Effective internal control as a critical aspect in an organisation became more pertinent for business functions in the early 2000s when accounting scandals were prominent in companies in the United States of America (USA). In light of this, several guidelines, laws or Acts were released such as the Sarbanes-Oxley Act of 2002 in the USA and Security and Exchange Commission (SEC) guidance on the implementation of Sections 60 – 63 of the Investment and Securities Act of 2007 published in 2021 in Nigeria. These laws protect investors from fraudulent financial reporting by organisations and improve the accuracy and reliability of corporate or organisational disclosures. The laws impacted the corporate governance code by re-emphasising that business managers are responsible for financial reporting and creating a step-by-step process through which the organisation ensures that set objectives are achieved. The process created is termed as internal control.
Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. It is essential to state that a successful internal control system depends on the participation of all employees at every level within the organisation.
Having defined internal control above, it is noteworthy to state that internal control differs from internal audit as both terms are often misconstrued to mean the same. Internal audit is the process of independently evaluating a company's internal control, including its corporate governance and accounting processes. In summary, Internal Audit is an independent function, while Internal Control is an organisational system. In this article, we have discussed management's role in ensuring that an organisation has an effective internal control system.
Establishing an Effective Internal Control System
In establishing an effective internal control system, it is imperative to understand the Institute of Internal Auditors (IIA) Three Lines Model. The first line roles involve the modalities of carrying out daily operational activities while executing risk and control procedures on a day-to-day basis. The second line roles on the other hand comprises those complementary activities focused on risk-related matters. Finally, the third line roles are those that provide assurance to the senior management that the first-two lines' efforts are consistent with expectations.
Organisations will typically experience rapid growth and development when there is an established control environment that aids efficient execution of operational activities. Specifically, an effective internal control system within an organisation will:
- provide reasonable assurance that policies, processes, tasks, behaviours and other aspects of an organisation, when combined, facilitate effective and efficient operations;
- help to ensure the quality of internal and external reporting; and
- aid compliance with applicable laws and regulations while ensuring the implementation of leading business practices.
- help organisation to add value to their shareholders and achieve their strategic objectives.
Furthermore, section 61 subsections 1 and 2 of the Investment and Securities Act of 2007 states that:
Section 61 (1) – "a public company shall establish a system of internal controls over its financial reporting and security of its assets and it shall be the responsibility of the board of directors to ensure the integrity of the company's financial controls and reporting".
Section 61 (2) – "the directors of a public company shall report on the effectiveness of the company's internal control system in its annual report".
The SEC Guidelines also reemphasised and reinforced management's responsibility for establishing and maintaining an effective system of internal control. Management is required to oversee these controls, review the effectiveness of the system as a whole and define and communicate the overall organisational objectives. Once the objectives are clearly defined, activities required to be carried out are to be identified by management.
Furthermore, management should seek to answer the following questions:
- Why does the organisation exist?
- What key controls can be put in place?
- What more can be done to improve these controls?
- Who performs what task?
- Who reports to whom?
Providing answers to the above questions will give clarity on how the organisation's activities are to be performed. Specifically, the responsibility of management includes planning, organising, directing and controlling. Controlling ensures that set objectives from the highest level (management level) to the lowest level in the organisation are achieved as prescribed by control activities. In other words, the control activities are simply the policies and procedures that help to ensure top-level management directives are carried out as prescribed. Control activities may include:
- Authorisations: Transactions must be authorised and executed in accordance with management's directives. For instance, in an organisation, management should ensure that there is a delegation of authority matrix that defines the financial and administrative responsibilities and authorities delegated to the designated personnel in charge of approving the decisions and transactions within the business.
- Segregation of Duties: Segregation of duties is adequate when no one person is in a position to initiate and conceal errors and/or irregularities in the normal course of their duties. Using a payment process as an illustration, management should ensure that there is a three-way match (The process of comparing the purchase order to the vendor's invoice and the goods received note) before vendor bills are settled.
- Record Keeping: Adequate record keeping ensures that assets are properly controlled and transactions are properly recorded. For example, management should ensure adequacy of organisational records such as the fixed assets schedule, monthly management report, expense and inventory records agrees to the source documents. It is important for management to ensure validation of these records are done periodically to achieve its objective on effective control.
- Safeguarding: Controlling the use of assets and records are ways to safeguard those assets and records. Management is expected to define policies and procedures that provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.
- Reconciliations: Reconciliations are independent verifications, which help to ensure that the control activities are functioning as intended. Management can leverage on emerging technologies such as Robotic Process Automation (RPA) or data analytics in ensuring that bank, inventory and account reconciliations are accurately and adequately performed.
"Establishing control activities within an organisation is an integral aspect in achieving effective internal control. Management is responsible for ensuring that control activities are established, and that the established controls are adequate and operating effectively within an organisation. Overall, effective internal control is a collective effort of every personnel in an organisation. "
Every member of the organisation is expected to strictly comply with controls put in place by management in discharging their duties. Where there are irregularities while discharging these duties, it is important to bring these to the attention of management in due course. Assessing the effectiveness of the internal control system is the major function of management. Management should regularly review reports on internal control and be informed about how the data which gave rise to the reports were determined.
Benefits of an Effective Internal Control System to an Organisation
The benefits of an effective internal control in an organisation are enormous. Specifically, companies would benefit in the following ways:
- A reliable financial reporting process
- Compliance with statutory regulations
- Reduced possibility of fraud occurring within the organisation
- Safeguard of assets owned by the organisation
- Reduced decision-making time as appropriate measures have been implemented
- Seamless and smooth operations system as there is a clear hierarchy and chain of communication
Adverse Effects of Lack of Internal Controls
An organisation achieving its set objectives is a clear indication of an effective internal control system. A lack of internal control may result in the following:
- Prevents the right people from accessing required information in an organisation
- Inability to track performance
- High rate of customer dissatisfaction
- Inefficient use of organisational resources
- High error rates and poor business practices
- Lack of lucrative business development
- Stagnancy and/or reduced productivity in all aspect of the organisation
Essentially, establishing control activities within an organisation is an integral aspect in achieving effective internal control. Management is responsible for ensuring that control activities are established, and that the established controls are adequate and operating effectively within an organisation. Overall, effective internal control is a collective effort of every personnel in an organisation. It is rather important that management set structures and determine how personnel perspectives are aligned with management goal. In achieving this, management may consider the use of the top-down (management to lower-level employees) and bottom-up (lower-level employees to management) approaches as an essential communication structure that should be adopted.
Furthermore, note that it is mandatory for listed companies in Nigeria to report their internal control system over its financial reporting as it has been stated in section 61 subsection 1 and 2 of the Investments and Securities Act of 2007. Even though not mandatory, it is also necessary for unlisted entities to ensure an effective internal control where processes and procedures set by management are complied with to aid the accuracy and the adequacy of financial reporting. To achieve the set goals and meet the requirement of SEC, Management has a key role to play in ensuring an effective internal control system within an organisation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.