Internal Control Concepts
Introduction - Control in Organizations
- Controls are restraining and directive influences over the activities
of a system
- General principles of control are applied in business organizations
- Accounting systems assist management in controlling operations
- Accounting internal controls assure that all transactions are authorized,
all transactions are recorded, access to assets is allowed only for authorized
purposes and accounting records describe only real assets.
History of Internal Control
- First defined in 1949, by the American Institute of Accountants (now
the AICPA)
- In 1958, a distinction was drawn between accounting controls and administrative
controls
- Accounting controls relate to safeguarding assets and reliability of
financial records
- Administrative controls relate to operational efficiency and adherence
to managerial policies
- In 1972, controls were clarified: accounting controls provide reasonable
assurance that
- transactions executed as authorized
- transactions recorded to permit GAAP statements and maintain accountability
for assets
- access to assets only as authorized
- regularly compare recorded assets with actual assets
- Foreign Corrupt Practices Act: Took the language of the 1972 AICPA
pronouncement and made it law.
- Since 1977, all publicly owned corporations are legally required to:
- keep books which accurately and fairly reflect transactions and dispositions
of assets and
- devise and maintain a system of internal accounting controls sufficient
to provide reasonable assurances that
- transactions are authorized by management
- transactions are recorded so GAAP statements can be prepared and maintain
accountability for assets
- access to assets is authorized by management
- periodic inventory is required to compare recorded assets with existing
assets
- Statement on Auditing Standards No. 48, effective for periods beginning
after August 31, 1984.
Statement on Auditing Standards No. 48
"Administrative control includes but is not limited to,
the plan of organization and the procedures and records that are concerned
with the decision processes leading to management's authorization of transactions.
Such authorization is a management function directly associated with the
responsibility for achieving the objectives of the organization and is
the starting point for establishing accounting control of transactions."
(AU320.27)
"Accounting control comprises the plan of organization and
the procedures and records that are concerned with the safeguarding of
assets and reliability of financial records and consequently are designed
to provide reasonable assurance that:
- a. Transactions are executed in accordance with management's general
or specific authorization.
- b. Transactions are recorded as necessary
- to permit preparation of financial statements in conformity with generally
accepted accounting principles or any other criteria applicable to such
statements and
- to maintain accountability for assets.
- c. Access to assets is permitted only in accordance with management's
authorization.
- d. The recorded accountability for assets is compared with the
existing asset at reasonable intervals and appropriate action is taken
with respect to any differences." (AU320.27)
Threats, Exposure, Risk and Objectives
- Threat: Hazard, potential loss
- Risk: likelihood of potential loss
- Weakness: risk not reduced to a low level by internal controls
- Exposure: Size of potential loss associated with a control problem
- Expected loss = exposure × risk
- Objective of Controls: Minimize losses to organization resulting
from threats
Threats and Exposure
Examples of threats (incompetence)
- wasteful and inefficient use of resources
- poor management decisions
- unintentional errors recording or processing data
- accidental loss or destruction of records
- loss of assets through employee carelessness
- lack of compliance by employees with management policies
Examples of threats (illegal)
- lack of compliance with government regulations
- pilferage
- embezzlement: theft or misappropriation of assets by employees,
accompanied by the falsification of records designed to conceal the theft
- other illegal acts by employees, such as the taking of a bribe
Risk - inherent risk, control risk and detection risk
From the Auditing Standards: (AU312.20)
- "Inherent risk
is the susceptibility of an account balance or class of transactions to
error that could be material, when aggregated with error in other balances
or classes, assuming that there were no related internal accounting
controls."
- "Control risk
is the risk that error that could occur in an account balance or class
of transactions and could be material, when aggregated with error in other
balances or classes, will not be prevented or detected on a timely basis
by the system of internal accounting controls."
- "Detection risk
is the risk that an auditor's procedures will lead him to conclude
that error in an account balance or class of transactions that could
be material, when aggregated with error in other balances or classes, does
not exist when in fact such error does exist"
"At the account-balance or class-of-transaction level, audit risk
consists of
- (a) the risk (consisting of inherent risk and control risk)
that the balance or class contains error that could be material to the
financial statements when aggregated with error in other balances or classes
and
- (b) the risk (detection risk) that the auditor will not detect
such error."
Control Weakness
"A material weakness in internal accounting control is a
condition in which the specific control procedures or the degree of compliance
with them do not reduce to a relatively low level the risk that errors
or irregularities in amounts that would be material in relation to the
financial statements being audited may occur and not be detected within
a timely period by employees in the normal course of performing their assigned
tasks." (AU323.01)
Four objectives for controls
- authorization (all transactions are authorized)
- recording (all transactions are recorded)
- access (allow access to assets only for authorized purposes)
- asset accountability (ensure that accounting records describe
only real assets)
In addition, accounting and data processing must be operationally efficient.
Cost and Benefits of Internal Control
The benefit of an internal control must exceed its cost
- Primary cost is personnel
- Benefits stem from reductions in expected loss
Consider both effectiveness and timing
- a control that prevents a loss is superior to a control that detects
a loss after it has occurred
- early detection is essential if prevention fails
- when a failure occurs, correction reduces future losses
Reliability analysis
- assess effectiveness of specific control procedure in detecting and
correcting a specific type of error
- system reliability is probability that process will be completed with
no errors
- risk is complement of system reliability
risk = 1 - reliability
Compliance with Foreign Corrupt Practices Act
- Use cost-benefit analysis to evaluate and document compliance with
internal control provisions of the Foreign Corrupt Practices Act
- Compliance is an ongoing process - controls must be constantly reviewed
and updated as the business and its environment change
Control Structure - Environment, Systems and Procedures
- Control Environment: general framework within which specific
control policies and procedures operate
- Accounting System: records and procedures used to record, process
and report transactions
- Control Procedures: specific steps carried out to minimize risk
of particular control threats
Control Environment
Management's attitude toward internal control is the most critical
element. If management shows little concern, others are not likely to be diligent.
"The problem is that many of our rules are arbitrary, irrational
and unworthy of support and obedience. People will comply with irrational
rules when there is adequate surveillance and punishment. But the threat
of punishment does not contribute to moral development; indeed, it tends
to inhibit the internalization of ethical behavior. Rewarding good behavior
is better than threatening punishment to influence behavior, since rewards
avoid the resistance and rebelliousness that accompany punishment."
"How to stop Lying, Cheating, & Stealing," Executive Excellence,
July, 1990.
Management's philosophy and operating style
- How management attempts to achieve goals
- take undue risks
- manipulate performance measures -- change budget so variance does not occur
- emphasis on results or methods used to achieve results
- Management's philosophy and operating style affects "accepted"
behavior of employees
Organization structure
- degree of centralization/decentralization of authority
- use of structure to separate organizational goals into sub-goals
- organization of accounting function
- responsibility accounting system consistent with managerial responsibilities
External Influence
- Stock exchange, FASB, SEC, regulatory agencies, FDIC, FSLIC, etc
Control Systems
"Internal control should not be viewed as something that must be
superimposed on an organization's normal operating structure. To do so
only means costs that can inhibit the organization's ability to compete.
Internal control should be built into the infrastructure of an enterprise.
When controls are integrated with operational activities, and a focus on
controls has been instilled in all personnel, the result is better control
with minimum incremental cost. Such integration avoids a superstructure
of control procedures on top of existing activities. Whenever management
considers changes to their company's operations or activities, the concept
that it's better to 'build-in' rather than 'build-on' controls, and to
do it right the first time, should be fundamental guiding premises."
Internal Control: Integrated Framework (Exposure Draft 12, March,
1991), Committee of Sponsoring Organizations of the Treadway Commission,
NY, NY.
Audit Committee
- purpose - to enhance accountability of corporate managers
- structure - Board of Directors committee -
- to maintain independence. The audit committee should NOT report to
management
- required to have "outside" directors if shares traded on
New York Exchange
- charge - oversee
- internal control structure
- financial reporting process
- compliance with laws and regulations
- results -
- independent review of corporate manager's actions
- can provide assurance the accounting system is working as intended
Assigning authority and responsibility
- written policies and procedures manual
- includes formal job descriptions detailing responsibilities
- describes management policies
- standards of ethical behavior, acceptable practices, conflicts of interest
Monitoring performance
- effective supervision
- performance reporting system
- internal auditing
- organized independently of accounting and operating functions
- review and evaluate effectiveness of internal control structure
Personnel policies and practices
- hire, train, evaluate, compensate, promote
- fidelity bonding
- required to take annual vacation
- Many employee frauds discovered when embezzler suddenly forced by illness
or accident to take time off.
Control Procedures
"Internal control is broadly defined as a process, effected by
an entity's board of directors, management and other personnel, designed
to provide reasonable assurance regarding the achievement of objectives
in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
The first category addresses an entity's basic business objectives,
including performance and profitability goals and safeguarding of resources.
The second relates to the preparation of reliable published financial
statements, including interim and condensed financial statements and selected
financial data derived from such statements, such as earnings releases,
reported publicly.
The third deals with complying with those laws and regulations to which
the entity is subject.
These distinct but overlapping categories address different needs and
allow a directed focus to meet the separate needs."
Internal Control: Integrated Framework -Framework (September
1992), Committee of Sponsoring Organizations of the Treadway Commission,
NY, NY., p.1.
Implementation of Control Objectives
Management policies and rules regarding employee behavior provide reasonable
assurance that control objectives are achieved by:
- Proper Authorization
- Segregation of Duties
- Adequate Documentation and Records
- Independent Checks on Performance
Proper Authorization
- empower employees to perform tasks and make decisions that impact assets
- usually involves signature and authorization code
- general authorization: limited in value--less than $5000, etc
- specific authorization: higher value more critical transactions
Segregation of duties
- Ensure that no single individual is given too much responsibility --
no employee should be in a position to both perpetrate and conceal irregularities
- Three general categories of functions must be separated
- authorization function
- recording function: preparing source documents, maintaining journals,
preparing reconciliations, or preparing performance reports
- custody of asset: direct or indirect
e.g. receiving checks in mail
Examples that occur without segregation of duties
- If responsible for both custody and recording accounts receivable,
could divert some cash receipts and falsify accounts to conceal diversion
- If can authorize account write-offs and has custody of cash receipts,
could authorize false write-off and divert subsequent collection on account
- If can authorize issuance of purchase orders to specific vendors and is responsible
for recording inventory receipts, could issue purchase order to fictitious
vendor and prepare fictitious inventory receipt record, resulting in disbursement
of funds for something never received
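The three conflicts listed above can be found mechanically once every duty is tagged with the asset it touches and the function it performs. The following is an added example, not part of the original notes; the duty names, employee names and the rule that a conflict requires two functions over the same asset are assumptions made for illustration.

```python
from itertools import combinations

# The three function categories the notes say must be separated.
AUTHORIZATION, RECORDING, CUSTODY = "authorization", "recording", "custody"

# Constructed duty catalogue: duty -> (asset it touches, function category).
DUTIES = {
    "approve_writeoff":   ("receivables", AUTHORIZATION),
    "post_receivables":   ("receivables", RECORDING),
    "open_mail_receipts": ("receivables", CUSTODY),  # receiving checks in mail
    "approve_purchase":   ("inventory", AUTHORIZATION),
    "record_receiving":   ("inventory", RECORDING),
    "run_payroll_checks": ("payroll", CUSTODY),
    "keep_timecards":     ("payroll", RECORDING),
}

def sod_conflicts(assignments):
    """Return sorted (employee, asset, function_a, function_b) tuples for every
    employee who holds two different function categories over the same asset."""
    findings = set()
    for employee, duties in assignments.items():
        # Fail closed: an unclassified duty cannot be shown to be conflict-free.
        unknown = [d for d in duties if d not in DUTIES]
        if unknown:
            raise ValueError(f"{employee}: unclassified duties {unknown}")
        by_asset = {}
        for duty in duties:
            asset, function = DUTIES[duty]
            by_asset.setdefault(asset, set()).add(function)
        for asset, functions in by_asset.items():
            for a, b in combinations(sorted(functions), 2):
                findings.add((employee, asset, a, b))
    return sorted(findings)

# Constructed sample assignments mirroring the three cases in the notes.
SAMPLE = {
    "alice": ["post_receivables", "open_mail_receipts"],  # custody + recording
    "bob":   ["approve_writeoff", "open_mail_receipts"],  # authorization + custody
    "carol": ["approve_purchase", "record_receiving"],    # authorization + recording
    "dave":  ["post_receivables", "keep_timecards"],      # recording only
    "erin":  ["approve_purchase", "run_payroll_checks"],  # different assets
}

if __name__ == "__main__":
    for finding in sod_conflicts(SAMPLE):
        print("CONFLICT %s on %s: %s + %s" % finding)
```

The same check applies to system roles and permissions when the duty catalogue is built from an access-rights export instead of job descriptions.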
Case in Point:
Baring lost $1 billion due to lack of internal controls
On February 23, 1995 a 232-year-old British bank, Baring Bros. and Co.,
was bankrupted by a loss of $1 billion in futures trading by one employee,
Nick Leeson.
A statement by the Singapore International Monetary Exchange (SIMEX)
attributed the loss to a failure of internal controls. [Associated
Press March 5, 1995]
Senior executives conceded that controls should have been much tighter.
The organization ignored several warning signs of internal control weaknesses
over several years:
- In March 1992, a senior executive in Singapore wrote a letter
to the head of the equity department in London stating: "My concern
is that once again we are in danger of setting up a structure which will
subsequently prove disastrous and with which we will succeed in losing
either a lot of money or client goodwill or probably both.... In my view,
it is critical that we should keep clear reporting lines and if this office
is involved in SIMEX at all then [Mr. Leeson] should report to" the
Singapore office operations department not the London derivatives department.
- An internal audit in the summer of 1994 cited lax internal controls
and made a specific recommendation that the trading and settlement duties
be separated. Mr. Leeson was monitoring himself by doing both duties.
- Mr. Leeson used an error account to hide trades he did not want his
superiors to know about.
Managers were reluctant to impose tight controls which might reduce
profits and bonuses.
Source: Brauchli, Marcus W., Bray, Nicholas, and Sesit, Michael, "Barings
PLC Officials May Have Been Aware of Trading Position," (1995) Wall
Street Journal, March 6, 1995, p. 1,6
Collusion: conspiracy of two or more persons to commit fraud
Documents and records
- Source documents designed to facilitate collection of all relevant
information
- Provide space for proper authorizations, receipt of assets, etc
- Should be prenumbered--account for all documents, reducing likelihood
of fraudulent use
- Audit trail: path that a transaction traces through a system
- allows verification
- consists of reference numbers, dates etc.
Safeguarding of assets
- Physical protection of assets
- Requires
- Effective supervision and segregation of duties
- Physical protection measures designed to restrict access
- Protect and control access to records and documents
-- blank checks, purchase orders, bank codes, etc
Internal check
- independent review of performance of clerical functions
- compare two independent sets of records: e.g. bank reconciliation, subsidiary
reconciliation
- compare records to physical count: e.g. periodic inventory
- basis for double entry accounting system: debits = credits
- use differences to trace error
- finds errors more likely to be made by a human than a computer
Control Process - Prevention, Detection, Correction
Controls for Prevention
- designed to deter problems before they arise
- monitor both operation and inputs
- attempt to predict potential problems before they occur and make adjustments
- if forecast indicates deficiency then take corrective action now.
Examples of preventive controls
- hire qualified personnel
- segregate duties (deterrent factor)
- control access to physical facilities
- use well-designed documents (prevent errors)
- establish suitable procedures for authorization of transactions
- cash budgeting system which monitors cash flows and forecasts
of future cash flows
- inventory control system that predicts out-of-stock items
- credit authorization system that checks credit worthiness before goods
are shipped
Controls for Detection
- discover control problems soon after they arise
- measure some aspect of process and adjust the process when measure
indicates a deviation from plan
Examples of detective controls:
- duplicate checking of calculations
- periodic performance reporting with variances
- standard costing and variances
- report past due accounts
- report out-of-stock inventory items
- reconcile receivables
- bank reconciliations
- verify proper use of pre-numbered documents (e.g. check for missing
document numbers)
- monthly trial balance
- periodic credit history review
- internal audit functions
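The pre-numbered document check from the list above, written as a detective control over a document register. This is an added example, not part of the original notes; the `CHK-` prefix, the number range and the sample register are constructed, and it also reports duplicates, out-of-range numbers and voided numbers that were used anyway.

```python
import re
from collections import Counter

DOC_ID = re.compile(r"^([A-Z]+)-(\d+)$")

def to_ranges(numbers):
    """Collapse a sorted list of integers into inclusive (start, end) ranges."""
    ranges = []
    for n in numbers:
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1][1] = n
        else:
            ranges.append([n, n])
    return [tuple(r) for r in ranges]

def audit_sequence(doc_ids, prefix, first, last, voided=()):
    """Compare the documents actually used against the issued range
    first..last and return every exception an auditor should follow up."""
    counts = Counter()
    malformed = []
    for doc_id in doc_ids:
        m = DOC_ID.match(doc_id.strip())
        if not m or m.group(1) != prefix:
            malformed.append(doc_id)  # cannot be tied to the issued stock
            continue
        counts[int(m.group(2))] += 1
    issued = set(range(first, last + 1))
    accounted = set(counts) | set(voided)
    return {
        "missing": to_ranges(sorted(issued - accounted)),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if n not in issued),
        "voided_but_used": sorted(set(voided) & set(counts)),
        "malformed": malformed,
    }

# Constructed check register: checks 1001-1012 were issued to the cashier.
SAMPLE_USED = [
    "CHK-1001", "CHK-1002", "CHK-1003", "CHK-1005", "CHK-1005",
    "CHK-1006", "CHK-10O7",  # letter O instead of zero
    "CHK-1009", "CHK-1010", "CHK-1011", "CHK-1012", "CHK-1015",
]
SAMPLE_VOIDED = [1004, 1009]

if __name__ == "__main__":
    report = audit_sequence(SAMPLE_USED, "CHK", 1001, 1012, SAMPLE_VOIDED)
    for kind, items in report.items():
        print(f"{kind}: {items}")
```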
Controls for Correction
- procedures put in place to remedy problems discovered by detective
controls
- steps taken to identify cause of problem
- steps taken to correct errors arising out of problem
- steps taken to modify processing system to minimize future occurrences
of the problem
For example: reports may indicate an unusually high number of stock-outs.
Investigation reveals that the supplier is not shipping orders as quickly
as in the past. Solution: place orders earlier or change suppliers.
Accounting Cycle Perspective
Look at control objectives and procedures for each accounting cycle
- Purchasing of assets and services
- Objective: ensure authorized purchase at reasonable prices
- Accounts payable should authorize payment only after review of purchase
order, vendor invoice, and receiving report.
- Flow of inventory through production
- Objective: ensure production of required items, prevent loss of inventories
- Signed acknowledgment to transfer inventories from one department to
next
- Effective supervision, physical inventory, responsibility accounting
for production costs incurred by each department
- Payroll
- Objective: ensure wages and salaries paid in appropriate amounts for
services properly rendered
- Separate authorization (personnel) from custodial (preparation and
distribution of checks) and from recording (timekeeping)
- Sale of products and services
- Objective: ensure sales properly recorded, prevent loss of finished
goods, facilitate collection of accounts
- Authorizations for credit, shipping
- Cash receipt and disbursement
- Objective: prevent loss of cash
- Classic lapping: steal from one account and apply later collections
from another customer
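The purchasing-cycle rule above (accounts payable authorizes payment only after review of purchase order, vendor invoice and receiving report) is commonly implemented as a three-way match. The sketch below is an added example, not part of the original notes; the document layout, vendor name and amounts are constructed.

```python
from decimal import Decimal

def three_way_match(po, receiving, invoice, price_tolerance=Decimal("0.00")):
    """Return a list of exceptions; an empty list means the invoice agrees
    with both the purchase order and the receiving report."""
    exceptions = []
    if (invoice["po_number"] != po["po_number"]
            or receiving["po_number"] != po["po_number"]):
        exceptions.append("documents do not reference the same purchase order")
    if invoice["vendor"] != po["vendor"]:
        exceptions.append("invoice vendor differs from purchase order vendor")
    for item, (inv_qty, inv_price) in invoice["lines"].items():
        if item not in po["lines"]:
            exceptions.append(f"{item}: billed but never ordered")
            continue
        po_qty, po_price = po["lines"][item]
        received = receiving["lines"].get(item, 0)
        if inv_qty > received:
            exceptions.append(f"{item}: billed {inv_qty}, received {received}")
        if inv_qty > po_qty:
            exceptions.append(f"{item}: billed {inv_qty}, ordered {po_qty}")
        if inv_price > po_price + price_tolerance:
            exceptions.append(f"{item}: billed at {inv_price}, ordered at {po_price}")
    return exceptions

def authorize_payment(po, receiving, invoice):
    """Preventive control: payment is released only when nothing is unmatched."""
    exceptions = three_way_match(po, receiving, invoice)
    return (not exceptions, exceptions)

# Constructed documents for one purchase.
PO = {"po_number": "PO-7001", "vendor": "Acme Supply",
      "lines": {"widget": (100, Decimal("2.50")), "gasket": (40, Decimal("1.10"))}}
RECEIVING = {"po_number": "PO-7001", "lines": {"widget": 100, "gasket": 30}}
GOOD_INVOICE = {"po_number": "PO-7001", "vendor": "Acme Supply",
                "lines": {"widget": (100, Decimal("2.50")),
                          "gasket": (30, Decimal("1.10"))}}
BAD_INVOICE = {"po_number": "PO-7001", "vendor": "Acme Supply",
               "lines": {"widget": (100, Decimal("2.75")),
                         "gasket": (40, Decimal("1.10")),
                         "freight-pallet": (1, Decimal("95.00"))}}

if __name__ == "__main__":
    print(authorize_payment(PO, RECEIVING, GOOD_INVOICE))
    print(authorize_payment(PO, RECEIVING, BAD_INVOICE))
```

The match is only as strong as the segregation behind it: the purchase order, receiving report and invoice entry must come from different people.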
Summary
- The control process ensures
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
- Basic objectives of control
- authorization (all transactions are authorized)
- recording (all transactions are recorded)
- access (allow access to assets only for authorized purposes)
- asset accountability (ensure that accounting records describe
only real assets)
- Major elements of control environment
- management attitude, philosophy and style
- organizational structure
- audit committee
- external environment
- The control process includes
- Prevention (prevent threats from occurring)
- Detection (detect problems if they occur)
- Correction (change the system so problems do not reoccur)
- Control policies and procedures most commonly used
- Proper Authorization
- Segregation of Duties
- Adequate Documentation and Records
- Independent Checks on Performance
- Accountants must evaluate system of internal accounting control, identify
deficiencies, and prescribe modifications to remedy deficiencies.