

Inadequate Segregation of Duties - Separating responsibility for physical custody of an asset from the related record keeping is a critical control. For example, one person should not do the purchasing, issue the items, and record and process the payment for the supplier.

Inappropriate Access to Assets - Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications. For example:

Inadequate Knowledge of University Policies:- The University is not a static environment. New policies and policy revisions are a part of our continual evolution. Many University policies are available electronically, and printed copies can be supplied upon request by contacting the relevant departments. Managers must stay abreast of these changes and understand their responsibilities. It is possible that some of these policies sometimes cannot be found due to improper filing.

Inherent Limitations:- There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress).

A manager who encourages employees to take earned vacation time can assist employees to overcome or avoid stress and fatigue.


How much do internal controls cost?

The cost of implementing a specific control should not exceed the expected benefit of the control. For example the potential loss of a computer printer may justify the cost of a door lock but not an alarm system.

Computer screen savers with passwords are inexpensive but effective methods of protecting sensitive data on a computer.

Sometimes there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish an objective. For example

A well-designed internal control structure can enhance operations by improving your unit's overall efficiency and effectiveness, as well as reducing the risk of loss or theft.

In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for the KNUST community at large, and attempt to identify and weigh the intangible as well as the tangible consequences.

Who is responsible for internal controls? Everyone in the organization!


General Best Practice of controls

Below is a list of general best practices for people in authority in maintaining an effective control environment:

  1. Set a strong example for the expectation of ethical behavior, compliance with laws/policies, and communicate your expectations routinely to your unit's personnel.
  2. Never sign something you do not understand.
  3. Limit signature authority and do not let anyone sign your name (an employee should sign his/her own name). Never use a signature stamp.
  4. If something does not make sense ask questions about it. Pay attention to what your employees are doing.
  5. Be familiar with University policies and procedures. Be willing to call and ask questions.
  6. Consider unique risks your unit may have (i.e. cash collections, contracts, abnormal payments, create and share, grants, etc.) and ensure additional oversight is provided.
  7. Ensure regular reports are reconciled monthly and review this reconciliation for any unusual transactions.
  8. Do not let one employee have complete control of any process.
  9. Keep offices and labs locked to protect property, data, and other resources. (Remember to shred paper documents with identifying information.)
  10. Ensure University assets are used for University business.
