Chapter 4 – Internal controls
Objectives.
•Define “internal control” and explain its importance in the accounting information system
•Explain the basic purposes of internal control
•Describe and give examples of various kinds of risk exposures
•Conduct a comprehensive risk assessment
•Summarize and explain the importance of the COSO documents on internal control
•Critique existing internal control systems and design effective internal controls
Definition of internal control.
Most definitions of internal control contain four common elements:
•Internal control is a process
•Internal controls are designed to provide reasonable assurance
•Internal control necessarily involves people in the organization
•Internal controls provide that reasonable assurance in a few common areas
Internal control purposes
Broadly speaking, internal controls should help organizations:
•Safeguard their assets
•Ensure the reliability of financial statements
•Promote operating efficiency
•Encourage compliance with management’s directives
Risk exposures
One good way to start designing internal controls is to think about an organization’s risks.
Among the many good ways to think about risk is Brown’s taxonomy.
- Operational risk
•Systems risk: related to information technology
•Human error risk: people in the organization might make mistakes
- Financial risk
•Market risk: changes in stock prices, investment values, interest rates
•Credit risk: customers’ unwillingness or inability to pay their debts
•Liquidity risk: insufficient cash to pay debts
- Hazard risk
- Officers’ and directors’ liability: people might break laws, resulting in personal penalties
- Strategic risks
- Legal and regulatory risk: people might break laws, resulting in penalties for the organization
- Business strategy risk: poor decision making related to market competition
COSO frameworks
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed two frameworks related to internal control (1985) and enterprise risk management (2004).
Internal Control: Integrated Framework
- Control environment: the tone at the top
- Risk assessment: using a taxonomy to identify organizational risks
- Control activities: actual responses to risk.
•Preventive, detective, corrective
•General, application
- Information and communication: keeping people informed
- Monitoring: periodic reviews and updates
Enterprise Risk Management: Integrated Framework
- Internal environment: tone at the top
- Objective setting: organizational goals
•Strategic
•Reporting
•Operations
•Compliance
- Event identification: what can happen that may impede goals
•Internal
•External
- Risk assessment: likelihood and impact
•Inherent
•Residual
- Risk response: generic ways to deal with risk
•Avoid
•Accept
•Reduce
•Share
- Control activities: specific procedures for responding to risk
- Information and communication: keep people informed about what’s happening with risk and the plan
- Monitoring: ongoing activities and/or separate evaluations that ensure the plan is updated as needed
Examples:
Although every organization’s approach to internal control is slightly different, certain controls are common in many organizations. The following slides contain some examples.
•Adequate documentation
•Background checks
•Back-up computer files
•Back-up power supplies
•Bank reconciliation
•Batch control totals
•Data encryption
•Document matching
•Edit checks
•Firewalls
•Insurance and bonding
•Internal audits
•Limit checks
•Lockbox systems
•Physical security
•Preformatted data entry screens
•Prenumbered documents
•Restrictive endorsements of checks
•Daily deposit of cash receipts
•Segregation of duties
•User training
All internal controls have associated costs—financial, operational and behavioral. The key is ensuring that the benefits outweigh the costs.
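Four of the controls listed above (batch control totals, edit checks, limit checks and prenumbered documents) worked through as an added example, not part of the chapter: the batch of cash receipts, its header totals and the 5000 limit are constructed, assumed values.

```python
# Constructed sample batch of cash receipts; the header holds control totals computed independently when the source documents were prepared.
BATCH_HEADER = {"record_count": 4, "amount_total": 1650.00, "hash_total": 4020}
BATCH = [
    {"doc_no": 1001, "account": 1005, "amount": 250.00},
    {"doc_no": 1002, "account": 1010, "amount": 900.00},
    {"doc_no": 1003, "account": 1002, "amount": 400.00},
    {"doc_no": 1004, "account": 1003, "amount": 100.00},
]
AMOUNT_LIMIT = 5000.00  # hypothetical threshold for the limit check

def edit_check(rec):
    """Preventive control: reject a record whose fields are malformed or out of range."""
    errors = []
    if not isinstance(rec.get("doc_no"), int):
        errors.append("doc_no must be an integer")
    if not isinstance(rec.get("account"), int):
        errors.append("account must be an integer")
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    elif amount > AMOUNT_LIMIT:  # limit check
        errors.append(f"amount {amount} exceeds limit {AMOUNT_LIMIT}")
    return errors

def batch_control_totals(records):
    """Recompute the control totals from the records as actually keyed."""
    return {
        "record_count": len(records),
        "amount_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),  # meaningless sum, used only to detect changes
    }

def sequence_gaps(records):
    """Prenumbered documents: report numbers missing from the keyed range."""
    nums = {r["doc_no"] for r in records}
    if not nums:
        return []
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]

def validate_batch(header, records):
    """Detective control: list every discrepancy; an empty list means the batch balances."""
    findings = [f"doc {r.get('doc_no')}: {e}" for r in records for e in edit_check(r)]
    totals = batch_control_totals(records)
    for name, expected in header.items():
        if totals[name] != expected:
            findings.append(f"{name} mismatch: header {expected}, keyed {totals[name]}")
    findings += [f"missing prenumbered document {n}" for n in sequence_gaps(records)]
    return findings
```

Calling `validate_batch(BATCH_HEADER, BATCH)` on the sample batch returns an empty list; altering one amount or dropping one record produces a mismatch finding for each affected total.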
ACC 3113 – Accounting Information Systems, Chapter 4