Modulus e-Books: Selecting and Implementing Internal Controls

[...pages omitted...]


When re-engineering processes, whether for risk reduction, improved effectiveness or efficiency, appropriate internal controls should be designed into the process to avoid misuse or abuse of the new process. Well-designed internal controls are an essential element of process management.

The purposes of internal controls include:

The general model for internal controls which has the widest acceptance (especially in the United States) is the COSO model. The COSO model recognises five distinct components necessary for effective internal control, as represented in the diagram below.

[Figure 01: the COSO pyramid, showing the five components of the internal control framework]
Published in 1992, the COSO report defines internal control as:
"a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

The wording of this definition is carefully chosen. Firstly, although "effected by the entity's board of directors, management and other personnel" may, at first blush, appear to say little more than "effected by the entity's personnel", in fact it commits the board of directors and management to actively managing the internal control process and leaves little room for delegation of this fundamental process by the board. It is a reasonable expectation that, for an organisation adopting the COSO framework, the board will actively participate in the establishment of an appropriate control environment, perform process risk assessment, establish and monitor control activities and foster the information and communication activities necessary to the proper operation of these elements.

Secondly, the limitation that the internal controls will result in "a reasonable assurance" rather than a pretence of achieving an absolute assurance, helps qualify what may be achieved by internal controls and, by corollary, what remains to be done. In concrete terms it should be evident that to achieve the level of confidence which is necessary for a public organisation to state that its financial accounts are a true representation of the state of affairs of the organisation, more is required than simply demonstrating that there are internal controls in place. This higher level of confidence is usually achieved by means of internal and external audit of the financial records. Such audits will always make reference to the internal controls, but not rely on them alone, i.e. a robust set of internal controls is a necessary but not sufficient condition for achievement of the organisation's objectives.

Thirdly, the objectives to be addressed by internal controls are not limited to certitude of financial records and legal compliance, but are extended to include effectiveness and efficiency of operations. The "effectiveness and efficiency of operations" is essentially that aspect of the business with which line management is principally concerned. Thus we can see that the system of internal controls is intended to concern itself not only with issues such as "was this purchase order appropriately authorised by a manager with the requisite authority, and is there a matching record of the asset being acquired and inventoried?" but also with issues such as "is the productive capacity of this plant being properly utilised at a competitive cost?".

Control activities were once thought to be the most important element of internal control, but COSO suggests that the control environment is more critical since the control environment fosters the best actions, while control activities provide safeguards to prevent wrong actions from occurring.

This book discusses the elements of internal control framework in detail and then turns its attention to good practice for each of these elements. At each stage, the book's page header shows which element of the COSO model is being discussed.

[...pages omitted...]

Internal Controls - Segregation of Duties

An important principle to be observed in establishing an internal control environment is the segregation of duties. Segregation of Duties (sometimes referred to as Separation of Duties or Separation of Powers) means, in basic terms, that no single individual should have control over two or more phases of a transaction or operation, so that a deliberate fraud is more difficult to perpetrate because it requires the collusion of two or more individuals or parties.

A simple example to illustrate this segregation is that, when dealing with the acquisition and disposal of assets, one party may be responsible for the physical receipt or disposal of the asset but may not be responsible for the book entry which adds or deletes the asset to the financial records of the company.

Critical duties can be categorized into four types of functions, viz:

With ideal Segregation of Duties, no one organisational role should be responsible for more than one of these duties (with respect to any particular asset). In practice, strict segregation of duties can be cumbersome and, more importantly, expensive to implement for minor items. Where there is not strict segregation of duties, it is necessary to add on compensating control activities such as audit trails and transaction logs, exception reports and supervisory reviews; a balance must be struck between strict segregation of duties, materiality and additional control activities.

The segregation of duties, and the monitoring of further control activities where this segregation is not strictly enforced, has been simplified to a large extent by the use of integrated software systems such as Enterprise Resource Planning (ERP) systems like SAP, Oracle and J.D. Edwards. These systems have clearly defined transactions and a rights allocation system that grants an individual user clearly defined transactional rights, so that the software's rights controls can be used either to enforce separation outright or to report, as exceptions, those transactions which transgress the segregation rules.

In addition, each of the ERP system vendors has identified and prioritised potential conflicts of duties, so that the most important segregations can be identified and implemented. For example, consider the following matrix of (SAP) duties which should be segregated because the combination is considered high risk. The list is only partial, but illustrates some of the reasoning behind the segregation of duties.
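The two uses of an ERP rights model described above, enforcing separation at the point rights are allocated and reporting as exceptions the transactions that transgress the rules, can be expressed as two small checks over the same conflict matrix. The following Python is an added example and is not code from the book or from any ERP vendor; the duty names, roles, users, conflict pairs, document amounts and log entries are all constructed for illustration and do not reproduce the SAP matrix the text refers to. The materiality threshold is an assumed parameter that reflects the book's point that strict segregation is balanced against materiality and compensating controls.

```python
"""Segregation-of-duties checks over a constructed rights model.

Two checks, matching the two ways the text says ERP rights controls are used:
  1. preventive: find users whose accumulated transactional rights span a
     high-risk pair of duties, so separation can be enforced at allocation;
  2. detective: scan a transaction log for documents on which one user
     performed two conflicting phases, reported as exceptions for supervisory
     review where strict separation is not enforced.
All duties, roles, users, amounts and log lines below are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed high-risk conflict matrix: pairs of duties one person should not
# hold for the same asset. frozenset makes the pair order-insensitive.
HIGH_RISK_PAIRS = {
    frozenset({"maintain_vendor_master", "enter_vendor_invoice"}),
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"post_goods_receipt", "enter_vendor_invoice"}),
    frozenset({"enter_vendor_invoice", "release_payment"}),
    frozenset({"maintain_vendor_master", "release_payment"}),
}

# Constructed role -> duties map, standing in for the ERP rights allocation layer.
ROLE_DUTIES = {
    "purchasing_clerk": {"create_purchase_order"},
    "purchasing_manager": {"approve_purchase_order"},
    "warehouse": {"post_goods_receipt"},
    "ap_clerk": {"enter_vendor_invoice"},
    "treasury": {"release_payment"},
    "master_data": {"maintain_vendor_master"},
}

# Constructed user -> roles assignments; bob and carol accumulate conflicting rights.
USER_ROLES = {
    "alice": {"purchasing_clerk"},
    "bob": {"purchasing_clerk", "purchasing_manager"},
    "carol": {"ap_clerk", "treasury"},
    "dave": {"warehouse"},
}

# Constructed transaction log: (document_id, user, duty performed).
TRANSACTION_LOG = [
    ("PO-1001", "alice", "create_purchase_order"),
    ("PO-1001", "bob", "approve_purchase_order"),
    ("PO-1002", "bob", "create_purchase_order"),
    ("PO-1002", "bob", "approve_purchase_order"),
    ("INV-7", "carol", "enter_vendor_invoice"),
    ("INV-7", "carol", "release_payment"),
    ("INV-8", "carol", "enter_vendor_invoice"),
    ("INV-8", "frank", "release_payment"),
]

# Constructed document values, used for the materiality filter.
DOC_AMOUNTS = {"PO-1001": 12000.0, "PO-1002": 800.0, "INV-7": 45000.0, "INV-8": 300.0}


def user_duties(roles, role_duties=ROLE_DUTIES):
    """Union of duties over every role assigned to one user."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def rights_conflicts(user_roles, role_duties=ROLE_DUTIES, pairs=HIGH_RISK_PAIRS):
    """Preventive check: (user, duty_a, duty_b) for each high-risk pair that a
    single user's accumulated rights cover. Run this before granting a role."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        duties = user_duties(roles, role_duties)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in pairs:
                findings.append((user, a, b))
    return findings


def log_exceptions(log, amounts, pairs=HIGH_RISK_PAIRS, materiality=0.0):
    """Detective check: documents on which one user performed two duties that
    form a high-risk pair. Only documents valued at or above the materiality
    threshold are reported, reflecting the trade-off the text describes."""
    by_doc_user = defaultdict(set)
    for doc, user, duty in log:
        by_doc_user[(doc, user)].add(duty)
    exceptions = []
    for (doc, user), duties in sorted(by_doc_user.items()):
        if amounts.get(doc, 0.0) < materiality:
            continue
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in pairs:
                exceptions.append((doc, user, a, b, amounts.get(doc, 0.0)))
    return exceptions


if __name__ == "__main__":
    for user, a, b in rights_conflicts(USER_ROLES):
        print(f"rights conflict: {user} holds both {a} and {b}")
    for doc, user, a, b, amount in log_exceptions(TRANSACTION_LOG, DOC_AMOUNTS, materiality=5000):
        print(f"exception: {user} performed {a} and {b} on {doc} (value {amount:.2f})")
```

The preventive check is what stops the conflict from arising; the detective check is the compensating control for the cases where, as the text notes, strict segregation is judged too cumbersome or expensive, with the materiality threshold deciding which exceptions are worth a supervisor's attention.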

[...pages omitted...]

Selecting and Implementing Internal Controls - Where Next?

