Adequate and effective internal controls

March 1st, 2019

By Simthandile Kholelwa Myemane

The Rules made under ss 95(1), 95(3) and 109(2) of the Legal Practice Act 28 of 2014, and published on 28 July 2018, require legal practices to have internal controls in place. Rule 54.14.7 states:

‘A firm shall ensure that adequate internal controls are implemented to ensure compliance with these rules and to ensure that trust funds are safeguarded; and in particular to ensure –

– that the design of the internal controls is appropriate to address identified risks;

– that the internal controls have been implemented as designed;

– that the internal controls which have been implemented operate effectively throughout the period;

– that the effective operation of the internal controls is monitored regularly by designated persons in the firm having the appropriate authority.’

Right from the outset, I encourage readers to read this article together with ‘Find the problem before it finds you’ 2015 (July) DR 29.

The Internal Control – Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is the recognised standard for establishing internal controls. (References to an organisation in this article include a legal practice.) COSO defines internal control as:

‘[A] process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations.’

Under the COSO model a system of internal control is a process made up of five interrelated components, supported by 17 principles that COSO has attached to those components. Each component contributes to one or more of the three objectives above. The five components are:


Five components of internal controls

  • Control environment

The control environment is the ‘tone’ of the organisation and is the foundation for all other controls. One of the largest factors influencing the control environment in an organisation is the ‘tone at the top’. This is a term used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behaviour.

  • Risk assessment

All organisations, and all levels within an organisation, face a myriad of operating risks. Risks affect the organisation’s ability to survive, compete successfully, maintain financial strength and a positive public image, and maintain the quality of its services and products. This component, therefore, deals with the organisation’s ability to set clear operating goals and objectives, identify the risks that could impede achievement of those objectives, and reduce exposure to those risks to acceptable levels.

  • Control activities

These are policies and procedures that have been put in place to ensure that management’s directives are carried out. This is the component that most people consider when they think of ‘internal controls’.

  • Information and communication

This component concerns the way in which information is communicated throughout the organisation. Communication is essential for achieving all three of the objectives identified under the definition for internal controls.

  • Monitoring

All internal control systems and processes change over time. Some controls continue to evolve. Others lose effectiveness because they are no longer performed, are not consistently applied, or are applied incorrectly. This may be the result of inadequate training, staff turnover, lack of management response and attention to violations of controls, time or resource constraints, or any number of other reasons. Controls must therefore be monitored. This is typically done in two ways: ongoing monitoring, which takes place during regular operations, and separate periodic evaluations, which are typically performed by auditors or peer reviewers, or through self-assessments.

It is important that a legal practice establishes internal controls and that these are adequate and effective. Adequacy of controls refers to their design: a design that ensures they are appropriate and good enough to assist the legal practice in achieving its objectives. Internal controls are adequate if they reduce the likelihood of a negative event, its impact, or both. A control that reduces neither the likelihood of a negative event nor its impact on the legal practice, should it occur, is as good as absent.

The effectiveness of controls considers if the implemented controls achieve the purpose for which they were designed, as well as if they are consistently and correctly applied, and remain effective throughout the period. It should, however, be noted that ensuring consistent application of controls throughout the period, while their design is not adequate, will not assist the legal practice in its quest to achieve its objectives. Ensuring adequacy of controls, therefore, is key before ensuring their consistent and correct application.

Perhaps at this stage I need to remind readers that designing and implementing controls is only one of the risk responses a legal practice may employ, namely mitigating a risk. The other risk responses available to a legal practice are to avoid, transfer, or accept a risk. The choice of risk response is influenced by various factors, including but not limited to a cost-benefit analysis. For instance, if a control would cost a legal practice R 20 million to implement but mitigates a risk with an exposure of R 1 million, it would make sense to explore other ways of responding to the risk.

Internal controls

There are three types of controls that legal practices can have, and these are discussed below:

  • Preventative controls

Preventative controls are designed to stop an undesirable event before it happens. Some are very basic and include the physical protection of facilities and assets. Other examples are segregation of duties (ie, separation of incompatible functions), especially within the finance environment, proper authorisation, and adequate documentation. With segregation of duties, legal practices are encouraged to assign the responsibility for receiving money and the responsibility for recording it to different personnel, so that no single person can both take money and conceal the fact in the records. Proper authorisation means ensuring that transactions are authorised before they are effected; for instance, withdrawals from the trust and business bank accounts should follow laid-down authorisation procedures before any withdrawal is made. Adequate documentation ensures that transactions are properly recorded and can be easily traced. Preventative controls, when applied consistently, also deter individuals from planning dishonest acts against the legal practice, because they fear being caught, and so protect the legal practice from attempts as well.

  • Detective controls

Unlike preventative controls, which act as deterrents, detective controls do not prevent an act from happening, but detect it once it has happened. They are backup procedures designed to catch items or events that have been missed by the first line of defence. An example of a detective control is management review of reconciliations. Detective controls are also audit oriented; for example, one may audit the legal practice’s assets by comparing a physical count of the assets on hand against the legal practice’s purchasing records. A further example is an anonymous tip-off facility through which known or suspected acts of dishonesty are reported and brought to the attention of those who should know. As can be seen, this type of control is applied after the fact, but it is no less important and is necessary.

  • Corrective controls

Corrective controls remedy the problems that the other controls bring to light. Internal controls do not exist only to discover fraud; they also identify errors and other unintentional irregularities that require remedial action. Corrective action may include additional training of an employee and/or disciplinary action. Following the discovery of fraud, corrective controls are developed to counter the particular scheme employed by the perpetrator. Corrective actions, also being after-the-fact controls, therefore tend to redress areas that were not identified as requiring preventative controls at the outset, or to strengthen controls that already exist.

From the foregoing, it becomes clear that strong internal controls can help keep a legal practice healthy. Strong controls help achieve at least four key objectives:

– Safeguarding of assets: Physical and financial assets from fraud, theft, errors and irregularities.

– Ensuring reliable financial reporting: Strong internal controls ensure validity of financial data, thus helping management to make more informed decisions.

– Maintaining compliance: Credible data enables legal practices to meet their regulatory and statutory filing and reporting requirements.

– Accomplishing operational efficiency: A strong internal control environment can foster efficiency through removing unnecessary or duplicative steps in a process, or even combining certain functions in a cost-effective manner. While internal controls can be expensive, properly implemented internal controls can help streamline operations and increase operational efficiency, in addition to preventing fraud.


In conclusion, legal practitioners are encouraged to ensure that the risk responses employed at their legal practices are informed and reduce the likelihood and/or the impact of the negative events identified during the risk identification and risk assessment stages. A risk response that mitigates a negative event should pass the cost-benefit test and should not be viewed as the only available response. All staff and management at the legal practice are responsible for internal controls. They are responsible for ensuring that the necessary controls are in place in their respective areas of responsibility, and that everyone in the legal practice adheres to those controls. Not only should a legal practice put controls in place, it should also identify the individuals responsible for applying and monitoring them.

The value of enterprise risk management is truly derived once the components of the enterprise risk management process are embedded throughout the legal practice, and everyone understands what the legal practice seeks to achieve, and how each person contributes to the achievement or non-achievement of the legal practice’s objectives.

Overriding internal controls should be authorised at a very senior level within the legal practice, and should be the exception rather than the norm; otherwise the controls are worthless.

Simthandile Kholelwa Myemane BCom Dip Advanced Business Management (UJ) Cert Forensic and Investigative Auditing (Unisa) Certified Control Self Assessor (Institute of Internal Auditors) is the Practitioner Support Manager of the Legal Practitioners’ Fidelity Fund in Centurion.

 This article was first published in De Rebus in 2019 (March) DR 8.
