System of Internal Control
An organisation's system of internal control is established by management to provide reasonable assurance of effective and efficient operations, internal financial control, appropriate internal and external reporting and compliance with laws and regulations. The system of internal control should form part of the organisation’s culture, be capable of responding quickly to emerging risks and include procedures for reporting any significant control failures and weaknesses.
It must be stressed that the system of internal control has a significant human element. Control depends not merely on the existence of regulations, policies and procedures but also on the behaviour of people in their day-to-day work, the decision-making processes in place and the management style, all of which play a pivotal role.
Any system of internal control can and should provide only reasonable, not absolute, assurance as to the effectiveness of the control arrangements. Given the human dimension and the judgment the system requires, a requirement to give absolute assurance on all aspects of the organisation would significantly impair the organisation and promote a risk-averse climate, which would arguably prevent it from delivering some of its services.
Controls may be classified as follows:
- Directive controls are designed to cause or encourage a desired result. Examples of directive controls are policies and procedures and their implementation through communication and training, seminars, inductions and information events.
- Preventative controls are designed to deter the occurrence of unwanted events. Examples of preventative controls include segregation of duties, with clear roles, responsibilities and authorities to approve that involve several people; and physical safeguards, including restricted access to buildings, access to computer information via passwords, and destruction of confidential documentation and information.
- Corrective controls are designed to detect and rectify undesirable events which have occurred. Examples include exceptional reporting arrangements for out-of-the-ordinary occurrences, system validation checks and control reviews.