Basic Concepts and Elements of Internal Control

Nature and Purpose of Internal Control

Internal Control – comprises the plan of organization and all of the coordinate
methods and measures adopted within a business to safeguard its assets, check the
accuracy and reliability of its accounting data, promote operational efficiency, and
encourage adherence to prescribed policies.
Internal Control also called internal control structure as a process that is effected by
an entity’s board of directors, management and other personnel and that is designed
to provide reasonable assurance that specific entity objectives will be achieved.
Those objectives fall into three categories: 1. Reliability of financial reporting 2.
Effectiveness and efficiency of operations 3. Compliance with applicable laws and
regulations.
Internal Control – is the process designed and implemented by management and
individuals charged with governance to provide reasonable assurance about
achievement of the entity’s objectives (see other materials for the objectives of
internal control and its components).
Limitations of the Internal Control – Because of inherent limitations, no internal
control process can provide absolute assurance that all the entity’s objectives will be
met:
1. Human judgment can contribute to errors in the design of internal control (errors
by personnel)
2. Individuals can make errors in the application of specified internal controls
3. Two or more individuals can circumvent controls through collusion
4. Individuals, especially those in management, can over-ride or disable internal
controls
5. Human judgment can affect decisions about which internal controls are cost-
effective
6. The extent of segregation of duties can be limited in smaller entities
7. Management override
8. Present conditions are not guaranteed in the future
9. Cost-benefit relationship
10. Most internal controls tend to be directed at routine transactions rather than non
-routine transactions.
Components of Internal Control that enable an entity to achieve its objectives:
1. Control environment - the collective effect on an entity’s board, management, and
owner’s on establishing, enhancing, or mitigating the effectiveness of specific control
policies or procedures. The control environment sets the tone and provides discipline
and structure.
2. Risk Assessment - management’s efforts to identify, analyze, and manage risks
pertaining to the preparation of financial statements.
3. Control Activities – policies and procedures to ensure that necessary actions are
taken to address risks to the achievement of preparing reliable financial statements.
Control activities pertain to performance reviews, information processing, physical
controls, and segregation of duties.
4. Information and Communication – the entity’s information system and procedures
for communicating matters related to the processing of accounting data. This
component generates the financial statements. This includes methods and records
that enable all valid transactions to be completely recorded, properly classified,
valued and presented according to GAAP.
5. Monitoring – the process an entity uses to assess the quality of internal control
over time. This involves assessing the design and operation of controls on a timely
basis and taking corrective action as necessary.
Control environment – means the overall attitude, awareness and actions of directors
and management regarding the internal control system and its importance in the
entity. The environment in which internal control operates has an impact on the
effectiveness of the specific control procedures. Several factors comprise the control
environment, including:
1. Integrity and Ethical Values - include management’s actions to remove or reduce
incentives and temptations that might prompt personnel to engage in dishonest,
illegal, or unethical acts. This also include the communication of entity values and
behavioral standards to personnel through policy statements, a code of conduct, and
management’s example of appropriate behavior.
2. Management Philosophy and Operating Style – refers to management’s attitude
towards a) business risk b) financial reporting, c) meeting budget, profit and other
established goals which all have impact on the reliability of the financial statements.
3. Organizational Structure – provides the overall framework for planning, directing
and controlling operations. The responsibilities and authorities of the various
personnel within the organization should be established in such a manner as to 1)
assist the entity in meeting its goals and objectives and 2) ensure that transactions are
processed, recorded, summarized and reported in an accurate and timely manner.
4. The Audit Committee – composed of board members who are not employees of
the company. The role of the committee usually consists of nominating the
independent auditor and reviewing the scope and the results of the audit.
5. Assigning Authority and Responsibility - personnel within an organization need to
have a clear understanding of their responsibilities and the rules and regulations that
govern their actions.
6. Management Control Methods –include 1) budgeting, forecasting and profit
planning systems, 2) policies and procedures for monitoring the states of actual
organization performance and exceptions from planned performance, and 3) policies
and procedures for investigating any significant variance from expected results.
7. Internal Audit Function
8. Personnel Policies and Procedures
9. Commitment to Competence. Competence is the knowledge and skills necessary
to accomplish tasks that define an employee’s job. Commitment to competence –
means that management considers the competence levels for particular jobs in
determining the skills and knowledge required of each employee and that it hires
employees competent to perform the tasks.
10. External Influences- include monitoring and compliance requirements imposed by
legislative and regulatory bodies.
The Control Environment – sets the tone of an organization, influencing the control
consciousness of all its employees and the individuals charged with governance. It
includes the attitudes, awareness, and actions of those individuals concerning the
importance of internal control. It is the responsibility of those charged with
governance and management to design internal controls that will help prevent and
detect error and fraud. The control environment includes the following:
 Communication and enforcement of integrity and ethical values

 Commitment to competence in skills and knowledge

 Participation by those charged with governance

 Management’s philosophy and operating style

 The organizational structure

 Assignment of authority and responsibility

Risk assessment focus on how the entity considers the possibility of transactions not
being recorded or identifies and assesses significant estimates recorded in the
financial statements. Risks arise from both external and internal circumstances that
may adversely affect an entity’s ability to record, process, summarize, and report
financial data consistent with its financial statement assertions. Examples of these
circumstances are: changes in the regulatory or operating environment that result in
competitive pressures or other risks, new personnel who have a different focus on or
understanding of internal control, adoption of new accounting principles or changing
accounting principle.
The Risk Assessment Process – This process asks questions such as:
 What risks affect the accuracy and integrity of the financial reporting process?

 How significant are those risks?

 How likely is it such risks will occur?

 What actions are appropriate to address and minimize such risks?

Control Activities. Another element of an entity’s control structure is the existence of

effective control procedures. Control procedures – means those policies and
procedures in addition to the control environment which management has
established to achieve the entity’s specific objectives. Examples: Reporting, reviewing
and approving reconciliations, checking the arithmetic accuracy, limiting direct
physical access to assets and records, comparing and analyzing the financial results
with budgeted amounts.
Control Activities – are policies and procedures which help ensure that management
directives are carried out. Control activities address both manual and information
technology processes, and are applied at various organizational and functional levels.
Control activities address questions such as:
 Authorization –who initiates and who approves transactions?

 Performance reviews – is each employee meeting his/her responsibilities?

 Information processing – does the system, whether manual or computerized,

work as designed?
 Physical controls – are assets guarded against loss or unauthorized use?

 Segregation of duties – are as many people as practical involved in each

record-keeping process?
The major categories of control procedures are: 1. Performance Review –
management uses accounting and operating data to assess performance, and it then
takes corrective action. 2. Information Processing Controls – are policies and
procedures designed to require authorization of transactions and to ensure the
accuracy and completeness of transaction processing. Control activities may be
classified according to the scope of the system they affect.
General controls – are control activities that prevent or detect errors or irregularities
for all accounting systems.
Application controls – are controls that pertain to the processing of a specific type of
transaction, such as payroll, or sales and collections.
Control Activities related to the processing of transactions may be grouped as follows:
1. proper authorization 2. design and the use of adequate documents and records,
and 3. independent checks on performance.
Information Processing Controls: 1. Proper authorization of transactions and activities
2. Segregation of duties 3. Adequate documents and records 4. Safeguards over
access to assets, and 5. Independent checks on performance.
Concept of Reasonable Assurance recognizes that the cost of internal control should
not exceed the expected benefits which will accrue from having the control.
Information and Communication – involves the accounting and financial reporting
information system as well as the procedures used to communicate that system to
employees and others. The information system includes the procedures and records
that are used to initiate, record, process, and report transactions, events, and
conditions. It includes procedures to maintain accountability for assets, liabilities, and
net assets. This component includes procedures and records that inform employees
of their respective roles and responsibilities within the accounting and financial
reporting process.
Control Activities – are policies and procedures which help ensure that management
directives are carried out. Control activities address both manual and information
technology processes, and are applied at various organizational and functional levels.
Control activities address questions such as:
 Authorization –who initiates and who approves transactions?

 Performance reviews – is each employee meeting his/her responsibilities?

 Information processing – does the system, whether manual or computerized,

work as designed?
 Physical controls – are assets guarded against loss or unauthorized use?

 Segregation of duties – are as many people as practical involved in each

record-keeping process?
Monitoring of Controls- Management not only establishes internal controls, but
should continually monitor those controls to determine whether they are functioning
as intended. Ongoing monitoring activities are often built into the normal recurring
activities of the entity and include regular management and supervisory activities.
Such monitoring should include an assessment of the accuracy of the data that is
used for periodic testing of controls. The monitoring process also includes
determining corrective action when controls are found to be deficient.
General Observations on Internal Control
1. Controls Not Employee Specific – the specific control process should be designed
to meet the organization’s needs and to accomplish stated objectives.
2. Attention to Errors and Fraud – Internal control is designed to safeguard assets
and to enhance the reliability and efficiency of the operation. The internal control
process is designed just as much to detect unintentional errors as to discover
deliberate fraud.
3. Exposure to Temptation – It is a disservice to employees to put them in positions,
or to allow them to work under circumstances, which expose them to temptation and
make it easy for them to yield. If one eventually succumbs to the pressure, those who
have permitted that exposure must share the responsibility. “For evils that we might
have checked, we are just as responsible as if we were guilty of the acts ourselves”
Desire of Ages, p.441.
4. Fidelity Bond – organizations should protect their assets by utilizing fidelity bond
of adequate limits.
5. Job Descriptions – clearly defines duties and responsibilities of the position, the
extent of authority specified, and to whom the employee is responsible.
6. Evaluation of Personnel – all personnel should be evaluated annually based on
their job descriptions and standards of performance.
7. Segregation of Duties- incompatible functions must be handled by different
personnel to minimize the opportunity of fraud and errors to occur and remain
undetected.
8. Management Involvement – it may be practical for review of significant
transactions to be performed by a member of an oversight group, such as an audit
committee or finance committee.