APPENDIX 4: LIST OF SCHEDULE 1 OFFENCES 270
5.4 INTERNAL CONTROL IN THE 21 ST CENTURY
5.3.5 Internal Control During the 16th and 17th Centuries
Geijsbeek (1914:12) refers to Simon Stevin, who was born in 1548 near Antwerp in the Netherlands. Stevin was multi-skilled in that he was an engineer, accountant, writer and auditor, among other things. According to Geijsbeek (1914:12), Stevin wrote a book
“Verrechning Van Domeine” in 1604, in which he explained the many forms of internal control methods. Some examples were:
The pay roll of soldiers and public officials were sent directly to the auditors for checking;
The cook, who prepared meals for these soldiers and public officials, reported independently to the auditors about the number of meals they served;
In order to prevent errors and theft when collecting taxes and rents, the sub- treasurer reported to the general treasurer monthly about the receipt of cash and expenditure as well as about people who were not making their payment.
Arrear rent was reported monthly to the general treasurer so that the property of the defaulter could be sold or other suitable payment agreed upon.
According to Lee (1971:157), there are other examples which prove that internal controls were regarded as an essential aspect of the book-keeping process. Some examples of this are:
Jan Yamey Christoffels who published a book in 1547, wherein he suggested that the pages of accounting books should be numbered to prevent fraud and error.
Gerald Malynes wrote in Lex Mercatoria in 1656, that fraud could be prevented if no spaces are left between journal entries.
Internal control as a method to prevent fraud and error is relevant today, particularly in respect of employee fraud and prevention strategies at universities in KwaZulu-Natal.
are insufficient to prevent fraud from taking place because they only reasonably assure the board of directors and management, and also because there are not many internal controls which cannot be manipulated by fraudsters. KPMG (2011:10) reports a significant increase in the number of incidents where weak internal controls were exploited by fraudsters. While Rae and Subramaniam (2008:104) suggest that a key deterrent of fraud is internal control, fraud continues to occur in organisations. Shah and Usman (2013:2) propose that factors such as internal control coupled with the education of staff and clients is essential to prevent fraud.
Flostoiu (2012:25) believes that a fraudster has profound knowledge about the activities of a company including its internal control environment and its weaknesses. This makes a fraudster a risk to an organisation unless internal controls are robust enough to prevent fraud from occurring or at least detect fraud shortly after it occurs. Flostoiu (2012:27) asserts that internal control is the most appropriate mechanism to prevent fraud from occurring. Albrecht (1998:111) believes that a significant factor that facilitates fraud is not the lack of internal controls but rather the failure to uphold existing controls. According to KPMG (2011:21), internal control weaknesses increasingly contribute to the commission of fraud. The view of KPMG (2011:21) is that an organisation should make itself resistant to fraud and improve its fraud prevention programmes.
According to Wells (2002:28), fraud can be prevented with the implementation of fundamental internal controls as well as through audits and appropriate oversight. KPMG (2013:3) suggests that fraudsters are constantly creating new ways to commit fraud and organisations should respond with appropriate ways to defending themselves from this. KPMG (2013:6) argues that, although internal controls are essential, controls are reliant on human beings to function.
Seidman (2002:415) argues that frauds are frequently discovered, not by internal controls or auditing techniques, but by chance. Kaymaz et al. (2011:171) take the stance that a sound corporate culture, coupled with effective internal controls, are essential against employee fraud. KPMG (2011:21) emphasises that the challenge for companies is determining how to tighten controls and prevent fraud from occurring and also detect and investigate fraud that has already occurred. The survey by KPMG (2011:10) also found a significant increase in cases where deficient internal controls were exploited by the fraudsters, escalating in 2007 from 49%
to 74% during 2011. Haugen and Selin (I999:340) assert that weak internal controls create the opportunity for fraud to be committed. Internal controls are an essential intervention in preventing fraud, but may not be the only intervention required in the prevention of fraud.
Internal auditors are generally not skilled to detect fraud. According to Flostoiu (2012:27), an internal auditor does not have expertise in the detection and investigation of fraud.
Organisations cannot rely entirely on their internal audit department to detect or investigate fraud. The onus is on management to devise appropriate and adequate systems of internal controls aimed at preventing and detecting fraud.
In managing risks, COSO (2013:1) avers that internal controls assist organisations in achieving, maintaining and improving its performance. COSO also believes that its framework provides management and the board of directors of an organisation, with guidance to appropriately address risks with a specific focus on fraud prevention measures. Similarly, the Institute of Directors Southern Africa, suggests in King III (2009:44) that management should ensure that internal controls are adequate and effective in preventing fraud. KPMG (2011:21) supports this view and believes that organisations should tighten internal controls and prevent fraud from occurring as well as detect and investigate fraud, should it occur. It is management’s responsibility to adequately implement internal controls to manage fraud risks.
Albrecht and Schmoldt (1988:18) argue that a lack of segregation of duties between employees has resulted in many frauds.
There is clearly a need to prevent frauds from recurring in the workplace. The Chartered Institute of Management Accountants (CIMA, 2008:24) suggests that the implementation of adequate internal controls, policies and procedures, and fraud awareness initiatives will contribute to the prevention of fraud. CIMA (2008:24) asserts that fraud prevention is the cornerstone for the sustainability of an organisation but many have not adopted an appropriate stance for the prevention of fraud. The recovery of stolen funds from the perpetrator or through insurance is most often low (CIMA 2008:24). This suggests that prevention is better than cure.
Jackson and Stent (2010:5/3) suggest that there are four aspects of internal control. First, internal control is an ongoing process and not an end state. Second, people are required to give effect to the internal control. Third, internal control can only provide reasonable assurance that the desired objectives set by management will be achieved. It does not provide absolute assurance. Lastly, internal control is intended to provide reasonable assurance to the board and management about the achievement of objectives in three inter-related categories, namely:
economy, efficiency and effectiveness of its operations;
internal financial control, and
compliance with applicable laws and regulations.
Internal controls are essential to organisations because of their contribution towards the safeguarding of assets against fraud and error. This section is pertinent when considering employee fraud and prevention strategies at universities in KwaZulu-Natal. In order to prevent fraud organisations should devise and implement other measures as well because internal controls alone will not deter a resolute fraudster.
5.4.1 Elements of Internal Control
According to a report by The Financial Reporting Council (2005), commonly referred to as the Turnbull Report (2005:7), the elements of a sound system of internal control include the organisation’s policies, procedures, tasks, behaviours and other activities which enable it to:
operate effectively and efficiently while addressing risks such as business, operational, financial, compliance and others which prevent the organisation from achieving its objectives, including protecting assets from fraud, loss and abuse;
ensure appropriate quality of reporting based on sound information, and
ensure compliance with legislation, regulations, policies and procedures.
Turnbull (2005:7) suggests that the control environment is determined by the internal control system implemented by an organisation within its operational structure, which includes control activities, procedures that impact information and communications, and the process of monitoring.
According to Turnbull (2005:7), the system of internal control of an organisation should:
be consolidated within its culture and operations;
have the capacity to promptly adapt and respond to emerging risks, and
have laid down reporting mechanisms for employees to report control deficiencies as well control enhancements.
Turnbull (2005:7) postulates that robust internal control systems are able to minimise the effects of risks associated with bad decision-making, error, circumvention of controls, overriding of controls and other unforeseeable situations, but is unable to totally eradicate
risks. According to Turnbull (2005:8), an organisation receives reasonable assurance from a robust internal control system. Absolute assurance cannot be provided to an organisation that it will achieve its set objectives.
According to Jackson and Stent (2010:5/4), the ISA statement 315 highlights five components of internal control. They components are made up of the control environment, risk assessment, control activities, information and communication system and monitoring activities. These five components are elaborated on in more detail further in this chapter.
5.4.2 Objectives of Internal Control
Jackson and Stent (2010:5/4) suggest that there are five objectives of internal control.
Management designs and implements policies and procedures which assist them to achieve objectives in an effective and efficient manner. The objectives of internal control are to ensure that:
there is adherence to laid down policies and procedures;
assets are safeguarded against abuse and theft;
fraud and error are prevented and detected;
accounting records are accurate and complete, and
financial and other information is prepared timeously so that reliance can be placed on it to run the organisation.
5.4.3 Characteristics of Internal Control
In the quest to design and implement a robust system of internal control, the ISA 315 statement set out seven essential aspects to achieve sound internal controls. The characteristics of an organisation with sound internal control, according to ISA (2009:289), are:
Integrity and sound ethical values are communicated and enforced;
Management displays commitment to ensuring that there are competent skills and knowledge for specified jobs;
Individuals that responsible for governance remain independent from management, possess the appropriate experience, are involved and receive adequate and timely information, scrutinise activities, ask the difficult questions and interact with internal and external auditors;
The business philosophy and style of management encompasses sound risk taking, financial reporting and interaction with accounting functions and related staff;
Organisational structure is geared to plan, execute, control and review activities aimed at achieving its objectives;
Authority and responsibility are allocated to employees together with established reporting lines and authorisation regimes, and
Policies and procedures pertaining to human resources, for example recruitment, training, counselling, promotion and compensation, are in existence.
5.4.4 Limitations of Internal Control
Jackson and Stent (2010:5/4) aver that absolute assurance that internal controls will ensure that the objectives of an organisation will be achieved, cannot be given. This is due to the inherent limitations of internal controls. COSO (2013:137) similarly postulate that internal controls can only provide reasonable assurance to the board and management that the organisational objectives will be met. According to Jackson and Stent (2010:5/5), the limitation on the effect of internal controls is impacted by the following six elements:
the cost of the internal control versus the benefit to be derived;
internal controls directed at routine transactions only;
human error;
circumvention of internal controls involving collusion among employees or third parties;
overriding of internal controls by management, and
internal controls not updated timeously when the control environment changes.
Although there are limitations to internal control, it is particularly essential to employee fraud and prevention strategies at universities in KwaZulu-Natal.