
Demystifying Internal Controls

Posted on 14 February, 2019 at 12:26

By Epaphras Chinyakuza

There are two main reasons why organisations overlook internal controls: ignorance of the required controls, and mutual trust, where personnel assume everyone is properly executing their roles. According to the Turnbull Report (1999), internal controls and their scope are defined as follows:

“The policies, processes, tasks, behaviours and other aspects of an organisation that taken together facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational, financial, compliance and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that liabilities are identified and managed. Internal controls ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from both internal and external sources. They also ensure compliance with applicable laws and regulations and also with internal policies.”

Most NPOs have a board of directors/trustees. The board is responsible for ensuring that appropriate internal controls are in place. In some cases, the directors may consider it prudent to establish a dedicated internal control function. The point at which this decision is taken will depend on the extent to which the benefits of the function will outweigh its costs. The directors must pay due attention to the control environment. If internal controls are to be effective, it is necessary to create an appropriate culture and embed a commitment to robust controls throughout the organisation.

Controls can be categorised in many different ways. Figure 1 describes five categories that are often used.

Figure 1: Categories of controls

Adapted from Jackson and Stent (2014)


Internal controls can also be:

Mandatory or voluntary: Mandatory controls are those which must be applied, irrespective of circumstances. These are widely used to prevent breaches of laws or policy, as well as to minimise risks relating to health and safety. Voluntary controls are applied according to the judgement of the organisation and its managers.

Discretionary or non-discretionary: Managers may be permitted discretion according to their interpretation or judgement of risks in given circumstances. Non-discretionary controls must be applied.

Manual or automated: Manual controls are applied by the individual employee, whereas automated controls are programmed into the systems of the organisation. Some systems combine the two: for example, when deciding whether a customer should be permitted a number of days on hand for payment, there could be an automated ‘accept’ above a specified credit rating, an automated ‘decline’ below a specified credit rating, and an intermediate range in which a manager may be able to override the automated system.

General controls or application controls: This classification of controls applies specifically to information systems. General controls help to ensure the reliability of data generated by systems, helping to ascertain whether systems operate as intended and output is reliable. Application controls are automated and designed to ensure the complete and accurate recording of data from input to output.
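The combined manual/automated control described above, as an added example that is not part of the original article: the automated part decides clearly outside the intermediate band, and inside it a manager may decide, but only a manager distinct from the requester (segregation of duties) and only with a recorded reason. The rating thresholds, the "pending" state and the role names are assumptions.

```python
"""Added example (not from the article): credit-terms decision combining an
automated threshold control with a manual override band. Thresholds and
names are assumed for illustration."""
from dataclasses import dataclass, field

DECLINE_BELOW = 400   # assumed: ratings below this are declined automatically
ACCEPT_ABOVE = 700    # assumed: ratings above this are accepted automatically


@dataclass
class Decision:
    outcome: str                 # "accept", "decline" or "pending"
    source: str                  # "automated" or "manual-override"
    audit: list = field(default_factory=list)  # trail for later monitoring


def automated_control(customer: str, rating: int) -> Decision:
    """Automated part: a clear accept/decline outside the intermediate band,
    otherwise the request is left pending for a manager."""
    if rating > ACCEPT_ABOVE:
        d = Decision("accept", "automated")
    elif rating < DECLINE_BELOW:
        d = Decision("decline", "automated")
    else:
        d = Decision("pending", "automated")
    d.audit.append(f"{customer}: rating={rating} -> {d.outcome} (automated)")
    return d


def manager_override(d: Decision, customer: str, manager: str,
                     requester: str, approve: bool, reason: str) -> Decision:
    """Manual part: allowed only in the intermediate band, never by the
    person who raised the request, and always with a documented reason."""
    if d.outcome != "pending":
        raise PermissionError("override is only allowed in the intermediate range")
    if manager == requester:
        raise PermissionError("a requester cannot approve their own request")
    if not reason.strip():
        raise ValueError("an override requires a documented reason")
    d.outcome = "accept" if approve else "decline"
    d.source = "manual-override"
    d.audit.append(f"{customer}: {d.outcome} by {manager} for {requester}: {reason}")
    return d
```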


The components of internal control

1. Control environment

Leadership can influence controls by:

Setting the right tone at the top

Leadership needs to lead by example. Leadership should not be exempt from internal control activities; for example, they should submit receipts for approval.

Creating a culture of financial discipline

Policies and procedure manuals should be monitored regularly by the leadership. For example, budgets should be approved by the Board and regularly monitored by leadership.

Promoting transparency

Leadership should promote and encourage an open and transparent environment. For example, to promote transparency, policies such as a whistle-blower policy and a conflict of interest policy should be established.

Policies and procedures

Procedures are specific tasks and measures developed and implemented by management.


Policies are resolutions adopted by the Board for the proper functioning of the organisation.

Some of the policies that are critical and that reduce risk are as follows:


Policy: Revenue/Donor Acknowledgement
Risk reduction: Provides a check and balance for funds flowing into the organisation
Process/transactions: Regular reconciliations between finance and development

Policy: Petty cash policy
Risk reduction: Ensures staff are aware of the organisation-wide petty cash policy and allows management to review expenses
Process/transactions: Purchasing approval thresholds

Policy: Conflict of interest/whistle blower
Risk reduction: Promotes transparency
Process/transactions: Conflict of interest disclosure form for both board and staff; whistle blower hotline

Policy: Human Resources policy
Risk reduction: These are guidelines on the approach an organisation intends to adopt in managing its people. A good HR policy provides generalised guidance on the approach adopted by the organisation, and therefore its employees, concerning various aspects of employment.

Policy: IT policy
Risk reduction: Creates awareness of how to protect against threats to privacy/systems; evaluates trade-offs between security and efficiency
Process/transactions: Staff training on what to do when encountering suspicious emails/phishing attempts

2. Risk assessment process

This component deals with how the organisation assesses the risks which face the organisation and how they should be addressed.

The risk assessment process involves:

  • identifying business risks relevant to financial reporting objectives
  • assessing the likelihood and frequency (occurrence) of risks identified
  • estimating the potential impact (significance of) if the risk was to occur
  • deciding about actions to address the risks.


In large organisations, the risk assessment procedures may be very formal and specific, and the following are very common:

  • the appointment of risk committees and risk officers
  • the engagement of external risk consultants
  • the use of risk models
  • regular meetings at divisional, departmental and sectional level to consider the risks at those levels
  • strategy meetings involving senior management to assess risk at an overall level.

3. Control Activities

These are the actions, supported by policies and procedures, which are carried out to manage or reduce the risks that the objectives of the organisation will not be met.

There are numerous control activities with different objectives and which are applied at different organizational levels and functions. Control activities are listed as follows:

  • procedures supported by policies
  • approval, authorization
  • segregation of duties
  • comparisons and reconciliations

4. Monitoring of controls

The final component of internal control is monitoring. This involves the assessment of internal control performance over time. Management sets up internal controls with the intention of reducing the risks that the organisation’s objectives will not be met. Monitoring is the component of the process which tells management how they are doing. Successful monitoring is achieved by ongoing assessment by management itself, supervisory staff such as department heads or “independent” bodies such as internal audit or risk committees.

Monitoring of the internal control process is not only about determining whether the control activities are actually taking place but also about determining whether the controls are effective.


It is important for organisations to put in place controls that are effective in enabling the organisation to achieve its objectives. The next article will look into the importance of these internal controls to NPOs.



NMap Technologies