Internal control and compliance - Policies procedures and au...

Learning Outcomes

After reading this article, you will be able to explain the purpose and components of internal control, distinguish between policies, procedures, and authorisation, and recognise their importance in preventing errors and fraud within an organisation. You will understand how internal checks, segregation of duties, and proper documentation support compliance and reliable financial reporting. By the end, you should be able to describe effective internal financial controls and identify management responsibilities for internal control under ACCA Business and Technology requirements.

ACCA Business and Technology (BT) Syllabus

For ACCA Business and Technology (BT), you are required to understand the principles and practice of internal control as they relate to policies, procedures and authorisation, and their application within financial and business systems. This article focuses on:

• Explaining internal control, internal check, and their objectives
• Outlining management’s responsibilities for establishing and monitoring effective internal control systems
• Describing the features and benefits of documented policies, procedures, and authorisation processes
• Identifying key control activities, such as segregation of duties, reconciliations, and documentation
• Recognising the importance of compliance in protecting client money and maintaining organisational integrity

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

1. What is the main difference between internal control and internal check?
2. Give two examples of control activities commonly found in a purchasing system.
3. Why is segregation of duties considered an important internal control?
4. Which key management responsibility relates to ensuring internal controls are properly implemented and maintained?

Introduction

Effective internal control is essential in any organisation to ensure reliable financial reporting, safeguard assets, and meet compliance needs. Central to internal control are documented policies, step-by-step procedures, and clear authorisation requirements. Properly designed controls help prevent fraud, detect errors, and ensure legal and regulatory requirements are met, supporting stakeholder confidence and business success.

Key Term: internal control
A process designed and maintained by management to provide reasonable assurance regarding the achievement of objectives in financial reporting, operational efficiency, and compliance.

Key Term: internal check
The arrangement of duties so that work performed by one person is automatically checked by another, reducing the risk of error or fraud.

The Role of Policies, Procedures, and Authorisation

Policies

Policies are formal, written statements that establish the organisation’s intentions and expectations in specific areas (e.g. credit policy, expense approval policy). They guide staff on required behaviour and decision-making.

Key Term: policy
A guiding principle or rule set by an organisation to direct decisions and actions.

Procedures

Procedures are the detailed, step-by-step instructions for carrying out tasks in accordance with policies. For example, a procedure might specify exactly how to process supplier invoices from receipt to payment.

Key Term: procedure
A defined sequence of actions or steps to perform a task consistently and correctly.

Authorisation

Authorisation is the process of granting approval before certain transactions or activities can occur. It ensures only permitted individuals can commit the organisation’s resources or make binding decisions.

Key Term: authorisation
The permission granted by management or a responsible person to enable a transaction or activity to proceed, usually evidenced in writing.

The Purpose of Documented Controls

Documented policies and procedures support internal control by:

• Ensuring consistency in performing tasks and recording transactions
• Serving as a reference for training staff and supporting new hires
• Providing a standard for audit and review
• Reducing confusion and ambiguity about roles and responsibilities
• Creating accountability for actions taken

Worked Example 1.1

An accounts assistant receives an invoice for office supplies. The organisation’s purchasing policy requires that any invoice over £1,000 must be approved by the purchasing manager. What control should be in place, and why?

Answer:
The procedure should state that the assistant cannot process payment for invoices over £1,000 without obtaining the purchasing manager’s written authorisation, ensuring compliance with policy and preventing unauthorised expenditure.

Control Activities Supporting Compliance

Control activities are measures embedded in daily operations to ensure policies and procedures are followed. Common control activities supporting compliance include:

• Segregation of duties (splitting responsibilities between different people for related tasks)
• Authorisation of transactions (pre-approval by managers)
• Physical controls (safeguarding assets and documents)
• Reconciliations (regular comparison of records for discrepancies)
• Documented reviews and approvals
• Exception reporting (highlighting unusual items for investigation)

Segregation of Duties

No single person should be able to process a transaction from start to finish. For example, one person orders goods, another receives them, and a third approves payment. This minimises risk of error and fraud.

Reconciliations

Regular checks, such as matching bank statements to the cash book, help detect errors or unauthorised transactions quickly.

Worked Example 1.2

In a payroll process, the same staff member is responsible for adding new employees to the payroll records and processing wage payments. What internal control weakness exists, and how should it be corrected?

Answer:
Combining both duties allows the staff member to create fake employees and pay themselves fraudulently. Segregation should be introduced so that one employee maintains the records and another processes payments.

Authorisation Controls in Practice

Authorisation can be general (e.g. all routine purchases up to £500 by any department head) or specific (e.g. board approval for capital expenditure over £10,000). Evidence of authorisation is an important audit trail.

Worked Example 1.3

A sales clerk issues customer refunds without any managerial approval. What risk does this pose, and what control should be added?

Answer:
The risk is unauthorised or fraudulent refunds. The procedure should require that all refunds be approved and signed by a manager before payment.

Management Responsibilities for Internal Control

Management is responsible for:

• Establishing a control environment (culture of compliance and integrity)
• Designing, implementing, and reviewing internal control systems
• Documenting and communicating policies, procedures, and authorisation requirements
• Training staff and monitoring compliance
• Responding to control weaknesses and updating procedures as necessary

Failing to maintain effective controls can result in errors, fraud, regulatory breaches, financial loss, and reputational damage.

Key Term: control environment
The overall attitude, awareness, and actions of management regarding internal controls within the organisation, shaping how controls are applied and respected.

Internal Check and Systems Compliance

Internal checks mean that processes are designed so that no task is completed by just one individual without review, reducing the opportunity for both intentional and accidental errors.

For compliance, internal controls must also ensure:

• Adherence to legal obligations (e.g. safeguarding client money)
• Protection of confidential and sensitive information
• Timely and accurate record-keeping for audit and monitoring

Key Term: compliance
Observing and acting in accordance with relevant laws, regulations, policies, and procedures.

Features of Effective Internal Financial Controls

An effective internal control system typically includes:

• Clearly documented policies and procedures
• Appropriate levels of authorisation and approval
• Segregation of incompatible duties
• Systematic record-keeping and checks (such as reconciliations)
• Physical security over assets and documents
• Ongoing monitoring and improvement based on reviews and audits

Exam Warning

Weak documentation or unclear authorisation procedures greatly increase fraud and error risk. For the exam, be ready to identify where controls are lacking and suggest improvements.

Summary

Organisational compliance relies on robust internal controls—clear policies, step-by-step procedures, and strong authorisation practices—supported by management oversight. Controls such as segregation of duties, reconciliations, and regular review reduce risks, enable reliable reporting, and help meet both external requirements and internal standards.

Key Point Checklist

This article has covered the following key knowledge points:

• Explain internal control, internal check, and management responsibility for controls
• Distinguish between policies, procedures, and authorisation
• List common control activities and their importance (e.g. segregation of duties, reconciliations)
• Describe the role of authorisation in reducing risk and supporting compliance
• State features of effective internal financial controls
• Recognise why documenting controls and checking compliance is essential in business

Key Terms and Concepts

• internal control
• internal check
• policy
• procedure
• authorisation
• control environment
• compliance