
CHAPTER FOUR

Chapter Four discusses the definition and importance of internal control systems, which are designed to ensure reliability in financial reporting, operational efficiency, and compliance with laws. It outlines management's responsibilities in establishing these controls and emphasizes the auditor's role in testing and understanding them. The chapter also details the components of internal control as per COSO's framework, including the control environment, risk assessment, control activities, information and communication, and monitoring.

Uploaded by

mulu melak

CHAPTER FOUR: Internal Control

4.1. Definition of Internal Control


A system of internal control consists of policies and procedures designed to provide management
with reasonable assurance that the company achieves its objectives and goals. These policies and
procedures are often called controls, and collectively, they make up the entity’s internal control.
Management typically has three broad objectives in designing an effective internal control
system:
1. Reliability of financial reporting: management is responsible for preparing statements for
investors, creditors, and other users. Management has both a legal and professional responsibility
to be sure that the information is fairly presented in accordance with reporting requirements of
accounting frameworks such as GAAP and IFRS. The objective of effective internal control over
financial reporting is to fulfill these financial reporting responsibilities.
2. Efficiency and effectiveness of operations. Controls within a company encourage efficient
and effective use of its resources to optimize the company’s goals. An important objective of
these controls is accurate financial and nonfinancial information about the company’s operations
for decision making.
3. Compliance with laws and regulations. Many states require management of all public
companies to issue a report about the operating effectiveness of internal control over financial
reporting. In addition to the legal provisions by many states, public, nonpublic, and not-for-profit
organizations are required to follow many laws and regulations. Some relate to accounting only
indirectly, such as environmental protection and civil rights laws. Others are closely related to
accounting, such as income tax regulations and anti-fraud legal provisions.

Management designs systems of internal control to accomplish all three objectives. The auditor’s
focus in both the audit of financial statements and the audit of internal controls is on controls
over the reliability of financial reporting plus those controls over operations and compliance with
laws and regulations that could materially affect financial reporting.
MANAGEMENT AND AUDITOR RESPONSIBILITIES FOR INTERNAL CONTROL
Responsibilities for internal controls differ between management and the auditor. Management is
responsible for establishing and maintaining the entity’s internal controls. In contrast, the
auditor’s responsibilities include understanding and testing internal control over financial
reporting.
Management, not the auditor, must establish and maintain the entity’s internal controls. This
concept is consistent with the requirement that management, not the auditor, is responsible for
the preparation of financial statements in accordance with applicable accounting frameworks
such as GAAP or IFRS. Two key concepts underlie management’s design and implementation of
internal control—reasonable assurance and inherent limitations.
Reasonable Assurance. A company should develop internal controls that provide reasonable, but
not absolute, assurance that the financial statements are fairly stated. Internal controls are
developed by management after considering both the costs and benefits of the controls. The
concept of reasonable assurance allows for only a remote likelihood that material misstatements
will not be prevented or detected on a timely basis by internal control.
Inherent Limitations. Internal controls can never be completely effective, regardless of the care
followed in their design and implementation. Even if management can design an ideal system, its
effectiveness depends on the competency and dependability of the people using it. Assume, for
example, that a carefully developed procedure for counting inventory requires two employees to
count independently. If neither of the employees understands the instructions or if both are
careless in doing the counts, the inventory count is likely to be wrong. Even if the count is
correct, management might override the procedure and instruct an employee to increase the
count to improve reported earnings. Similarly, the employees might decide to overstate the
counts to intentionally cover up a theft of inventory by one or both of them. An act of two or
more employees who conspire to steal assets or misstate records is called collusion.
COMPONENTS OF INTERNAL CONTROL
COSO’s Internal Control—Integrated Framework, the most widely accepted internal control
framework, describes five components of internal control that management designs and
implements to provide reasonable assurance that its control objectives will be met. Each
component contains many controls, but auditors concentrate on those designed to prevent or
detect material misstatements in the financial statements. The COSO internal control components
include the following:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
As illustrated in the figure below, the control environment serves as the umbrella for the other four
components. Without an effective control environment, the other four are unlikely to result in
effective internal control, regardless of their quality.

The Control Environment


The essence of an effectively controlled organization lies in the attitude of its management. If top
management believes that control is important, others in the organization will sense this
commitment and respond by conscientiously observing the controls established. If members of
the organization believe that control is not an important concern to top management, it is almost
certain that management’s control objectives will not be effectively achieved.
The control environment consists of the actions, policies, and procedures that reflect the overall
attitudes of top management, directors, and owners of an entity about internal control and its
importance to the entity. To understand and assess the control environment, auditors should
consider the most important control subcomponents.
Integrity and Ethical Values
Integrity and ethical values are the product of the entity’s ethical and behavioral standards, as
well as how they are communicated and reinforced in practice. They include management’s
actions to remove or reduce incentives and temptations that might prompt personnel to engage in
dishonest, illegal, or unethical acts. They also include the communication of entity values and
behavioral standards to personnel through policy statements, codes of conduct, and by example.
Commitment to Competence
Competence is the knowledge and skills necessary to accomplish tasks that define an
individual’s job. Commitment to competence includes management’s consideration of the
competence levels for specific jobs and how those levels translate into requisite skills and
knowledge.
Board of Directors or Audit Committee Participation
The board of directors is essential for effective corporate governance because it has ultimate
responsibility to make sure management implements proper internal control and financial
reporting processes. An effective board of directors is independent of management, and its
members stay involved in and scrutinize management’s activities. Although the board delegates
responsibility for internal control to management, it must regularly assess these controls. In
addition, an active and objective board can reduce the likelihood that management overrides
existing controls.
To assist the board in its oversight, the board creates an audit committee that is charged with
oversight responsibility for financial reporting. The audit committee is also responsible for
maintaining ongoing communication with both external and internal auditors, including the
approval of audit and non-audit services done by auditors for public companies. This allows the
auditors and directors to discuss matters that might relate to such things as management integrity
or the appropriateness of actions taken by management.
Management’s Philosophy and Operating Style
Management, through its activities, provides clear signals to employees about the importance of
internal control. For example, does management take significant risks, or is it risk averse? Are
sales and earnings targets unrealistic, and are employees encouraged to take aggressive actions to
meet those targets? Can management be described as “fat and bureaucratic,” “lean and mean,”
dominated by one or a few individuals, or is it “just right”? Understanding these and similar
aspects of management’s philosophy and operating style gives the auditor a sense of
management’s attitude about internal control.
Organizational Structure
The entity’s organizational structure defines the existing lines of responsibility and authority. By
understanding the client’s organizational structure, the auditor can learn the management and
functional elements of the business and perceive how controls are implemented.
Human Resource Policies and Practices
The most important aspect of internal control is personnel. If employees are competent and
trustworthy, other controls can be absent, and reliable financial statements will still result.
Incompetent or dishonest people can reduce the system to a shambles—even if there are
numerous controls in place. Honest, efficient people are able to perform at a high level even
when there are few other controls to support them. However, even competent and trustworthy
people can have shortcomings. For example, they can become bored or dissatisfied, personal
problems can disrupt their performance, or their goals may change.
Because of the importance of competent, trustworthy personnel in providing effective control,
the methods by which persons are hired, evaluated, trained, promoted, and compensated are an
important part of internal control.
After obtaining information about each of the subcomponents of the control environment, the
auditor uses this understanding as a basis for assessing management’s and directors’ attitudes
and awareness about the importance of control. For example, the auditor might determine the
nature of a client’s budgeting system as a part of understanding the design of the control
environment. The operation of the budgeting system might then be evaluated in part by inquiry
of budgeting personnel to determine budgeting procedures and follow-up of differences between
budget and actual.
Risk Assessment
Risk assessment for financial reporting is management’s identification and analysis of risks
relevant to the preparation of financial statements in conformity with appropriate accounting
standards. For example, if a company frequently sells products at a price below inventory cost
because of rapid technology changes, it is essential for the company to incorporate adequate
controls to address the risk of overstating inventory.
Similarly, failure to meet prior objectives, quality of personnel, geographic dispersion of
company operations, significance and complexity of core business processes, introduction of
new information technologies, economic downturns, and entrance of new competitors are
examples of factors that may lead to increased risk. Once management identifies a risk, it
estimates the significance of that risk, assesses the likelihood of the risk occurring, and develops
specific actions that need to be taken to reduce the risk to an acceptable level.
While management assesses risks as a part of designing and operating internal controls to
minimize errors and fraud, auditors assess risks to decide the evidence needed in the audit. If
management effectively assesses and responds to risks, the auditor will typically accumulate less
evidence than when management fails to identify or respond to significant risks.
Auditors obtain knowledge about management’s risk assessment process using questionnaires
and discussions with management to determine how management identifies risks relevant to
financial reporting, evaluates the significance and likelihood of the risks occurring, and decides
the actions needed to address the risks.
Control Activities
Control activities are the policies and procedures, in addition to those included in the other four
control components, that help ensure that necessary actions are taken to address risks to the
achievement of the entity’s objectives. There are potentially many such control activities in any
entity, including both manual and automated controls. The control activities generally fall into
the following five types, which are discussed next:
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
1. Adequate Separation of Duties. Four general guidelines for adequate separation of duties
to prevent both fraud and errors are especially significant for auditors.
Separation of the Custody of Assets from Accounting. To protect a company from
embezzlement, a person who has temporary or permanent custody of an asset should not account
for that asset. Allowing one person to perform both functions increases the risk of that person
disposing of the asset for personal gain and adjusting the records to cover up the theft. If the
cashier, for example, receives cash and is responsible for data entry for cash receipts and sales,
that person could pocket the cash received and adjust the customer’s account by failing to record
a sale or by recording a fictitious credit to the account.
Separation of the Authorization of Transactions from the Custody of Related Assets. It is
desirable to prevent persons who authorize transactions from having control over the related
asset, to reduce the likelihood of embezzlement. For example, the same person should not
authorize the payment of a vendor’s invoice and also approve the disbursement of funds to pay
the bill.
Separation of Operational Responsibility from Record-Keeping Responsibility. To ensure
unbiased information, record keeping is typically the responsibility of a separate department
reporting to the controller. For example, if a department or division oversees the creation of its
own records and reports, it might change the results to improve its reported performance.
Separation of IT Duties from User Departments. As the level of complexity of IT systems
increases, the separation of authorization, record keeping, and custody often becomes blurred.
For example, sales agents may enter customer orders online. The computer authorizes those sales
based on its comparison of customer credit limits to the master file and posts all approved sales
in the sales cycle journals. Therefore, the computer plays a significant role in the authorization
and record keeping of sales transactions. To compensate for these potential overlaps of duties, it
is important for companies to separate major IT-related functions from key user department
functions.
In this example, responsibility for designing and controlling accounting software programs that
contain the sales authorization and posting controls should be under the authority of IT, whereas
the ability to update information in the master file of customer credit limits should reside in the
company’s credit department outside the IT function.
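The four separation guidelines above can be checked mechanically against a list of duty assignments. The following is an added example, not part of the original chapter; the duty labels, department names, people and the tuple layout are all constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Duty pairs one person should not hold for the same asset or process.
PERSON_CONFLICTS = {
    frozenset({"custody", "record_keeping"}):
        "custody of an asset combined with accounting for it",
    frozenset({"authorization", "custody"}):
        "authorization of transactions combined with custody of the related asset",
}
# Duty pair one department should not hold for the same process.
DEPARTMENT_CONFLICTS = {
    frozenset({"operations", "record_keeping"}):
        "operational responsibility combined with record keeping",
}
IT_ONLY_DUTIES = {"program_change"}        # designing and controlling software
USER_ONLY_DUTIES = {"master_file_update"}  # e.g. customer credit limits


def _pair_findings(duties_by_holder, rules):
    """Report every forbidden duty pair held by one holder for one scope."""
    findings = []
    for (holder, scope), duties in duties_by_holder.items():
        for pair in combinations(sorted(duties), 2):
            reason = rules.get(frozenset(pair))
            if reason:
                findings.append((holder, scope, reason))
    return findings


def find_sod_conflicts(assignments, it_department="IT"):
    """assignments: iterable of (person, department, duty, scope) tuples."""
    by_person, by_department = defaultdict(set), defaultdict(set)
    findings = []
    for person, department, duty, scope in assignments:
        by_person[(person, scope)].add(duty)
        by_department[(department, scope)].add(duty)
        in_it = department == it_department
        if duty in USER_ONLY_DUTIES and in_it:
            findings.append(
                (person, scope, "IT staff can update a user-department master file"))
        if duty in IT_ONLY_DUTIES and not in_it:
            findings.append(
                (person, scope, "user-department staff can change application programs"))
    findings += _pair_findings(by_person, PERSON_CONFLICTS)
    findings += _pair_findings(by_department, DEPARTMENT_CONFLICTS)
    return sorted(findings)


# Constructed sample data. Disbursing funds is modeled here as "custody".
ASSIGNMENTS = [
    ("alice", "Treasury", "custody", "cash_receipts"),
    ("alice", "Treasury", "record_keeping", "cash_receipts"),
    ("bob", "Accounts Payable", "authorization", "vendor_payments"),
    ("bob", "Accounts Payable", "custody", "vendor_payments"),
    ("carol", "Sales Division", "operations", "sales_reporting"),
    ("dave", "Sales Division", "record_keeping", "sales_reporting"),
    ("erin", "IT", "master_file_update", "customer_credit_limits"),
    ("frank", "Credit", "master_file_update", "customer_credit_limits"),
    ("grace", "IT", "program_change", "sales_application"),
    ("heidi", "Controller", "record_keeping", "vendor_payments"),
]

if __name__ == "__main__":
    for holder, scope, reason in find_sod_conflicts(ASSIGNMENTS):
        print(f"{holder:15} {scope:25} {reason}")
```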
2. Proper Authorization of Transactions and Activities. Every transaction must be properly
authorized if controls are to be satisfactory. If any person in an organization could acquire or
expend assets at will, complete chaos would result. Authorization can be either general or
specific.
Under general authorization, management establishes policies and subordinates are instructed
to implement these general authorizations by approving all transactions within the limits set by
the policy. General authorization decisions include the issuance of fixed price lists for the sale of
products, credit limits for customers, and fixed reorder points for making acquisitions.
Specific authorization applies to individual transactions. For certain transactions, management
prefers to authorize each transaction. An example is the authorization of a sales transaction by
the sales manager for a used-car company.
The distinction between authorization and approval is also important. Authorization is a policy
decision for either a general class of transactions or specific transactions.
Approval is the implementation of management’s general authorization decisions. An example of
a general authorization is management setting a policy authorizing the ordering of inventory
when less than a 3-week supply is on hand. When a department orders inventory, the clerk
responsible for maintaining the perpetual record approves the order, to indicate that the
authorization policy has been met. In other cases, the computer approves the transactions by
comparing quantities of inventory on hand to a master file of reorder points and automatically
submits purchase orders to authorized suppliers in the vendor master file. In this case, the
computer is performing the approval function using preauthorized information contained in the
master files.
3. Adequate Documents and Records. Documents and records are the records upon which
transactions are entered and summarized. They include such diverse items as sales invoices,
purchase orders, subsidiary records, sales journals, and employee time cards. Many of these
documents and records are maintained in electronic rather than paper formats.
Adequate documents are essential for correct recording of transactions and control of assets. For
example, if the receiving department completes an electronic receiving report when material is
received, the accounts payable computer application can verify the quantity and description on
the vendor’s invoice by comparing it with the information on the receiving report, with
exceptions resolved by the accounts payable department.
A control closely related to documents and records is the chart of accounts, which classifies
transactions into individual balance sheet and income statement accounts. The chart of accounts
is helpful in preventing classification errors if it accurately describes which type of transactions
should be in each account.
4. Physical Control Over Assets and Records. To maintain adequate internal control, assets
and records must be protected. If assets are left unprotected, they can be stolen. If records are
not adequately protected, they can be stolen, damaged, altered, or lost, which can seriously
disrupt the accounting process and business operations.
When a company is highly computerized, its computer equipment, programs, and data files must
be protected. The data files are the records of the company and, if damaged, could be costly or
even impossible to reconstruct.
The most important type of protective measure for safeguarding assets and records is the use of
physical precautions. An example is the use of storerooms for inventory to guard against theft.
When the storeroom is under the control of a competent employee, there is further assurance that
theft is minimized. Fireproof safes and safety deposit vaults for the protection of assets such as
currency and securities are other important physical safeguards in addition to off-site back-up of
computer software and data files.
5. Independent Checks on Performance. The last category of control activities is the careful
and continuous review of the other four, often called independent checks or internal
verification. The need for independent checks arises because internal controls tend to change
over time, unless there is frequent review. Personnel are likely to forget or intentionally fail
to follow procedures, or they may become careless unless someone observes and evaluates
their performance. Regardless of the quality of the controls, personnel can make errors or
commit fraud.
Personnel responsible for performing internal verification procedures must be independent of
those originally responsible for preparing the data. The least expensive means of internal
verification is the separation of duties in the manner previously discussed. For example, when
the bank reconciliation is done by a person independent of the accounting records and handling
of cash, there is an opportunity for verification without incurring significant additional costs.
Computerized accounting systems can be designed so that many internal verification procedures
can be automated as part of the system. For example, the computer can prevent processing
payment on a vendor invoice if there is no matching purchase order number or receiving report
number for that invoice included in the system.
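The automated check described here, together with the invoice-to-receiving-report comparison described under Adequate Documents and Records, can be sketched as follows. This is an added example, not part of the original chapter; the record layouts, field names and document numbers are constructed, and the check that the receiving report belongs to the invoiced purchase order is an assumption added beyond what the text states.

```python
def normalize(text):
    """Compare descriptions without regard to case or spacing."""
    return " ".join(text.lower().split())


def match_invoice(invoice, purchase_orders, receiving_reports):
    """Return ("release", []) or ("hold", [exceptions for accounts payable])."""
    exceptions = []
    po = purchase_orders.get(invoice.get("po_number"))
    rr = receiving_reports.get(invoice.get("receiving_report_number"))

    # Payment is blocked when either supporting document is missing.
    if po is None:
        exceptions.append("no matching purchase order number")
    if rr is None:
        exceptions.append("no matching receiving report number")

    # Added assumption: the receiving report must reference the same order.
    if po is not None and rr is not None and rr["po_number"] != invoice["po_number"]:
        exceptions.append("receiving report belongs to a different purchase order")

    # Quantity and description on the invoice must agree with what was received.
    if rr is not None:
        received = {normalize(l["description"]): l["quantity"] for l in rr["lines"]}
        for line in invoice["lines"]:
            key = normalize(line["description"])
            if key not in received:
                exceptions.append(
                    f"description not on receiving report: {line['description']}")
            elif received[key] != line["quantity"]:
                exceptions.append(
                    f"quantity mismatch for {line['description']}: "
                    f"invoiced {line['quantity']}, received {received[key]}")

    return ("hold" if exceptions else "release", exceptions)


# Constructed sample records.
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "Vendor A"},
    "PO-1002": {"vendor": "Vendor B"},
}
RECEIVING_REPORTS = {
    "RR-5001": {"po_number": "PO-1001",
                "lines": [{"description": "Steel bolts M8", "quantity": 500}]},
    "RR-5002": {"po_number": "PO-1002",
                "lines": [{"description": "Copper wire 2mm", "quantity": 80}]},
}
INVOICES = [
    {"id": "INV-1", "po_number": "PO-1001", "receiving_report_number": "RR-5001",
     "lines": [{"description": "steel bolts  m8", "quantity": 500}]},
    {"id": "INV-2", "po_number": "PO-1002", "receiving_report_number": "RR-5002",
     "lines": [{"description": "Copper wire 2mm", "quantity": 100}]},
    {"id": "INV-3", "po_number": "PO-9999", "receiving_report_number": None,
     "lines": [{"description": "Office chairs", "quantity": 10}]},
]

if __name__ == "__main__":
    for inv in INVOICES:
        status, problems = match_invoice(inv, PURCHASE_ORDERS, RECEIVING_REPORTS)
        print(inv["id"], status, problems)
```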
Auditing standards require the auditor to obtain an understanding of the process company
employees follow to reconcile detail records supporting a significant account balance to the
general ledger for those accounts to help the auditor more effectively design and perform audit
procedures. For example, an auditor is likely to send confirmations of customer accounts
receivable selected from accounts receivable master files. Before planning the confirmation
procedures the auditor needs to understand the design and implementation of controls that
company personnel use to reconcile the accounts receivable master file to the related general
ledger account balance.
Information and Communication
The purpose of an entity’s accounting information and communication system is to initiate,
record, process, and report the entity’s transactions and to maintain accountability for the
related assets. An accounting information and communication system has several
subcomponents, typically made up of classes of transactions such as sales, sales returns, cash
receipts, acquisitions, and so on. For each class of transactions, the accounting system must
satisfy all of the transaction-related audit objectives. For example, the sales accounting system
should be designed to ensure that all shipments of goods are correctly recorded as sales
(completeness and accuracy objectives) and are reflected in the financial statements in the proper
period (timing objective). The system must also avoid duplicate recording of sales and recording
a sale if a shipment did not occur (occurrence objective).
To understand the design of the accounting information system, the auditor determines (1) the
major classes of transactions of the entity; (2) how those transactions are initiated and recorded;
(3) what accounting records exist and their nature; (4) how the system captures other events that
are significant to the financial statements, such as declines in asset values; and (5) the nature and
details of the financial reporting process followed, including procedures to enter transactions and
adjustments in the general ledger.
Monitoring
Monitoring activities deal with ongoing or periodic assessment of the quality of internal control
by management to determine that controls are operating as intended and that they are modified as
appropriate for changes in conditions. The information being assessed comes from a variety of
sources, including studies of existing internal controls, internal auditor reports, exception
reporting on control activities, reports by regulators such as bank regulatory agencies, feedback
from operating personnel, and complaints from customers about billing charges.
For many companies, especially larger ones, an internal audit department is essential for
effective monitoring of the operating performance of internal controls. To be effective, the
internal audit function must be performed by staff independent of both the operating and
accounting departments and report directly to a high level of authority within the organization,
either top management or the audit committee of the board of directors.
In addition to its role in monitoring an entity’s internal control, an adequate internal audit staff
can reduce external audit costs by providing direct assistance to the external auditor.
Auditing standards provide guidance to help the external auditor obtain evidence that supports
the competence, integrity, and objectivity of internal auditors, which allows the external auditor
to rely on the internal auditor’s work in a number of ways.
