Internal Control Systems: Any check, procedure or action developed in a business organization with the intent to safeguard assets, reduce the chances of fraud and errors, or generate reliable financial information is called an internal control system. It is formally defined as “The plan of organization and all methods and procedures adopted by the management of an entity to assist in achieving management’s objective of assuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, prevention and detection of fraud and errors, the accuracy and completeness of accounting records, and the timely preparation of reliable financial information. The system of internal control extends beyond those matters which relate directly to the functions of the accounting system.”

Various Internal Controls

Preventive Control Systems: Internal control systems which are established to reduce the chances of frauds and errors before they actually occur in the business. These types of control systems are vital to the business since they reduce, to the maximum extent, the damage which can be caused by frauds or errors.

1. Segregation and Rotation of Duties: Under this control mechanism either the work of one person is made complementary to the work performed by another person, or the work of one person is checked independently by another person on a real-time basis. The purpose is to minimize the chances of errors and frauds, and to detect them in a timely manner before they occur.

Typically the following functions are segregated:

1. Authorization of transactions

2. Execution of transactions

3. Physical custody of the asset related to the transaction

4. Maintenance of records and documents
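
As an added illustration (not part of the original article), the following Python check runs over a transaction log and reports every transaction in which one employee performed more than one of the four functions listed above, or in which one of the functions was never logged. The log layout, the function labels, the employee names and the transaction ids are all constructed for this example.

```python
from collections import defaultdict

# The four functions the article lists as typically segregated
# (short labels are an assumption of this example).
FUNCTIONS = {"authorize", "execute", "custody", "record"}

# Constructed sample entries: (transaction id, function performed, employee).
SAMPLE_LOG = [
    ("TXN-001", "authorize", "asha"),
    ("TXN-001", "execute", "ravi"),
    ("TXN-001", "custody", "meena"),
    ("TXN-001", "record", "john"),
    ("TXN-002", "authorize", "ravi"),
    ("TXN-002", "execute", "ravi"),    # same person authorizes and executes
    ("TXN-002", "custody", "meena"),
    ("TXN-002", "record", "john"),
    ("TXN-003", "authorize", "asha"),
    ("TXN-003", "execute", "meena"),
    ("TXN-003", "record", "meena"),    # executes and records; custody never logged
]


def sod_findings(log):
    """Return {txn_id: [finding, ...]} for transactions that break segregation."""
    by_txn = defaultdict(lambda: defaultdict(set))  # txn -> employee -> functions
    for txn, function, employee in log:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} in {txn}")
        by_txn[txn][employee].add(function)

    findings = {}
    for txn, per_employee in sorted(by_txn.items()):
        issues = []
        # One employee holding two or more functions defeats the cross-check.
        for employee, funcs in sorted(per_employee.items()):
            if len(funcs) > 1:
                issues.append(f"{employee} performed {'+'.join(sorted(funcs))}")
        # A function nobody is logged for means accountability is not fixed.
        missing = FUNCTIONS - set().union(*per_employee.values())
        if missing:
            issues.append(f"no one logged for {'+'.join(sorted(missing))}")
        if issues:
            findings[txn] = issues
    return findings


if __name__ == "__main__":
    for txn, issues in sod_findings(SAMPLE_LOG).items():
        print(txn, "->", "; ".join(issues))
```
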

It is often argued that segregation of duties is not possible in a small concern where there are only a few employees. But the concept should be implemented in such a way that the procedure does not become too cumbersome or costly.

Normally it is desirable to rotate the duties of various personnel periodically. This is done with the object of reducing the chances of development of vested interests and of developing a concern among employees as to the commission of fraud and errors.

At times frauds/errors are detected as a result of rotation of duties; in those cases rotation of duties is a detective control and not a preventive control.

2. Accountability for, and Safeguarding of Assets: The accountability for assets begins at the time of their acquisition and continues till their use or disposal. The accountability for assets is achieved by maintenance of a record of assets. Assets may be cash, investments, scrips, fixed assets and inventories, and bank reconciliations. Once an asset is entrusted to an employee, he shall be made accountable for any depletion. For example, in banks the Head Cashier is made accountable for any shortage of cash at the end of the day. Sometimes when assets are given for job work, abnormal loss in their volume is compensated by the job worker.

3. Authorization: Normally authority is delegated to various persons in the organization as per their organizational status. It is necessary to establish procedures which provide assurance that authorizations are issued by persons acting within the scope of their authority, and that the transactions conform to the terms of authorization. This procedure implicitly casts the responsibility on the person having authority to exercise prudence while authorizing a transaction, including comparison of transaction documents with the instructions for authorization.

4. Maintenance of Adequate Records and Documents: Accounting controls should ensure that transactions are recorded at the correct amount, in the accounting period in which they are executed, and that they are classified in the appropriate account. Apart from account books and vouchers, other records should be kept in such a manner that proper control for asset safeguarding is established and the chances of fraud and errors are reduced. For example, a Fixed Assets Register is maintained, serially numbered invoices and challans with multiple copies are prepared, and self-balancing ledgers are maintained.

Records should be maintained in such a way that audits and reconciliations are in a position to detect deviations.

5. Pre-Employment Screening: Employees should be screened properly as to integrity and honesty before being given responsibility. Only those employees who qualify the test of integrity, honesty and sincerity should be made part of the organization. This is also an important preventive control measure.

6. Control System where data are valuable assets: Data is a valuable asset as it has three values, viz. confidentiality, financial and copyright value. Nowadays it is imperative to lay down control checks for protection of the value of data. These control systems should be designed considering the pillars of cyber security.

Pillars of Cyber Security: Some cyber experts conclude that cyber security has 4 pillars (the first four enumerated below), while some others are of the opinion that there are more than 4 pillars of data security. Some other cyber professionals discuss only the first 3, which are called CIA in short.

Confidentiality: The quality of confidentiality has to be maintained. A security system which addresses confidentiality of data is a good security system. If a security system cannot maintain confidentiality of information, it is futile.

Integrity: Integrity of data means that data should remain in the same form and should not be allowed to be tampered with or manipulated. This concept should be respected the most when data is in transit.

Availability: This concept says that data should be made available at all times as envisaged from the system. Non-availability of data at the time it is needed makes the entire system vulnerable. DoS (Denial of Service) and DDoS (Distributed Denial of Service) are among the most common bugs in our computer systems.

Non-Repudiation: This pillar says that all stakeholders of data should be made responsible and should not be permitted to deny their responsibility. A. The creator owns the responsibility of data entry, B. the sender owns the responsibility of sending data, C. the receiver owns the responsibility of receiving data and finally D. the network provider owns the responsibility of carrying data. None of them should be allowed to step back and every one of them should be made responsible for their job.

Authorization: The process of confirming whether the user has the authority to access what he is accessing and to issue the commands which he is issuing.

Authentication: This is a process which confirms that the person or entity who has accessed the system is the actual person or entity. One-Factor Authentication: This authentication is exercised through possession of a device or card, e.g. ID cards or debit cards. Two-Factor Authentication: If, in addition to the card or device, a person is required to enter a PIN or password, it is called two-factor authentication.

Reliability: Dependability is a subset of integrity. If one can rely upon the data in times of crisis or disaster, the data will be called reliable.

Detective Controls: Once a fraud or error occurs in the organization, the best damage control can be exercised if it is detected as soon as possible. There are various means to detect frauds and errors; the techniques mostly used are internal audits, reconciliations, MIS reporting and physical verifications. This is the right place to emphasize the importance of detective control mechanisms, as they are vital tools which reduce the size of the damage which can be caused by frauds and errors, and bring faults in control systems to the notice of management even before any fraud or error occurs.

1. Internal Audits: Internal audits are basically a control mechanism to evaluate accounting and internal control systems. The Institute of Internal Auditors, USA defines it as: “Internal Auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. The objective of Internal Auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analysis, appraisals, recommendations, counsel and information concerning the activities reviewed.”

Traditionally a narrower version of Internal Auditing was prevalent, where it was auditing on behalf of management to ensure that:

1. The existing Internal Controls are adequate and effective

2. The financial and other records and reports show the results of actual operations, accurately and promptly

3. Each unit of the organization follows the policies and procedures as laid down by the top management

Thus it was mainly related to the concern of management about safeguarding of assets, reliable accounting and other record maintenance, and observance of management’s policies and procedures.

From the above it can be deduced that the scope of Internal Auditing has enlarged considerably. It is now not merely limited to a fault-finding mechanism; rather it has become constructive auditing, whereby suggestions and recommendations are sought by the management for optimum utilization of resources.

Internal Auditing is the most important detective control mechanism.

2. Reconciliation and Financial Reporting: Just as proper and adequate recordkeeping is a preventive control measure, reconciliation of those records and the reporting mechanism are vital from the point of view of detective control. The size and nature of the industry play a very important role in the determination of internal control systems. In some industries, like banks, educational institutions and not-for-profit institutions, the reporting mechanism plays a very crucial role as a detective mechanism.

In banks we may find the reconciliation mechanism to be a very important control mechanism. In banks it is first ensured that adequate and proper records are kept so that information or data (processed or unprocessed) is generated from different sources, and then the same is reconciled to lay a check on the limitations of humans (frauds and errors). Similarly, in some departments of a bank periodic returns are relied upon as a control mechanism. Even quarterly/annual reporting is full of instances of reconciliation: advances, deposits etc. are reconciled, and figures which are generated by various field functionaries are normally reconciled.

Similarly, in educational institutions the reconciliation mechanism is normally relied upon as a vital control tool: fees reconciliations, reconciliation of demat accounts and bank reconciliations are normally accepted practices. So is the case with other not-for-profit organizations.

3. Physical Verification: If accountability in respect of an asset is fixed and safeguarding is ensured through access control, periodic physical verification of the asset is a very important detective control check. Just as the size and nature of the industry play an important role in deciding the control mechanism, so do the volume and nature of assets. Normally physical verification is resorted to for cash, fixed assets and inventories.

Corrective Controls: Once a fraud or error has actually occurred, it becomes imperative for the management to change the system so that no such eventualities arise in future. Normally these controls include patch management for software, policy changes at micro and macro level and, lastly, disciplinary actions against dubious/erring officials.

1. Patch Management: Patch management is the process of delivering and installing software updates. These patches are frequently required to remedy flaws (also known as “vulnerabilities” or “bugs”) in software.

Patches are commonly required for operating systems, applications, and embedded devices (such as network equipment). When a vulnerability is discovered after a piece of software has been released, a patch can remedy it. Proper patch management protects information security by preventing data breaches and leaks.

2. Policy/Procedure Updation: Whenever any error or fraud occurs, policies and procedures are updated as a corrective measure so that no such eventualities arise in future. These changes are at the institutional level as well as at the industry level. The following table shows policy changes in the Indian banking industry as a result of major frauds of recent times:

| Date of Fraud | Name of Affected Bank/Financial Organization | Nature of Fraud and its Modus Operandi | Policy Initiatives in Banking |
|---|---|---|---|
| February 2018 | PNB | A handful of PNB bank staffers at Bradys House Branch issued fake bank guarantees in excess of Rs. 13,800 crores over the years, aiding companies of two jewellery groups led by diamond magnate Nirav Modi and Mehul Choksi. They received credit from overseas banks to fund their business/imports. CBI arrested 8 PNB officials in connection with the case. | In March 2018 the RBI scrapped banking instruments such as the letter of undertaking. The government also approved the Fugitive Economic Offenders Bill to stop economic offenders from escaping the law. |
| 2013-2019 | All Banks | A mix of aggressive and carefree lending alongside willful loan defaults/frauds and economic slowdown resulted in a rapid rise in bank NPAs. Not a single public or private sector bank had been spared. | The impact after six years is acute: from operation concerns such as higher provisioning for bad loans and lower profitability. |
| March 2018 | IDBI Bank | Former Aircel promoter C Sivasankaran, his son and companies controlled by them, Axcel Sunshine Ltd. and WinWin D Oy, were accused by the CBI of defaulting on loans worth Rs. 600 crores from IDBI Bank. Fifteen bank officials, including MD and CEO Kishore Kharat, who worked when the loans were sanctioned (2010-14) to Sivasankaran’s companies were named in the FIR registered on a complaint from the Central Vigilance Commission. | The government indicated indirectly that it is not keen to provide additional capital to the loss-making IDBI Bank. The bank has said it requires Rs. 7000 crores as a regulatory requirement. |
| September 2019 | Laxmi Vilas Bank | Financial services firm Religare Finvest has accused the bank management of misappropriation of Rs. 790 crores (which it kept as fixed deposit), in a report filed with the Economic Offence Wing. | The RBI intensified its “Fit and proper” checks on the management of the bank and Indiabulls, with whom the merger was sought. |
| September 2019 | Punjab and Maharashtra Cooperative (PMC) Bank | Cooperative lender PMC is in the midst of a scam for under-reporting NPAs. The managing director of the firm, in his confession letter, claimed that the bank had created new accounts to keep its loans to real estate firm HDIL as standard loans which had ideally become NPA. The bank has lent nearly 70% capital to the developer, which is against RBI norms. | Existing bank account holders are allowed to withdraw Rs. 10000 per month from their account. |

3. Disciplinary Actions: The last resort as a control mechanism is disciplinary action against the erring official. This deters others from committing the same or similar frauds/negligence (errors).

Disciplinary actions are corrective actions taken in response to employee misbehavior, rule violations, or poor performance. Discipline can take several forms depending on the seriousness of the situation, including a verbal warning, formal warning, an unfavorable performance evaluation, or even termination.

Disclaimer: The contents of this article are for information purposes only and do not constitute an advice or a legal opinion and are personal views of the author. It is based upon relevant law and/or facts available at that point of time and prepared with due accuracy & reliability. Readers are requested to check and refer relevant provisions of statute, latest judicial pronouncements, circulars, clarifications etc before acting on the basis of the above write up.  The possibility of other views on the subject matter cannot be ruled out. By the use of the said information, you agree that Author / TaxGuru is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors or any kind of omissions in this piece of information for any action taken thereof. This is not any kind of advertisement or solicitation of work by a professional.

Author Bio

Qualification: CA in Job / Business
Company: UCO Bank
Location: Jaipur, Rajasthan, India
Member Since: 01 Mar 2021 | Total Posts: 50
I am a Chartered Accountant working with a nationalized bank in middle management.
