Office of Audit, Risk & Compliance • Vanderbilt University • Nashville, TN 37203 • Phone 615-343-6660
© Vanderbilt University · All rights reserved. Site Development: University Web Communications Vanderbilt University is committed to principles of equal opportunity and affirmative action.
Vanderbilt®, Vanderbilt University®, V Oak Leaf Design®, Star V Design® and Anchor Down® are trademarks of The Vanderbilt University
Internal controls can be:
Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of circumstances. These are widely used to prevent breached of laws or policy, as well as to minimise risks relating to health and safety. Voluntary controls are applied according to the judgement of the organisation and its managers.
Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or judgement of risks in given circumstances. Non-discretionary controls must be applied.
Manual or automated:
Manual controls are applied by the individual employee whereas automated controls are programmed into the systems of the organisation. Some systems combine the two: for example, when deciding on whether a customer should be permitted days on hand for payment, there could be automated ‘accept’ above a specified credit rating or ‘decline’ or below a specified credit rating, and an intermediate range in which a manager may be able to override the automated system.
General controls or application controls:
This classification of controls applies specifically to information systems. General controls help to ensure the reliability of data generated by systems, helping to ascertain whether systems operate as intended and output is reliable. Application controls are automated and designed to ensure the complete and accurate recording of data from input to output.
Common control procedures
Physical controls:
These controls include restrictions on access to buildings, specified office or factory areas or equipment, such as turnstiles at the entrance to the premises, swipe cards and passwords. They also include physical restraints, such as fixing non-current assets to prevent removal.
Authorisation and approval limits:
Many employees must adhere to authorisation limits, and these will usually be specified in the terms of employment. For example, a junior manager may be permitted to book business flights up to the value of $500, but for tickets costing more than this, the purchase may have to be approved by someone more senior.
Segregation of duties:
To minimise the risk of errors and fraud, duties associated with cash handling are often segregated. For example, in the post room of a company that received cash by post, the employee recording the cash will be a different person to the one who opens the post. Segregation is also relevant to other functions. At executive level, it is now best practice to segregate the roles of chairman and chief executive officer, and as an independent assurance function, internal audit should be totally segregated from the finance department, with a reporting line direct to the board of directors or the audit committee.
Management controls:
These controls are operated by managers themselves. An example is variance analysis, through which a manager may be required as part of their job to consider differences between planned outcomes and actual performance. Performance management of subordinates is also an integral part of many managerial positions. Further down the chain of command, supervision controls are exercised in respect of day-to-day transactions. Organisation controls operate according to the configuration of the organisation chart and line/staff responsibilities.
Arithmetic and accounting controls:
These controls are in place to ensure accurate recording and processing of transactions. Procedures here include reconciliations and trial balances.
Human resources controls:
Controls are implemented for all aspects of human resources management. Examples include qualifications verification, references and criminal record checks on recruits, checks on staff who have to be attested for competence and training effectiveness.
Internal check
Internal check is a system through which the accounting procedures of an organisation are so laid out that the accounts procedures are not under the absolute and independent control of any person. The work of one employee is complementary of that of another, enabling a continuous audit of the business to be made.
The essential elements of an internal check are:
- checks are implemented on day-to-day transactions
- checks operate continuously as a part of the system
- the work of each person is complementary to the work of another.
By allocating duties in this way, no one person has exclusive control over any transaction.
Internal audit
Definition and purposes of internal audit:
Internal audit may be defined as an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organisation.
Internal audit supports management in the effective discharge of their responsibilities. To this end, internal audit furnishes management with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed.
Objectives of internal audit
The formal objectives of internal audit may include some or all of the following:
- review of accounting and internal control systems
- examination of financial and operating information
- review of the ‘three E’s (economy, efficiency and effectiveness)
- review of compliance with laws and regulations
- review of arrangements for the safeguarding of assets
- review of implementation of corporate goals and objectives
- identification of significant risks to the organisation, and monitoring risk management policy and risk management strategies
- special investigations as required.
Why internal audit necessary?
The importance of internal audit was highlighted by the Turnbull Report. It states that listed public companies that do not have an internal audit function should review the need to have such a function at least annually. Turnbull goes on to state that listed public companies that do have an internal audit function should review the scope, authority and resources of this function at least annually.
Turnbull suggests that the need for the internal audit function will depend on several factors. These include:
- the scale, diversity and complexity of the organisation’s activities
- the number of employees – the need for an internal audit function increases as the number of employees increases, or if employee interrelationships become more complex
- where the benefits of such a function will outweigh the costs of implementation and operation
- when changes occur over time in the organisation’s structures, reporting processes or underlying information systems
- the nature of risks, changes to risks and emerging risks
- problems and issues arising with internal control systems, both actual and perceived
- the occurrence of an increasing number of unexplained or unacceptable events.
Internal audit and internal control
Internal audit is an internal but independent assurance function. While internal auditors are usually employees of the organisation, they should operate independently of management so that their analyses, judgements and reports are free from bias or undue influence. The head of internal audit should report to the board of directors, or to the audit committee. Some organisations reinforce independence by outsourcing the internal audit function to professional external firms.
Internal audit testing is the internal assessment of internal controls and as such is a management control to ensure compliance and conformity of internal controls to pre-determined standards.
Key risks:
Internal audit reviews and reports on internal controls in relation to key risks affecting the organisation. The objective here should be to test the extent to which the controls will control the risk if it crystallises. The conclusions of these reports should enable management to reconsider the controls and modify or redesign them if appropriate.
Financial and operating information:
Internal audit may examine this information in order to ensure it is accurate, fit for purpose and timely. Tests may be applied to determine whether information is correctly measured and therefore suitable as a basis for informing management and external stakeholders.
Compliance:
Increasingly, organisations have to implement performance standards in relation to compliance. This may be to satisfy the demands of external regulators, or to operate to pre-determined internal standards. Internal audit should review operations for compliance with such standards. In this respect, the work of internal auditors in broadening, as organisations increasingly pursue compliance not only with industry standards for products and service provision, but also with criteria relevant to environmental standards.
Types of audit
In the course of their duties, internal auditors may carry out various types of audit. These include the following:
Operational audits may be concerned with the efficiency of the organisation’s activities. They consider performance relative to pre-determined criteria.
Systems audits are used to test and evaluate controls as described in the last section. They test whether the controls can be relied upon to ensure that resources are allocated and managed effectively. They also test whether the information provided by the organisation’s systems is accurate. Compliance tests verify whether internal controls are being applied in a proper manner. Substantive tests verify the accuracy of figures, and can be used to identify errors and omissions.
A transactions or probity audit is concerned with detecting fraud and other types of criminal or unlawful behaviour. However, it can also be extended to matters relating to fairness of dealings, impartiality, accountability and transparency, sometimes considered to be within the scope of social audit. Generally, social audit may be concerned with any matters relating to governance.
Written by a member of the BT/FBT examining team