DESIGNING INTERNAL CONTROL SYSTEMS FOR SMALLER ENTITIES

By Larry L. Perry, CPA

CPA Firm Support Services, LLC

LEARNING OBJECTIVES

  • Understand the fundamental concepts and the components of internal control.
  • Be able to design and operate effective accounting and internal control systems for smaller entities.
  • Learn to prepare flowcharts effectively and efficiently.

THE FOUNDATION OF INTERNAL CONTROL

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization established in the United States. It is dedicated to providing guidance on organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting. COSO established a common internal control model that is used by large and small reporting entities.

COSO defines internal control as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. The COSO framework involves several key concepts:

  1. Internal control is a process. It is a means to an end, not an end in itself.
  2. Internal control is not merely documented by policy manuals and forms. Rather, it is put into effect by people at every level of an organization.
  3. Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
  4. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

A Historical Perspective of Internal Controls

The Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting (Treadway Commission) issued its first report in 1985 stressing the importance of internal control, the control environment, codes of conduct, audit committees and internal audit functions. In 1992, a task force of COSO issued a report entitled Internal Control—Integrated Framework, called the COSO Report.

Among other things, the COSO Report defines internal control and its components and provides criteria for evaluating internal control. The report presents these interrelated components of internal control:

  • Control Environment—The core of any business is its people and the environment in which they operate. The tone at the top, i.e., management’s attitudes, values and behaviors, provides the control environment for other employees.
  • Risk Assessment—The entity must be aware of and deal with the risks it faces; identifying the risk of error or fraud and implementing corrective actions is the primary responsibility of management.
  • Control Activities—Control policies and procedures must be designed and operated to address risks to the achievement of the entity’s objectives.
  • Information and Communication—These systems enable the entity’s people to obtain and use information necessary to conduct, manage and control operations.
  • Monitoring—The internal control process must be monitored and changed by management as circumstances and conditions necessitate.

In 2013, COSO updated and issued Internal Control—Integrated Framework. The updated report did not change the basic components of internal control but, among other clarifying issues, the Framework sets out seventeen principles for applying these components. These principles from COSO’s report are presented below as they apply to these components.

Control Environment

  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

  1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  2. The organization selects and develops general control activities over technology to support the achievement of objectives.
  3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

  1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

  1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Internal control is always relevant to the nature, size and complexity of a reporting entity. Smaller entities will ordinarily have more informal controls that are carried out by one or a few persons. While the basic components of internal control should be present in small- and medium-size entities, the 17 principles will ordinarily be subjectively included in an entity’s design and operation of internal controls.

Generally, internal controls over financial reporting include those that are designed to make sure financial data is recorded, processed, summarized and reported consistent with management’s representations (assertions) in financial statements. Management of an entity has the primary responsibility for internal control. An auditor’s responsibilities include the evaluation of whether the five components are designed and operating effectively, given the nature, size and complexity of the entity.

Management’s Control Objectives

An entity’s internal control system provides the machinery used by management to accomplish these basic objectives:

  • Effectiveness and efficiency of operations—basic business objectives, profitability goals and safeguarding of assets and other resources.
  • Reliability of financial reporting—preparation of accurate financial statements.
  • Compliance with laws and regulations—all to which the entity is subject.

Understanding the Components of Internal Control

The Tone at the Top and Bottom:

The control environment sets the tone of any organization, i.e., causes its people to be conscious of the importance of the entity’s system of internal control. It is the foundation for application of all other components of internal control. For small entities, the character and behavior of the person having top financial responsibility for the entity, e.g., an owner or manager, sets the tone for employees to follow. For larger entities, management personnel at various levels are also the primary influence on the control environment. In all cases, it’s what management does, not what they say, that directs employees’ behavior. The operating philosophies and style of management, their delegation of responsibility and authority, their emphasis on developing and guiding employees and their utilization of input from persons charged with governance define what employees do.

The Importance of Descriptive Charts of Accounts and Budgeting Controls:

A comprehensive chart of accounts is the foundation of the financial reporting process. Designed to guide the authorization, initiation, classification, recording and summarizing of transactions, it is most effective when it includes descriptions of the activity that may be recorded in each account. The chart of accounts should include accounts in all functional, departmental and/or job classifications. It should also be designed to facilitate budget preparation and monitoring as part of an entity’s internal control system.

Budgets may be prepared using a base line, such as the prior year’s operations, or they may be zero-based, that is, built from the ground up. Whichever method is used, participation by department heads and other operating personnel is essential for producing effective budgets. The final review and approval responsibility for budgets should rest with persons charged with governance of the organization.

To provide value, the budget should be compared to actual results on a periodic basis by management and other persons charged with governance, usually monthly. Unusual or unexpected variances from budgeted amounts should be considered and corrective actions implemented when necessary.

A budget should also be designed for use based on an entity’s nature, size and complexity. A medium-size church employed an executive pastor who was formerly a chief financial officer for a public company. He spent most of his time micro-managing weekly budgets for department heads. Using a report from the church’s accounting software, the executive pastor met with department heads weekly to discuss their budget status. Overexpenditures were met with severe cutbacks in planned future expenditures. Underexpenditures resulted in reductions of monthly or annual budgeted amounts. While this micro-management significantly strengthened the church’s internal control system, its cost was high, too high for the size of this organization. The practical side of internal control is that the cost of operation of a control activity should result in benefits appropriate for the nature, size and complexity of the organization.

While properly prepared and monitored budgets can significantly improve a small entity’s internal controls, their use should provide benefits commensurate with the cost of preparation and monitoring. Like the design and operation of internal control procedures, benefits must be measured in terms of the relative costs of implementation and maintenance.

The Importance of a Code of Conduct:

While smaller entities don’t normally have a written code of conduct, larger organizations are establishing these codes. Publicly held companies, issuers under the Sarbanes-Oxley Act, are required to establish and communicate codes of conduct. Other privately held companies, non-issuers, are also creating codes of conduct as part of their control environment.

Whether written or communicated informally, a code of conduct defines behavior expectations for both management and other employees. While such codes do not prevent inappropriate behavior or fraud, they do provide employees with legal and ethical standards that will influence their performance and commitment to the entity’s system of internal control.

An entity’s code of conduct will ordinarily include these sections:

  • Use of company assets and resources for business and not personal use
  • Use of telephones, email and the internet
  • Avoiding actual and potential conflicts of interest
  • Protecting the company’s confidential information
  • Maintaining complete and accurate accounting records
  • Investigating and reporting any accounting, auditing and disclosure concerns
  • Retaining and disposing of records and documents
  • Prohibiting discrimination and harassment
  • Prohibiting use of alcohol and illegal drugs
  • Complying with laws, rules and regulations
  • Protecting intellectual property and using copyrighted materials
  • Giving and receiving gifts, meals, services and entertainment
  • Understanding disciplinary actions for code violations
  • Reporting concerns and code violations

The Entity’s Risk Assessment Process:

Risks at the entity level may come from external factors such as changes in technology, customers’ needs, competition, regulations or laws and the economy. At the entity level, risks also arise from internal factors such as information systems failures, personnel practices affecting the quality of employees, access to assets and the susceptibility of an entity’s operations to fraud.

At the activity level, risk assessment involves business operations and financial reporting. Analyzing operational reports, financial and non-financial data and observations of employees’ activities may bring risks to management’s attention.

Control Activities:

Control activities that are established in response to perceived risks relate to management’s representations (assertions) in the entity’s financial statements. The assertions from section AU-C 315 of the Auditing Standards Board Clarified Auditing Standards can be synthesized and organized in this way:

  • Completeness
  • Occurrence and cut-off
  • Valuation and accuracy
  • Existence
  • Rights
  • Obligations
  • Disclosure and Presentation

An entity’s financial reporting and internal control systems should result in financial statement classifications that are appropriate and reasonable.

Key or Entity-Level Controls

Key controls are those elements of the five components of internal control that have a pervasive effect upon the accomplishment of management’s control objectives. For smaller entities, key controls are normally performed at the entity level, although some may exist at the activity level. Illustrated in the accompanying Small Audits Internal Control Questionnaire (SAICQ), these controls may be informal and ordinarily carried out by one or a few persons such as an owner/manager. The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected. When these circumstances exist, even a small entity can have a good internal control system!

Components of key controls for both large and small entities are:

  • Management’s integrity and ethical values.
  • Management’s commitment to doing things right.
  • Management’s ways of doing things.
  • The involvement of persons charged with governance.
  • The delegation of authority and responsibility.
  • Personnel policies and procedures.

Activity-Level Controls

The COSO Report states that control activities are the policies and procedures established to help ensure that management directives are carried out and that management’s objectives are accomplished. The key controls described above are primary to accomplishing these objectives. Absent the design of key controls, or when key controls are designed but not operating, activity-level controls may be necessary to prevent misstatements from occurring and going undetected.

These controls may be applied through features in an accounting software system, by personnel while performing accounting procedures or by the design of documents or data. The SAICQ mentioned above also illustrates the activity-level controls for the financial statement classifications of a small entity. If key controls are not designed or operating, certain activity-level controls may prevent errors from occurring and going undetected.

Information and Communication:

Comprising the nature of internal information produced and distributed by an entity, this component is intended to enable management and others to operate, manage and control the entity’s business. It is also intended to provide employees an understanding of financial reporting and safeguarding controls and their operations. For larger entities, communication may take the form of policy and procedure manuals, instructional memos and oral communications. For smaller entities, communication will often be verbal, face to face and directed by the owner or a manager.

Communications may also involve outside parties such as auditors, customers and vendors. These communications may provide information that can lead to identifying deficiencies in internal control.

Monitoring:

The monitoring component is intended to cause management to assess the design and operating effectiveness of the entity’s system of internal control on a short- and long-range basis. Monitoring can be performed on an ongoing basis or on separate occasions.

Monitoring is the evaluation of the effectiveness of other internal control components and how well management’s and other employees’ duties are being performed. Monitoring in small entities normally consists of the day-to-day observations of an owner or manager.

Special Issues for Small Entities

As discussed above, the owner or manager of a small entity is that entity’s control environment. If he or she has good character, is committed to performing key controls and is diligent in carrying out day-to-day responsibilities, it is possible for a small entity to have a good system of internal control. On the other hand, an ineffective owner/manager may increase the risk of material misstatements at both the financial statement and assertion levels.

Boards of directors for small entities, especially non-profit organizations, may not be knowledgeable about business operations, accounting and tax activities or internal control over financial reporting. In such cases, the caliber of the owner or manager will be even more important in preventing errors from occurring and going undetected. A knowledgeable board, on the other hand, can serve to reduce the risk of material misstatement when the owner or manager’s capabilities are not strong.

An informal organization structure of a small entity may result in control deficiencies due to a lack of segregation of duties in operations and accounting. Because employees may be trained to perform many different functions, the resources and accounting records could be at risk of misstatement due to error or fraud. Highly effective key controls at the entity level would be necessary to mitigate these risks.

Many of the key controls performed by an owner or manager depend on the physical presence of the person. Prolonged absences from the work place by the owner or manager decrease the effectiveness of key controls and increase the risk of material misstatements.

Can a Small Entity Have Good Internal Controls?

As discussed above, the owner or manager (CEO, director, superintendent, CFO or other top financial authority) has primary responsibility for the design and operation of internal controls. Most of the key controls will be informal and they will be performed by the owner or manager. It is the commitment to accurate financial reporting and the diligence of the responsible person that primarily affects the risk of material misstatements in financial statements.