Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
It is a means by which an organization’s resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization’s resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).
At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization’s payments to third parties are for valid services rendered). Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls.
Internal control plays an important role in the prevention and detection of fraud. Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment. The AICPA, IIA, and ACFE also sponsored a guide published during 2008 that includes a framework for helping organizations manage their fraud risk.
Controls can be evaluated and improved to make a business operation run more effectively and efficiently. For example, automating controls that are manual in nature can save costs and improve transaction processing. If the internal control system is thought of by executives as only a means of preventing fraud and complying with laws and regulations, an important opportunity may be missed. Internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.
An effective internal control structure includes a company’s plan of organization and all the procedures and actions it takes to:
- Protect its assets against theft and waste.
- Ensure compliance with company policies and federal law.
- Evaluate the performance of all personnel to promote efficient operations.
- Ensure accurate and reliable operating data and accounting reports.
As you study the basic procedures and actions of an effective internal control structure, remember that even small companies can benefit from using some internal control measures. Preventing theft and waste is only a part of internal control.
In general terms, the purpose of internal control is to ensure the efficient operations of a business, thus enabling the business to effectively reach its goals.
Companies protect their assets by (1) segregating employee duties, (2) assigning specific duties to each employee, (3) rotating employee job assignments, and (4) using mechanical devices.
Unfortunately, even though a company implements all of these features in its internal control structure, theft may still occur. If employees are dishonest, they can usually figure out a way to steal from a company, thus circumventing even the most effective internal control structure. Therefore, companies should carry adequate casualty insurance on assets. This insurance reimburses the company for loss of a nonmonetary asset such as specialized equipment. Companies should also have fidelity bonds on employees handling cash and other negotiable instruments. These bonds ensure that a company is reimbursed for losses due to theft of cash and other monetary assets. With both casualty insurance on assets and fidelity bonds on employees, a company can recover at least a portion of any loss that occurs.
Internal Control Responsibility
Internal control is the general responsibility of all members in an organization. However, the following three groups have specific responsibilities regarding the internal control structure.
- Management holds ultimate responsibility for establishing and maintaining an effective internal control structure. Through leadership and example, management demonstrates ethical behavior and integrity within the company.
- The board of directors provides guidance to management. Because board members have a working knowledge of the functions of the company, they help shield the company from managers who try to override some control procedures for dishonest purposes. Often, an efficient board that has access to the company’s internal auditors can discover such fraud.
- Auditors within the organization evaluate the effectiveness of the internal control structure and determine whether company policies and procedures are being followed. All employees are part of a communications network that enables an internal control structure to work effectively.
Computerized financial records require the same internal control principles of separation of duties and control over access as a manual accounting system. The exact control steps depend on whether a company is using mainframe computers and minicomputers or microcomputers.
In a personal computer environment, the following controls can be useful:
- Require computer users to have tight control over storage of programs and data. Just as one person maintains custody over a certain set of records in a manual system, in a computer system one person maintains custody over certain information (such as the accounts receivable subsidiary ledger). Make backup copies that are retained in a different secured location.
- Require passwords (kept secret) to gain entry into data files maintained on the hard disk.
- In situations where a local area network (LAN) links the personal computers into one system, permit only certain computers and persons in the network to have access to some data files (the accounting records, for example).
Computerized accounting systems do not lessen the need for internal control. In fact, access to a computer by an unauthorized person could result in significant theft in less time than with a manual system.
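The controls listed above for a personal computer environment can be checked mechanically against an export of access grants. The following is an added example, not part of the original text: the file names, host names, people, and the three duty labels (authorization, custody, recording) are constructed assumptions used to show a separation-of-duties, single-custodian, and LAN allowlist review.

```python
from collections import defaultdict

# Constructed policy: per data file, the persons and LAN hosts allowed access.
POLICY = {
    "ar_subledger.dat": {"persons": {"alice", "bob"}, "hosts": {"acct-pc-01", "acct-pc-02"}},
    "general_ledger.dat": {"persons": {"carol", "dave"}, "hosts": {"acct-pc-01"}},
}

# Constructed sample of access grants (hypothetical names and hosts).
GRANTS = [
    {"person": "alice", "host": "acct-pc-01", "file": "ar_subledger.dat", "duty": "custody"},
    {"person": "bob", "host": "acct-pc-02", "file": "ar_subledger.dat", "duty": "recording"},
    {"person": "bob", "host": "acct-pc-02", "file": "ar_subledger.dat", "duty": "authorization"},
    {"person": "carol", "host": "acct-pc-01", "file": "general_ledger.dat", "duty": "custody"},
    {"person": "dave", "host": "sales-pc-07", "file": "general_ledger.dat", "duty": "custody"},
    {"person": "erin", "host": "acct-pc-01", "file": "general_ledger.dat", "duty": "recording"},
]

def audit(grants, policy):
    """Return sorted (finding, file, subject) tuples for control violations."""
    findings = []
    duties = defaultdict(set)      # (file, person) -> duties held on that file
    custodians = defaultdict(set)  # file -> persons holding custody
    for g in grants:
        rule = policy.get(g["file"])
        if rule is None:
            # A data file with grants but no policy is itself a gap.
            findings.append(("no_policy", g["file"], g["person"]))
            continue
        if g["person"] not in rule["persons"]:
            findings.append(("unapproved_person", g["file"], g["person"]))
        if g["host"] not in rule["hosts"]:
            findings.append(("unapproved_host", g["file"], g["host"]))
        duties[(g["file"], g["person"])].add(g["duty"])
        if g["duty"] == "custody":
            custodians[g["file"]].add(g["person"])
    # Separation of duties: nobody holds more than one duty on the same file.
    for (fname, person), held in duties.items():
        if len(held) > 1:
            findings.append(("sod_conflict", fname, person))
    # Custody: exactly one person should maintain custody of each file.
    for fname, people in custodians.items():
        if len(people) > 1:
            findings.append(("multiple_custodians", fname, ",".join(sorted(people))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(GRANTS, POLICY):
        print(finding)
```
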