Internal controls are a set of policies, processes, and behaviours designed to manage risks and achieve organisational objectives effectively. They protect assets from theft, ensure that financial records are accurate and complete, and boost operational efficiency. Internal controls keep organisations on the right side of the law, avoiding legal troubles and reputational damage, keeping a close watch on performance and rooting out errors, internal controls make financial reports more reliable, building trust among investors, regulators, and other key players.

Why should accountant care about internal controls?

The Companies Act requires accountants to prepare financial statements that are a ‘true and fair representation’ of the entity's financial status. Internal controls help safeguard the integrity of financial information, which is fundamental for effective governance, investor confidence, and the overall transparency of the entity. Accountants therefore have a vested interest in the controls for various reasons:

1. Accurate and Reliable Financial Information: Effective internal controls ensure that all financial transactions are accurately recorded and that the financial records are free from errors or fraudulent activities. This accuracy is essential for accountants when aggregating this data into financial statements.

2. Compliance with Standards: Internal controls are aligned with accounting standards and principles, ensuring that the financial statements prepared by accountants adhere to accepted norms and practices. This compliance is critical for maintaining the trust of investors, regulators, and other stakeholders.

3. Timeliness: Strong internal controls facilitate the timely recording of transactions and the efficient preparation of financial statements. This timeliness ensures that all financial reporting deadlines are met, which is crucial for decision-making and compliance purposes.

4. Prevention and Detection of Fraud: Stringent controls can help prevent and detect fraud within the organisation. This not only protects the entity's assets but also ensures that the financial statements provide a true and fair view of the entity’s financial condition.

5. Assessment of Financial Health: Internal controls enable accountants to obtain a clear and comprehensive view of the entity’s financial health. This insight is critical when drafting financial statements, as it allows accountants to make informed judgments and estimates that reflect the true economic reality of the entity.

Although the International Standard on Related Services ISRS4410 Engagements to Compile Financial Statements does not specifically require the evaluation of internal controls, it is important for accountants to understand the types and roles of internal controls. In addition, accountants can provide valuable services by evaluating and improving clients' internal controls, offering expert advice that enhances system efficiency, reduces risk, and ensures compliance with regulatory standards.

Management Responsibility to Implement Internal Controls

The responsibility for internal controls starts with the organisation's management. In smaller businesses, owners directly oversee these controls, while in larger organisations, the board of directors typically takes on this responsibility, reflecting their duty to shareholders. Management must also promote a culture that values strong internal controls, aligning them with the organisation's goals and strategies.

Balancing risks and controls

Conducting risk assessments is a foundational element of internal control systems. This process involves identifying potential risks that could impact the organisation and assessing the effectiveness of existing controls to manage these risks. For accountants, facilitating robust risk assessment processes is crucial for ensuring that the controls are well-aligned with the potential risks.

Adequate internal control is fundamentally about ensuring that the controls implemented within a business are proportionate to the identified risks. When a high risk is identified, more elaborate and potentially costly controls may be necessary to mitigate that risk effectively. Conversely, when the risk level is low, the cost of implementing additional controls might not justify the benefits. This approach emphasises the importance of strategic risk assessment and management, ensuring that resources are allocated efficiently and that internal controls are practical and cost-effective, thereby optimising the balance between risk management and operational efficiency.

Importance of Internal Financial Controls

Accountants are not required to evaluate the internal controls of a client when compiling financial statements, they need to for accountants, implementing and understanding internal controls is crucial. They provide the foundation for reliable financial reporting and help delivering timely and accurate financial information to stakeholders. Effective internal controls also play a key role in preventing and detecting fraud and minimising operational risks.

Types of Internal Controls

Among the many frameworks guiding internal controls, the COSO Framework stands as a benchmark. Developed by the Committee of Sponsoring Organizations of the Treadway Commission, it is a comprehensive model with five key components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.

Internal controls can be categorised into several types, each serving specific functions:

Control Environment

The control environment sets the overall tone for the organisation. It involves the integrity, ethical values, and competence of the organisation’s people, management's philosophy and operating style, the way management assigns authority and responsibility and organises and develops its people; and the attention and direction provided by the board of directors. A strong control environment provides discipline and structure, which are crucial for the effectiveness of the other components. For example, a company might establish a code of conduct that all employees are required to follow and provide regular ethics training. Management’s philosophy and operating style, how authority and responsibility are assigned, and how staff are developed, are all key aspects. The board of directors might show its commitment by actively overseeing these initiatives and conducting regular reviews of management practices. A strong control environment provides the discipline and structure necessary for the effectiveness of other control components.

Risk Assessment

Internal controls are based on risks that threaten the achievement of the organisation's objectives. Companies need to establish mechanisms to identify and address potential obstacles. For instance, a technology firm may perform regular analyses to identify external changes like new regulations or emerging competitors that could impact its objectives.

Control Activities

Detailed control procedures are included in policies and procedures of the organisation at all levels, and in all functions. They include activities such as approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. Examples include:

• Preventing errors or Irregularities:

  • Approvals and Authorisation Procedures: A construction company requires project managers to obtain signed approvals from the chief financial officer for any expenditure above R50,000.

  • Access Controls: A retail store restricts access to its stock room with electronic keycards assigned only to authorized personnel to prevent theft.

• Detecting errors or Irregularities:

  • Reconciliations: A financial institution mandates monthly reconciliation of bank statements against the ledger to identify and correct discrepancies promptly.

  • Reviews of Performance: A sales department reviews quarterly sales data against targets to spot deviations and address underlying issues.

• Correcting Errors or Irregularities:

  • Adjusting Policies and Procedures: After noticing recurrent billing errors, a utility company revises its billing process and implements automated checks to enhance accuracy.

  • Employee Training and Disciplinary Actions: Following several incidents of data breaches, a company could introduce more stringent security training for its IT staff, coupled with clear disciplinary processes for breaches of data policy.

  • Independent Reviews: Often, firms engage external auditors to review their financial statements and internal controls annually to provide an unbiased opinion on their adequacy and effectiveness.

IT General Controls:

• Network Security Measures: A bank employs state-of-the-art firewalls and encryption to protect client data from cyber-attacks.

• Data Integrity Controls: E-commerce platforms use software that routinely checks and cleanses data to prevent and correct errors in customer and inventory information.

• Access Management: A hospital uses biometric scanners to restrict access to patient records, ensuring only authorized medical personnel can view sensitive information.

• Disaster Recovery and Business Continuity Planning: A cloud services provider maintains multiple data centers in geographically diverse locations to ensure seamless service continuity in case one site is compromised.

Information and Communication

Effective communication is critical. A multinational might use an intranet site to regularly update employees worldwide about changes in internal control processes, ensuring everyone is informed about their roles and responsibilities in maintaining these controls. This proactive communication helps in swiftly addressing any IT-related issues or breaches that may arise.

Management Monitoring and Internal Audit

Internal controls should be continuously monitored by management. This means they regularly check and update these systems to ensure they are working well and keeping up with changes in the business and regulatory landscapes. Doing this management ensures that the organisation follows rules, reduces risks, and runs smoothly. This ongoing supervision is key to protecting assets, ensuring accurate financial reports, and helping the organisation meet its goals. It also helps pinpoint areas that need improvement, promoting a culture of continual progress and responsibility.

The internal audit function is responsible for independently evaluating the suitability and effectiveness of internal controls. Providing objective findings and recommendations, internal auditors help management achieve better governance, risk management, and control processes.

Internal auditors evaluate risk management practices and assess the effectiveness of internal controls, ensuring they are well-designed and function as intended. They provide critical insights and recommendations to management supporting informed. Additionally, they facilitate effective communication between management and the board, enhancing the overall control environment and helping the organisation achieve its strategic goals.

Conclusion

Effective internal controls are indispensable for ensuring the integrity of financial reporting, safeguarding assets, and maintaining compliance with regulatory requirements. The roles of internal audit and comprehensive risk assessment are critical in maintaining and improving this framework, enabling continuous adaptation to new challenges. For accountants, expertise in these areas is essential to maintain the financial health and operational efficiency of the organisations they serve.

Prepare compliant financial statements with CIBA’s Accountant-In-Practice CPD Subcsription

Subscribing to the Accountant-in-Practice series provides you access to monthly webinars covering ethics, financials, reporting, audit and assurance, working papers, law, technology, management topics, and enable you to:

• Be aware of the latest legislative changes and what it means for your business, practice, and your clients;

• Prepare compliant financial statements fast;

• Issue reliable reports on financial statements;

• Understand the laws and regulations that govern your profession; and

• Develop enhanced business advisory skills.