Behavioural Implications Of Internal Control

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

This report will observe internal controls, focusing primarily on the behavioural implications of internal control. Throughout, it will examine what internal control actually is, the objectives and the effectiveness of internal controls. Recent current issues have highlighted weaknesses with internal control. This report shall assess and state what the main issues involving internal control actually are.


This report will mainly focus on using research from formal papers. Use of newspapers and journals has been limited as the aim of this report is not for opinions but for fact.


Internal control is intended to supply practical reassurances concerning the attainment of objectives, affected by an entity's board of directors, management and other personnel. The objectives in question are related to the effectiveness and efficiency of operations, the reliability of financial reporting and the compliance with applicable laws and regulations. When looking at the effectiveness and efficiency of operations, it is regarding an entity's basic business objectives, including performance and profitability goals and safeguarding of resources. The reliability of financial reporting relates to the preparation of reliable published financial statements, while compliance with applicable laws is about complying with the laws and regulations to which the entity is subjected.

Internal control is made up of five interrelated components. These come about from the method management controls a business and are incorporated with the management process. Although the components apply to all entities, small and mid-size companies may implement them differently than large ones. Its controls may be less formal and less structured, yet a small company can still have effective internal control. The components are the control environment, risk assessment, information and communication, control activities and monitoring.


Types Of Internal Control

Internal controls can detective, corrective or preventive by nature. Detective controls are intended to detect errors or irregularities that may have occurred. Corrective controls are designed to correct errors or irregularities that have been detected. Preventive controls, on the other hand, are designed to keep errors or irregularities from occurring in the first place.

Objectives Of internal Control

A Company's objectives, internal organisation and the environment in which it operates are constantly evolving. Consequently, the risks it faces are frequently changing. A reliable internal control system accordingly depends on a thorough evaluation of the extent and nature of the risks to which the company is exposed. As profits, in part, are the rewards for successful risk taking in business, the purpose of internal control is to help manage and control risk appropriately.

In 2004, The Accounting Practices Board released six important standards. These standards were to strengthen auditing practices and it included the ISA 330, which was 'The Auditor's Procedure in Response to Assessed Risks'. ISA 330 stated that the main objectives of internal control are to ensure management policy is adhered to, to prevent and detect fraud, to ensure the completeness of accounting records, to safeguard assets and to achieve the timing preparation of accounting records.

Effectiveness of Internal Control

Establishing and maintaining successful internal control is a major management duty. 'The evaluation of the overall effectiveness of internal control is both the end and the beginning of the process' (Ernst and Young, 2003)

Management would need to look at a number of things to decide whether internal control is effective. These include the timings of when the control is performed, i.e. the less regularly the control is implemented, the less number of times the test has to be performed in order for the project team to be content concerning the efficient function of the control.

The reliability of documentation is also very important. It would be a good idea, if the making of very important documents were done in groups, so that no one person had full responsibility for a piece of vital information. This would lead to there being less chance of any problems of fraud.

Limitations of Internal Control

Internal control cannot by itself guarantee the attainment of the common objectives. An efficient internal control system can only give reasonable, and not absolute, reassurance to the board about the attainment of an entity's objectives or its endurance. It can however, give management information about how the entity is progressing towards its achievement of the objectives.

As internal control depends on the human factor, it is subjected to human errors of judgement or interpretation, carelessness, distraction, misunderstanding, fatigue, abuse or override, leading to incomplete processing. Efficient internal controls can become inefficient if not followed correctly. If the firm, do not understand fully how the internal control system is meant to work, then this can cause major problems with the relevance of the results.

Changes in government policy or even economic conditions may require managers to re-design controls. This mean that there will constantly be a danger that internal control will be inadequately planned.

There are some factors outside of the scope of internal control, such as competition or technological innovation. These factors will only factor into the internal control system after some time, and not immediately, maybe scuppering the chances of the firm reaching their internal control objectives.

Purpose of testing Internal Controls

Under section 404 of the Sarbanes Oxley Act, companies are required to test the effectiveness of their operating internal controls. This was to ensure that all possible errors, including any evidence of fraud, were found before an external audit. It was also to ensure that all management policies were correct. If the internal controls are found to be effective, then that would reduce the amount of substantive testing at the year end. Substantive testing is when the auditor collects evidence that the figures in the financial statements are reliable and in accordance with the required standards.

International Standards on Auditing (ISA315)

The purpose of ISA 315 was to establish standards and provide guidance on obtaining an understanding of an entity and its environment, including its internal control, and on assessing the risks of material misstatement in a financial statement audit. In particular, it states that an auditor should understand what internal controls are relevant to the audit.

Current Issues (Recession)

A huge scandal which shook the auditing profession was Enron. Worden (2002) stated that Enron caused confidence in auditors to drop dramatically, while Holm and Laursen (2007) stated that the scandal of Enron put into question the reliability of financial reporting.

Enron's spectacular collapse transpired from the disclosure that the company had reported false profits, using accounting methods that failed to follow generally accepted procedures. Financial losses disguised as profits failed to be detected by both internal and external controls. Enron's Board of Directors and Audit Committee, claimed to have not understood the financial activities as they were too complicated, therefore they did not provide sufficient oversight.

David (2002) reported that the independence of the auditors and of the audit quality was questioned by the failure at Enron. This was because it became apparent after the collapse that Arthur Anderson, the auditors of Enron, had received payment for both audit and non-audit services.

It also became apparent that Arthur Anderson did not report the fraud they had witnessed in the company's accounts to the stockholders and stakeholders as the fraud had been committed by management. The auditors feared that reporting this fraud would result in them losing the company as their non-audit client.

The Enron fraud however, was just one of the high profile accounting frauds reported worldwide in current times. Other companies across Europe and America also had massive frauds reported, such as Worldcom, Parmalat and more recently Northen Rock in 2007.

The demise of Worldcom, in 2002, was blamed on 'accounting irregularities'. Again, the fact that this was not picked up was blamed on the auditors, which was again Arthur Anderson. Worldcom failed to differentiate assets from expenses, showing unreliability and breaking the objectivity principle rule.

Due to the nature of these scandals and frauds, investors' confidence was lost and doubts were being cast over the integrity of the financial reporting system, including the efficiency of the internal control audit process.

In order to prevent further scandals like Enron and Worldcom and to restore investors' confidence, the US Federal Government bought in the Sarbanes Oxley Act in 2002.

In 2008, American Bank Lehman Brothers collapsed. Auditors Ernst and Young were blamed for signing off misleading accounting statements. A report into the demise of Lehman Brothers, by Valukas, included criticism that had been used by the bank the buy itself some time. These included a program to temporarily boost its balance sheet, and get a temporary influx of cash. When and executive tried to whistle blow by alerting the auditing firm, no action was taken. Ernst and Young were accused of failing to question the disclosures.

Main Issues

- Segregation of Duties

Segregation of duties is one of the most important aspects of internal control. Duties are segregated between numerous other people to lessen the risk of fault or unsuitable action. Generally, responsibilities for authorising business, recording dealings (accounting) and managing the associated benefit (custody) are divided. The duties assigned to staff must not conflict. A lack of segregation in duties increases the exposure to fraud. If under legitimate circumstances (small departments) these functions cannot be separated, a detailed supervisory review of related activities is required as a compensating control activity.

The case of Robert Maxwell demonstrates this, as he held both chairman and chief executive positions. Due to the lack of segregation of duties this led to the concentration of power, which therefore, enabled fraudulent activity to occur.

- Agency Problem

Jensen and Meckling defined agency costs in, their 1976 paper entitled 'Theory of the Firm: Managerial Behaviour, Agency Costs and Ownership Structure'. In the paper, they defined an agency relationship 'as a contract under which one or more persons (the principal(s)) engage another person (the agent) to perform some service on their behalf which involves delegating some decision making authority to the agent. If both parties to the relationship are utility maximisers, there is good reason to believe that the agent will not always act in the best interests of the principal'. This definition means that in the instance of the company shareholders and managers, if both parties wanted the best for themselves, then agency costs would incur.

The case of Enron magnetised the agency problem. The scam was of such a large magnitude that the question of why it was never discovered until the collapse has to be asked. Arnold and Lange (2004) stated that there was an erosion of Enron's financial statements, and that these were more readily available to the agents and less readily available to the principals. This occurred through ongoing misrepresentation of financial statements.


After the collapse of Enron, the Sarbanes Oxley Act of 2002 stated that companies must report annually on their internal controls over financial reporting. Section 4040 of Sarbanes Oxley, 'Management Assessment of Internal Controls' contracts that public companies must take accountability for maintaining a successful internal control system and for reporting on the system's efficacy. The rule is meant to help companies check financial reporting mistakes and deception. Section 404 requires most publicly registered companies and their independent auditors to provide details on the effectiveness of the company's internal controls over financial reporting.

'After a company's mangers review the internal controls, its external auditor must perform an independent assessment and report whether it agrees with management's conclusions on the review' (Yongtae, Myung, 2009).

The Higgs Review (2003), Turnbull Report (2005) and Smith Report (2003) all made huge improvements in financial performance, investor confidence and increasing the competiveness among companies, in financial reporting. Together these reports looked at the role of the effectiveness of non-executive directors, proposed a revised combined code (2003), looked at internal controls and risk management and produced guidance to assist boards in making suitable arrangements for their audit committees.


Effective internal controls are needed to ensure that financial statements give a true and fair view. Issue in internal control, such as segregation of duties and agency problem, have been reflected in business failures, including Enron and WorldCom, as well as the failure of the Lehmann Brother more recently. This all leads to the fact that internal control is still very much a human problem.

An Internal Control System is needed by all organisations. The effectiveness of an Internal Control System is a mixture of the time it takes to find and resolve incidents and the simplicity with which those can understand the risk analysis.

While laws such as the Sarbanes Oxley Act of 2002 are excellent for business, the issues described must first be found a way to be dealt with. Otherwise, there is nothing stopping more companies from failing the same way.


To help improve the problem of internal controls, entities should adhere to strict credit risk assessments, and these should not be compromised in any way. Entities should evaluate the credit worthiness of new customers, and if they feel that there is a risk that they would not be paid, then business should not be done with them. Banks have to be stricter on the security procedures of new customers. If it is felt that the customer is likely not to be able to pay off a credit card or loan for example, sufficient internal controls have to be in place to stop them from getting into debt in the first place. These provisions for internal control would all help an entity survive.