Internal Control—Integrated Framework is the standard by which companies design, analyze, and evaluate internal control.4 In this section, the objectives of internal control are described, followed by a discussion of how these objectives can be achieved through the Integrated Framework’s five elements of internal control.
1. Objectives of Internal Control
The objectives of internal control are to provide reasonable assurance that:
- Assets are safeguarded and used for business purposes.
- Business information is accurate.
- Employees and managers comply with laws and regulations.
These objectives are illustrated below.
Internal control can safeguard assets by preventing theft, fraud, misuse, or misplacement. A serious concern of internal control is preventing employee fraud. Employee fraud is the intentional act of deceiving an employer for personal gain. Such fraud may range from minor overstating of a travel expense report to stealing millions of dollars. Employees stealing from a business often adjust the accounting records in order to hide their fraud. Thus, employee fraud usually affects the accuracy of business information.
Accurate information is necessary to successfully operate a business. Businesses must also comply with laws, regulations, and financial reporting standards. Examples of such standards include environmental regulations, safety regulations, and generally accepted accounting principles (GAAP).
2. Elements of Internal Control
The three internal control objectives can be achieved by applying the five elements of internal control set forth by the Integrated Framework.5 These elements are as follows:
- Control environment
- Risk assessment
- Control procedures
- Monitoring
- Information and communication
The elements of internal control are illustrated in Exhibit 2.
In Exhibit 2, the elements of internal control form an umbrella over the business to protect it from control threats. The control environment is the size of the umbrella. Risk assessment, control procedures, and monitoring are the fabric of the umbrella, which keep it from leaking. Information and communication connect the umbrella to management.
3. Control Environment
The control environment is the overall attitude of management and employees about the importance of controls. Three factors influencing a company’s control environment are as follows:
- Management’s philosophy and operating style
- The company’s organizational structure
- The company’s personnel policies
Management’s philosophy and operating style relates to whether management emphasizes the importance of internal controls. An emphasis on controls and adherence to control policies creates an effective control environment. In contrast, overemphasizing operating goals and tolerating deviations from control policies creates an ineffective control environment.
The business’s organizational structure is the framework for planning and controlling operations. For example, a retail store chain might organize each of its stores as separate business units. Each store manager has full authority over pricing and other operating activities. In such a structure, each store manager has the responsibility for establishing an effective control environment.
The business’s personnel policies involve the hiring, training, evaluation, compensation, and promotion of employees. In addition, job descriptions, employee codes of ethics, and conflict-of-interest policies are part of the personnel policies. Such policies can enhance the internal control environment if they provide reasonable assurance that only competent, honest employees are hired and retained.
4. Risk Assessment
All businesses face risks such as changes in customer requirements, competitive threats, regulatory changes, and changes in economic factors. Management should identify such risks, analyze their significance, assess their likelihood of occurring, and take any necessary actions to minimize them.
5. Control Procedures
Control procedures provide reasonable assurance that business goals will be achieved, including the prevention of fraud. Control procedures, which constitute one of the most important elements of internal control, include the following as shown in Exhibit 3.
- Competent personnel, rotating duties, and mandatory vacations
- Separating responsibilities for related operations
- Separating operations, custody of assets, and accounting
- Proofs and security measures
Competent Personnel, Rotating Duties, and Mandatory Vacations A successful company needs competent employees who are able to perform the duties that they are assigned. Procedures should be established for properly training and supervising employees. It is also advisable to rotate duties of accounting personnel and mandate vacations for all employees. In this way, employees are encouraged to adhere to procedures. Cases of employee fraud are often discovered when a long-term employee, who never took vacations, missed work because of an illness or another unavoidable reason.
Separating Responsibilities for Related Operations The responsibility for related operations should be divided among two or more persons. This decreases the possibility of errors and fraud. For example, if the same person orders supplies, verifies the receipt of the supplies, and pays the supplier, the following abuses may occur:
- Orders may be placed on the basis of friendship with a supplier, rather than on price, quality, and other objective factors.
- The quantity and quality of supplies received may not be verified; thus, the company may pay for supplies not received or that are of poor quality.
- Supplies may be stolen by the employee.
- The validity and accuracy of invoices may not be verified; hence, the company may pay false or inaccurate invoices.
For the preceding reasons, the responsibilities for purchasing, receiving, and paying for supplies should be divided among three persons or departments.
Separating Operations, Custody of Assets, and Accounting The responsibilities for operations, custody of assets, and accounting should be separated. In this way, the accounting records serve as an independent check on the operating managers and the employees who have custody of assets.
To illustrate, employees who handle cash receipts should not record cash receipts in the accounting records. To do so would allow employees to borrow or steal cash and hide the theft in the accounting records. Likewise, operating managers should not also record the results of operations. To do so would allow the managers to distort the accounting reports to show favorable results, which might allow them to receive larger bonuses.
Proofs and Security Measures Proofs and security measures are used to safeguard assets and ensure reliable accounting data. Proofs involve procedures such as authorization, approval, and reconciliation. For example, an employee planning to travel on company business may be required to complete a “travel request” form for a manager’s authorization and approval.
Documents used for authorization and approval should be prenumbered, accounted for, and safeguarded. Prenumbering of documents helps prevent transactions from being recorded more than once or not at all. In addition, accounting for and safeguarding prenumbered documents helps prevent fraudulent transactions from being recorded. For example, blank checks are prenumbered and safeguarded. Once a payment has been properly authorized and approved, the checks are filled out and issued.
Reconciliations are also an important control. Later in this chapter, the use of bank reconciliations as an aid in controlling cash is described and illustrated.
Security measures involve measures to safeguard assets. For example, cash on hand should be kept in a cash register or safe. Inventory not on display should be stored in a locked storeroom or warehouse. Accounting records such as the accounts receivable subsidiary ledger should also be safeguarded to prevent their loss. For example, electronically maintained accounting records should be safeguarded with access codes and backed up so that any lost or damaged files could be recovered if necessary.
6. Monitoring
Monitoring the internal control system is used to locate weaknesses and improve controls. Monitoring often includes observing employee behavior and the accounting system for indicators of control problems. Some such indicators are shown in Exhibit 4.
Evaluations of controls are often performed when there are major changes in strategy, senior management, business structure, or operations. Internal auditors, who are independent of operations, usually perform such evaluations. Internal auditors are also responsible for day-to-day monitoring of controls. External auditors also evaluate and report on internal control as part of their annual financial statement audit.
7. Information and Communication
Information and communication is an essential element of internal control. Information about the control environment, risk assessment, control procedures, and monitoring is used by management for guiding operations and ensuring compliance with reporting, legal, and regulatory requirements. Management also uses external
information to assess events and conditions that impact decision making and external reporting. For example, management uses pronouncements of the Financial Accounting Standards Board (FASB) to assess the impact of changes in reporting standards on the financial statements.
8. Limitations of Internal Control
Internal control systems can provide only reasonable assurance for safeguarding assets, processing accurate information, and compliance with laws and regulations. In other words, internal controls are not a guarantee. This is due to the following factors:
- The human element of controls
- Cost-benefit considerations
The human element recognizes that controls are applied and used by humans. As a result, human errors can occur because of fatigue, carelessness, confusion, or misjudgment. For example, an employee may unintentionally shortchange a customer or miscount the amount of inventory received from a supplier. In addition, two or more employees may collude together to defeat or circumvent internal controls. This latter case often involves fraud and the theft of assets. For example, the cashier and the accounts receivable clerk might collude to steal customer payments on account.
Cost-benefit considerations recognize that the cost of internal controls should not exceed their benefits. For example, retail stores could eliminate shoplifting by searching all customers before they leave the store. However, such a control procedure would upset customers and result in lost sales. Instead, retailers use cameras or signs saying “Weprosecute all shoplifters.”
Source: Warren Carl S., Reeve James M., Duchac Jonathan (2013), Corporate Financial Accounting, South-Western College Pub; 12th edition.
Superb site you have here but I was curious about if you knew of any community forums that cover the same topics
talked about here? I’d really love to be a part of online community where I can get comments from other knowledgeable people that share the same interest.
If you have any suggestions, please let me know. Cheers!
Thanks for one’s marvelous posting! I quite enjoyed reading it, you happen to be a great author.
I will make certain to bookmark your blog and will eventually come back later on. I want to encourage one to
continue your great writing, have a nice evening!